HP MSR Router Series Security Configuration Guide(V5)
Part number: 5998-8191
Software version: CMW520-R2513
Document version: 6PW106-20150808
Legal and notice information
© Copyright 2015 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
Security overview ···· 1
    Network security threats ···· 1
    Network security services ···· 1
    Network security technologies ···· 2
        Identity authentication ···· 2
        Access security ···· 2
        Data security ···· 3
        Firewall and connection control ···· 3
        Attack detection and protection ···· 4
        Other security technologies ···· 5
Configuring AAA ···· 6
    Overview ···· 6
        RADIUS ···· 7
        HWTACACS ···· 12
        Domain-based user management ···· 14
        RADIUS server feature of the router ···· 15
        AAA for MPLS L3VPNs ···· 16
        Protocols and standards ···· 17
        RADIUS attributes ···· 17
    FIPS compliance ···· 20
    AAA configuration considerations and task list ···· 20
    Configuring AAA schemes ···· 22
        Configuring local users ···· 22
        Configuring RADIUS schemes ···· 27
        Configuring HWTACACS schemes ···· 39
    Configuring AAA methods for ISP domains ···· 45
        Creating an ISP domain ···· 45
        Configuring ISP domain attributes ···· 46
        Configuring authentication methods for an ISP domain ···· 47
        Configuring authorization methods for an ISP domain ···· 50
        Configuring accounting methods for an ISP domain ···· 53
    Tearing down user connections ···· 55
    Configuring a NAS ID-VLAN binding ···· 56
    Configuring the router as a RADIUS server ···· 56
        RADIUS server functions configuration task list ···· 56
        Configuring a RADIUS user ···· 56
        Specifying a RADIUS client ···· 57
    Displaying and maintaining AAA ···· 57
    AAA configuration examples ···· 58
        Authentication/authorization for Telnet/SSH users by a RADIUS server ···· 58
        Local authentication/authorization for Telnet/FTP users ···· 63
        AAA for PPP users by an HWTACACS server ···· 64
        Level switching authentication for Telnet users by a RADIUS server ···· 66
        RADIUS authentication/authorization portal users ···· 70
        RADIUS authentication and authorization for Telnet users by a network device ···· 76
    Troubleshooting AAA ···· 78
        Troubleshooting RADIUS ···· 78
        Troubleshooting HWTACACS ···· 79
802.1X overview ···· 80
    802.1X architecture ···· 80
    Controlled/uncontrolled port and port authorization status ···· 80
    802.1X-related protocols ···· 81
        Packet formats ···· 82
        EAP over RADIUS ···· 83
    Initiating 802.1X authentication ···· 83
        802.1X client as the initiator ···· 83
        Access device as the initiator ···· 84
    802.1X authentication procedures ···· 84
        Comparing EAP relay and EAP termination ···· 85
        EAP relay ···· 85
        EAP termination ···· 86
Configuring 802.1X ···· 88
    HP implementation of 802.1X ···· 88
        Access control methods ···· 88
        Using 802.1X authentication with other features ···· 88
    Configuration prerequisites ···· 91
    802.1X configuration task list ···· 91
    Enabling 802.1X ···· 92
    Enabling EAP relay or EAP termination ···· 92
    Setting the port authorization state ···· 93
    Specifying an access control method ···· 94
    Setting the maximum number of concurrent 802.1X users on a port ···· 94
    Setting the maximum number of authentication request attempts ···· 95
    Setting the 802.1X authentication timeout timers ···· 95
    Configuring the online user handshake function ···· 95
        Configuration guidelines ···· 96
        Configuration procedure ···· 96
    Enabling the proxy detection function ···· 96
    Configuring the authentication trigger function ···· 97
        Configuration guidelines ···· 97
        Configuration procedure ···· 98
    Specifying a mandatory authentication domain on a port ···· 98
    Configuring the quiet timer ···· 98
    Enabling the periodic online user re-authentication function ···· 99
    Configuring an 802.1X guest VLAN ···· 99
        Configuration guidelines ···· 99
        Configuration prerequisites ···· 100
        Configuration procedure ···· 100
    Configuring an Auth-Fail VLAN ···· 100
        Configuration guidelines ···· 100
        Configuration prerequisites ···· 100
        Configuration procedure ···· 101
    Configuring an 802.1X critical VLAN ···· 101
        Configuration guidelines ···· 101
        Configuration prerequisites ···· 101
        Configuration procedure ···· 101
    Specifying supported domain name delimiters ···· 102
    Displaying and maintaining 802.1X ···· 102
    802.1X authentication configuration example ···· 103
        Network requirements ···· 103
