HP 5920 & 5900 Switch Series Security Configuration Guide


Part number: 5998-5310a
© Copyright 2015 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents

Configuring AAA   1
  Overview   1
    RADIUS   2
    HWTACACS   7
    LDAP   9
    AAA implementation on the device   11
    AAA for MPLS L3VPNs   13
    Protocols and standards   14
    RADIUS attributes   14
  FIPS compliance   17
  AAA configuration considerations and task list   17
  Configuring AAA schemes   18
    Configuring local users   18
    Configuring RADIUS schemes   22
    Configuring HWTACACS schemes   32
    Configuring LDAP schemes   39
  Configuring AAA methods for ISP domains   42
    Configuration prerequisites   42
    Creating an ISP domain   42
    Configuring ISP domain attributes   43
    Configuring authentication methods for an ISP domain   43
    Configuring authorization methods for an ISP domain   44
    Configuring accounting methods for an ISP domain   45
  Enabling the session-control feature   46
  Setting the maximum number of concurrent login users   47
  Displaying and maintaining AAA   47
  AAA configuration examples   47
    AAA for SSH users by an HWTACACS server   47
    Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users   49
    Authentication and authorization for SSH users by a RADIUS server   51
    Authentication for SSH users by an LDAP server   54
  Troubleshooting RADIUS   59
    RADIUS authentication failure   59
    RADIUS packet delivery failure   59
    RADIUS accounting error   60
  Troubleshooting HWTACACS   60
  Troubleshooting LDAP   60

802.1X overview   62
  802.1X architecture   62
  Controlled/uncontrolled port and port authorization status   62
  802.1X-related protocols   63
    Packet formats   63
    EAP over RADIUS   64
  802.1X authentication initiation   65
    802.1X client as the initiator   65
    Access device as the initiator   65
  802.1X authentication procedures   66
    Comparing EAP relay and EAP termination   66
    EAP relay   67
    EAP termination   68

Configuring 802.1X   70
  HP implementation of 802.1X   70
  Configuration prerequisites   70
  802.1X configuration task list   70
  Enabling 802.1X   71
  Enabling EAP relay or EAP termination   71
  Setting the port authorization state   72
  Specifying an access control method   72
  Setting the maximum number of concurrent 802.1X users on a port   72
  Setting the maximum number of authentication request attempts   73
  Setting the 802.1X authentication timeout timers   73
  Configuring the online user handshake feature   74
  Configuring the authentication trigger feature   74
    Configuration guidelines   74
    Configuration procedure   74
  Specifying a mandatory authentication domain on a port   75
  Configuring the quiet timer   75
  Enabling the periodic online user reauthentication feature   76
  Displaying and maintaining 802.1X   76
  802.1X authentication configuration example   76
    Network requirements   76
    Configuration procedure   77
    Verifying the configuration   78

Configuring MAC authentication   79
  Overview   79
    User account policies   79
    Authentication methods   79
  Configuration prerequisites   80
  Configuration task list   80
  Enabling MAC authentication   80
  Specifying a MAC authentication domain   81
  Configuring the user account format   81
  Configuring MAC authentication timers   82
  Setting the maximum number of concurrent MAC authentication users on a port   82
  Configuring MAC authentication delay   83
  Displaying and maintaining MAC authentication