HPE FlexNetwork 5510 HI Switch Series Security Configuration Guide Part number: 5200-0019b Software version: Release 11xx Document version: 6W102-20171020

© Copyright 2015, 2017 Hewlett Packard Enterprise Development LP

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries.

Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Java and Oracle are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of The Open Group.

Contents

    Configuring AAA ·············································································· 1 Overview ·································································································································· 1

    RADIUS ···························································································································· 2 HWTACACS ······················································································································ 6 LDAP ································································································································ 9 AAA implementation on the device ························································································ 11 AAA for MPLS L3VPNs ······································································································ 13 Protocols and standards ····································································································· 13 RADIUS attributes ············································································································· 14

    FIPS compliance······················································································································ 16 AAA configuration considerations and task list ··············································································· 17 Configuring AAA schemes ········································································································· 18

    Configuring local users ······································································································· 18 Configuring RADIUS schemes ····························································································· 22 Configuring HWTACACS schemes························································································ 33 Configuring LDAP schemes ································································································· 40

    Configuring AAA methods for ISP domains ···················································································· 43 Configuration prerequisites ·································································································· 43 Creating an ISP domain ······································································································ 43 Configuring ISP domain attributes ························································································· 44 Configuring authentication methods for an ISP domain ······························································ 44 Configuring authorization methods for an ISP domain ······························································· 45 Configuring accounting methods for an ISP domain ·································································· 47

    Enabling the session-control feature ···························································································· 48 Setting the maximum number of concurrent login users···································································· 48 Configuring a NAS-ID profile ······································································································ 48 Displaying and maintaining AAA ·································································································· 49 AAA configuration examples ······································································································· 49

    AAA for SSH users by an HWTACACS server ········································································· 49 Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users ················· 50 Authentication and authorization for SSH users by a RADIUS server ············································ 52 Authentication for SSH users by an LDAP server ····································································· 56

    Troubleshooting RADIUS ··········································································································· 61 RADIUS authentication failure ······························································································ 61 RADIUS packet delivery failure ···························································································· 61 RADIUS accounting error ···································································································· 62

    Troubleshooting HWTACACS ····································································································· 62 Troubleshooting LDAP ·············································································································· 62

    LDAP authentication failure ································································································· 62 802.1X overview ············································································ 64

    802.1X architecture ·················································································································· 64 Controlled/uncontrolled port and port authorization status ································································· 64 802.1X-related protocols ············································································································ 65

    Packet formats ·················································································································· 65 EAP over RADIUS ············································································································· 66

    802.1X authentication initiation ··································································································· 67 802.1X client as the initiator ································································································· 67 Access device as the initiator ······························································································· 67

    802.1X authentication procedures ······························································································· 68 Comparing EAP relay and EAP termination ············································································· 68 EAP relay ························································································································ 69 EAP termination ················································································································ 70

    Configuring 802.1X ········································································· 72 Access control methods ············································································································ 72 802.1X VLAN manipulation ········································································································ 72

  • ii

    Authorization VLAN ··········································································································· 72 Guest VLAN ····················································································································· 74 Auth-Fail VLAN ················································································································· 75 Critical VLAN ···················································································································· 76 Critical voice VLAN ············································································································ 78

    Using 802.1X authentication with other features ············································································· 79 ACL assignment ················································································································ 79 User profile assignment ······································································································ 79 EAD assistant ··················································································································· 79

    Configuration prerequisites ········································································································ 80 802.1X configuration task list ······································································································ 80 Enabling 802.1X ······················································································································ 80 Enabling EAP relay or EAP termination ························································································ 81 Setting the port authorization state ······························································································· 82 Specifying an access control method ··························································································· 82 Setting the maximum number of concurrent 802.1X users on a port ···················································· 82 Setting the maximum number of authentication request attempts ······················································· 83 Setting the maximum number of 802.1X authentication attempts for MAC authenticated users ················· 83 Setting the 802.1X authentication timeout timers ············································································ 83 Configuring the online user handshake feature ··············································································· 84

    Configuration guidelines ····································································································· 84 Configuration procedure ····································································································· 85

