HP 6125XLG R2306-HP 6125XLG Blade Switch Security Configuration Guide
HP 6125XLG manual content summary:
- Page 1: HP 6125XLG Blade Switch Security Configuration Guide. Part number: 5998-3718. Software version: Release 2306. Document version: 6W100-20130912.
- Page 2: , or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or
- Page 3: 44 AAA configuration examples 45 AAA for SSH users by an HWTACACS server 45 Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users 46 Authentication and authorization for SSH users by a RADIUS server 48 Authentication for SSH users by an LDAP server 51 Troubleshooting
- Page 4: 68 HP implementation of 802.1X 68 Configuration prerequisites 68 802.1X configuration task list 68 Enabling 802.1X 69 Enabling EAP relay or EAP termination 69 Setting the port authorization state 70 Specifying an access control method 70 Setting the maximum number of concurrent 802.1X users
- Page 5: procedure 101 Verifying the configuration 102 Troubleshooting port security 104 Cannot set the port security mode 104 Cannot configure secure MAC addresses 104 Configuring password control 105 Overview 105 Password setting 105 Password updating and expiration 106 User login control 107
- Page 6: SSH server function 128 Enabling the SFTP server function 128 Configuring the user interfaces for Stelnet clients 129 Configuring a client's host public key 129 Configuring an SSH user 130 Setting the SSH management parameters 131 Configuring the device as an Stelnet client 132 Stelnet client
- Page 7: attack detection 175 Configuration example 175 Configuring ARP packet source MAC consistency check 177 Configuring ARP active acknowledgement 177 Configuring ARP detection 177 Configuring user validity check 177 Configuring ARP packet validity check 178 Configuring ARP restricted forwarding
- Page 8: ACL-based IPsec 202 Feature restrictions and guidelines 202 ACL-based IPsec configuration task list 202 Configuring an ACL 203 Configuring an IPsec transform set 204 Configuring a manual IPsec policy 206 Configuring an IKE-based IPsec policy 207 Applying an IPsec policy to an interface
- Page 9: 231 Setting the limit on the number of IKE SAs 231 Displaying and maintaining IKE 232 Main mode IKE with pre-shared key authentication configuration example 232 Network requirements 232 Configuration procedure 233 Verifying the configuration 235 Troubleshooting IKE 235 IKE negotiation failed
- Page 10: read and print permissions to the files on the device, and prevent a guest from reading or printing the files. • Accounting-Records network usage details of users, including the service type, start time, and traffic. This function enables time-based and traffic-based charging and
- Page 11: responses. RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting. RADIUS was originally designed for dial-in user access. With the addition of new access methods, RADIUS has been extended to support additional access methods, such as Ethernet and ADSL. Client/server
- Page 12: RADIUS operates in the following manner: 1. The host sends a connection request that includes the user's username and password to the RADIUS client. 2. The RADIUS client encrypts the user password by using the MD5 algorithm, the shared key, and some other information, encapsulates the username
- Page 13: the client to the server. A packet of this type includes user information for the server to authenticate the user. It must contain the User-Name attribute and can optionally contain the attributes of NAS-IP-Address, User-Password, and NAS-Port. From the server to the client. If all attribute values
- Page 14: used RADIUS attributes No. Attribute 1 User-Name 2 User-Password 3 CHAP-Password 4 NAS-IP-Address 5 NAS-Port 6 Service-Type 7 Framed-Protocol 8 Framed-IP-Address 9 Framed-IP-Netmask 10 Framed-Routing 11 Filter-ID 12 Framed-MTU 13 Framed-Compression 14 Login-IP-Host 15
- Page 15: Password-Retry 29 Termination-Action 76 Prompt 30 Called-Station-Id 77 Connect-Info 31 Calling-Station-Id 78 Configuration-Token 32 NAS-Identifier 79 EAP-Message 33 Proxy-State 80 Message-Authenticator 34 Login-LAT-Service 87 NAS-Port-Id 41 Acct-Delay-Time 88 Framed-Pool
- Page 16: and authorized by the HWTACACS server. Does not support authorization of configuration commands. Commands a user can use solely depend on the user's roles. For more information about user roles, see Fundamentals Configuration Guide. Basic HWTACACS packet exchange process Figure 6 describes how
- Page 17: packet with the username 8) Request for password 9) The user enters the password 14) The user logs in successfully 17) The user logs off 7) Authentication response requesting the password 10) Continue-authentication packet with the password 11) Response indicating successful authentication 12
- Page 18: typically used to store user information. For example, LDAP server software Active Directory Server is used in Microsoft Windows operating systems to store the user information and user group information for user login authentication and authorization. LDAP directory service LDAP uses directories to
- Page 19: in the specified root directory of the server, and obtains a user DN list. 3. The LDAP client uses each user DN in the obtained user DN list and the user's password to bind with the LDAP server. If a binding succeeds, the user is a legal user. The LDAP authorization process is similar to the LDAP
- Page 20: to the device. Terminal users can access through a console port. NOTE: The device also provides authentication modules (such as 802.1X) for implementation of user authentication management policies. If you configure these authentication modules, the ISP domains for users of the access types depend
- Page 21: whether a command entered by a login user is permitted, and allows login users to execute only authorized commands. For more information about command authorization, see Fundamentals Configuration Guide. • Command accounting-When command authorization is disabled, command accounting enables
- Page 22: about command accounting, see Fundamentals Configuration Guide. • User role authentication-Authenticates each user who wants to obtain a temporary user role without logging out or getting disconnected. For more information about temporary user role authorization, see Fundamentals Configuration Guide
- Page 23: used standard RADIUS attributes No. Attribute 1 User-Name 2 User-Password 3 CHAP-Password 4 NAS-IP-Address 5 NAS-Port 6 Service-Type 7 Framed-Protocol 8 Framed-IP-Address 11 Filter-ID 12 Framed-MTU 14 Login-IP-Host 15 Login-Service 18 Reply-Message 26 Vendor-Specific 27
- Page 24: : • 1-Start. • 2-Stop. • 3-Interim-Update. • 4-Reset-Charge. • 7-Accounting-On. ( NAS-Port-Type Type of the physical port of the NAS that is authenticating the user. Possible values include: • 15-Ethernet. Port-Id String for describing the port of the NAS that is authenticating the user. HP
- Page 25: attribute Description 20 Command Operation for the start, stop, and interim update types, the Control_Identifier attribute does not user passes security authentication. 201 Input-Interval-Octets Number of bytes input within a real-time accounting interval. 202 Output-Interval-Octets Number
- Page 26: AAA methods need to reference the configured RADIUS, HWTACACS, and LDAP schemes. Figure 10 AAA configuration procedure Local AAA Configure local users and related attributes Configure AAA methods for different types of users or/and the default methods for all types of users No AAA Create an
- Page 27: network services, but a user in blocked state cannot. • User group. Each local user belongs to a local user group and bears all attributes of the group, such as the password control attributes and authorization attributes. For more information about local user group, see "Configuring user group
- Page 28: the commands available for the public key authenticated SSH users. For more information about the authentication mode and user roles for user interfaces, see Fundamentals Configuration Guide. • You can configure authorization attributes and password control attributes in local user view or user
- Page 29: request network services. 6. (Optional.) Configure binding attributes for the local user. bind-attribute { ip ip-address | location port slot-number subslot-number port-number | mac mac-address | vlan vlan-id } * By default, no binding attribute is configured for a local user. Binding attribute
- Page 30: Configure the password composition policy: password-control composition type-number type-number [ type-length type-length ] Optional. By default, the local user uses password control attributes of the user group to which the local user belongs. Only device management users support the password
- Page 31: type-number type-number type. For more information about [ type-length type-length ] password control commands, see Security Command Reference. Displaying and maintaining local users and local user groups Execute display commands in any view. Task Display the local user configuration and
- Page 32: , no RADIUS scheme is defined. • If the switch uses the default configuration file, a system-defined RADIUS scheme named system exists. For more information about the initial settings and configuration file, see Fundamentals Configuration Guide. Specifying the RADIUS authentication servers A RADIUS
- Page 33: Configure at least one command. [ port-number | key { cipher | By default, support accounting for FTP users. To specify RADIUS accounting servers and the relevant parameters for a RADIUS scheme: Step 1. Enter system view. 2. Enter RADIUS scheme view. 3. Specify RADIUS accounting servers. Command
- Page 34: Command retry realtime-accounting retry-times Remarks The default setting is 5. Specifying the shared keys for secure RADIUS communication The RADIUS client and server use the MD5 algorithm and shared keys to generate the Authenticator value for packet authentication and user password configured
- Page 35: default, traffic is counted in bytes and packets. The command does not apply to 802.1X and MAC users, for whom the switch does not support traffic accounting. Setting the maximum number secondary server in active state (a secondary server configured earlier has a higher priority). If the secondary
- Page 36: manually which this server is specified. By default, the device sets the status port-number | configuration file, and can vpn-instance vpn-instance-name ] * ] only be viewed by using the { active | block } display radius scheme • Set the status of a secondary RADIUS accounting server: command
- Page 37: configured with VRRP for stateful failover, the source IP address of outgoing RADIUS packets can be the virtual IP address of the uplink ipv6-address } Remarks N/A N/A By default, the source IP address specified by the radius nas-ip command in the system view is used. If users. To implement 28
- Page 38: , the device must periodically send real-time accounting packets to the accounting server for online users. When you set RADIUS timers, follow these guidelines: • When you configure the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, consider the
- Page 39: ] By default, no security policy server is specified for a scheme. You can specify up to eight security policy servers for a RADIUS scheme. Displaying and maintaining RADIUS Execute display commands in any view and reset commands in user view. Task Display the RADIUS scheme configuration. Display
- Page 40: authentication server: primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * Configure at least one command. By default, no authentication server is specified. • Specify a secondary HWTACACS Two HWTACACS
- Page 41: [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * N/A Configure at least one command. By default, no support accounting for FTP users. To specify HWTACACS accounting servers for an HWTACACS scheme: Step 1. Enter system view. 2. Enter HWTACACS scheme view. Command
- Page 42: HWTACACS accounting server: secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * Remarks Configure at least one command. By default, no accounting server is specified. Two HWTACACS accounting servers in
- Page 43: configure the device to remove the domain name from each username to be sent. If you want two or more ISP domains to reference the same HWTACACS scheme, configure default, traffic is counted in bytes and packets. The command does not apply to 802.1X and MAC users, for whom the switch does not support
- Page 44: Remarks N/A N/A By default, the device uses the IP address specified by the hwtacacs nas-ip command in system view as accounting updates to the HWTACACS accounting server for online users. To secondary server in active state (a secondary server configured earlier has a higher priority). If the
- Page 45: the server quiet timer. timer quiet minutes By default, the server quiet timer is 5 minutes. Displaying and maintaining HWTACACS Execute the display command in any view and the reset command in user view. Purpose Display the configuration or server statistics of HWTACACS schemes. Clear HWTACACS
- Page 46: Configuring administrator attributes • (Required.) Configuring LDAP user Configure the IP address of the LDAP server. Command Remarks System-view N/A ldap server server-name N/A { ip ip-address | ipv6 ipv6-address } [ port port-number ] [ vpn-instance vpn-instance-name ] By default
- Page 47: Command 3. Specify the LDAP version. protocol-version { v2 | v3 } Remarks By default, LDAPv3 is used. A Microsoft LDAP server supports only login-password { cipher | simple } By default, no administrator password password is specified. Configuring LDAP user attributes To authenticate a user,
- Page 48: and the default user object class on the LDAP server is used. Creating an LDAP scheme You can configure up to 16 LDAP schemes. An LDAP scheme can be referenced by multiple ISP domains. To create an LDAP scheme: Step 1. Enter system view. 2. Create an LDAP scheme and enter its view. Command system
- Page 49: attributes, such as different username and password structures, different service types, and different rights. To manage users of different ISPs, configure ISP domains, and configure AAA methods and domain attributes for each ISP domain as needed. The device supports up to 16 ISP domains, including
- Page 50: Enter ISP domain view. Command system-view domain isp-name 3. Place the ISP domain in active or blocked state. state { active | block } Remarks N/A N/A By default, an ISP domain is in active state, and users in the domain can request network services. Configuring authentication methods for an
- Page 51: . The default authorization method applies to all access users, but it has a lower priority than the authorization method that is specified for an access type or service type. Configuration guidelines When configuring authorization methods, follow these guidelines: • The device does not support LDAP
- Page 52: use FTP services do not support accounting. • Local accounting does not provide statistics for charging. It only counts and controls the number of concurrent users who use the same local user account. The threshold is configured by using the access-limit enable command. Configuration procedure To
- Page 53: -scheme-name By default, the default accounting method is used for command accounting. accounting lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] } By default, the default accounting method is used for LAN users. The none keyword is not supported in FIPS
- Page 54: Configure the switch to assign the default user role network-operator to SSH users after they pass authentication. Figure 11 Network diagram Configuration procedure 1. Configure switch to expert, add an account for the SSH user, and specify the password. (Details not shown.) 2. Configure the switch:
- Page 55: gets the default user role network-operator after passing authentication. [Switch] role default-role enable Verifying the configuration When the user initiates an SSH connection to the switch and enters the correct username and password, the user successfully logs in and can use the commands for the
- Page 56: SSH service. [Switch] ssh server enable # Enable scheme authentication for user interfaces VTY 0 through VTY 15. [Switch] user-interface vty 0 15 [Switch-ui-vty0-15] authentication-mode scheme [Switch-ui-vty0-15] quit # Configure an HWTACACS scheme. [Switch] hwtacacs scheme hwtac [Switch-hwtacacs
- Page 57: -operator after passing authentication. [Switch] role default-role enable Verifying the configuration When the user initiates an SSH connection to the switch and enters the username hello@bbb and the correct password, the user successfully logs in and can use the commands for the network-operator
- Page 58: nas-ip command { IP address of the outbound interface (the default) Figure 14 Adding the switch as an access device # Add an account for device management. Click the User tab, and select Access User View > Device Mgmt User from the navigation tree. Then, click Add to configure a device management
- Page 59: dsa # Enable the SSH service. [Switch] ssh server enable # Enable scheme authentication for user interfaces VTY 0 through VTY 15. [Switch] user-interface vty 0 15 [Switch-ui-vty0-15] authentication-mode scheme [Switch-ui-vty0-15] quit # Enable the default-user-role authorization function, so that
- Page 60: ldap.com. Configure the switch to authenticate SSH users by using the LDAP server, and to assign the default user role network-operator to SSH users who pass authentication. On the LDAP server, set the administrator password to admin!123456, add user aaa, and set the user's password to ldap!123456
- Page 61: . b. From the navigation tree, click Users under the ldap.com node. c. Select Action > New > User from the menu to display the dialog box for adding a user. d. Enter the login name aaa and click Next. Figure 17 Adding user aaa d. In the dialog box, enter the password ldap!123456, select options as
- Page 62: Figure 18 Setting the user's password e. Click OK. # Add user aaa to group Users. f. From the navigation tree, click Users under the ldap.com node. g. On the right pane, right-click aaa and select Properties. h. In the dialog box, click the Member Of tab and click Add.
- Page 63: group Users. Figure 20 Adding user aaa to group Users # Set the administrator password to admin!123456. a. From the user list on the right pane, right-click Administrator and select Set Password. b. In the dialog box, enter the administrator password. (Details not shown.) 2. Configure the switch:
- Page 64: [Switch] user-interface vty 0 15 [Switch-ui-vty0-15] authentication-mode scheme [Switch-ui-vty0-15] quit # Enable the default-user-role authorization function, so that an SSH user gets the default user role network-operator after passing authentication. [Switch] role default-role enable # Configure
- Page 65: Verifying the configuration When the user initiates an SSH connection to the switch and enters the username aaa@bbb and password ldap!123456, the user successfully logs in and can use the commands for the network-operator user role. Troubleshooting RADIUS RADIUS authentication failure Symptom User
- Page 66: the services are provided by different servers. Solution Check that: • The accounting port number is correctly configured. • The accounting server IP address is correctly configured on the NAS. Troubleshooting HWTACACS Similar to RADIUS troubleshooting. See "Troubleshooting RADIUS." Troubleshooting
- Page 67: The IP address and port number of the LDAP server configured on the NAS match those of the server. • The username is in the correct format and the ISP domain for the user authentication is correctly configured on the NAS. • The user is configured on the LDAP server. • The correct password is entered
- Page 68: Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports -A user terminal seeking access to the LAN. It must have 802.1X software to • Authentication server-Provides authentication services for the network access device
- Page 69: unauthorized state, a controlled port controls traffic in one of the following ways: • Performs bidirectional traffic control to deny traffic to and from the client. • Performs unidirectional traffic control to deny traffic from the client. The HP devices support only unidirectional traffic control
- Page 70: 4 Length 6 Packet body N • PAE Ethernet type-Protocol type. It takes the value 0x888E for EAPOL. • Protocol version-The EAPOL protocol version used by the EAPOL packet sender. • Type-Type of the EAPOL packet. Figure 25 lists the types of EAPOL packets supported by HP implementation of 802.1X
- Page 71: contains an EAP packet. EAP over RADIUS RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For the RADIUS packet format, see "Configuring AAA." EAP-Message RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 26. The
- Page 72: supports the following modes: • Multicast trigger mode-The access device multicasts Identity EAP-Request packets periodically (every 30 seconds by default) to initiate 802.1X authentication. • Unicast trigger mode-Upon receiving a frame the dot1x authentication-method eap command to enable EAP relay.
- Page 73: Supports various EAP authentication methods. • The configuration and processing is simple on the network access device. Works with any RADIUS server that supports client. • Supports only MD5-Challenge EAP authentication and the "username + password" EAP authentication initiated by an HP iNode 802.1X
- Page 74: (11) EAP-Request/Identity (12) EAP-Response/Identity ... (13) EAPOL-Logoff Port unauthorized (14) EAP-Failure 1. When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. 2. The
- Page 75: . 12. Upon receiving a handshake request, the client returns a response. If the client fails to return a response after a certain number of consecutive handshake attempts (two by default), the network access device logs off the client. This handshake mechanism enables timely release of the network
- Page 76: .1X authentication procedure in EAP termination mode In EAP termination mode, the network access device rather than the authentication server generates an MD5 challenge for password encryption. The network access device then sends the MD5 challenge together with the username and encrypted
- Page 77: authentication methods for different users on a port. It is described in "Configuring port security." HP implementation of 802.1X HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control. • Port-based access control-Once
- Page 78: . 3. Enter Ethernet interface view. 4. Enable 802.1X on a port. Command system-view dot1x interface interface-type interface-number dot1x Remarks N/A By default, 802.1X is disabled globally. N/A By default, 802.1X is disabled on a port. Enabling EAP relay or EAP termination When configuring EAP
- Page 79: Ethernet interface view. 3. Specify an access control method. Command system-view interface interface-type interface-number dot1x port-method { macbased | portbased } Remarks N/A N/A By default, MAC-based access control applies. Setting the maximum number of concurrent 802.1X users on a port
- Page 80: 2. Enter Ethernet interface view. 3. Set the maximum number of concurrent 802.1X users on a port. Command system-view interface interface-type interface-number dot1x max-user user-number [ interface interface-list ] Remarks N/A N/A The default maximum number of concurrent 802.1X users on a port is
- Page 81: configure the online user handshake function: Step Command 1. Enter system view. system-view 2. (Optional.) Set the handshake dot1x timer handshake-period timer. handshake-period-value 3. Enter Ethernet interface view. interface interface-type interface-number port to a data frame from an
- Page 82: procedure To configure the authentication trigger function on a port: Step 1. Enter system view. 2. (Optional.) Set the username request timeout timer. 3. Enter Ethernet interface view. Command system-view dot1x timer tx-period tx-period-value interface interface-type interface-number 4. Enable
- Page 83: timer. 3. Enter Ethernet interface view. 4. Enable periodic online user re-authentication. Command system-view dot1x timer reauth-period reauth-period-value interface interface-type interface-number dot1x re-authenticate Remarks N/A The default is 3600 seconds. N/A By default, the function is
- Page 84: or configuration information of specified or all ports. Clear 802.1X statistics. Command display dot1x [ sessions | statistics ] [ interface interface-type interface-number ] reset dot1x statistics [ interface interface-type interface-number ] Remarks Available in any view. Available in user view
- Page 85: this example, see Security Command Reference. 3. Assign an IP address for each interface on the access device. (Details not shown.) 4. Configure user accounts for the 802.1X users on the access device: # Add a local network access user with the username localuser, and password localpass in plaintext
- Page 86: GigabitEthernet1/1/5] dot1x mandatory-domain aabbcc.net Verifying the configuration Use the display dot1x interface ten-gigabitethernet 1/1/5 command to verify the 802.1X configuration. After an 802.1X user gets online by entering the correct username and password, you can use the display dot1x sessions
- Page 87: Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when
- Page 88: .) Configuring the user account format (Optional.) Configuring MAC authentication timers (Optional.) Set the maximum number of concurrent MAC authentication users on the port Enabling MAC authentication You cannot enable MAC authentication on a port already in a link aggregation group or a service
- Page 89: interface-type interface-number b. mac-authentication domain domain-name Remarks N/A Use either method. By default, the system default authentication domain is used for MAC authentication users. Configuring the user account format To configure the MAC authentication user account format: Step
- Page 90: format fixed [ account name ] [ password { cipher | simple } password ] Remarks Use either method. By default, the device uses the MAC address of a user as the username and password for MAC authentication. The MAC address is in lower case without hyphens. Configuring MAC authentication timers MAC
- Page 91: mac-authentication max-user users on the port user-number Remarks N/A N/A By default, the maximum number of concurrent MAC authentication users is 256. Displaying and maintaining MAC authentication Execute display commands in any view and reset commands in user view. Task Display
mac Fixed password: Not configured Offline detect period is 180s Quiet period is 180s Server response timeout value is 100s Max number of users is 1024 per slot Current number of online users is 1 Current authentication domain is aabbcc Silent MAC user info: MAC Addr VLAN ID From Port Port Index - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 93
the device to detect whether a user has gone offline every 180 seconds, and if a user fails authentication, deny the user for 180 seconds. • Configure all users to belong to the ISP domain 2000. • Use a shared user account for all users, with the username aaa and password 123456. Figure 34 Network - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 94
is 2000 Silent MAC user info: MAC Addr VLAN ID From Port Port Index Ten-GigabitEthernet1/1/5 is link-up MAC authentication is enabled Max number of online users is 256 Current number of online users is 1 Current authentication domain: Not configured Authentication attempts: successful 1, failed - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 95
MAC Addr Auth state 00e0-fc12-3456 authenticated 86 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 96
action on each detected illegal frame. The action can be disabling the port temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for three minutes (not user configurable). Port security modes Port security supports the following categories of security - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 97
NTK or intrusion protection action. By default, outgoing frames of a port are not restricted by port security. Only when they trigger the NTK feature, are they restricted by the predefined NTK action. The maximum number of users a port supports equals the maximum number of secure MAC addresses that - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 98
-address static and mac-address dynamic commands. For more information about configuring MAC address table entries, see Layer 2-LAN Switching Configuration Guide. A port in secure mode allows only frames sourced from secure MAC addresses and MAC addresses configured by using the mac-address dynamic - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 99
mode except that this mode supports multiple 802.1X and MAC authentication users as the keyword Ext implies. Configuration task list Tasks at a glance Remarks (Required.) Enabling port security N/A (Optional.) Setting port security's limit on the number of secure MAC addresses on - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 100
MAC address table configuration in Layer 2-LAN Switching Configuration Guide. To set the maximum number of secure MAC addresses allowed on a port: Step 1. Enter system view. 2. Enter interface view. 3. Set the maximum number of secure MAC addresses allowed on a port. Command system-view interface - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 101
undo port-security port-mode command to restore the default port security mode. Configuring port security features Configuring NTK The NTK feature checks the destination MAC addresses in outbound frames to make sure frames are forwarded only to authenticated devices. The NTK feature supports the - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 102
system view. 2. Enter interface view. 3. Configure the NTK feature. Command system-view interface interface-type interface-number port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } Remarks N/A N/A By default, NTK is disabled on a port and all frames are allowed to be sent - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 103
MAC addresses. The port allows only frames sourced from a secure MAC address or a MAC address configured by using the mac-address dynamic or mac-address static command to pass through. Configuration prerequisites • Enable port security. • Set port security's limit on the number of MAC addresses - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 104
interface-number port-security authorization ignore Remarks N/A N/A By default, a port uses the authorization information received from the authentication server. Displaying and maintaining port security Execute display commands in any view: Task Command Display the port security configuration - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 105
See Figure 35. Configure port Ten-GigabitEthernet 1/1/5 on the device, as follows: • Accept up to 64 users on the port without authentication. • Permit the port to learn and add MAC addresses as sticky MAC addresses, and set the secure MAC aging timer to 30 minutes. • After the number of secure MAC - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 106
seconds. After the configuration takes effect, the port allows for MAC address learning, and you can view the number of learned MAC addresses in the Current number of secure MAC addresses field. To view more information about the learned MAC addresses, use the display this command in interface view - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 107
802.1X user and a user that uses one of the specified OUI values to be authenticated. Figure 36 Network diagram Configuration procedure The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference. Make sure - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 108
dot1x authentication-method chap 3. Configure port security: # Enable port security. [Device] port-security enable # Add five OUI values. (You can add up to 16 OUI values. The port permits only one user matching one of the OUIs to pass authentication.) [Device] port-security oui index 1 mac-address - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 109
of secure MAC addresses: Not configured Current number of secure MAC addresses: 1 Authorization is permitted After an 802.1X user goes online, you can see that the number of secure MAC addresses saved by the port is 1. You can use the display dot1x command to display information about online 802 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 110
fixed username and password for MAC authentication of all users. • Set the total number of MAC authenticated users and 802.1X authenticated users to 64. • Enable NTK (ntkonly mode) to prevent frames from being sent to unknown MAC addresses. Figure 37 Network diagram Configuration procedure Make sure - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 111
aaa Fixed password: ****** Offline detect period is 60s Quiet period is 5s Server response timeout value is 100s Max number of users is 1024 per slot Current number of online users is 3 Current authentication domain is sun Silent MAC user info: MAC Addr From Port Port Index Ten-GigabitEthernet1 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 112
request 2 Max number of 802.1X users is 1024 per slot Current number of online 802.1X users is 1 Ten- port is an authenticator Authentication mode is Auto Port access control type is MAC-based 802.1X multicast-trigger is enabled Mandatory authentication domain: Not configured Max online users - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 113
Troubleshooting port security Cannot set the port security mode Symptom Cannot set the port security mode for a port. Analysis For a port operating in a port security mode other than noRestriction, you cannot change the port security mode directly by using the port-security port-mode command. - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 114
about local users, see "Configuring AAA." • To switch from one user role to another, a user must enter a password for authentication. This password is called a super password. For more information about super passwords, see Fundamentals Configuration Guide. Password setting Minimum password length - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 115
number cannot be repeated three or more times consecutively. For example, password a111 is not complex enough. Password updating and expiration Password updating This function allows you to set the minimum interval at which users can change their passwords. If a user logs in to change the password - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 116
through console ports to the password control blacklist. If a user fails to provide the correct password after the specified number of consecutive attempts, the system takes one of the following actions: • Blocks the user's login attempts until the user is manually removed from the password control - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 117
user adding events to the password control blacklist. FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. Password control configuration - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 118
policy. 6. Configure the password complexity checking policy. Command system-view Remarks N/A password-control aging aging-time The default setting is 90 days. password-control update interval interval password-control length length password-control composition type-number type-number [ type - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 119
password length for the user group. password-control length length By default, the minimum password length of the user group is the same as the global minimum password length. 5. Configure the password composition policy for the user group. password-control composition type-number type-number - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 120
the local user belongs. If no minimum password length is configured for the user group, the global setting applies to the local user. 5. Configure the password composition policy for the local user. password-control composition type-number type-number [ type-length type-length ] By default, the - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 121
Execute display commands in any view and reset commands in user view. Task Display password control configuration. Display information about users in the password control blacklist. Delete users from the password control blacklist. Clear history password records. Command display password-control - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 122
-control super composition type-number 4 type-length 5 # Configure a super password used for switching to user role network-operator as 123456789ABGFTweuix@#$%! in plain text. [Sysname] super password role network-operator simple 123456789ABGFTweuix@#$%! Updating user information. Please wait - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 123
-manage-test] password Password: Confirm : Updating user information. Please wait ... ... [Sysname-luser-manage-test] quit Verifying the configuration # Display the global password control configuration. display password-control Global password control configurations: Password control - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 124
key algorithm still depends on key size as with any symmetric key algorithm. FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. 115 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 125
512 to 2048 bits. pair. 1024 by default. N/A At least 768 bits. The command only creates one host key pair. 2048 bits. N/A The command only creates one host key pair. 192 bits. N/A NOTE: Only SSH 1.5 uses the RSA server key pair. Configuration procedure To create a local key pair: Step - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 126
local key pairs. Command public-key local create { dsa | ecdsa | rsa } [ name key-name ] Remarks By default, no local key pair the peer device.) • Displaying a host public key (Use this method if you must manually enter the key on the peer device.) Exporting a host public key in a specific format - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 127
view: Task Display local RSA public keys. Display local DSA public keys. Command display public-key local rsa public [ name key-name ] display public-key key-name ] NOTE: Do not distribute the RSA server public key serverkey (default) to a peer device. Destroying a local key pair To avoid key - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 128
you configure no more than 20 peer public keys on the device. Importing a peer host public key from a public key file Step 1. Enter system view. 2. Import a peer host public key from a public key file. Command system-view public-key peer keyname import sshkey filename Remarks N/A By default, no - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 129
RSA to authenticate Device A. • Manually specify the host public key of Device A on Device B. Figure 39 Network diagram Device A Device B Configuration procedure 1. Configure Device A: # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 130
hostkey (default) Key Configure Device B: # Enter the host public key of Device A in public key view. The key must be literally the same as displayed on Device A. system-view [DeviceB] public-key peer devicea Enter public key view. Return to system view with "peer-public-key end" command - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 131
key of Device A from the public key file to Device B. Figure 40 Network diagram Configuration procedure 1. Configure Device A: # Create local RSA key pairs with default names on Device A, and use the default modulus length 1024 bits. system-view [DeviceA] public-key local create rsa The - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 132
-key local rsa public Key name: hostkey (default) Key type: RSA Time when key pair user with the username ftp and password 123, and configure the FTP user role as network-admin. [DeviceA] ftp server enable [DeviceA] local-user ftp [DeviceA-luser-ftp] password simple 123 [DeviceA-luser-ftp] service - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 133
kbyte/s) ftp> quit 221-Goodbye. You uploaded 0 and downloaded 1 kbytes. 221 Logout. # Import the host public key from the key file devicea.pub. system-view [DeviceB] public-key peer devicea import sshkey devicea.pub Verifying the configuration # Verify that the host public key is the same - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 134
referred to supports the following SSH applications: • Secure Telnet-Stelnet provides secure and reliable network terminal access services. Through Stelnet, a user can securely log in to a remote server. Stelnet can protect devices against attacks, such as IP spoofing and plain text password - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 135
commands. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server. SSH authentication methods When the device acts as an SSH server, it supports the following authentication methods: • Password - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 136
requires clients to pass either password authentication or publickey authentication. FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 137
key pairs on the SSH server. Configuration guidelines • SSH supports locally generated DSA and RSA key pairs with default names rather than with specified names. For more information about the commands that are used to generate keys, see Security Command Reference. • The public-key local create rsa - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 138
user interface view. user-interface vty number [ ending-number ] 3. Set the login authentication mode to scheme. authentication-mode scheme Remarks N/A N/A By default, the authentication mode is password. For more information about this command, see Fundamentals Command Reference. Configuring - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 139
display ssh user-information command to display all SSH users, including the password-only SSH users, for centralized management. If such an SSH user has been created, make sure you have specified the correct service type and authentication method. Configuration guidelines When you configure an SSH - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 140
server, the device does not support the authentication method of any or publickey. For information about configuring local users and remote authentication, see "Configuring AAA." Configuration procedure To configure an SSH user, and specify the service type and authentication method: Step 1. Enter - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 141
[ ipv6 ] acl-number 8. Configure the SFTP connection idle timeout period. sftp server idle-timeout time-out-value 9. Specify the maximum number of concurrent online SSH aaa session-limit ssh max-sessions users. Remarks N/A By default, the SSH server supports SSH1 clients. This command is not - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 142
Stelnet clients in the authentication service, HP recommends that you specify a type interface-number | ipv6 ipv6-address } N/A Use either command. By default, an supports the first authentication by default. When the device accesses an Stelnet server for the first time but it is not configured - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 143
to an Stelnet server. Command • Establish a connection to an IPv4 Stelnet server: { In non-FIPS mode: ssh2 server [ port-number ] [ vpn-instance keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * Remarks Use one of the commands. Available in user view. 134 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 144
SFTP client SFTP client configuration task list Tasks at the manageability of SFTP clients in the authentication service, HP recommends that you specify a loopback interface as address | interface interface-type interface-number } Remarks N/A Use either command. By default, an SFTP client uses the - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 145
can simplify the configuration on the SFTP client, but it is not reliable. To establish a connection to an SFTP server: Task Establish a connection to an SFTP server. Command • Establish a connection to an IPv4 SFTP server: { In non-FIPS mode: sftp server [ port-number ] [ vpn-instance vpn - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 146
SFTP server. Download a file from the remote server and save it locally. Upload a local file to the SFTP server. Command rename old- command functions as the ls command. Available in SFTP client view. The delete command functions as the remove command. Displaying help information This configuration - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 147
of the server to authenticate the server. When acting as an SCP client, the device supports the first authentication by default. When the device accesses an SCP server for the first time but it is not configured with the host public key of the SCP server, it can access the server and locally - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 148
interface-type interface-number | ipv6 ipv6-address } ] * Remarks Use one of the commands. Available in user view. Displaying and maintaining SSH Execute display commands in any view. Task Command Display the source IP address or source interface information configured for the SFTP client - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 149
client that runs on the host and are assigned the user role network-admin for configuration management. The switch acts as the Stelnet server and uses password authentication. The username and password of the client are saved on the switch. Figure 41 Network diagram Stelnet client 192.168.1.56/24 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 150
. (Optional. If an SSH user is not created, password authentication is used by default.) [Switch] ssh user client001 service-type stelnet authentication-type password 2. Establish a connection to the Stelnet server: There are different types of Stelnet client software, such as PuTTY, and OpenSSH - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 151
Network requirements As shown in Figure 43, you can log in to the switch through the Stelnet client (SSH2) that runs on the host and are assigned the user role network-admin for configuration management. The switch acts as the Stelnet server and uses publickey authentication and the RSA public - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 152
, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server. There are different types of Stelnet client software, such as PuTTY, and OpenSSH. This example uses an Stelnet client that runs PuTTY version - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 153
Figure 45 Generating process c. After the key pair is generated, click Save public key, enter a file name (key.pub in this example), and click Save. Figure 46 Saving a key pair on the client 144 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 154
file key.pub and name it switchkey. [Switch] public-key peer switchkey import sshkey key.pub # Create an SSH user client002 with the authentication method publickey, and assign the public key switchkey to the user. [Switch] ssh user client002 service-type stelnet authentication-type publickey assign - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 155
local device management user client002 with the service type ssh and the user role network-admin. [Switch] local-user client002 class manage [Switch-luser-manage-client002] service-type ssh [Switch-luser-manage-client002] authorization-attribute user-role network-admin [Switch-luser-manage-client002 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 156
Figure 48 Specifying the SSH version e. Select Connection > SSH > Auth from the navigation tree. f. Click Browse... to bring up the file selection window, navigate to the private key file (private.ppk in this example) and click OK. The window shown in Figure 49 appears. 147 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 157
runs on Switch A and are assigned the user role network-admin for configuration management. Switch B acts as the Stelnet server and uses password authentication. The username and password of the client are saved on Switch B. Figure 50 Network diagram Configuration procedure 1. Configure the Stelnet - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 158
quit # Create an SSH user client001 with the service type stelnet and the authentication method password. (Optional. If an SSH user is not created, password authentication is used by default.) [SwitchB] ssh user client001 service-type stelnet authentication-type password 2. Establish a connection to - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 159
key of the server is saved locally, you can successfully log in to Switch B next time after entering the correct password. { If you configure the host public key of the server on the client, perform the following configurations: # In public key view, enter the host public key of server. To display - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 160
enter the correct password, you successfully log in to Switch B. Publickey authentication enabled Stelnet client configuration example Network requirements As shown in Figure 51, you can log in to Switch B through the Stelnet client that runs on Switch A and are assigned the user role network-admin - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 161
through FTP or TFTP. (Details not shown.) 2. Configure the Stelnet server: # Generate the RSA key Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys Create the key pair successfully authentication mode for the user interfaces to AAA. [SwitchB] user-interface vty 0 15 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 162
public key, because the client supports the first authentication by default. SFTP configuration examples This section provides examples of configuring SFTP on switches. Unless otherwise noted, devices in the configuration examples are in non-FIPS mode. Password authentication enabled SFTP server - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 163
. If the SSH user is not created, password authentication is used by default.) [Switch] ssh user client002 service-type sftp authentication-type password 2. Establish a connection between the SFTP client and the SFTP server: The device supports different types of SFTP client software. This example - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 164
the following command: open 192.168.1.45 b. Enter username client002 and password aabbcc as prompted to log in to the SFTP server. Figure 53 SFTP client interface Publickey authentication enabled SFTP client configuration example Network requirements As shown in Figure 54, you can log in to Switch - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 165
Page 166: ... take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys... Create the key pair successfully. (1024 bits is only the default; choose a longer modulus where the peer supports it, because 1024-bit RSA is no longer considered adequate.) # Export the host public key to the server through FTP or TFTP. (Details not shown.) 2. Configure the SFTP server: # Generate the RSA key pairs. system-view ...
Page 167: ... user client001 with the service type sftp, authentication method publickey, and public key switchkey. [SwitchB] ssh user client001 service ... sftp 192.168.0.1 identity-key rsa Username: client001 Connecting to 192.168.0.1 port 22. The server is not authenticated. Continue? [Y/N]:y Do you want to ... (Answering Y accepts an unverified host key; compare the server's key fingerprint out of band before accepting, otherwise a man-in-the-middle can impersonate the server.)
Page 168: ... the configuration example are in non-FIPS mode. Network requirements: As shown in Figure 55, Switch A acts as the SCP client and Switch B acts as the SCP server. After login, the user is assigned the user role network-admin and can securely transfer files with Switch B. Switch B uses the password ...
Page 169: ... -Vlan-interface2] quit # Create a local device management user named client001 with the plaintext password aabbcc, the service type ssh, and the user role network-admin. [SwitchB] local-user client001 class manage [SwitchB-luser-manage-client001] password simple aabbcc [SwitchB-luser-manage-client001 ...
Page 170: ... -client001] quit # Configure the SSH user client001 with service type scp and authentication method password. (Optional. If an SSH user is not created, password authentication is used by default.) [SwitchB] ssh user client001 service-type scp authentication-type password 2. Configure an IP address ...
Page 171: ... source IP address and source MAC address. It supports these types of binding entries: • IP-interface ... LAN and their IP addresses are manually configured. For example, you can configure a static binding entry on an ... ARP detection feature to check user validity. IP source guard uses static IPv6 binding ...
Page 172: ... can automatically obtain user information from other modules to generate IPv4 binding entries. On interfaces configured with the dynamic IPv4 source guard function, IP source guard cooperates with other modules to generate IPv4 binding entries dynamically: • On an Ethernet port, IP source guard ...
Page 173: Step 1. Enter system view: system-view. 2. Enter interface view: interface interface-type interface-number. 3. Configure a static IPv4 binding entry: ip source binding ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id ]. Remarks: N/A; N/A; these interface types are supported: Ethernet interface and VLAN interface. By default ...
Page 174: ... are supported: Ethernet port and VLAN interface. By default, the function is disabled on an interface. Configuring a static IPv6 source guard binding entry on an interface: Step 1. Enter system view: system-view. 2. Enter interface view: interface interface-type interface-number. Remarks ...
Page 175: ... -id option is supported only in Ethernet interface view. NOTE: You cannot configure the same static binding entry on one interface multiple times, but you can configure the same static binding entry on different interfaces. Displaying and maintaining IP source guard: Execute display commands in any ...
Page 176: ... B, only IP packets from Host A can pass. • On port Ten-GigabitEthernet 1/1/5 of Switch B, only IP packets from Host B can pass. Figure 57 Network diagram. Configuration procedure: 1. Configure Switch A: # Configure IP addresses for the interfaces. (Details not shown.) # Enable IPv4 source guard on ...
Page 177: ... binding entries on Switch B. The output shows that the static IPv4 source guard binding entries are configured successfully. ... recorded in a DHCP snooping entry. Enable dynamic IPv4 source guard on port Ten-GigabitEthernet 1/1/5 to filter received packets based on DHCP snooping entries, ...
Page 178: ... Layer 3-IP Services Configuration Guide. 2. Configure DHCP snooping on the switch: # Configure IP addresses for the interfaces. (Details not shown.) # Enable DHCP snooping. system-view [Switch] dhcp snooping enable # Configure Ten-GigabitEthernet 1/1/6 as a trusted port. [Switch] interface ...
Page 179: ... ip verify source ip-address mac-address [Switch-Vlan-interface100] quit 2. Configure the DHCP relay agent: # Enable the DHCP service. [Switch] dhcp enable # Enable recording of DHCP relay client entries. [Switch] dhcp relay client-information record # Configure VLAN-interface 100 to work in DHCP relay ...
Page 180: ... example. Network requirements: As shown in Figure 60, the host is connected to port Ten-GigabitEthernet 1/1/5 of the switch. Configure a static IPv6 source guard binding entry on Ten-GigabitEthernet 1/1/5 of the switch to allow only IPv6 packets from the host to pass. Figure 60 Network diagram
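The IP source guard pages above (static IPv4/IPv6 bindings on an interface, dynamic entries derived from DHCP snooping, the "same entry only once per interface" rule) describe a filter whose behaviour is easy to lose among the CLI tables. The following is an added example, written for this page rather than taken from the HP guide or the switch software: a small Python model of the binding filter. Port names, addresses and MACs are constructed sample data, and the simplifications (a binding without a MAC or VLAN matches any MAC/VLAN; a port with the feature off forwards everything) are mine.

```python
"""IP source guard binding filter, modelled on the feature described above.

Added example, not code from the HP guide.  Interface names, addresses and
MACs below are constructed sample data.  Simplifications: a binding whose
MAC or VLAN is unset matches any MAC/VLAN, and an interface on which source
guard is not enabled forwards everything.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Binding:
    ip: str                     # canonical IPv4 or IPv6 text
    mac: Optional[str] = None   # None: any MAC
    vlan: Optional[int] = None  # None: any VLAN


@dataclass(frozen=True)
class Packet:
    ingress: str
    src_ip: str
    src_mac: str
    vlan: int


def canon_ip(text: str) -> str:
    """Normalise so that 2001:DB8::1 and 2001:db8:0:0::1 compare equal."""
    return str(ipaddress.ip_address(text))


class SourceGuard:
    def __init__(self) -> None:
        # port -> True for 'ip verify source ip-address mac-address',
        #         False for 'ip verify source ip-address' (IP only)
        self.enabled: Dict[str, bool] = {}
        self.bindings: Dict[str, Set[Binding]] = {}

    def enable(self, port: str, check_mac: bool) -> None:
        self.enabled[port] = check_mac
        self.bindings.setdefault(port, set())

    def add_static(self, port, ip, mac=None, vlan=None) -> None:
        """Static entry ('ip source binding ...').  The guide says the same
        entry cannot be configured twice on one interface, so reject that."""
        entry = Binding(canon_ip(ip), mac.lower() if mac else None, vlan)
        table = self.bindings.setdefault(port, set())
        if entry in table:
            raise ValueError(f"{entry} already configured on {port}")
        table.add(entry)

    def learn_dynamic(self, port, ip, mac, vlan) -> None:
        """Dynamic entry, e.g. derived from a DHCP snooping record; filtering
        treats it exactly like a static entry."""
        self.bindings.setdefault(port, set()).add(
            Binding(canon_ip(ip), mac.lower(), vlan))

    def permit(self, pkt: Packet) -> bool:
        check_mac = self.enabled.get(pkt.ingress)
        if check_mac is None:
            return True                       # feature not enabled on this port
        src = canon_ip(pkt.src_ip)
        for b in self.bindings.get(pkt.ingress, ()):
            if b.ip != src:
                continue
            if check_mac and b.mac is not None and b.mac != pkt.src_mac.lower():
                continue
            if b.vlan is not None and b.vlan != pkt.vlan:
                continue
            return True
        return False                          # no matching binding: drop


def build_demo() -> SourceGuard:
    """Constructed topology: Host A static on XGE1/1/5, a DHCP client learned
    on XGE1/1/6, an IPv6 host static on XGE1/1/7, nothing on XGE1/1/8."""
    sg = SourceGuard()
    sg.enable("XGE1/1/5", check_mac=True)
    sg.add_static("XGE1/1/5", "192.168.0.1", "0001-0203-0405", vlan=10)
    sg.enable("XGE1/1/6", check_mac=True)
    sg.learn_dynamic("XGE1/1/6", "192.168.0.50", "0001-0203-0406", vlan=10)
    sg.enable("XGE1/1/7", check_mac=False)
    sg.add_static("XGE1/1/7", "2001:db8::1", vlan=20)
    return sg
```

The point to take from the model is that the filter is only as good as the bindings on the specific ingress port: a host whose DHCP lease was never recorded (DHCP snooping not enabled, or the port not covered) is simply dropped, and a spoofed IP or MAC that does not match any entry on that port never reaches the rest of the switch.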
Page 181: ... automatic scanning and fixed ARP (configured on gateways) • Configuring ARP gateway protection (configured on access devices) • Configuring ARP filtering (configured on access devices). Configuring unresolvable IP attack protection: If a device receives a large number of unresolvable IP packets from ...
Page 182: ... VLAN 20. Each area connects to the gateway (Device) through an access switch. A large number of ARP requests are detected in the office area and are considered the consequence of an unresolvable IP attack. To prevent such attacks, configure ARP source suppression and ARP black hole routing.
Page 183: ... sends a large number of ARP packets to an ARP detection-enabled device, the device CPU is overloaded because all ARP packets are redirected to the CPU for inspection. As a result, the device fails to provide other functions or even crashes. To solve this problem, you can configure ARP packet rate ...
Page 184: Step 1. Enter system view: system-view. 2. Enter Ethernet interface or aggregate interface view: interface interface-type interface-number. 3. Enable ARP packet rate limit and configure the rate limit: arp rate-limit [ pps ]. Remarks: N/A; N/A; by default, ARP packet rate limit is enabled and ...
Page 185: ... Figure 62, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway may crash and be unable to process requests from the clients. To solve this problem, configure source MAC-based ARP attack detection on the gateway.
Page 186: Figure 62 Network diagram (IP network; gateway Device running ARP attack protection; Server 0012-3f86-e94c; Host A, Host B, Host C, Host D). Configuration considerations: An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address. To prevent such attacks ...
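The two CPU-protection features described above, the per-interface ARP packet rate limit and source MAC-based ARP attack detection, are both counters with a threshold, and the interesting behaviour is what happens to the legitimate host (the server in Figure 62) that also sends many ARP packets. The following added example, written for this page and not taken from HP, models both. Timestamps, MACs, the threshold and the detection interval are constructed; only the behaviour is modelled (count per source MAC in an interval, act when the threshold is exceeded, exempt protected MACs), not the device's exact command set or timers.

```python
"""Two ARP flood defences modelled on the features described above: the
per-interface ARP packet rate limit ('arp rate-limit') and source MAC-based
ARP attack detection.  Added example, not HP code; timestamps, MACs and
thresholds are constructed.  Only the behaviour is modelled (count ARP
packets per source MAC within a detection interval, act once a threshold
is exceeded, exempt protected MACs); the real device's knobs and timers
are not reproduced exactly.
"""
from collections import defaultdict


class ArpRateLimiter:
    """Per interface, at most `pps` ARP packets per one-second window reach
    the CPU; the rest of that second's packets are dropped."""

    def __init__(self):
        self.limit = {}
        self.window = {}          # port -> (second, packets seen in it)

    def set_limit(self, port, pps):
        self.limit[port] = pps

    def accept(self, port, t):
        pps = self.limit.get(port)
        if pps is None:
            return True
        sec, n = self.window.get(port, (None, 0))
        if sec != int(t):
            sec, n = int(t), 0
        n += 1
        self.window[port] = (sec, n)
        return n <= pps


class SourceMacArpDetector:
    """Counts ARP packets per source MAC inside `interval` seconds.  In
    filter mode a MAC that exceeds `threshold` has its further ARP packets
    dropped until its interval expires; in monitor mode it is only reported.
    MACs in `exclude` (a busy server, say) are never treated as attackers."""

    def __init__(self, threshold, interval, mode="filter", exclude=()):
        if mode not in ("filter", "monitor"):
            raise ValueError(mode)
        self.threshold, self.interval, self.mode = threshold, interval, mode
        self.exclude = {m.lower() for m in exclude}
        self.counts = defaultdict(int)  # mac -> packets in current interval
        self.started = {}               # mac -> start time of that interval
        self.alarms = []                # (time, mac) when threshold crossed

    def observe(self, src_mac, t):
        """Return 'forward' or 'drop' for one ARP packet seen at time t."""
        mac = src_mac.lower()
        if mac in self.exclude:
            return "forward"
        start = self.started.get(mac)
        if start is None or t - start >= self.interval:
            self.started[mac], self.counts[mac] = t, 0
        self.counts[mac] += 1
        if self.counts[mac] == self.threshold + 1:
            self.alarms.append((t, mac))
        if self.counts[mac] > self.threshold and self.mode == "filter":
            return "drop"
        return "forward"


def flood_demo(mode="filter"):
    """Constructed scenario based on the figure above: Host B floods 60 ARP
    packets in one second, the server (excluded) sends 60 legitimately,
    Host A sends 3.  Returns the detector and per-MAC forward/drop counts."""
    det = SourceMacArpDetector(threshold=30, interval=5, mode=mode,
                               exclude=["0012-3f86-e94c"])
    counts = defaultdict(lambda: {"forward": 0, "drop": 0})
    for i in range(60):
        t = i / 60
        counts["000f-e2ab-0002"][det.observe("000f-e2ab-0002", t)] += 1  # Host B
        counts["0012-3f86-e94c"][det.observe("0012-3F86-E94C", t)] += 1  # server
    for i in range(3):
        counts["000f-e2ab-0001"][det.observe("000f-e2ab-0001", i)] += 1  # Host A
    return det, dict(counts)
```

Run `flood_demo()` in monitor mode first on a real deployment: the alarms list tells you which MACs would be filtered before you switch to filter mode, and a legitimately chatty host (the server here) must be excluded explicitly or it will be cut off along with the attacker.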
Page 187: Step 1. Enter system view: system-view. 2. Enable ARP packet source MAC address consistency check: arp valid-check enable. Remarks: N/A; by default, ARP packet source MAC address consistency check is disabled. Configuring ARP active acknowledgement: Configure this feature on gateway devices to prevent user spoofing ...
Page 188: ... Enter Ethernet interface view or aggregate interface view. 6. (Optional.) Configure the interface as a trusted interface excluded from ARP detection. Commands: system-view; vlan vlan-id; arp detection enable; quit; interface interface-type interface-number; arp detection trust. Remarks: N/A; N/A; by default ...
Page 189: ... { dst-mac | ip | src-mac } * 6. Enter Ethernet interface view or aggregate interface view: interface interface-type interface-number. 7. (Optional.) Configure the interface as a trusted interface excluded from ARP detection: arp detection trust. Remarks: by default, ARP detection is disabled; N/A; by ...
Page 190: ... validity check and ARP packet validity check configuration example. Network requirements: As shown in Figure 63, configure Switch B to perform ARP packet validity check and user validity check based on static IP source guard binding entries and DHCP snooping entries for connected hosts. Figure 63 ...
Page 191: ... received before the scan is terminated. • The arp fixup command is a one-time operation that converts existing dynamic ARP entries to static ones. • The device has a limit on the total number of static ARP entries, including the manually configured and the converted ones. As a result, some dynamic ARP ...
Page 192: ... configure ARP gateway protection: Step 1. Enter system view: system-view. 2. Enter Ethernet interface or aggregate interface view: interface interface-type interface-number. 3. Enable ARP gateway protection for a specified gateway: arp filter source ip-address. Remarks: N/A; N/A; by default ...
Page 193: ... launches gateway spoofing attacks against Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B. Configure Switch B to block such attacks. Figure 64 Network diagram. Configuration procedure: # Configure ARP gateway protection on Switch B. system-view [SwitchB ...
Page 194: ... Ethernet interface or aggregate interface view. 3. Enable ARP filtering and configure a permitted entry. Commands: system-view; interface interface-type interface-number; arp filter binding ip-address mac-address. Remarks: N/A; N/A; by default ... Configuration procedure: # Configure ARP filtering on Switch ...
Page 195: ... [SwitchB-Ten-GigabitEthernet1/1/6] arp filter binding 10.1.1.3 000f-e349-1234 After the configuration is complete, Ten-GigabitEthernet 1/1/5 permits ARP packets from Host A and discards other ARP packets. Ten-GigabitEthernet 1/1/6 permits ARP packets from Host B and discards other ARP packets.
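The ARP detection pages above (user validity check against IP source guard and DHCP snooping bindings, packet validity check with the dst-mac / ip / src-mac options, trusted ports), together with ARP gateway protection and ARP filtering, add up to a per-frame decision on an access switch. The following added example, written for this page and not HP code, puts those checks into one inspector so the interaction is visible, for instance that a host bound correctly on its port is still dropped when it claims the gateway's IP. Frames, addresses and port names are constructed; the order in which the checks run and my reading of the "ip" validity check (all-zero, all-one or multicast sender/target addresses are invalid) are assumptions, not text from this page.

```python
"""ARP inspection on an access switch, modelling the ARP detection user
validity check and packet validity check, ARP gateway protection and ARP
filtering described above.  Added example, not HP code; frames, addresses
and port names are constructed.  Check order and the meaning of the 'ip'
validity check are my reading of the feature, not text from this page.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Set, Tuple

REQUEST, REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    ingress: str
    vlan: int
    eth_src: str
    eth_dst: str
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def bad_ip(text: str) -> bool:
    a = ipaddress.ip_address(text)
    return a in (ipaddress.ip_address("0.0.0.0"),
                 ipaddress.ip_address("255.255.255.255")) or a.is_multicast


class ArpInspector:
    def __init__(self) -> None:
        self.detection_vlans: Set[int] = set()   # 'arp detection enable' (VLAN view)
        self.trusted: Set[str] = set()           # 'arp detection trust' ports
        self.validity_checks: Set[str] = set()   # subset of {'src-mac','dst-mac','ip'}
        self.bindings: Dict[str, Set[Tuple[str, str]]] = {}       # port -> {(ip, mac)}
        self.gateway_protect: Dict[str, Set[str]] = {}            # port -> gateway IPs
        self.filter_binding: Dict[str, Set[Tuple[str, str]]] = {} # port -> permitted (ip, mac)

    def inspect(self, f: ArpFrame) -> Tuple[str, str]:
        """Return ('permit' | 'discard', reason) for one ARP frame."""
        ip, mac = f.sender_ip, f.sender_mac.lower()
        # Port-level features apply whether or not the VLAN runs ARP detection.
        if ip in self.gateway_protect.get(f.ingress, ()):
            return "discard", "gateway-protection"   # host claiming the gateway's IP
        allowed = self.filter_binding.get(f.ingress)
        if allowed is not None and (ip, mac) not in allowed:
            return "discard", "arp-filter"
        if f.vlan not in self.detection_vlans or f.ingress in self.trusted:
            return "permit", "not-inspected"
        # ARP packet validity check
        if "src-mac" in self.validity_checks and mac != f.eth_src.lower():
            return "discard", "validity-src-mac"
        if ("dst-mac" in self.validity_checks and f.op == REPLY
                and f.target_mac.lower() != f.eth_dst.lower()):
            return "discard", "validity-dst-mac"
        if "ip" in self.validity_checks and (bad_ip(ip) or (f.op == REPLY and bad_ip(f.target_ip))):
            return "discard", "validity-ip"
        # User validity check: the sender must match a binding on the ingress port
        if (ip, mac) not in self.bindings.get(f.ingress, set()):
            return "discard", "user-validity"
        return "permit", "ok"


def build_switch_b() -> ArpInspector:
    """Constructed setup: detection on VLAN 10, uplink XGE1/1/1 trusted, Host A
    (10.1.1.2, 000f-e349-0001) bound on XGE1/1/5 with gateway 10.1.1.1 protected,
    Host B (10.1.1.3, 000f-e349-1234) on XGE1/1/6 with an ARP filtering entry."""
    sw = ArpInspector()
    sw.detection_vlans.add(10)
    sw.trusted.add("XGE1/1/1")
    sw.validity_checks |= {"src-mac", "dst-mac", "ip"}
    sw.bindings["XGE1/1/5"] = {("10.1.1.2", "000f-e349-0001")}
    sw.bindings["XGE1/1/6"] = {("10.1.1.3", "000f-e349-1234")}
    sw.gateway_protect["XGE1/1/5"] = {"10.1.1.1"}
    sw.filter_binding["XGE1/1/6"] = {("10.1.1.3", "000f-e349-1234")}
    return sw


# Constructed sample frames: Host A asking for the gateway, Host B answering Host A.
HOST_A_REQUEST = ArpFrame("XGE1/1/5", 10, "000f-e349-0001", "ffff-ffff-ffff", REQUEST,
                          "000f-e349-0001", "10.1.1.2", "0000-0000-0000", "10.1.1.1")
HOST_B_REPLY = ArpFrame("XGE1/1/6", 10, "000f-e349-1234", "000f-e349-0001", REPLY,
                        "000f-e349-1234", "10.1.1.3", "000f-e349-0001", "10.1.1.2")


def variant(f: ArpFrame, **changes) -> ArpFrame:
    """Copy a sample frame with some fields changed (for spoofing cases)."""
    return replace(f, **changes)
```

Note what the uplink's trusted status means: anything arriving on XGE1/1/1 bypasses both validity and user checks, so the trust list should contain only ports facing infrastructure you control.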
Page 196: Configuring uRPF. Unicast Reverse Path Forwarding (uRPF) protects a network against source address spoofing attacks, such as DoS and DDoS attacks. Att&#97;ckers send packets with a forged source address to access a system that uses IP-based authentication, in the name of authorized users ... service supports ...
Page 197: Figure 67 uRPF work flow. uRPF works in the following steps: 1. uRPF checks source address validity: discards packets with a source broadcast address; discards packets with an all-zero source address but a non-broadcast destination address. (A packet with source address 0.0.0.0 and destination ...
Page 198: ... step 9. 7. uRPF checks whether the check mode is loose: if yes, it proceeds to step 8; if not, uRPF checks whether the output interface of the default route matches the receiving interface of the packet: if yes, it proceeds to step 8; if not, to step 9. 8. The packet passes the check and is ...
Page 199: ... the routing table size might decrease by half. • If the number of routes exceeds half the routing table size of the switch, uRPF cannot be enabled; this avoids loss of routes and packets. • Global uRPF configuration takes effect on both IPv4 and IPv6 routes. To enable uRPF globally: Step ...
Page 200: ... any view. Task: Display uRPF configuration. Command: display ip urpf [ slot slot-number ]. Configuration example. Network requirements: As shown in Figure 69, a client (Switch A) directly connects to an ISP switch (Switch B). Enable strict uRPF check on Switch A and Switch B to prevent source address ...
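The uRPF work flow above (source address validity, FIB lookup for the source, strict versus loose mode, and the special handling of the default route in step 7) is best understood by running a few packets through it. The following added example, written for this page and not taken from HP, implements that decision procedure over a small longest-prefix-match FIB. The FIB, interface names and packets are constructed (an ISP switch with one customer prefix per VLAN interface and a default route toward the Internet); the `allow_default_route` knob is my name for "may the default route satisfy the check", not a command from this page.

```python
"""uRPF check modelled on the work flow described above: source address
validity, FIB lookup for the source, strict vs. loose mode, and default-route
handling.  Added example, not HP code.  The FIB, interfaces and packets are
constructed; an ECMP route is represented by several output interfaces.
"""
import ipaddress
from typing import List, Optional, Set, Tuple

BROADCAST = ipaddress.ip_address("255.255.255.255")
ZERO = ipaddress.ip_address("0.0.0.0")


class Fib:
    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, Set[str]]] = []

    def add(self, prefix: str, *out_ifaces: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), set(out_ifaces)))

    def lookup(self, addr, include_default: bool) -> Optional[Tuple[ipaddress.IPv4Network, Set[str]]]:
        """Longest-prefix match; 0.0.0.0/0 is consulted only when asked for."""
        best = None
        for net, ifaces in self.routes:
            if net.prefixlen == 0 and not include_default:
                continue
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifaces)
        return best


def urpf_check(fib: Fib, src: str, dst: str, in_iface: str,
               mode: str = "strict", allow_default_route: bool = False) -> Tuple[bool, str]:
    """Return (passed, reason) for a packet received on in_iface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1: source address validity
    if s == BROADCAST:
        return False, "source-broadcast"
    if s == ZERO:
        if d == BROADCAST:
            return True, "dhcp-discover"   # 0.0.0.0 -> 255.255.255.255 is let through
        return False, "source-zero"
    # Route lookup for the source, ignoring the default route
    hit = fib.lookup(s, include_default=False)
    if hit is not None:
        net, out_ifaces = hit
        if mode == "loose" or in_iface in out_ifaces:
            return True, f"route {net} via {sorted(out_ifaces)}"
        return False, f"strict: {net} reachable via {sorted(out_ifaces)}, not {in_iface}"
    # No specific route: only the default route can rescue the packet, if allowed
    if not allow_default_route:
        return False, "no-route"
    default = fib.lookup(s, include_default=True)
    if default is None:
        return False, "no-default-route"
    if mode == "loose" or in_iface in default[1]:
        return True, "default-route"
    return False, "strict: default route egress differs from ingress"


def isp_fib() -> Fib:
    """Constructed FIB for the ISP switch: a customer prefix behind Vlan1,
    another customer behind Vlan2, a default route to the Internet on Vlan3."""
    fib = Fib()
    fib.add("10.0.0.0/24", "Vlan1")
    fib.add("172.16.0.0/16", "Vlan2")
    fib.add("0.0.0.0/0", "Vlan3")
    return fib
```

The asymmetry to remember when choosing a mode: strict mode on the ISP side catches a customer spoofing another customer's prefix, but it also drops legitimate traffic whenever routing is asymmetric (the return path to the source uses a different interface), which is why loose mode, or strict mode with the default route excluded, is the usual compromise on multi-homed links.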
Page 201: ... and it is also supported between FIPS mode and non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode, delete the local user, configure a new local user (with local user attributes including password, user role, and service type), save the current configuration file, specify it ...
Page 202: ... only use the configured username and password to log in to the FIPS device. After login, you are assigned the user role crypto officer. Manual reboot: To use manual reboot to enter FIPS mode, follow these steps: 1. Enable the password control function globally. 2. Set the number of character types ...
Page 203: ... configurations, including configuring password control and a local user. For more information, see "Manual reboot." • If you choose the automatic reboot method and saving the current configuration is required, execute the save command ... • In FIPS mode, SSH, SNMPv3, and IPsec do not support DES, 3DES, RC4, and MD5. • ...
Page 204: ... self-test failure information. NOTE: If a self-test fails, contact HP Support. Power-up self-tests: The power-up self-test, also called ... fails. • Continuous random number generator test: This test is run when a random number is generated. If two consecutive random numbers are different, the test succeeds ...
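The continuous random number generator test described above is a one-line rule with a subtle detail: the first block from the source is consumed as the comparison value and must not be handed out, and a source that gets stuck (a hardware RNG that starts returning the same block) has to be detected on the very next draw. The following added example, written for this page and not the switch's firmware, implements that conditional test after FIPS 140-2 section 4.9.2. The faulty source is constructed to show the failure path; the healthy source wraps `os.urandom`.

```python
"""Continuous random number generator test, modelled on the FIPS 140-2
conditional self-test described above: each new output block is compared
with the previous one and equal consecutive blocks are a failure.  Added
example, not HP firmware code.  The stuck source is constructed.
"""
import os


class RngFailure(RuntimeError):
    pass


class ContinuousRngTest:
    """Wraps a block source.  As in FIPS 140-2 section 4.9.2 the first block
    is kept only as the comparison value and is never returned to a caller."""

    def __init__(self, source, block_len=16):
        self.source = source
        self.block_len = block_len
        self.last = self._read()

    def _read(self):
        block = self.source(self.block_len)
        if len(block) != self.block_len:
            raise RngFailure("short read from entropy source")
        return block

    def next(self):
        block = self._read()
        if block == self.last:
            raise RngFailure("consecutive RNG outputs identical")
        self.last = block
        return block


def healthy_source(n: int) -> bytes:
    return os.urandom(n)


def stuck_after(k: int):
    """Constructed faulty source: k distinct blocks, then the same block forever."""
    calls = [0]

    def source(n: int) -> bytes:
        calls[0] += 1
        value = calls[0] if calls[0] <= k else 0xFFFF
        return value.to_bytes(n, "big")

    return source


def draw(source, n, block_len=16):
    """Pull n blocks through the test.  Returns (blocks delivered, failure
    message or None); a module in FIPS mode would stop issuing keys on failure."""
    delivered = 0
    try:
        rng = ContinuousRngTest(source, block_len)
        for _ in range(n):
            rng.next()
            delivered += 1
        return delivered, None
    except RngFailure as e:
        return delivered, str(e)
```

This test only catches a source that repeats its last block; it says nothing about bias or low entropy, which is why FIPS modules pair it with the power-up known-answer tests the page lists alongside it.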
Page 205: ... console port to log in to the device in FIPS mode. Configuration procedure: # If you want to save the current configuration, execute the save command before ... for the password, see the displayed information. Press ENTER to get started. login: root Password: First login or password reset. For ...
Page 206: ... password: confirm: Updating user information. Please wait ... # Display the current FIPS mode state. display fips status FIPS mode is enabled. # Display the default configuration file. more fips-startup.cfg # password-control enable # local-user root class manage service ...
Page 207: ... displayed information. Press ENTER to get started. login: test Password: First login or password reset. For security reason, you need to change your password. Please enter your password. old password: new password: confirm: Updating user information. Please wait Sysname> # Display the current FIPS ...
Page 208: ... QoS classification rules, see ACL and QoS Configuration Guide. Overview: IP Security (IPsec) is ... negotiation overhead and simplified maintenance by supporting the IKE protocol. IKE provides automatic ... IPsec to all IP-based application systems and services without modifying them. • Encryption on a per ...
Page 209: ... the data before encapsulating the data in IP packets. ESP supports encryption algorithms such as DES, 3DES, and AES, and authentication algorithms HMAC-MD5 and HMAC-SHA1. Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger because it also covers the IP header. (DES, 3DES, and HMAC-MD5 are legacy choices; prefer AES with SHA-based authentication where the peer supports it, and note that the FIPS mode described in this guide does not allow DES, 3DES, or MD5 at all.) In practice, you can ...
Page 210: ... -bit number that identifies an SA. It is transmitted in the AH/ESP header. An SA can be set up manually or through IKE. • Manual mode: Configure all parameters for the SA through commands. This configuration mode is complex and does not support some advanced features (such as periodic key update), but ...
Page 211: ... the tunnel. The IPsec tunnel can be manually configured beforehand, or it can be set up ... configured IPsec policy. Interface-based IPsec supports setting up IPsec tunnels based on ACLs. ACL-based IPsec: To implement ACL-based IPsec, configure an ACL to define the data flows to be protected, reference ...
Page 212: ... the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. IPsec tunnel establishment: The switch supports establishing only ACL-based IPsec tunnels. An ACL-based IPsec tunnel ...
Page 213: ... interface. Complete the following tasks to configure ACL-based IPsec. Tasks at a glance: (Required.) Configuring an ACL. (Required.) Configuring an IPsec transform set. (Required.) Configure an IPsec policy (use either method): • Configuring a manual IPsec policy • Configuring an IKE-based IPsec policy ...
Page 214: ... SAs negotiated after the changes. To apply the changes to existing SAs, execute the reset ipsec sa command to clear the SAs so that they are set up again with the updated parameters. To configure an IPsec transform set: Step 1. Enter system view. 2. Create an IPsec transform set and enter its view ...
Page 215: ... mode: ah authentication-algorithm sha1. Remarks: Configure at least one command. By default, no security algorithm is specified. ... supports only the transport mode. By default, the PFS feature is not used for SA negotiation. For more information about PFS, ... • In non-FIPS mode: ... see "Configuring ...
Page 216: ... manual 3. (Optional.) Configure a description for the IPsec policy: description text. Remarks: by default, no IPsec policy exists; by default, no description is configured. 4. Specify an ACL for the IPsec policy: security acl [ ipv6 ] { acl-number | name acl-name }. By default, an IPsec policy references ...
Page 217: ... Configure an SPI for the inbound or outbound IPsec SA. 8. Configure keys for the IPsec SA. ... • To configure an SPI for the outbound IPsec SA: sa spi outbound { ah | esp } spi-number. By default, no SPI is configured for the inbound or outbound IPsec SA. • Configure ...
Page 218: ... sets for the IPsec policy. description text: by default, no description is configured. security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]: by default, no ACL is specified for the IPsec policy; an IPsec policy can reference only one ACL. transform-set transform-set ...
Page 219: 6. Specify an IKE profile for the IPsec policy: ike-profile profile-name. Remarks: by default, the IPsec policy references no IKE profile and uses the IKE parameters configured in system view for negotiation. An IPsec policy can reference only one IKE profile, and it cannot reference ...
Page 220: ... configured. 4. (Optional.) Specify an ACL for the IPsec policy template: security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]. By default, no ACL is specified for the IPsec policy template. An IPsec policy template can reference ... specified by this command must be the ...
Page 221: ... 2. Enter interface view: interface interface-type interface-number. 3. Apply an IPsec policy to the interface: ipsec { policy | ipv6-policy } policy-name. Remarks: N/A; N/A; by default, no IPsec policy is applied to the interface. An interface can reference only one IPsec policy ...
Page 222: Command: system-view; ipsec decrypt-check enable. Remarks: N/A; by default, this feature is enabled. Configuring service data ... manually created IPsec SAs. According to the IPsec protocol, only IPsec SAs negotiated by IKE support anti-replay checking. IMPORTANT: • IPsec anti-replay is enabled by default ...
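The anti-replay note above says what the feature applies to (IKE-negotiated SAs only) but not what the receiver actually does per packet. The following added example, written for this page and not HP code, is the ESP anti-replay sliding window from RFC 4303 Appendix A, which is the mechanism the "anti-replay checking" on this page refers to. The window size and sequence numbers are constructed; a receiver would only update the window after the packet's integrity check value has verified, which this model leaves to the caller.

```python
"""ESP anti-replay sliding window (RFC 4303, Appendix A), added to show what
the anti-replay checking described above does per packet.  Added example,
not HP code; sequence numbers are constructed.  A real receiver calls
check() only after the packet's ICV has verified.  Manual SAs carry no
negotiated sequence-number state, which is why the guide limits the check
to IKE-negotiated SAs.
"""


class ReplayWindow:
    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was received

    def check(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'too-old'; state is updated on accept."""
        if seq <= 0:
            return "too-old"            # 0 is never a valid ESP sequence number
        if seq > self.top:              # to the right of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.size:           # to the left of the window
            return "too-old"
        if (self.bitmap >> diff) & 1:   # inside the window and already seen
            return "replay"
        self.bitmap |= 1 << diff
        return "accept"


def receive(window: ReplayWindow, seqs):
    """Run a constructed sequence of packets through one window."""
    return [window.check(s) for s in seqs]
```

The window explains two field observations: reordering inside the window (950 arriving after 1000 below) is harmless, while a peer that restarts its sequence counter without a new SA, or traffic that is delayed by more than the window, is dropped as "too-old" and looks like packet loss until the SAs are rekeyed.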
Page 223: ... in service interruption. To solve these problems, ... Command: system-view; ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number. Remarks: N/A; by default ... Configuration Guide. To enable the QoS pre-classify feature: Step 1. Enter system view: system-view. Remarks ...
Page 224: ... -number [ isakmp | manual ] • To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } template-name seq-number. qos pre-classify. Remarks: Use either command. By default ... IP header to the new IP header. You can configure the DF bit in system view and interface view.
Page 225: ... system view: system-view. Remarks: N/A. 2. Enter interface view: interface interface-type interface-number. N/A. 3. Configure the DF bit of IPsec packets on the interface: ipsec df-bit { clear | copy | set }. By default, the interface uses the global DF bit setting. To configure the DF ...
Page 226: ... HMAC-SHA1. • Manually set up IPsec SAs. Figure 73 Network diagram. Configuration procedure: 1. Configure Switch A: # Configure an IP address ... manual IPsec policy entry, with the policy name map1 and sequence number 10. [SwitchA] ipsec policy map1 10 manual # Apply ACL 3101. [SwitchA-ipsec-policy-manual ...
Page 227: ... -key inbound esp simple gfedcba [SwitchA-ipsec-policy-manual-map1-10] quit # Apply the IPsec policy map1 to interface VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ipsec policy map1 2. Configure Switch B: # Configure an IP address for VLAN-interface 1. ...
Page 228: ... command to display IPsec SAs on Switch A and Switch B. This example uses Switch A. [SwitchA] display ipsec sa Interface: Vlan-interface 1 IPsec policy: map1 Sequence number: 10 Mode: manual ... tunnel between Switch A and Switch B to protect data flows between the switches. Configure the IPsec ...
Page 229: ... Switch A: # Configure an IP address for VLAN-interface 1. system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 2.2.2.1 255.255.255.0 [SwitchA-Vlan-interface1] quit # Define an ACL to identify data flows between Switch A and Switch B. [SwitchA] acl number ...
Page 230: ... Switch B: # Configure an IP address for VLAN-interface 1. system-view [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ip address 2.2.3.1 255.255.255.0 [SwitchB-Vlan-interface1] quit # Define an ACL to identify data flows between Switch B and Switch A. [SwitchB] acl number ...
Page 231: ... and 2.2.2.1. [SwitchB-ipsec-policy-manual-map1-10] local-address 2.2.3.1 [SwitchB-ipsec-policy-manual-map1-10] remote-address 2.2.2.1 # ... configuration: After the previous configurations, IKE negotiation is triggered to set up IPsec SAs when there are end-to-end packets between Switch A and Switch ...
Page 232: ... specified, the term "IKE" in this chapter refers to IKEv1. Overview: Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec, dramatically simplifying the configuration and maintenance of IPsec. IKE is not intended ...
Page 233: ... Key exchange: Used for exchanging the DH public value and other values like the random number. The two peers use the exchanged data to generate key data and ... use the peers. The device supports pre-shared key authentication: Two communicating peers use the pre-configured shared key for identity ...
Page 234: ... that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode. IKE configuration prerequisites: Determine the following parameters prior to IKE configuration: • The algorithms to be used during IKE ...
Page 235: ... priority number has a higher priority. c. If a tie still exists, the device prefers the IKE profile configured earlier. To configure an IKE profile: Step 1. Enter system view: system-view. 2. Create an IKE profile and enter its view: ike profile profile-name. Remarks: N/A; by default, no ...
Page 236: ... proposal-number&... By default, an IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation. 7. Configure the local ID: local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn ...
Page 237: ... SA. If all user-defined IKE proposals are found mismatching, the two peers use their default IKE proposals to establish ... To configure an IKE proposal: Step 1. Enter system view: system-view. Remarks: N/A. 2. Create an IKE proposal and enter its view: ike proposal proposal-number. By default ...
Page 238: ... the existence of the match local address command. An IKE keychain with the match local address command configured has a higher priority. b. If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller priority number has a higher priority. c. If a tie still exists ...
Page 239: ... keychain. Commands: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-name ] }; priority number. Remarks: By default, an IKE keychain can be applied to any local interface or IP address. The default priority is 100. Configuring the global ...
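The keychain selection rules above (a keychain with `match local address` beats one without; then the smaller priority number wins; then the one configured earlier), and the parallel rules given for IKE profiles on page 235, are a three-level sort that is easy to get wrong when several keychains overlap. The following added example, written for this page and not HP code, encodes that ordering so you can predict which keychain a negotiation will pick. The keychain contents and addresses are constructed, and the assumption that a keychain is usable only when its `match local address` (if any) equals the negotiation's local address and it holds a pre-shared key covering the remote peer is mine.

```python
"""IKE keychain selection modelled on the rules described above: among the
keychains usable for a negotiation, one with 'match local address' wins;
ties go to the smaller priority number; remaining ties to the keychain
configured earlier.  Added example, not HP code.  Keychain contents and
addresses are constructed; the usability test (local address must match
if configured, and a pre-shared key must cover the remote peer) is my
assumption.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Keychain:
    name: str
    order: int                              # position in the config (earlier = smaller)
    match_local: Optional[str] = None       # 'match local address' IP, or None
    priority: int = 100                     # default priority from the guide
    peers: List[str] = field(default_factory=list)  # networks with a pre-shared key

    def covers(self, remote: str) -> bool:
        r = ipaddress.ip_address(remote)
        return any(r in ipaddress.ip_network(p) for p in self.peers)


def select_keychain(keychains: List[Keychain], local: str, remote: str) -> Optional[Keychain]:
    candidates = [
        k for k in keychains
        if (k.match_local is None or k.match_local == local) and k.covers(remote)
    ]
    if not candidates:
        return None
    # The sort key encodes the three tie-break rules in order.
    candidates.sort(key=lambda k: (k.match_local is None, k.priority, k.order))
    return candidates[0]


def sample_keychains() -> List[Keychain]:
    """Constructed set: a catch-all keychain, two bound to local 1.1.1.1 that
    both cover peer 2.2.2.2, and one bound to an unrelated local address."""
    return [
        Keychain("any", 1, None, 50, ["2.2.2.0/24"]),
        Keychain("vlan1", 2, "1.1.1.1", 100, ["2.2.2.0/24"]),
        Keychain("vlan1-host", 3, "1.1.1.1", 100, ["2.2.2.2/32"]),
        Keychain("other", 4, "9.9.9.9", 1, ["2.2.2.0/24"]),
    ]
```

Note that the catch-all keychain loses to `vlan1` even though its priority number is smaller: the presence of `match local address` is checked before priority, so a low priority number on a catch-all keychain does not make it win against a keychain bound to the local address.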
Page 240: ... supported on the peer. The IKE keepalive function sends keepalives at regular intervals, which consumes network bandwidth and resources. • The keepalive timeout time configured ... interval. Command: system-view; ike nat-keepalive seconds. Remarks: N/A; the default interval is 20 seconds. Configuring IKE ...
Page 241: ... is not triggered during a DPD retry. To configure IKE DPD: Step 1. Enter system view: system-view. 2. Enable sending IKE DPD messages: ike dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }. Remarks: N/A; by default, IKE DPD is disabled. Enabling invalid SPI ...
Page 242: ... -limit | max-sa sa-limit }. Remarks: N/A; by default, there is no limit to the maximum number of IKE SAs. Displaying and maintaining IKE: Execute display commands in any view and reset commands in user view. Task: Display configuration information about all IKE proposals. Display information about the ...
Page 243: ... [SwitchA-vlan-interface1] quit # Configure ACL 3101 to identify traffic between Switch A and Switch B. [SwitchA] acl number 3101 [SwitchA-acl-adv-3101] ... [SwitchA-ipsec-policy-isakmp-map1-10] remote-address 2.2.2.2 # Reference ACL 3101 to identify the traffic to be protected. [SwitchA-ipsec-policy- ...
Page 244: ... Vlan-interface1 [SwitchB-Vlan-interface1] ip address 2.2.2.2 255.255.255.0 [SwitchB-Vlan-interface1] quit # Configure ACL 3101 to identify traffic between Switch B and Switch A. [SwitchB] acl number 3101 [SwitchB-acl-adv-3101] rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.0 0 [SwitchB-acl-adv ...
Page 245: ... protected. [SwitchB-ipsec-policy-isakmp-use1-10] security acl 3101 # Reference IPsec transform set tran1 for the IPsec policy. [SwitchB-ipsec-policy-isakmp ... use1 Verifying the configuration: When there is traffic between Switch A and Switch B, IKE negotiation is triggered. Troubleshooting IKE: IKE ...
Page 246: ... IPsec transform sets were found. Symptom: 1. The display ike sa command shows that the IKE SA negotiation succeeded and the IKE SA is in RD state, but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet. 2. The following ...
Page 247: ... two ends have matching IPsec transform sets. 2. Modify the IPsec configuration to make sure the two ends have matching IPsec transform sets. IPsec SA negotiation failed due to invalid identity information. Symptom: 1. The display ike sa command shows that the IKE SA negotiation succeeded and the IKE ...
Page 248: ... display ipsec policy IPsec Policy: policy1 Interface: Vlan-interface1 Sequence number: 1 Mode: isakmp Description: Security data flow: 3000 Selector : ... 2. Verify that the ACL referenced by the IPsec policy is correctly configured. If the flow range defined by the responder's ACL is smaller than ...
Page 249: ... 1. 2. 3. ... Sequence number: 1 Mode: isakmp ... were found and the IPsec policy is referencing an IKE profile, remove the reference. If the flow range defined by the responder's ACL is smaller than that ... 192.168.222.0 0.0.0.255 ... Configure the missing settings (for example, the remote address).
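Two of the failure causes on these troubleshooting pages, and one from the manual-SA example on page 231, come down to the two ends not being mirror images of each other: a manual SA needs the outbound SPI and key on one end to equal the inbound SPI and key on the other and mirror-image ACLs, and an IKE-negotiated SA fails when the responder's ACL covers a smaller flow range than the initiator's. The following added example, written for this page and not HP code, checks both ends' settings against each other before they are applied. The addresses, SPIs, keys and ACL rules are constructed samples that follow the pattern of the page's examples.

```python
"""Consistency checks for the two ends of an ACL-based IPsec tunnel, added to
make concrete the failure causes in the troubleshooting section above and
the mirrored manual-SA settings of the manual-SA example.  Added example,
not HP code; addresses, SPIs, keys and rules are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    src: str     # network in CIDR form, e.g. '1.1.1.0/24'
    dst: str

    def flipped(self) -> "Rule":
        return Rule(self.dst, self.src)


@dataclass
class ManualPeer:
    local: str
    remote: str
    spi_in: int
    spi_out: int
    key_in: str
    key_out: str
    acl: List[Rule]


def mirror_image(a: List[Rule], b: List[Rule]) -> bool:
    """Manual SAs need mirror-image ACLs: each flow A protects, B protects reversed."""
    return {r.flipped() for r in a} == set(b)


def responder_covers(initiator: List[Rule], responder: List[Rule]) -> List[Rule]:
    """For IKE negotiation the responder's ACL must be at least as wide as the
    initiator's.  Return the initiator rules the responder does not cover."""
    missing = []
    for r in initiator:
        s, d = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if not any(s.subnet_of(ipaddress.ip_network(q.dst))
                   and d.subnet_of(ipaddress.ip_network(q.src)) for q in responder):
            missing.append(r)
    return missing


def manual_sa_problems(a: ManualPeer, b: ManualPeer) -> List[str]:
    problems = []
    if (a.local, a.remote) != (b.remote, b.local):
        problems.append("local/remote addresses are not swapped")
    if a.spi_out != b.spi_in or a.spi_in != b.spi_out:
        problems.append("outbound SPI on one end must equal inbound SPI on the other")
    if a.key_out != b.key_in or a.key_in != b.key_out:
        problems.append("outbound key on one end must equal inbound key on the other")
    if not mirror_image(a.acl, b.acl):
        problems.append("ACLs are not mirror images")
    return problems


def sample_peers() -> Tuple[ManualPeer, ManualPeer]:
    """Constructed pair following the page's addressing (2.2.2.1 and 2.2.3.1);
    SPIs and keys are samples, not values from the guide."""
    a = ManualPeer("2.2.2.1", "2.2.3.1", 54321, 12345, "gfedcba", "abcdefg",
                   [Rule("2.2.2.0/24", "2.2.3.0/24")])
    b = ManualPeer("2.2.3.1", "2.2.2.1", 12345, 54321, "abcdefg", "gfedcba",
                   [Rule("2.2.3.0/24", "2.2.2.0/24")])
    return a, b
```

The `responder_covers` check is the one to run when `display ike sa` shows the IKE SA in RD state but no IPsec SA appears: a responder ACL written for a single host (10.1.1.0/24 below) silently rejects an initiator proposing the whole 10.1.0.0/16, and the fix is to widen the responder's ACL, not the initiator's.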
Page 250: ... Acronyms. Websites: • HP.com http://www.hp.com • HP Networking http://www.hp.com/go/networking • HP manuals http://www.hp.com/support/manuals • HP download drivers and software http://www.hp.com/support/downloads • HP software depot http://www.software.hp.com • HP Education http://www.hp.com/learn ...
Page 251: Command conventions (fragment). Convention: Boldface; Italic; [ ]; { x | y | ... }; [ x | y | ... ]; { x | y | ... } *; [ x | y | ... ] *; &; #. Description: Bold text represents commands ... bold text. For example, the New User window appears; click OK. Multi-level ... or damage to hardware or software. An alert that calls ...
Page 252: ... wired-WLAN switch. Represents an access point. Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device. Represents a security card, such as a firewall card, a load-balancing card, or a NetStream card. Port numbering in examples ...
Page 253 (index): port max number concurrent users, 70; port security authentication control mode, 87; port security client macAddressElseUserLoginSecure configuration, 101; port security client userLoginWithOUI configuration, 97; port security configuration, 87, 90; port security feature configuration, 92; port security ...
Page 254 (index): ... 38; LDAP version specification, 37; local accounting method, 12; local authentication method, 12; local authorization method, 12; local user attribute configuration, 19; local user configuration, 18; MPLS L3VPN implementation, 13; no accounting method, 12; no authentication method, 12; no authorization method ...
Page 255 (index): ... client macAddressElseUserLoginSecure configuration, 101; port security client userLoginWithOUI configuration, 97; port security configuration, 87, 90; port security MAC address autoLearn mode configuration, 96; RADIUS user authentication mechanisms, 2; SCP file transfer with password authentication, 158 ...
Page 256 (index): ... initiation, 62; 802.1X configuration, 68, 68, 75; command: AAA command accounting method, 12; AAA command authorization method, 12; comparing 802.1X EAP relay/termination authentication modes, 64; complexity policy (password control), 106; composition policy (password control), 105; conditional self ...
Page 257 (index): ... user account format, 80; MAC local authentication, 82; MAC RADIUS-based authentication, 84; main mode IKE, 232; manual IPsec policy, 206; manual IPsec tunnel for IPv4 packets, 216; mirror image ACLs for IPsec, 204; number limit for IKE SAs, 231; password control, 105, 108, 112; port security, 87, 90; port ...
Page 258 (index): ... configuration with DHCP snooping, 167; digital signature public key, 115; directory: LDAP directory service, 9; SFTP, 137; displaying: 802.1X, 75; AAA, 44; AAA local users/local user ... source guard, 165; LDAP, 39; MAC authentication, 82; password control, 112; port security, 95; public key, 120; RADIUS, 30; SFTP ...
Page 259 (index): ... 125; SSH server configuration, 127; entering: FIPS mode (automatic reboot), 192, 195; FIPS mode (manual reboot), 192, 196; entering peer public key, 119, 120; establishing: SFTP server connection, 135; Stelnet server connection, 133; Ethernet 802.1X overview, 59; expiration of password early notification ...
Page 260 (index): ... 33; SSH user local authentication+HWTACACS authorization+RADIUS accounting, 46; traffic statistics units, 34; troubleshooting, 57; username format, 34; I: ignoring port security server authorization information, 95; IKE: aggressive mode in phase 1, 222; configuring global ID, 229; configuring IKE DPD ...
Page 261 (index): ... 227; security mechanism, 223; troubleshooting, 235; IKE-based IPsec policy: configuring by referencing IPsec policy template, 209; direct configuration, 208; IMC RADIUS session-control feature configuration, 44; implementing: 802.1X HP MAC-based access control, 68; 802.1X HP port-based access control, 68 ...
Page 262 (index): ... QoS pre-classify, 213; encapsulation modes, 198; encryption, 200; IKE, 222; IKE configuration, 224; IKE negotiation failure (no proposal or keychain referenced correctly), 236; IKE negotiation failure troubleshooting (no proposal match), 235; IKE negotiation process, 222; IKE security mechanism, 223 ...
94 port security secure MAC address port limit, 91 troubleshooting port security secure MAC addresses, 104 MAC authentication configuration, 78, 79 displaying, 82 domain specification, 80 enable, 79 local method, 78, 82 maintaining, 82 max number concurrent port users configuration, 81 port security - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 263
maintaining password control, 112 management public key, 115 managing public keys, 115 manual reboot entering FIPS mode, 192, 196 minimum password 69 802.1X online user handshake function, 72 802.1X periodic online user re-authentication, 74 802.1X port max number concurrent users, 70 ARP active - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 264
number concurrent port users configuration, 81 MAC authentication methods, 78 MAC authentication timer configuration, 81 MAC authentication user account format, 80 password control enable, 108 password control global parameters, 109 password control local user parameters, 110 password control user - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 265
import from file, 119 public key peer configuration, 119 Perfect Forward Secrecy. See PFS PFS(IKE), 224 policy MAC authentication user account policies, 78 password control configuration, 105, 108, 112 RADIUS security policy server IP address configuration, 30 port 802.1X access control method, 70 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 266
, 80 MAC authentication enable, 79 MAC authentication max number concurrent port users configuration, 81 MAC local authentication configuration, 82 MAC RADIUS-based authentication configuration, 84 security. See port security port security 802.1X authentication, 89 authentication modes, 87 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 267
232 configuring manual IPsec policy, 206 configuring manual IPsec tunnel for IPv4 packets, 216 configuring number limit for IKE SAs, 231 configuring password control, 108, 112 configuring port security, 90 configuring port security client macAddressElseUserLoginSecure, 101 configuring port security - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 268
MAC authentication, 82 maintaining password control, 112 maintaining RADIUS, 30 saving host public key to file, 117 setting 802.1X authentication request max number attempts, 71 setting 802.1X authentication timeout timers, 71 setting 802.1X max number concurrent users on port, 70 setting 802.1X - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 269
setting MAC authentication max number concurrent port users, 81 setting password control global parameters, 109 setting password control local user parameters, 110 setting password control user group parameters, 110 setting port security mode, 91 setting RADIUS max request transmission attempts, 26 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 270
accounting, 46 traffic statistics units, 25 troubleshooting, 56 troubleshooting accounting error, 57 troubleshooting authentication failure, 56 troubleshooting packet delivery failure, 56 user authentication mechanisms, 2 username format, 25 rate limit configuration, 173 real-time HWTACACS real-time - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 271
mode (automatic reboot), 195 entering FIPS mode (manual reboot), 196 expired password login, 107 FIPS configuration, 191 FIPS self-test, 194 fixed ARP configuration, 181 IKE configuration, 222, 224 IKE profile configuration, 225 IKE proposal configuration, 227 implementing ACL-based IPsec, 202 IP - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 272
MAC RADIUS-based authentication configuration, 84 manual reboot, 192 password control configuration, 105, 108, 112 password control enable, 108 password control global parameters, 109 password control local user parameters, 110 password control user group parameters, 110 password event logging, 108 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 273
control method, 70 802.1X mandatory port authentication domain, 73 HWTACACS accounting password authentication configuration, 153 SSH user local authentication+HWTACACS authorization+RADIUS accounting, 46 Stelnet client device configuration, 132 Stelnet client password authentication configuration - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 274
, 81 MAC authentication server timeout timer configuration, 81 traffic AAA HWTACACS traffic statistics units, 34 AAA RADIUS traffic statistics units, 25 triggered self-test, 194 triggering self-test, 194 troubleshooting HWTACACS, 57 LDAP, 57 port security, 104 port security mode cannot be set, 104 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 275
Path Forwarding. Use uRPF updating passwords, 106, 106 uRPF check modes, 186 configuration, 186, 189, 190 displaying, 190 network application, 189 operation, 186 user 802.1X periodic online user re-authentication, 74 802.1X port max number concurrent users, 70 ARP user validity check, 177 ARP - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 276
, 198 W WLAN 802.1X overview, 59 port security client macAddressElseUserLoginSecure configuration, 101 port security client userLoginWithOUI configuration, 97 port security configuration, 87, 90 port security MAC address autoLearn mode configuration, 96 working with SFTP directories, 137 with