        Configuration procedure ···· 103
        Verifying the configuration ···· 105
    802.1X guest VLAN and VLAN assignment configuration example ···· 105
        Network requirements ···· 105
        Configuration procedure ···· 106
        Verifying the configuration ···· 107
    802.1X with ACL assignment configuration example ···· 108
        Network requirements ···· 108
        Configuration procedure ···· 108
        Verifying the configuration ···· 109
Configuring EAD fast deployment ···· 110
    Overview ···· 110
        Free IP ···· 110
        URL redirection ···· 110
    Configuration prerequisites ···· 110
    Configuring a free IP ···· 111
    Configuring the redirect URL ···· 111
    Setting the EAD rule timer ···· 111
    Displaying and maintaining EAD fast deployment ···· 112
    EAD fast deployment configuration example ···· 112
        Network requirements ···· 112
        Configuration procedure ···· 113
        Verifying the configuration ···· 113
    Troubleshooting EAD fast deployment ···· 114
        Web browser users cannot be correctly redirected ···· 114
Configuring MAC authentication ···· 115
    Overview ···· 115
        User account policies ···· 115
        Authentication methods ···· 115
        MAC authentication timers ···· 116
    Using MAC authentication with other features ···· 116
        VLAN assignment ···· 116
        ACL assignment ···· 116
    Configuration task list ···· 117
    Basic configuration for MAC authentication ···· 117
        Configuring MAC authentication globally ···· 117
        Configuring MAC authentication on a port ···· 118
    Specifying a MAC authentication domain ···· 118
    Configuring MAC authentication delay ···· 119
    Displaying and maintaining MAC authentication ···· 119
    MAC authentication configuration examples ···· 120
        Local MAC authentication configuration example ···· 120
        RADIUS-based MAC authentication configuration example ···· 121
        ACL assignment configuration example ···· 123
Configuring port security ···· 126
    Overview ···· 126
        Port security features ···· 126
        Port security modes ···· 127
        Support for WLAN ···· 129
        Working with guest VLAN and Auth-Fail VLAN ···· 130
    Configuration task list ···· 130
    Enabling port security ···· 131
    Setting port security's limit on the number of MAC addresses on a port ···· 131
    Setting the port security mode ···· 132
        Configuration prerequisites ···· 132
        Configuration procedure ···· 132
    Configuring port security features ···· 133
        Configuring NTK ···· 133
        Configuring intrusion protection ···· 134
        Enabling port security traps ···· 134
    Configuring secure MAC addresses ···· 135
        Configuration prerequisites ···· 136
        Configuration procedure ···· 136
    Configuring port security for WLAN ports ···· 137
        Setting the port security mode of a WLAN port ···· 137
        Enabling key negotiation ···· 138
        Configuring a PSK ···· 138
    Ignoring authorization information from the server ···· 138
    Displaying and maintaining port security ···· 139
    Port security configuration examples ···· 139
        Configuring the autoLearn mode ···· 139
        Configuring the userLoginWithOUI mode ···· 141
        Configuring the macAddressElseUserLoginSecure mode ···· 146
    Troubleshooting port security ···· 149
        Cannot set the port security mode ···· 149
        Cannot configure secure MAC addresses ···· 149
        Cannot change port security mode when a user is online ···· 149
Configuring IPsec ···· 151
    Overview ···· 151
        Basic concepts ···· 151
        IPsec implementation on an encryption card ···· 153
        IPsec tunnel interface ···· 154
        IPsec for IPv6 routing protocols ···· 155
        IPsec RRI ···· 155
        Protocols and standards ···· 156
    FIPS compliance ···· 156
    Implementing IPsec ···· 156
    Implementing ACL-based IPsec ···· 157
        Configuring an ACL ···· 158
        Configuring an IPsec transform set ···· 160
        Configuring an IPsec policy ···· 162
        Applying an IPsec policy group to an interface ···· 168
        Binding an IPsec policy, IPsec policy group, or IPsec profile to an encryption card ···· 168
        Enabling the encryption engine ···· 170
        Enabling the IPsec module backup function ···· 170
        Configuring the IPsec session idle timeout ···· 170
        Enabling ACL checking of de-encapsulated IPsec packets ···· 171
        Configuring the IPsec anti-replay function ···· 171
        Configuring a shared source interface policy group ···· 172
        Configuring packet information pre-extraction ···· 173
        Enabling invalid SPI recovery ···· 173
        Configuring IPsec RRI ···· 173
        Enabling transparent data transmission without NAT ···· 175
