To do: Display information about users blacklisted due to authentication failure
  Use the command: display password-control blacklist [ user-name name | ip ipv4-address | ipv6 ipv6-address ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view

To do: Delete users from the blacklist
  Use the command: reset password-control blacklist [ user-name name ]
  Remarks: Available in user view

To do: Clear history password records
  Use the command: reset password-control history-record [ user-name name | super [ level level ] ]
  Remarks: Available in user view
     
NOTE:
The reset password-control history-record command can delete the history password records of one or all users even when the password history function is disabled.
Password control configuration example

Network requirements
Implementing the following global password control policy:
- An FTP or VTY user failing to provide the correct password in two successive login attempts is permanently prohibited from logging in.
- A user can log in five times within 60 days after the password expires.
- The password aging time is 30 days.
- The minimum password update interval is 36 hours.
- The maximum account idle time is 30 days.
- A password cannot contain the username or the reverse of the username.
- No character occurs consecutively three or more times in a password.
Implementing the following super password control policy:
- A super password must contain at least three types of valid characters, five or more of each type.
Implementing the following password control policy for local Telnet user test:
- The password must contain at least 12 characters.
- The password must consist of at least two types of valid characters, five or more of each type.
- The password aging time is 20 days.
Configuration procedure
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
# Prohibit the user from logging in forever after two successive login failures.
[Sysname] password-control login-attempt 2 exceed lock
# Set the password aging time to 30 days for all passwords.
    [Sysname] password-control aging 30 
    # Set the minimum password update interval to 36 hours. 
    [Sysname] password-control password update interval 36 
    # Specify that a user can log in five times within 60 days after the password expires. 
    [Sysname] password-control expired-user-login delay 60 times 5 
    # Set the maximum account idle time to 30 days. 
    [Sysname] password-control login idle-time 30 
    # Refuse any password that contains the username or the reverse of the username. 
    [Sysname] password-control complexity user-name check 
    # Specify that no character of the password can be repeated three or more times consecutively. 
    [Sysname] password-control complexity same-character check 
# Set the minimum number of composition types for super passwords to 3 and the minimum number of characters of each composition type to 5.
    [Sysname] password-control super composition type-number 3 type-length 5 
    # Configure a super password. 
    [Sysname] super password level 3 simple 12345ABGFTweuix 
    # Create a local user named test. 
    [Sysname] local-user test 
    # Set the service type of the user to Telnet. 
    [Sysname-luser-test] service-type telnet 
    # Set the minimum password length to 12 for the local user. 
    [Sysname-luser-test] password-control length 12 
    # Set the minimum number of password composition types to 2 and the minimum number of characters of 
    each password composition type to 5 for the local user. 
    [Sysname-luser-test] password-control composition type-number 2 type-length 5 
    # Set the password aging time to 20 days for the local user. 
    [Sysname-luser-test] password-control aging 20 
    # Configure the password of the local user in interactive mode. 
    [Sysname-luser-test] password 
    Password:*********** 
    Confirm :*********** 
    Updating user(s) information, please wait........ 
    [Sysname-luser-test] quit 
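As an added example that is not part of the manual, the following Python function applies the complexity rules configured above (minimum length, composition type-number and type-length, the username and reversed-username check, and the same-character check) to a candidate password. The four character classes (uppercase, lowercase, digits, other) and the reading of type-length as applying to the types that are counted towards type-number are assumptions; the switch performs these checks itself, and this code only illustrates them.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Subset of the password-control settings used on this page."""
    min_length: int               # password-control length
    type_number: int              # composition type-number
    type_length: int              # composition type-length
    username_check: bool = True   # complexity user-name check
    same_char_check: bool = True  # complexity same-character check


# Policies taken from the configuration example above.
LOCAL_USER_TEST_POLICY = PasswordPolicy(min_length=12, type_number=2, type_length=5)
SUPER_POLICY = PasswordPolicy(min_length=10, type_number=3, type_length=5)

# Assumed character classes; the manual speaks of "types of valid characters"
# without listing them.
CHAR_CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum(),
}

# Any character immediately followed by two more copies of itself.
TRIPLE_RE = re.compile(r"(.)\1\1")


def check_password(password: str, username: str, policy: PasswordPolicy) -> list[str]:
    """Return every policy violation found; an empty list means the password is accepted."""
    problems: list[str] = []

    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")

    # Assumed reading of type-number/type-length: at least type-number classes
    # must each contribute at least type-length characters.
    counts = {name: sum(1 for c in password if test(c)) for name, test in CHAR_CLASSES.items()}
    qualifying = [name for name, n in counts.items() if n >= policy.type_length]
    if len(qualifying) < policy.type_number:
        problems.append(
            f"only {len(qualifying)} character type(s) with at least "
            f"{policy.type_length} characters, need {policy.type_number}"
        )

    # user-name check: neither the username nor its reverse may appear.
    if policy.username_check and username:
        if username in password or username[::-1] in password:
            problems.append("contains the username or the reversed username")

    if policy.same_char_check and TRIPLE_RE.search(password):
        problems.append("a character occurs three or more times consecutively")

    return problems
```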
Verification
# Display the global password control configuration information.
<Sysname> display password-control
Global password control configurations:
 Password control:                    Enabled
 Password aging:                      Enabled (30 days)
 Password length:                     Enabled (10 characters)
 Password composition:                Enabled (1 types,  1 characters per type)
 Password history:                    Enabled (max history record:4)
 Early notice on password expiration: 7 days
     User authentication timeout:         60 seconds 
     Maximum failed login attempts:       2 times 
     Login attempt-failed action:         Lock 
     Minimum password update time:        36 hours 
     User account idle-time:              30 days 
     Login with aged password:            5 times in 60 day(s) 
     Password complexity:                 Enabled (username checking) 
                                          Enabled (repeated characters checking) 
# Display the password control configuration information for super passwords.
<Sysname> display password-control super
 Super password control configurations:
 Password aging:                      Enabled (30 days)
 Password length:                     Enabled (10 characters)
 Password composition:                Enabled (3 types,  5 characters per type)
# Display the password control configuration information for the local user test.
<Sysname> display local-user user-name test
The contents of local user test:
 State:                    Active
 ServiceType:              telnet
 Access-limit:             Disable           Current AccessNum: 0
 User-group:               system
 Bind attributes:
 Authorization attributes:
 Password-Aging:                       Enabled (20 day(s))
 Password-Length:                      Enabled (12 characters)
 Password-Composition:                 Enabled (2 type(s),  5 character(s) per type)
Total 1 local user(s) matched.
HABP configuration

HABP overview
The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network devices of an access device to bypass 802.1X authentication and MAC authentication configured on the access device.
As shown in Figure 49, 802.1X authenticator Switch A has two switches attached to it: Switch B and Switch C. On Switch A, 802.1X authentication is enabled globally and on the ports connecting the downstream network devices. The end-user devices (the supplicants) run the 802.1X client software for 802.1X authentication. For Switch B and Switch D, where an 802.1X client is not supported (which is typical of network devices), the communication between them will fail because they cannot pass 802.1X authentication and their packets will be blocked on Switch A. To allow the two switches to communicate, you can use HABP.
Figure 49 Network diagram for HABP application
[Figure not reproduced. Labels: Internet; Authentication server; Switch A (Authenticator, 802.1X enabled); Switch B, Switch C, Switch D, Switch E; Supplicants]

HABP is a link layer protocol that works above the MAC layer. It is built on the client-server model. Generally, the HABP server is enabled on the authentication device (which is configured with 802.1X or MAC authentication, such as Switch A in Figure 49), and the attached switches function as the HABP clients, such as Switch B through Switch E in the example. No device can function as both an HABP server and a client at the same time. Typically, the HABP server sends HABP requests to all its clients periodically to collect their MAC addresses, and the clients respond to the requests. After the server learns the MAC addresses of all the clients, it registers the MAC addresses as HABP entries. Then, link layer frames exchanged between the clients can bypass the 802.1X authentication on ports of the server without affecting the normal operation of the whole network. All HABP packets must travel in a specified VLAN. Communication between the HABP server and HABP clients is implemented through this VLAN.
CAUTION:
- In a cluster, if a member switch with 802.1X authentication or MAC authentication enabled is attached with some other member switches of the cluster, you also need to configure HABP server on this device. Otherwise, the cluster management device will not be able to manage the devices attached to this member switch.
- For more information about the cluster function, see the Network Management and Monitoring Configuration Guide.
Configuring HABP

Configuring the HABP server
An HABP server is usually configured on the authentication device enabled with 802.1X authentication or MAC address authentication. The HABP server sends HABP requests to the attached switches (HABP clients) at a specified interval, collecting their MAC addresses from the responses. HABP packets are transmitted in the VLAN specified on the HABP server.
Follow these steps to configure an HABP server:

To do: Enter system view
  Use the command: system-view
  Remarks: —

To do: Enable HABP
  Use the command: habp enable
  Remarks: Optional. Enabled by default.

To do: Configure HABP to work in server mode and specify the VLAN for HABP packets
  Use the command: habp server vlan vlan-id
  Remarks: Required. HABP works in client mode by default.

To do: Set the interval to send HABP requests
  Use the command: habp timer interval
  Remarks: Optional. 20 seconds by default.
     
NOTE:
The VLAN specified on the HABP server for transmitting HABP packets must be the same as that to which the HABP clients belong.
Configuring an HABP client
An HABP client is usually configured on each device attached to the authentication device. After receiving an HABP request from the HABP server, an HABP client responds to the request, delivering its MAC address to the server, and forwards the HABP request to its attached switches. HABP packets are transmitted in the VLAN to which the HABP client belongs.
Follow these steps to configure an HABP client:

To do: Enter system view
  Use the command: system-view
  Remarks: —

To do: Enable HABP
  Use the command: habp enable
  Remarks: Optional. Enabled by default.

To do: Configure HABP to work in client mode
  Use the command: undo habp server
  Remarks: Optional. HABP works in client mode by default.

To do: Specify the VLAN to which the HABP client belongs
  Use the command: habp client vlan vlan-id
  Remarks: Optional. By default, an HABP client belongs to VLAN 1.
     
NOTE:
The VLAN to which an HABP client belongs must be the same as that specified on the HABP server for transmitting HABP packets.
Displaying and maintaining HABP

To do: Display HABP configuration information
  Use the command: display habp [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view

To do: Display HABP MAC address table entries
  Use the command: display habp table [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view

To do: Display HABP packet statistics
  Use the command: display habp traffic [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
     
HABP configuration example

Network requirements
As shown in Figure 50, access devices Switch B and Switch C are connected to Switch A. 802.1X authentication is configured on Switch A for central authentication and management of users (Host A through Host D).
- For communication between Switch B and Switch C, enable HABP server on Switch A, enable HABP client on Switch B and Switch C, and specify VLAN 1 for HABP packets.
- On Switch A, configure the HABP server to send HABP request packets to the HABP clients in VLAN 1 at an interval of 50 seconds.
Figure 50 Network diagram for HABP configuration
[Figure not reproduced. Labels: Internet; Authentication server; Switch A (HABP server); Switch B and Switch C (HABP client, VLAN 1); GE1/0/1, GE1/0/2; Host A, Host B, Host C, Host D]

Configuration procedure
1. Configure Switch A
# Perform 802.1X related configurations on Switch A. For more information about 802.1X configurations, see the chapter "802.1X configuration."
# Enable HABP. (Because HABP is enabled by default, this configuration is optional.)
<SwitchA> system-view
[SwitchA] habp enable
# Configure HABP to work in server mode, and specify VLAN 1 for HABP packets.
[SwitchA] habp server vlan 1
# Set the interval at which the switch sends HABP request packets to 50 seconds.
[SwitchA] habp timer 50
2. Configure Switch B
# Enable HABP. (Because HABP is enabled by default, this configuration is optional.)
<SwitchB> system-view
[SwitchB] habp enable
# Configure HABP to work in client mode. (Because HABP works in client mode by default, this configuration is optional.)
[SwitchB] undo habp server
# Specify the VLAN to which the HABP client belongs as VLAN 1. (Because an HABP client belongs to VLAN 1 by default, this configuration is optional.)
[SwitchB] habp client vlan 1
3. Configure Switch C
    Configurations on Switch C are similar to those on Switch B. 
4. Verify your configuration
# Display HABP configuration information.
<SwitchA> display habp
Global HABP information:
         HABP Mode: Server
         Sending HABP request packets every 50 seconds
         Bypass VLAN: 1
# Display HABP MAC address table entries.
<SwitchA> display habp table
MAC             Holdtime  Receive Port
001f-3c00-0030  53        GigabitEthernet1/0/2
001f-3c00-0031  53        GigabitEthernet1/0/1
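Because every HABP entry is a MAC address whose frames bypass 802.1X on the server's ports (see the HABP overview), the table is worth checking against inventory. As an added example that is not part of the manual, the following Python parses the display habp table output shown in the verification step and reports entries that are not known HABP clients, arrive on an unexpected port, or are missing altogether; the client-to-port inventory and the unknown MAC used in the comments are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# "display habp table" output copied from the verification step on this page.
SAMPLE_HABP_TABLE = """\
MAC             Holdtime  Receive Port
001f-3c00-0030  53        GigabitEthernet1/0/2
001f-3c00-0031  53        GigabitEthernet1/0/1
"""

# Constructed inventory: the switches that are supposed to be HABP clients and
# the Switch A port each should be learned on (the manual does not state this).
EXPECTED_CLIENTS = {
    "001f-3c00-0031": ("Switch B", "GigabitEthernet1/0/1"),
    "001f-3c00-0030": ("Switch C", "GigabitEthernet1/0/2"),
}

# One table row: Comware-style MAC, holdtime in seconds, receive port.
ENTRY_RE = re.compile(
    r"^([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+(\d+)\s+(\S+)$"
)


@dataclass(frozen=True)
class HabpEntry:
    mac: str
    holdtime: int
    port: str


def parse_habp_table(output: str) -> list[HabpEntry]:
    """Parse the rows of "display habp table"; the header and blank lines are skipped."""
    entries: list[HabpEntry] = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HabpEntry(m.group(1).lower(), int(m.group(2)), m.group(3)))
    return entries


def audit_habp_table(entries: list[HabpEntry],
                     expected: dict[str, tuple[str, str]]) -> list[str]:
    """Flag HABP entries that are not inventoried clients, sit on the wrong port,
    or are expected but absent. An empty list means the table matches inventory."""
    findings: list[str] = []
    seen: set[str] = set()
    for e in entries:
        seen.add(e.mac)
        if e.mac not in expected:
            findings.append(f"unknown MAC {e.mac} holds an HABP entry on {e.port}")
            continue
        name, port = expected[e.mac]
        if e.port != port:
            findings.append(f"{name} ({e.mac}) learned on {e.port}, expected {port}")
    for mac, (name, _) in expected.items():
        if mac not in seen:
            findings.append(f"{name} ({mac}) missing from the HABP table")
    return findings
```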
Public key configuration

Asymmetric key algorithm overview

Basic concepts
- Algorithm: A set of transformation rules for encryption and decryption.
- Plain text: Information that has not been encrypted.
- Cipher text: Encrypted information.
- Key: A string of characters that controls the transformation between plain text and cipher text. It is used in both encryption and decryption.
Key algorithm types
The information in plain text is encrypted by an algorithm with the help of a key before being sent. The resulting cipher text is transmitted across the network to the receiver, where it is decrypted by the same algorithm with the help of a key to obtain the original plain text.
Figure 51 Encryption and decryption
[Figure not reproduced. Labels: Plain text, Encryption, Key, Cipher text, Decryption, Key, Plain text]

The following types of key algorithms are available, based on whether the keys for encryption and decryption are the same:
- Symmetric key algorithm—The keys for encryption and decryption are the same. Commonly used symmetric key algorithms include Advanced Encryption Standard (AES) and Data Encryption Standard (DES).
- Asymmetric key algorithm—The keys for encryption and decryption are different: one is the public key, and the other is the private key. The information encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. The private key is kept secret, and the public key may be distributed widely. The private key cannot be practically derived from the public key.
Asymmetric key algorithm applications
Asymmetric key algorithms can be used for encryption and digital signature.
- Encryption—The sender uses the public key of the intended receiver to encrypt the information to be sent. Only the intended receiver, the holder of the paired private key, can decrypt the information. This mechanism ensures confidentiality.
- Digital signature—The sender signs the information to be sent by encrypting the information with its own private key. A receiver decrypts the information with the sender's public key and, based on whether the information can be decrypted, determines the authenticity of the information.
The Rivest-Shamir-Adleman Algorithm (RSA) and the Digital Signature Algorithm (DSA) are both asymmetric key algorithms. RSA can be used for data encryption/decryption and signature, whereas DSA is used for signature only.
NOTE:
Symmetric key algorithms are often used to encrypt/decrypt data for security. Asymmetric key algorithms are usually used in digital signature applications for peer identity authentication because they involve complex calculations and are time-consuming. In digital signature applications, only the digests, which are relatively short, are encrypted.
Configuring the local asymmetric key pair
You can create and destroy a local asymmetric key pair, and export the host public key of a local asymmetric key pair.

Creating an asymmetric key pair
Follow these steps to create an asymmetric key pair:

To do: Enter system view
  Use the command: system-view
  Remarks: —

To do: Create a local DSA key pair, or RSA key pairs
  Use the command: public-key local create { dsa | rsa }
  Remarks: Required. By default, no key pair is created.

The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair comprises a public key and a private key. The public-key local create dsa command generates only one key pair, the host key pair.
After you enter the command, you are asked to specify the modulus length. The length of an RSA or DSA key modulus ranges from 512 to 2048 bits. To achieve higher security, specify a modulus of at least 768 bits.
NOTE:
Key pairs created with the public-key local create command are saved automatically and can survive system reboots.

Displaying or exporting the local RSA or DSA host public key
You can display the local RSA or DSA host public key on the screen or export it to a specified file. Then, you can configure the local RSA or DSA host public key on the remote end so that the remote end can use the host public key to authenticate the local end through digital signature.
Follow these steps to display or export the local RSA or DSA host public key: