HPE FlexNetwork MSR Router Series Comware 7 Security Configuration Guide Part number: 5200-3024 Software version: MSR-CMW710-R0413Document version: 6W102-20170101

© Copyright 2017 Hewlett Packard Enterprise Development LP

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries.

Microsoft® and Windows® are trademarks of the Microsoft group of companies.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Java and Oracle are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of The Open Group.

i

Contents

Configuring AAA ··············································································1 Overview ···································································································································· 1

RADIUS ······························································································································ 2 HWTACACS ························································································································ 6 LDAP ·································································································································· 9 AAA implementation on the device ························································································· 12 AAA for MPLS L3VPNs ········································································································ 14 Protocols and standards ······································································································· 14 RADIUS attributes ··············································································································· 15

FIPS compliance ························································································································ 17 AAA configuration considerations and task list ················································································· 18 Configuring AAA schemes ··········································································································· 19

Configuring local users ········································································································· 19 Configuring RADIUS schemes ······························································································· 26 Configuring HWTACACS schemes ························································································· 36 Configuring LDAP schemes ·································································································· 42

Configuring AAA methods for ISP domains ····················································································· 46 Configuration prerequisites···································································································· 47 Creating an ISP domain ········································································································ 47 Configuring ISP domain attributes ·························································································· 48 Configuring authentication methods for an ISP domain ······························································· 50 Configuring authorization methods for an ISP domain ································································ 51 Configuring accounting methods for an ISP domain ··································································· 53

Configuring the session-control feature ·························································································· 55 Configuring the RADIUS DAE server feature ··················································································· 55 Changing the DSCP priority for RADIUS packets ············································································· 56 Setting the maximum number of concurrent login users ····································································· 56 Configuring and applying an ITA policy ·························································································· 57 Configuring a NAS-ID profile ········································································································ 58 Configuring the device ID ············································································································ 58 Displaying and maintaining AAA ··································································································· 58 AAA configuration examples ········································································································ 59

Authentication and authorization for SSH users by a RADIUS server ············································ 59 Local authentication and authorization for SSH users ································································· 62 AAA for SSH users by an HWTACACS server ·········································································· 63 Authentication for SSH users by an LDAP server ······································································ 65 AAA for PPP users by an HWTACACS server ·········································································· 70 ITA configuration example for IPoE users ················································································ 71 Local guest configuration and management example ································································· 75

Troubleshooting RADIUS ············································································································ 77 RADIUS authentication failure ······························································································· 77 RADIUS packet delivery failure ······························································································ 77 RADIUS accounting error ······································································································ 78

Troubleshooting HWTACACS······································································································· 78 Troubleshooting LDAP ················································································································ 78

LDAP authentication failure ··································································································· 78 802.1X overview ············································································ 80

802.1X architecture ···················································································································· 80 Controlled/uncontrolled port and port authorization status ·································································· 80 802.1X-related protocols ············································································································· 81

Packet formats ···················································································································· 81 EAP over RADIUS ··············································································································· 82

802.1X authentication initiation ····································································································· 83 802.1X client as the initiator ·································································································· 83 Access device as the initiator ································································································· 84

802.1X authentication procedures ································································································· 84

ii

Comparing EAP relay and EAP termination ·············································································· 85 EAP relay ·························································································································· 85 EAP termination ·················································································································· 87

Configuring 802.1X ········································································· 89 Access control methods ·············································································································· 89 802.1X VLAN manipulation ·········································································································· 89

Authorization VLAN ············································································································· 89 Guest VLAN ······················································································································· 91 Auth-Fail VLAN ··················································································································· 92 Critical VLAN ······················································································································ 92

Using 802.1X authentication with other features ··············································································· 94 ACL assignment ·················································································································· 94 EAD assistant ····················································································································· 94 SmartOn ···························································································································· 95

Compatibility information ············································································································· 96 Feature and hardware compatibility ························································································ 96 Command and hardware compatibility ····················································································· 96

Configuration prerequisites ·········································································································· 96 802.1X configuration task list ········································································································ 97 Enabling 802.1X ························································································································ 97 Enabling EAP relay or EAP termination ·························································································· 97 Setting the port authorization state ································································································ 98 Specifying an access control method ····························································································· 99 Setting the maximum number of concurrent 802.1X users on a port ····················································· 99 Setting the maximum number of authentication request attempts ······················································ 100 Setting the 802.1X authentication timeout timers ············································································ 100 Configuring online user handshake ······························································································ 100

Configuration guidelines ····································································································· 101 Configuration procedure ····································································································· 101

Configuring the authentication trigger feature ················································································ 101 Configuration guidelines ····································································································· 102 Configuration procedure ····································································································· 102

Specifying a mandatory authentication domain on a port ································································· 102 Setting the quiet timer ··············································································································· 103 Enabling the periodic online user reauthentication feature ································································ 103 Configuring an 802.1X guest VLAN ····························································································· 104

Configuration guidelines ····································································································· 104 Configuration procedure ····································································································· 104

Configuring an 802.1X Auth-Fail VLAN························································································· 104 Configuration guidelines ····································································································· 104 Configuration procedure ····································································································· 104

Configuring an 802.1X critical VLAN ···························································································· 105 Configuration guidelines ····································································································· 105 Configuration procedure ····································································································· 105

Specifying supported domain name delimiters ··············································································· 105 Configuring the EAD assistant feature ·························································································· 106 Configuring 802.1X SmartOn······································································································ 106 Displaying and maintaining 802.1X ······························································································ 107 802.1X authentication configuration examples ··············································································· 108

Basic 802.1X authentication configuration example ································································· 108 802.1X guest VLAN and authorization VLAN configuration example············································ 110 802.1X with ACL assignment configuration example ································································ 112 802.1X with EAD assistant configuration example (with DHCP relay agent) ·································· 114 802.1X with EAD assistant configuration example (with DHCP server) ········································ 117 802.1X SmartOn configuration example ················································································· 119

Troubleshooting 802.1X ············································································································ 120 EAD assistant for Web browser users ··················································································· 120

Configuring MAC authentication ······················································ 122 Overview ································································································································ 122

User account policies ········································································································· 122

iii

Authentication methods ······································································································ 122 VLAN assignment·············································································································· 123 ACL assignment ················································································································ 123 Periodic MAC reauthentication ····························································································· 124

Compatibility information ··········································································································· 124 Feature and hardware compatibility ······················································································ 124 Command and hardware compatibility ··················································································· 124

Configuration prerequisites ········································································································ 125 Configuration task list················································································································ 125 Enabling MAC authentication ····································································································· 125 Specifying a MAC authentication domain ······················································································ 126 Configuring the user account format ···························································································· 126 Configuring MAC authentication timers························································································· 127 Setting the maximum number of concurrent MAC authentication users on a port ·································· 127 Configuring MAC authentication delay·························································································· 128 Enabling MAC authentication multi-VLAN mode on a port ································································ 128 Configuring the keep-online feature ····························································································· 129 Including user IP addresses in MAC authentication requests ···························································· 129 Displaying and maintaining MAC authentication ············································································· 130 MAC authentication configuration examples ·················································································· 130

Local MAC authentication configuration example ····································································· 130 RADIUS-based MAC authentication configuration example ······················································· 132 ACL assignment configuration example ················································································· 134

Configuring portal authentication ····················································· 137 Overview ································································································································ 137

Extended portal functions ···································································································· 137 Portal system components ·································································································· 137 Portal system using the local portal Web server ······································································ 139 Interaction between portal system components ······································································· 139 Portal authentication modes ································································································ 140 Portal support for EAP ········································································································ 141 Portal authentication process ······························································································· 141 Portal packet filtering rules ·································································································· 143 BYOD support ·················································································································· 144 MAC-based quick portal authentication ·················································································· 144

Compatibility information ··········································································································· 145 Feature and hardware compatibility ······················································································ 145 Command and hardware compatibility ··················································································· 145

Portal configuration task list ······································································································· 146 Configuration prerequisites ········································································································ 147 Configuring a portal authentication server ····················································································· 147 Configuring a portal Web server ·································································································· 148 Enabling portal authentication····································································································· 149

Configuration restrictions and guidelines ················································································ 150 Configuration procedure ····································································································· 150

Specifying a portal Web server ··································································································· 151 Controlling portal user access····································································································· 152

Configuring a portal-free rule ······························································································· 152 Configuring an authentication source subnet ·········································································· 153 Configuring an authentication destination subnet ····································································· 154 Setting the maximum number of portal users ·········································································· 154 Specifying a portal authentication domain ·············································································· 155 Specifying a preauthentication domain ·················································································· 156 Specifying a preauthentication IP address pool for portal users ·················································· 157 Enabling strict-checking on portal authorization information ······················································· 158 Enabling portal authentication only for DHCP users ································································· 159 Enabling outgoing packets filtering on a portal-enabled interface ················································ 159

Configuring portal detection features ···························································································· 160 Configuring online detection of portal users ············································································ 160 Configuring portal authentication server detection ···································································· 161 Configuring portal Web server detection ················································································ 162

iv

Configuring portal user synchronization ················································································· 163 Configuring the portal fail-permit feature ······················································································· 163 Configuring BAS-IP for portal packets sent to the portal authentication server ····································· 164 Specifying a format for the NAS-Port-ID attribute ··········································································· 165 Specifying the device ID ············································································································ 166 Enabling portal roaming ············································································································ 166 Logging out online portal users ··································································································· 166 Disabling traffic accounting for portal users ··················································································· 167 Configuring Web redirect ··········································································································· 167 Applying a NAS-ID profile to an interface ······················································································ 168 Configuring the local portal Web server feature ·············································································· 169

Customizing authentication pages ························································································ 169 Configuring a local portal Web server ···················································································· 171 Enabling validity check on wireless clients·············································································· 172 Automatically logging out wireless portal users ······································································· 173 Enabling ARP or ND entry conversion for portal clients ····························································· 173

Configuring HTTPS redirect ······································································································· 174 Configuring MAC-based quick portal authentication ········································································ 174

Configuring a remote MAC binding server ·············································································· 174 Configuring a local MAC binding server ················································································· 175 Specifying a MAC binding server on an interface ····································································· 176 Specifying a MAC binding server on a service template ···························································· 176

Configuring NAS-Port-Type ········································································································ 176 Configuring portal safe-redirect ··································································································· 177 Setting the interval at which an AP reports traffic statistics to the AC ·················································· 179 Excluding an attribute from portal protocol packets ········································································· 179 Enabling portal logging ·············································································································· 179 Configuring portal support for third-party authentication ··································································· 180

Editing buttons and pages for third-party authentication ···························································· 180 Configuring a third-party authentication server ········································································ 181 Specifying an authentication domain for third-party authentication ·············································· 182

Configuring portal temporary pass ······························································································· 182 Displaying and maintaining portal ································································································ 183 Portal configuration examples (wired application) ··········································································· 185

Configuring direct portal authentication ·················································································· 185 Configuring re-DHCP portal authentication ············································································· 194 Configuring cross-subnet portal authentication ········································································ 198 Configuring extended direct portal authentication ···································································· 201 Configuring extended re-DHCP portal authentication ······························································· 204 Configuring extended cross-subnet portal authentication ·························································· 208 Configuring portal server detection and portal user synchronization ············································ 212 Configuring cross-subnet portal authentication for MPLS L3VPNs ·············································· 221 Configuring direct portal authentication with a preauthentication domain ······································ 223 Configuring re-DHCP portal authentication with a preauthentication domain ································· 225 Configuring direct portal authentication using the local portal Web server ····································· 228

Portal configuration examples (wireless application) ······································································· 231 Configuring direct portal authentication ·················································································· 231 Verifying the configuration ··································································································· 239 Configuring MAC-based quick portal authentication ································································· 240

Troubleshooting portal ·············································································································· 248 No portal authentication page is pushed for users ···································································· 248 Cannot log out portal users on the access device ···································································· 248 Cannot log out portal users on the RADIUS server ·································································· 249 Users logged out by the access device still exist on the portal authentication server ······················· 249 Re-DHCP portal authenticated users cannot log in successfully ················································· 249