        Enabling fragmentation before/after encryption ···· 175
    Implementing tunnel interface-based IPsec ···· 175
        Configuring an IPsec profile ···· 176
        Configuring an IPsec tunnel interface ···· 178
        Enabling packet information pre-extraction on the IPsec tunnel interface ···· 179
        Applying a QoS policy to an IPsec tunnel interface ···· 180
  Configuring IPsec for IPv6 routing protocols ···· 180
  Displaying and maintaining IPsec ···· 181
  IPsec configuration examples ···· 182
    Configuring manual mode IPsec tunnel ···· 182
    Configuring IKE-based IPsec tunnel ···· 184
    Configuring encryption cards for IPsec services ···· 186
    Configuring IPsec interface backup ···· 189
    Configuring IPsec with IPsec tunnel interfaces ···· 192
    Configuring IPsec for RIPng ···· 196
    Configuring IPsec RRI ···· 200
Configuring IKE ···· 203
  Overview ···· 203
    IKE security mechanism ···· 203
    IKE operation ···· 203
    IKE functions ···· 204
    Relationship between IKE and IPsec ···· 205
    Protocols and standards ···· 205
  FIPS compliance ···· 205
  IKE configuration task list ···· 206
  Configuring a name for the local security gateway ···· 206
  Configuring an IKE proposal ···· 207
  Configuring an IKE peer ···· 208
  Setting keepalive timers ···· 210
  Setting the NAT keepalive timer ···· 211
  Configuring a DPD detector ···· 211
  Disabling next payload field checking ···· 212
  Displaying and maintaining IKE ···· 212
  IKE configuration examples ···· 212
    Configuring main mode IKE with pre-shared key authentication ···· 212
    Configuring aggressive mode IKE with NAT traversal ···· 217
  Troubleshooting IKE ···· 220
    Invalid user ID ···· 220
    Proposal mismatch ···· 220
    Failed to establish an IPsec tunnel ···· 221
    ACL configuration error ···· 221
Configuring IKEv2 ···· 222
  Overview ···· 222
    New features in IKEv2 ···· 223
    Protocols and standards ···· 223
  IKEv2 configuration task list ···· 224
  Configuring global IKEv2 parameters ···· 224
    Configuring the cookie challenging function ···· 224
    Configuring the IKEv2 DPD function ···· 225
    Setting limits on the number of IKEv2 SAs ···· 225
    Configuring an address pool for assigning addresses to initiators ···· 226
  Configuring an IKEv2 proposal ···· 226
  Configuring an IKEv2 policy ···· 227
  Configuring an IKEv2 keyring ···· 228
  Configuring an IKEv2 profile ···· 228
  Displaying and maintaining IKEv2 ···· 231
  IKEv2 configuration examples ···· 231
    Configuring IKEv2 pre-shared key authentication ···· 231
    Configuring IKEv2 certificate authentication ···· 237
  Troubleshooting IKEv2 ···· 244
    No matching IKEv2 proposal found ···· 244
    IPsec tunnels cannot be set up ···· 245
Configuring PKI ···· 246
  Overview ···· 246
    PKI terminology ···· 246
    PKI architecture ···· 247
    PKI operation ···· 247
    PKI applications ···· 248
    FIPS compliance ···· 248
  PKI configuration task list ···· 248
  Configuring an entity DN ···· 249
  Configuring a PKI domain ···· 250
  Requesting a PKI certificate ···· 252
    Configuring automatic certificate request ···· 252
    Manually requesting a certificate ···· 253
  Retrieving a certificate manually ···· 254
  Verifying PKI certificates ···· 255
    Verifying certificates with CRL checking ···· 255
    Verifying certificates without CRL checking ···· 256
  Destroying the local RSA key pair ···· 256
  Deleting a certificate ···· 256
  Configuring a certificate access control policy ···· 257
  Displaying and maintaining PKI ···· 257
  PKI configuration examples ···· 258
    Certificate request from an RSA Keon CA server ···· 258
    Certificate request from a Windows 2003 CA server ···· 261
    IKE negotiation with RSA digital signature ···· 264
    Certificate access control policy configuration example ···· 266
  Troubleshooting PKI configuration ···· 268
    Failed to obtain the CA certificate ···· 268
    Failed to request local certificates ···· 268
    Failed to retrieve CRLs ···· 269
Managing public keys ···· 270
  FIPS compliance ···· 270
  Configuration task list ···· 271
  Creating a local asymmetric key pair ···· 271
  Displaying or exporting the local host public key ···· 272
    Displaying and recording the host public key information ···· 273
    Displaying the host public key in a specific format and saving it to a file ···· 273
    Exporting the host public key in a specific format to a file ···· 273
  Destroying a local asymmetric key pair ···· 274
  Configuring the local RSA key pair for certificate request ···· 274
  Exporting an RSA key pair ···· 274
  Importing an RSA key pair ···· 275
  Specifying the peer public key on the local device ···· 275
  Displaying public keys ···· 276
  Public key configuration examples ····