HP A 5120 Manual
Have a look at the manual HP A 5120 Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
HP A5120 EI Switch Series Security Configuration Guide Abstract This document describes the software features for the HP A Series products and guides you through the software configuration procedures. These configuration guides also provide configuration examples to help you apply software features to different network scenarios. This documentation is intended for network planners, field technical support and servicing engineers, and network administrators working with the HP A Series products. Part number: 5998-1800 Software version: Release 2208 Document version: 5W100-20110530
Legal and notice information © Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
iii Contents AAA configuration ··························································································································································· 1 AAA overview ··································································································································································· 1 RADIUS ······································································································································································ 2 HWTACACS ····························································································································································· 7 Domain-based user management ··························································································································· 9 RADIUS server feature of the device ··················································································································· 10 Protocols and standards ······································································································································· 11 RADIUS attributes ·················································································································································· 11 AAA configuration considerations and task list ·········································································································· 14 Configuring AAA schemes ············································································································································ 16 Configuring local users ········································································································································· 16 Configuring RADIUS schemes ······························································································································ 20 Configuring HWTACACS schemes ····················································································································· 30 Configuring AAA methods for ISP domains ················································································································ 36 Configuration prerequisites ·································································································································· 36 Creating an ISP domain ······································································································································· 36 Configuring ISP domain attributes ······················································································································· 36 Configuring AAA authentication methods for an ISP domain ·········································································· 37 Configuring AAA authorization methods for an ISP domain ··········································································· 39 Configuring AAA accounting methods for an ISP domain ··············································································· 40 Tearing down user connections forcibly ······················································································································ 42 Configuring a network device as a RADIUS server ··································································································· 42 RADIUS server functions configuration task list ·································································································· 42 Configuring a RADIUS user ·································································································································· 42 Specifying a RADIUS client ·································································································································· 43 Displaying and maintaining AAA ································································································································ 44 AAA configuration examples ········································································································································ 44 AAA for Telnet users by an HWTACACS server ······························································································· 44 AAA for Telnet users by separate servers ··········································································································· 45 Authentication/Authorization for SSH/Telnet users by a RADIUS server ······················································· 47 AAA for 802.1X users by a RADIUS server ······································································································· 50 Level switching authentication for Telnet users by an HWTACACS server ····················································· 56 RADIUS authentication and authorization for Telnet users by a network device ··········································· 59 Troubleshooting AAA ···················································································································································· 61 Troubleshooting RADIUS ······································································································································ 61 Troubleshooting HWTACACS······························································································································ 62 802.1X fundamentals ···················································································································································· 63 802.1X architecture ······················································································································································· 63 Controlled/uncontrolled port and pot authorization status ······················································································· 63 802.1X-related protocols ·············································································································································· 64 Packet format ························································································································································· 64 EAP over RADIUS ·················································································································································· 66 Initiating 802.1X authentication ··································································································································· 66 802.1X client as the initiator ······························································································································· 66 Access device as the initiator ······························································································································· 66 802.1X authentication procedures ······························································································································ 67 A comparison of EAP relay and EAP termination ······························································································ 67 EAP relay ································································································································································ 68 EAP termination ····················································································································································· 69
iv 802.1X configuration ···················································································································································· 71 HP implementation of 802.1X ······································································································································ 71 Access control methods ········································································································································ 71 Using 802.1X authentication with other features ······························································································ 71 Configuring 802.1X ······················································································································································ 74 Configuration prerequisites ·································································································································· 74 802.1X configuration task list ······························································································································ 74 Enabling 802.1X ··················································································································································· 75 Specifying EAP relay or EAP termination ··········································································································· 75 Setting the port authorization state ······················································································································ 76 Specifying an access control method ·················································································································· 77 Setting the maximum number of concurrent 802.1X users on a port ······························································ 77 Setting the maximum number of authentication request attempts ···································································· 78 Setting the 802.1X authentication timeout timers ······························································································ 78 Configuring the online user handshake function ······························································································· 78 Configuring the authentication trigger function ································································································· 79 Specifying a mandatory authentication domain on a port ··············································································· 80 Enabling the quiet timer ········································································································································ 81 Enabling the periodic online user re-authentication function ············································································ 81 Configuring an 802.1X guest VLAN ··················································································································· 82 Configuring an Auth-Fail VLAN ··························································································································· 83 Displaying and maintaining 802.1X ··························································································································· 84 802.1X configuration examples ··································································································································· 84 802.1X authentication configuration example ·································································································· 