Configuring port security ································································ 251 Overview ································································································································ 251

Port security features ········································································································· 251 Port security modes ··········································································································· 252

Feature and hardware compatibility ····························································································· 254 Configuration task list················································································································ 254

v

Enabling port security ··············································································································· 255 Setting port security's limit on the number of secure MAC addresses on a port ···································· 255 Setting the port security mode ···································································································· 256 Configuring port security features ································································································ 257

Configuring NTK ··············································································································· 257 Configuring intrusion protection ···························································································· 258

Configuring secure MAC addresses ····························································································· 258 Configuration prerequisites·································································································· 259 Configuration procedure ····································································································· 259

Ignoring authorization information from the server ·········································································· 260 Enabling MAC move ················································································································· 260 Enabling the authorization-fail-offline feature ················································································· 261 Applying a NAS-ID profile to port security ····················································································· 261 Enabling SNMP notifications for port security ················································································ 262 Displaying and maintaining port security ······················································································· 262 Port security configuration examples ···························································································· 262

autoLearn configuration example·························································································· 262 userLoginWithOUI configuration example ·············································································· 265 macAddressElseUserLoginSecure configuration example ························································· 268

Troubleshooting port security ····································································································· 272 Cannot set the port security mode ························································································ 272 Cannot configure secure MAC addresses ·············································································· 272

Configuring user profiles ································································ 273 Overview ································································································································ 273 Command and hardware compatibility·························································································· 273 Configuration restrictions and guidelines ······················································································ 273 Configuring a user profile ··········································································································· 273 Displaying and maintaining user profiles ······················································································· 274

Configuring password control ·························································· 275 Overview ································································································································ 275

Password setting ··············································································································· 275 Password updating and expiration ························································································ 276 User login control ·············································································································· 277 Password not displayed in any form ······················································································ 277 Logging ··························································································································· 277

FIPS compliance ······················································································································ 278 Password control configuration task list ························································································ 278 Enabling password control ········································································································· 278 Setting global password control parameters ·················································································· 279 Setting user group password control parameters ············································································ 280 Setting local user password control parameters ············································································· 281 Setting super password control parameters ··················································································· 281 Displaying and maintaining password control ················································································ 282 Password control configuration example ······················································································· 282

Network requirements ········································································································ 282 Configuration procedure ····································································································· 283 Verifying the configuration ··································································································· 284

Configuring keychains ··································································· 286 Overview ································································································································ 286 Configuration procedure ············································································································ 286 Displaying and maintaining keychain ··························································································· 286 Keychain configuration example ································································································· 287

Network requirements ········································································································ 287 Configuration procedure ····································································································· 287 Verifying the configuration ··································································································· 288

Managing public keys ···································································· 292 Overview ································································································································ 292 FIPS compliance ······················································································································ 292

vi

Creating a local key pair ············································································································ 292 Distributing a local host public key ······························································································· 294

Exporting a host public key·································································································· 294 Displaying a host public key ································································································ 294

Destroying a local key pair ········································································································· 295 Configuring a peer host public key ······························································································· 295

Importing a peer host public key from a public key file ······························································ 295 Entering a peer host public key ···························································································· 296

Displaying and maintaining public keys ························································································ 296 Examples of public key management ··························································································· 296

Example for entering a peer host public key ··········································································· 296 Example for importing a public key from a public key file ··························································· 298

Configuring PKI ··········································································· 301 Overview ································································································································ 301

PKI terminology ················································································································ 301 PKI architecture ················································································································ 302 PKI operation ··················································································································· 302 PKI applications ················································································································ 303 Support for MPLS L3VPN ··································································································· 303

FIPS compliance ······················································································································ 304 PKI configuration task list ·········································································································· 304 Configuring a PKI entity ············································································································· 304 Configuring a PKI domain ·········································································································· 305 Requesting a certificate ············································································································· 307

Configuration guidelines ····································································································· 308 Configuring automatic certificate request ··············································································· 308 Manually requesting a certificate ·························································································· 309

Aborting a certificate request ······································································································ 309 Obtaining certificates ················································································································ 309