    Configuring the authentication trigger feature ················································································· 85 Configuration guidelines ····································································································· 85 Configuration procedure ····································································································· 85

    Specifying a mandatory authentication domain on a port ·································································· 86 Configuring the quiet timer ········································································································· 86 Enabling the periodic online user reauthentication feature································································· 87 Configuring an 802.1X guest VLAN ······························································································ 87

    Configuration guidelines ····································································································· 87 Configuration prerequisites ·································································································· 88 Configuration procedure ····································································································· 88

    Enabling 802.1X guest VLAN assignment delay ············································································· 88 Configuring an 802.1X Auth-Fail VLAN ························································································· 89

    Configuration guidelines ····································································································· 89 Configuration prerequisites ·································································································· 90 Configuration procedure ····································································································· 90

    Configuring an 802.1X critical VLAN ···························································································· 90 Configuration guidelines ····································································································· 90 Configuration prerequisites ·································································································· 90 Configuring the 802.1X critical VLAN on a port ········································································ 91 Sending EAP-Success packets to users in the 802.1X critical VLAN ············································ 91

    Enabling the 802.1X critical voice VLAN ······················································································· 91 Configuration restrictions and guidelines ················································································ 91 Configuration prerequisites ·································································································· 92 Configuration procedure ····································································································· 92

    Specifying supported domain name delimiters ················································································ 92 Configuring the EAD assistant feature ·························································································· 93 Displaying and maintaining 802.1X ······························································································ 93 802.1X authentication configuration examples ················································································ 94

    Basic 802.1X authentication configuration example ·································································· 94 802.1X guest VLAN and authorization VLAN configuration example ············································· 96 802.1X with ACL assignment configuration example ································································· 98 802.1X with EAD assistant configuration example ·································································· 100

    Troubleshooting 802.1X ·········································································································· 102 EAD assistant for Web browser users ·················································································· 102

    Configuring MAC authentication ······················································ 103 Overview ······························································································································ 103

    User account policies ······································································································· 103 Authentication methods ···································································································· 103 VLAN assignment ············································································································ 104

  • iii

    ACL assignment ·············································································································· 105 User profile assignment ···································································································· 106 Periodic MAC reauthentication ··························································································· 106

    Configuration prerequisites ······································································································ 106 Configuration task list·············································································································· 107 Enabling MAC authentication ···································································································· 107 Specifying a MAC authentication domain ···················································································· 108 Configuring the user account format ··························································································· 108 Configuring MAC authentication timers ······················································································· 108 Setting the maximum number of concurrent MAC authentication users on a port ································· 109 Enabling MAC authentication multi-VLAN mode on a port ······························································· 109 Configuring MAC authentication delay ························································································ 110 Enabling parallel processing of MAC authentication and 802.1X authentication ··································· 110

    Configuration restrictions and guidelines ·············································································· 111 Configuration procedure ··································································································· 111

    Configuring a MAC authentication guest VLAN ············································································· 111 Configuring a MAC authentication critical VLAN ··········································································· 112 Enabling the MAC authentication critical voice VLAN ····································································· 113

    Configuration prerequisites ································································································ 113 Configuration procedure ··································································································· 114

    Configuring the keep-online feature ··························································································· 114 Enabling MAC authentication offline detection ·············································································· 114 Displaying and maintaining MAC authentication ··········································································· 115 MAC authentication configuration examples ················································································ 115

    Local MAC authentication configuration example ··································································· 115 RADIUS-based MAC authentication configuration example ······················································ 117 ACL assignment configuration example ··············································································· 119

    Configuring portal authentication ····················································· 123 Overview ······························································································································ 123

    Extended portal functions ·································································································· 123 Portal system components ································································································ 123 Portal system using the local portal Web server ····································································· 125 Interaction between portal system components ······································································ 125 Portal authentication modes ······························································································ 126 Portal authentication process ····························································································· 127

    Portal configuration task list ······································································································ 129 Configuration prerequisites ······································································································ 129 Configuring a portal authentication server ··················································································· 130 Configuring a portal Web server ································································································ 130 Enabling portal authentication on an interface ·············································································· 131