84 802.1X with guest VLAN and VLAN assignment configuration example······················································· 86 802.1X with ACL assignment configuration example ······················································································· 89 EAD fast deployment configuration ····························································································································· 91 EAD fast deployment overview ····································································································································· 91 EAD fast deployment implementation ················································································································· 91 Configuring EAD fast deployment ································································································································ 91 Configuration prerequisites ·································································································································· 91 Configuration procedure ······································································································································ 91 Displaying and maintaining EAD fast deployment ····································································································· 92 EAD fast deployment configuration example ·············································································································· 93 Troubleshooting EAD fast deployment ························································································································· 95 Web browser users cannot be correctly redirected ·························································································· 95 MAC authentication configuration ······························································································································· 96 MAC authentication overview ······································································································································ 96 User account policies ············································································································································ 96 Authentication approaches ·································································································································· 96 MAC authentication timers ··································································································································· 97 Using MAC authentication with other features ··········································································································· 97 VLAN assignment ·················································································································································· 97 ACL assignment ····················································································································································· 97 Guest VLAN ··························································································································································· 97 MAC authentication configuration task list ················································································································· 98 Basic configuration for MAC authentication ··············································································································· 98 Configuration prerequisites ·································································································································· 98 Configuration procedure ······································································································································ 98 Specifying an authentication domain for MAC authentication users ······································································· 99 Configuring a MAC authentication guest VLAN ······································································································ 100 Configuration prerequisites ································································································································ 100 Configuration procedure ···································································································································· 100 Displaying and maintaining MAC authentication ···································································································· 101
v MAC authentication configuration examples ············································································································ 101 Local MAC authentication configuration example ·························································································· 101 RADIUS-based MAC authentication configuration example ·········································································· 103 ACL assignment configuration example ··········································································································· 105 Portal configuration ···················································································································································· 108 Portal overview ····························································································································································· 108 Introduction to portal ··········································································································································· 108 Extended portal functions ··································································································································· 108 Portal system components ··································································································································· 108 Portal system using the local portal server ········································································································ 110 Portal authentication modes ······························································································································· 111 Layer 2 portal authentication process ··············································································································· 111 Portal configuration task list ········································································································································ 112 Configuration prerequisites ········································································································································· 113 Specifying the local portal server for Layer 2 portal authentication ······························································ 114 Configuring the local portal server ···························································································································· 114 Customizing authentication pages ···················································································································· 114 Configuring the local portal server ···················································································································· 117 Enabling Layer 2 portal authentication ······················································································································ 118 Controlling access of portal users ······························································································································ 119 Configuring a portal-free rule ···························································································································· 119 Setting the maximum number of online portal users ························································································ 119 Specifying an authentication domain for portal users ····················································································· 120 Adding a web proxy server port number ········································································································· 120 Enabling support for portal user moving ·········································································································· 121 Specifying the Auth-Fail VLAN for portal authentication ························································································· 122 Specifying the auto redirection URL for authenticated portal users ········································································ 122 Configuring portal detection functions ······················································································································· 123 Logging off portal users ··············································································································································· 123 Displaying and maintaining portal ···························································································································· 123 Portal configuration examples ···································································································································· 124 Configuring Layer 2 portal authentication ········································································································ 124 Troubleshooting portal ················································································································································· 128 Inconsistent keys on the access device and the portal server ········································································· 128 Incorrect server port number on the access device ························································································· 128 Triple authentication configuration ··························································································································· 130 Triple authentication overview ···································································································································· 130 Triple authentication mechanism ······················································································································· 130 Using triple authentication with other features ································································································· 131 Configuring triple authentication ································································································································ 131 Triple authentication configuration examples ··········································································································· 132 Triple authentication basic function configuration example ··········································································· 132 Triple authentication supporting VLAN assignment and Auth-Fail VLAN configuration example ·············· 135 Port security configuration·········································································································································· 140 Port security overview ·················································································································································· 140 Port security features ··········································································································································· 140 Port security modes ············································································································································· 140 Support for guest VLAN and Auth-Fail VLAN ··································································································· 143 Port security configuration task list ····························································································································· 143 Enabling port security ·················································································································································· 144 Configuration prerequisites ································································································································ 144 Configuration procedure ···································································································································· 144 Setting the maximum number of secure MAC addresses ························································································ 144