Configuration prerequisites·································································································· 310 Configuration guidelines ····································································································· 310 Configuration procedure ····································································································· 310

Verifying PKI certificates ············································································································ 311 Verifying certificates with CRL checking ················································································· 311 Verifying certificates without CRL checking ············································································ 312

Specifying the storage path for the certificates and CRLs ································································ 312 Exporting certificates ················································································································ 312 Removing a certificate··············································································································· 313 Configuring a certificate-based access control policy ······································································ 314 Displaying and maintaining PKI ·································································································· 315 PKI configuration examples ········································································································ 315

Requesting a certificate from an RSA Keon CA server ····························································· 315 Requesting a certificate from a Windows Server 2003 CA server ················································ 318 Requesting a certificate from an OpenCA server ····································································· 321 IKE negotiation with RSA digital signature from a Windows Server 2003 CA server ······················· 324 Certificate-based access control policy configuration example ··················································· 327 Certificate import and export configuration example ································································· 328

Troubleshooting PKI configuration ······························································································· 334 Failed to obtain the CA certificate ························································································· 334 Failed to obtain local certificates ··························································································· 334 Failed to request local certificates ························································································· 335 Failed to obtain CRLs ········································································································· 336 Failed to import the CA certificate ························································································· 336 Failed to import a local certificate ························································································· 337 Failed to export certificates·································································································· 337 Failed to set the storage path ······························································································ 338

Configuring IPsec ········································································· 339 Overview ································································································································ 339

Security protocols and encapsulation modes ·········································································· 339 Security association ··········································································································· 341

vii

Authentication and encryption ······························································································ 341 IPsec implementation ········································································································· 342 IPsec RRI ························································································································ 344 Protocols and standards ····································································································· 345

FIPS compliance ······················································································································ 345 IPsec tunnel establishment ········································································································ 345 Implementing ACL-based IPsec ·································································································· 346

Configuring an ACL ··········································································································· 347 Configuring an IPsec transform set ······················································································· 350 Configuring a manual IPsec policy ························································································ 352 Configuring an IKE-based IPsec policy ·················································································· 354 Applying an IPsec policy to an interface ················································································· 357 Enabling ACL checking for de-encapsulated packets ······························································· 358 Configuring IPsec anti-replay ······························································································· 358 Configuring IPsec anti-replay redundancy ·············································································· 359 Binding a source interface to an IPsec policy ·········································································· 360 Enabling QoS pre-classify ··································································································· 360 Enabling logging of IPsec packets ························································································ 361 Configuring the DF bit of IPsec packets ················································································· 361 Configuring IPsec RRI ········································································································ 362

Configuring IPsec for IPv6 routing protocols ·················································································· 363 Configuration task list ········································································································· 363 Configuring a manual IPsec profile ······················································································· 363

Configuring IPsec for tunnels······································································································ 365 Configuration task list ········································································································· 365 Configuring an IKE-based IPsec profile ················································································· 365 Applying an IKE-based IPsec profile to a tunnel interface ·························································· 366

Configuring SNMP notifications for IPsec ······················································································ 367 Configuring IPsec fragmentation ································································································· 367 Setting the maximum number of IPsec tunnels ·············································································· 368 Enabling logging for IPsec negotiation·························································································· 368 Displaying and maintaining IPsec ································································································ 368 IPsec configuration examples ····································································································· 369

Configuring a manual mode IPsec tunnel for IPv4 packets ························································ 369 Configuring an IKE-based IPsec tunnel for IPv4 packets ··························································· 372 Configuring an IKE-based IPsec tunnel for IPv6 packets ··························································· 376 Configuring IPsec for RIPng ································································································ 379 Configuring IPsec RRI ········································································································ 382 Configuring IPsec tunnel interface-based IPsec for IPv4 packets ················································ 386

Configuring IKE ··········································································· 391 Overview ································································································································ 391

IKE negotiation process ······································································································ 391 IKE security mechanism ····································································································· 392 Protocols and standards ····································································································· 393

FIPS compliance ······················································································································ 393 IKE configuration prerequisites ···········