    Configuration restrictions and guidelines ·············································································· 131 Configuration procedure ··································································································· 131

    Referencing a portal Web server for an interface ·········································································· 132 Controlling portal user access ··································································································· 132

    Configuring a portal-free rule ····························································································· 132 Configuring an authentication source subnet ········································································· 133 Configuring an authentication destination subnet ···································································· 134 Setting the maximum number of portal users ········································································· 135 Specifying a portal authentication domain ············································································· 135

    Configuring portal detection features ·························································································· 136 Configuring online detection of portal users ··········································································· 136 Configuring portal authentication server detection ·································································· 137 Configuring portal Web server detection ··············································································· 138 Configuring portal user synchronization ················································································ 138

    Configuring the portal fail-permit feature ····················································································· 139 Configuring BAS-IP for portal packets sent to the portal authentication server ····································· 140 Applying a NAS-ID profile to an interface ···················································································· 141 Enabling portal roaming ··········································································································· 141 Logging out portal users ·········································································································· 142 Configuring the local portal Web server feature ············································································ 142

    Customizing authentication pages ······················································································· 142

  • iv

    Configuring a local portal Web server ·················································································· 144 Displaying and maintaining portal ······························································································ 145 Portal configuration examples ··································································································· 145

    Configuring direct portal authentication ················································································ 145 Configuring re-DHCP portal authentication ············································································ 153 Configuring cross-subnet portal authentication ······································································· 156 Configuring extended direct portal authentication ··································································· 159 Configuring extended re-DHCP portal authentication ······························································ 162 Configuring extended cross-subnet portal authentication ························································· 166 Configuring portal server detection and portal user synchronization ··········································· 169 Configuring cross-subnet portal authentication for MPLS L3VPNs ············································· 177 Configuring direct portal authentication using local portal Web server ········································· 179

    Troubleshooting portal ············································································································ 182 No portal authentication page is pushed for users ·································································· 182 Cannot log out portal users on the access device ··································································· 182 Cannot log out portal users on the RADIUS server ································································· 183 Users logged out by the access device still exist on the portal authentication server ······················ 183 Re-DHCP portal authenticated users cannot log in successfully ················································ 184

    Configuring port security ································································ 185 Overview ······························································································································ 185

    Port security features ······································································································· 185 Port security modes ········································································································· 185

    Configuration task list·············································································································· 188 Enabling port security ············································································································· 188 Setting port security's limit on the number of secure MAC addresses on a port ···································· 189 Setting the port security mode ·································································································· 189 Configuring port security features ······························································································ 190

    Configuring NTK ············································································································· 190 Configuring intrusion protection ·························································································· 191

    Configuring secure MAC addresses ··························································································· 191 Configuration prerequisites ································································································ 192 Configuration procedure ··································································································· 192

    Ignoring authorization information from the server ········································································· 193 Enabling MAC move ··············································································································· 193 Applying a NAS-ID profile to port security ···················································································· 194 Enabling the authorization-fail-offline feature ················································································ 194 Enabling SNMP notifications for port security ··············································································· 195 Displaying and maintaining port security ····················································································· 195 Port security configuration examples ·························································································· 196

    autoLearn configuration example ························································································ 196 userLoginWithOUI configuration example ············································································· 198 macAddressElseUserLoginSecure configuration example ························································ 201

    Troubleshooting port security ···································································································· 204 Cannot set the port security mode ······················································································· 204 Cannot configure secure MAC addresses ············································································· 205

    Configuring password control ·························································· 206 Overview ······························································································································ 206

    Password setting ············································································································· 206 Password updating and expiration ······················································································ 207 User login control ············································································································ 208 Password not displayed in any form ···················································································· 208 Logging ························································································································· 208

    FIPS compliance···················································································································· 209 Password control configuration task list ······················································································ 209 Enabling password control ······································································································· 209 Setting global password control parameters ················································································· 210 Setting user group password control parameters ·········································································· 211 Setting local user password control parameters ············································································ 212 Setting super password control parameters ················································································· 212 Displaying and maintaining password control ··············································································· 213