vi Setting the port security mode ···································································································································· 145 Configuration prerequisites ································································································································ 145 Configuration procedure ···································································································································· 145 Configuring port security features ······························································································································ 146 Configuring NTK ················································································································································· 146 Configuring intrusion protection ························································································································ 147 Configuring port security traps ·························································································································· 147 Configuring secure MAC addresses ·························································································································· 148 Configuration prerequisites ································································································································ 148 Configuration procedure ···································································································································· 148 Ignoring authorization information from the server ·································································································· 149 Displaying and maintaining port security·················································································································· 149 Port security configuration examples ························································································································· 150 Configuring the autoLearn mode ······················································································································· 150 Configuring the userLoginWithOUI mode ········································································································ 152 Configuring the macAddressElseUserLoginSecure mode················································································ 156 Troubleshooting port security ······································································································································ 159 Cannot set the port security mode ····················································································································· 159 Cannot configure secure MAC addresses ········································································································ 160 Cannot change port security mode when a user is online ············································································· 160 User profile configuration ·········································································································································· 161 User profile overview ··················································································································································· 161 User profile configuration task list ······························································································································ 161 Creating a user profile ················································································································································ 161 Configuration prerequisites ································································································································ 161 Creating a user profile ········································································································································ 161 Configuring a user profile ··········································································································································· 162 Enabling a user profile ················································································································································ 162 Displaying and maintaining user profile ··················································································································· 163 Password control configuration ································································································································· 164 Password control overview ········································································································································· 164 Password control configuration task list ····················································································································· 166 Configuring password control ···································································································································· 167 Enabling password control ································································································································· 167 Setting global password control parameters ···································································································· 167 Setting user group password control parameters ···························································································· 168 Setting local user password control parameters ······························································································ 169 Setting super password control parameters ····································································································· 170 Setting a local user password in interactive mode ·························································································· 170 Displaying and maintaining password control ········································································································· 170 Password control configuration example ·················································································································· 171 HABP configuration ···················································································································································· 174 HABP overview ····························································································································································· 174 Configuring HABP ························································································································································ 175 Configuring the HABP server ····························································································································· 175 Configuring an HABP client ······························································································································· 175 Displaying and maintaining HABP····························································································································· 176 HABP configuration example ······································································································································ 176 Network requirements ········································································································································· 176 Configuration procedure ···································································································································· 177 Public key configuration ············································································································································· 179 Asymmetric key algorithm overview ·························································································································· 179 Basic concepts ····················································································································································· 179
vii Key algorithm types ············································································································································ 179 Asymmetric key algorithm applications ············································································································ 179 Configuring the local asymmetric key pair ··············································································································· 180 Creating an asymmetric key pair ······················································································································ 180 Displaying or exporting the local RSA or DSA host public key ····································································· 180 Destroying an asymmetric key pair ··················································································································· 181 Configuring a peer public key ···································································································································· 181 Displaying and maintaining public keys ··················································································································· 182 Public key configuration examples ····························································································································· 182 Configuring a peer public key manually ·········································································································· 182 Importing a peer public key from a public key file·························································································· 184 PKI configuration ························································································································································· 187 PKI overview ································································································································································· 187 PKI terms ······························································································································································· 187 PKI architecture ···················································································································································· 188 PKI applications ··················································································································································· 188 How does PKI work ············································································································································· 189 PKI configuration task list ············································································································································ 189 Configuring an entity DN ············································································································································ 190 Configuring a PKI domain ·········································································································································· 191 Submitting a PKI certificate request ···························································································································· 192 Submitting a certificate request in auto mode ·································································································· 193 Submitting a certificate request in manual mode ····························································································· 193 Retrieving a certificate manually ································································································································ 194 Configuring PKI certificate verification ······················································································································ 195 Destroying a local RSA key pair ································································································································ 196 Deleting a certificate ···················································································································································· 196 Configuring an access control policy ························································································································ 197 Displaying and maintaining PKI ································································································································· 197 PKI configuration examples ········································································································································· 198 Requesting a certificate from a CA running RSA Keon ··················································································· 198 Requesting a certificate from a CA running Windows 2003 Server ···························································· 201 Configuring a certificate attribute-based access control policy ····································································· 204 Troubleshooting PKI ····················································································································································· 206 Failed to retrieve a CA certificate ····················································································································· 206 Failed to request a local certificate ··················································································································· 206 Failed to retrieve CRLs ········································································································································ 207 SSH2.0 configuration ················································································································································· 208 SSH2.0 overview ························································································································································· 208 Introduction to SSH2.0 ······································································································································· 208 How does SSH work ··········································································································································· 208 Configuring the device as an SSH server ················································································································· 210 SSH server configuration task list ······················································································································ 210 Generating a DSA or RSA key pair ·················································································································· 211 Enabling the SSH server function ······················································································································ 211 Configuring the user interfaces for SSH clients ································································································ 212 Configuring a client public key ·························································································································· 212 Configuring an SSH user ···································································································································· 213 Setting the SSH management parameters ········································································································ 214 Configuring the device as an SSH client ··················································································································· 215 SSH client configuration task list ························································································································ 215 Specifying a source IP address/interface for the SSH client ·········································································· 215 Configuring whether first-time authentication is supported ············································································· 216 Establishing a connection between the SSH client and server ······································································· 217
viii Displaying and maintaining SSH ······························································································································· 217 SSH server configuration examples ··························································································································· 218 When switch acts as server for password authentication ··············································································· 218 When switch acts as server for publickey authentication ··············································································· 220 SSH client configuration examples····························································································································· 225 When switch acts as client for password authentication ················································································ 225 When switch acts as client for publickey authentication ················································································ 228 SFTP configuration ······················································································································································ 231 SFTP overview······························································································································································· 231 Configuring the device as an SFTP server ················································································································· 231 Configuration prerequisites ································································································································ 231 Enabling the SFTP server ···································································································································· 231 Configuring the SFTP connection idle timeout period ····················································································· 231 Configuring the device an SFTP client ······················································································································· 232 Specifying a source IP address or interface for the SFTP client······································································ 232 Establishing a connection to the SFTP server ···································································································· 232 Working with SFTP directories ··························································································································· 233 Working with SFTP files ······································································································································ 233 Displaying help information ······························································································································· 234 Terminating the connection to the remote SFTP server ···················································································· 234 SFTP client configuration example ····························································································································· 235 SFTP server configuration example ···························································································································· 238 SSL configuration ························································································································································ 241 SSL overview ································································································································································· 241 SSL security mechanism ······································································································································ 241 SSL protocol stack ··············································································································································· 242 SSL configuration task list ············································································································································ 242 Configuring an SSL server policy ······························································································································· 242 Configuration prerequisites ································································································································ 242 Configuration procedure ···································································································································· 243 SSL server policy configuration example ·········································································································· 243 Configuring an SSL client policy ································································································································ 245 Configuration prerequisites ································································································································ 245 Configuration procedure ···································································································································· 245 Displaying and maintaining SSL ································································································································ 246 Troubleshooting SSL ····················································································································································· 246 SSL handshake failure ········································································································································· 246 TCP attack protection configuration ·························································································································· 248 TCP attack protection overview ·································································································································· 248 Enabling the SYN cookie feature ······························································································································· 248 Displaying and maintaining TCP attack protection ·································································································· 