    Password control configuration example ··············· 213
        Network requirements ······························ 213
        Configuration procedure ··························· 214
        Verifying the configuration ······················· 215

Managing public keys ······································ 217
    Overview ············································ 217
    FIPS compliance ······································ 217
    Creating a local key pair ···························· 217
    Distributing a local host public key ················· 219

        Exporting a host public key ······················· 219
        Displaying a host public key ······················ 219

    Destroying a local key pair ·························· 220
    Configuring a peer host public key ··················· 220

        Importing a peer host public key from a public key file ······ 220
        Entering a peer host public key ··················· 221

    Displaying and maintaining public keys ··············· 221
    Examples of public key management ···················· 221

        Example for entering a peer host public key ······· 221
        Example for importing a public key from a public key file ······ 223

Configuring PKI ··········································· 226
    Overview ············································ 226

        PKI terminology ··································· 226
        PKI architecture ·································· 227
        PKI operation ····································· 227
        PKI applications ·································· 228
        Support for MPLS L3VPN ···························· 228

    FIPS compliance ······································ 229
    PKI configuration task list ·························· 229
    Configuring a PKI entity ····························· 229
    Configuring a PKI domain ····························· 230
    Requesting a certificate ····························· 232

        Configuration guidelines ·························· 232
        Configuring automatic certificate request ········· 233
        Manually requesting a certificate ················· 233

    Aborting a certificate request ······················· 234
    Obtaining certificates ······························· 234

        Configuration prerequisites ······················· 234
        Configuration guidelines ·························· 234
        Configuration procedure ··························· 235

    Verifying PKI certificates ··························· 235
        Verifying certificates with CRL checking ·········· 235
        Verifying certificates without CRL checking ······· 236

    Specifying the storage path for the certificates and CRLs ······ 236
    Exporting certificates ······························· 237
    Removing a certificate ······························· 237
    Configuring a certificate-based access control policy ······ 238
    Displaying and maintaining PKI ······················· 239
    PKI configuration examples ··························· 239

        Requesting a certificate from an RSA Keon CA server ······ 239
        Requesting a certificate from a Windows Server 2003 CA server ······ 242
        Requesting a certificate from an OpenCA server ···· 245
        Certificate import and export configuration example ······ 248

    Troubleshooting PKI configuration ···················· 253
        Failed to obtain the CA certificate ··············· 254
        Failed to obtain local certificates ··············· 254
        Failed to request local certificates ·············· 255
        Failed to obtain CRLs ····························· 255
        Failed to import the CA certificate ··············· 256
        Failed to import a local certificate ·············· 257
        Failed to export certificates ····················· 257


        Failed to set the storage path ···················· 258
Configuring IPsec ········································· 259

    Overview ············································ 259
        Security protocols and encapsulation modes ········ 260
        Security association ······························ 261
        Authentication and encryption ····················· 262
        IPsec implementation ······························ 262
        Protocols and standards ··························· 263

    FIPS compliance ······································ 263
    IPsec tunnel establishment ··························· 263
    Implementing ACL-based IPsec ························· 264

        Feature restrictions and guidelines ··············· 264
        ACL-based IPsec configuration task list ··········· 264
        Configuring an ACL ································ 265
        Configuring an IPsec transform set ················ 265
        Configuring a manual IPsec policy ················· 267
        Configuring an IKE-based IPsec policy ············· 269
        Applying an IPsec policy to an interface ·········· 273
        Enabling ACL checking for de-encapsulated packets ······ 273
        Configuring IPsec anti-replay ····················· 274
        Configuring IPsec anti-replay redundancy ·········· 274
        Binding a source interface to an IPsec policy ····· 275
        Enabling QoS pre-classify ························· 276
        Enabling logging of IPsec packets ················· 276
        Configuring the DF bit of IPsec packets ··········· 276

    Configuring IPsec for IPv6 routing protocols ········· 277
        Configuration task list ··························· 277
        Configuring a manual IPsec profile ················ 278

    Configuring SNMP notifications for IPsec ············· 279
    Displaying and maintaining IPsec ····················· 280
    IPsec configuration examples ························· 280

        Configuring a manual mode IPsec tunnel for IPv4 packets ······ 280
        Configuring an IKE-based IPsec tunnel for IPv4 packets ······ 283
        Configuring IPsec for RIPng ······················· 285

Configuring IKE ··········································· 290
    Overview ············································ 290

        IKE negotiation process ··························· 290
        IKE security mechanism ···························· 291
        Protocols and standards ··························· 292

    FIPS compliance ······································ 292
    IKE configuration prerequisites ······················ 292
    IKE configuration task list ·························· 292
    Configuring an IKE profile ··························· 293
    Configuring an IKE proposal ·························· 295
    Configuring an IKE keychain ·························· 296
    Configuring the global identity information ·········· 297
    Configuring the IKE keepalive feature ················ 298
    Configuring the IKE NAT keepalive feature ············ 298
    Configuring IKE DPD ·································· 298
    Enabling invalid SPI recovery ························ 299
    Setting the maximum number of IKE SAs ················ 300
    Configuring SNMP notifications for IKE ··············· 300
    Displaying and maintaining IKE ······················· 301
    IKE configuration examples ··························· 301

        Main mode IKE with pre-shared key authentication configuration example ······ 301
        Verifying the configuration ······················· 304

    Troubleshooting IKE ·································· 304
        IKE negotiation failed because no matching IKE proposals were found ······ 304
        IKE negotiation failed because no IKE proposals or IKE keychains are specified correctly ······ 304
        IPsec SA negotiation failed because no matching IPsec transform sets were found ······ 305


        IPsec SA negotiation failed due to invalid identity information ······ 305
Configuring IKEv2 ········································· 309

    Overview ············································ 309
        IKEv2 negotiation process ························· 309
        New features in IKEv2 ····························· 310
        Protocols and standards ··························· 310

    Feature and software version compatibility ··········· 310
    IKEv2 configuration task list ························ 311
    Configuring an IKEv2 profile ························· 311
    Configuring an IKEv2 policy ·························· 314
    Configuring an IKEv2 proposal ························ 314
    Configuring an IKEv2 keychain ························ 316
    Configuring global IKEv2 parameters ·················· 317

        Enabling the cookie challenging feature ··········· 317
        Configuring the IKEv2 DPD feature ················· 317
        Configuring the IKEv2 NAT keepalive feature ······· 317

    Displaying and maintaining IKEv2 ····················· 318
    IKEv2 configuration examples ························· 318

        IKEv2 with pre-shared key authentication configuration example ······ 318
        IKEv2 with RSA signature authentication configuration example ······ 321

    Troubleshooting IKEv2 ································ 326
        IKEv2 negotiation failed because no matching IKEv2 proposals were found ······ 326
        IPsec SA negotiation failed because no matching IPsec transform sets were found ······ 326
        IPsec tunnel establishment failed ················· 326

Configuring SSH ··········································· 328
    Overview ············································ 328

        How SSH works ····································· 328
        SSH authentication methods ························ 329
        SSH support for Suite B ··························· 330

    Feature and software version compatibility ··········· 331
    FIPS compliance ······································ 331
    Configuring the device as an SSH server ·············· 331

        SSH server configuration task list ················ 331
        Generating local key pairs ························ 332
        Enabling the Stelnet server ······················· 332
        Enabling the SFTP server ·························· 333
        Enabling the SCP server ··························· 333
        Configuring NETCONF over SSH ······················ 333
        Configuring user lines for SSH login ·············· 334
        Configuring a client's host public key ············ 334
        Configuring an SSH user ··························· 335
        Configuring the SSH management parameters ········· 336
        Specifying a PKI domain for the SSH server ········ 337

    Configuring the device as an Stelnet client ·········· 338
        Stelnet client configuration task list ············ 338
        Specifying the source IP address for SSH packets ······ 338
        Establishing a connection to an Stelnet server ···· 339
        Establishing a connection to an Stelnet server based on Suite B ······ 342

    Configuring the device as an SFTP client ·····················