248 IP source guard configuration ··································································································································· 249 IP source guard overview ············································································································································ 249 Introduction to IP source guard ·························································································································· 249 IP source guard binding ····································································································································· 249 Configuring IPv4 source guard binding ···················································································································· 251 Configuring a static IPv4 source guard binding entry ···················································································· 252 Configuring the dynamic IPv4 source guard binding function ······································································· 252 Configuring IPv6 source guard binding ···················································································································· 253 Configuring a static IPv6 source guard binding entry ···················································································· 253 Configuring the dynamic IPv6 source guard binding function ······································································· 254 Displaying and maintaining IP source guard ············································································································ 255 IP source guard configuration examples ··················································································································· 256
ix Static IPv4 source guard binding entry configuration example ····································································· 256 Global static binding excluded port configuration example ·········································································· 257 Dynamic IPv4 source guard binding by DHCP snooping configuration example ······································· 259 Dynamic IPv4 source guard binding by DHCP relay configuration example ·············································· 260 Static IPv6 source guard binding entry configuration example ····································································· 261 Dynamic IPv6 source guard binding by DHCPv6 snooping configuration example ··································· 262 Dynamic IPv6 source guard binding by ND snooping configuration example ··········································· 263 Troubleshooting IP source guard ································································································································ 264 Neither static binding entries nor the dynamic binding function can be configured ·································· 264 ARP attack protection configuration ························································································································· 265 ARP attack protection overview ·································································································································· 265 ARP attack protection configuration task list ············································································································· 265 Configuring ARP defense against IP packet attacks ································································································· 266 Introduction ·························································································································································· 266 Configuring ARP source suppression ················································································································ 266 Enabling ARP black hole routing ······················································································································· 267 Displaying and maintaining ARP defense against IP packet attacks ····························································· 267 Configuring ARP packet rate limit ······························································································································ 267 Introduction ·························································································································································· 267 Configuring ARP packet rate limit ····················································································································· 267 Configuring source MAC address based ARP attack detection ············································································· 268 Introduction ·························································································································································· 268 Configuration procedure ···································································································································· 268 Displaying and maintaining source MAC address based ARP attack detection ········································· 269 Configuring ARP packet source MAC address consistency check ········································································· 269 Introduction ·························································································································································· 269 Configuration procedure ···································································································································· 269 Configuring ARP active acknowledgement ··············································································································· 270 Introduction ·························································································································································· 270 Configuration procedure ···································································································································· 270 Configuring ARP detection ·········································································································································· 270 Introduction ·························································································································································· 270 Enabling ARP detection based on static IP source guard binding Entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses ··············································································································· 271 Configuring ARP detection based on specified objects ·················································································· 272 Configuring ARP restricted forwarding ············································································································· 273 Displaying and maintaining ARP detection ······································································································ 273 ARP detection configuration example I ············································································································· 273 ARP detection configuration example II ············································································································ 275 ARP restricted forwarding configuration example ··························································································· 276 Configuring ARP automatic scanning and fixed ARP ······························································································ 278 Introduction ·························································································································································· 278 Configuration procedure ···································································································································· 278 Configuring ARP gateway protection ························································································································ 279 Introduction ·························································································································································· 279 Configuration procedure ···································································································································· 279 ARP gateway protection configuration example······························································································ 280 Configuring ARP filtering ············································································································································· 280 Introduction ·························································································································································· 280 Configuration procedure ···································································································································· 281 ARP filtering configuration example ·················································································································· 281 ND attack defense configuration ······························································································································ 283 Introduction to ND attack defense ······························································································································ 283 Enabling source MAC consistency check for ND packets······················································································· 284
x Configuring the ND detection function ······················································································································ 284 Introduction to ND detection ······························································································································ 284 Configuring ND detection ·································································································································· 285 Displaying and maintaining ND detection ······································································································· 285 ND detection configuration example ························································································································· 286 Support and other resources ····································································································································· 288 Contacting HP ······························································································································································ 288 Subscription service ············································································································································ 288 Related information ······················································································································································ 288 Documents ···························································································································································· 288 Websites ······························································································································································ 288 Conventions ·································································································································································· 289 Index ············································································································································································· 291