HP 5500 Ei 5500 Si Switch Series Configuration Guide

Managing public keys ... 245
    Overview ... 245
    Configuration task list ... 245
    Creating a local asymmetric key pair ... 246
    Displaying or exporting the local host public key ... 246
    Destroying a local asymmetric key pair ... 248
    Specifying the peer public key on the local device ... 248
    Displaying and maintaining public keys ... 249
    Public key configuration examples ... 249
        Manually specifying the peer public key on the local device ... 249
        Importing a peer public key from a public key file ... 251
Configuring PKI ... 254
    Overview ... 254
        PKI terms ... 254
        PKI architecture ... 255
        PKI applications ... 255
        How PKI operates ... 256
    PKI configuration task list ... 256
    Configuring an entity DN ... 257
    Configuring a PKI domain ... 258
        Configuration guidelines ... 258
        Configuration procedure ... 259
    Submitting a PKI certificate request ... 259
        Submitting a certificate request in auto mode ... 260
        Submitting a certificate request in manual mode ... 260
    Retrieving a certificate manually ... 261
        Configuration guidelines ... 261
        Configuration procedure ... 262
    Configuring PKI certificate verification ... 262
        Configuration guidelines ... 262
        Configuring CRL-checking-enabled PKI certificate verification ... 262
        Configuring CRL-checking-disabled PKI certificate verification ... 263
    Destroying a local RSA key pair ... 263
    Deleting a certificate ... 263
    Configuring an access control policy ... 264
    Displaying and maintaining PKI ... 264
    PKI configuration examples ... 265
        Requesting a certificate from a CA server running RSA Keon ... 265
        Requesting a certificate from a CA server running Windows 2003 Server ... 268
        Configuring a certificate attribute-based access control policy ... 271
    Troubleshooting PKI ... 273
        Failed to retrieve a CA certificate ... 273
        Failed to request a local certificate ... 273
        Failed to retrieve CRLs ... 274
Configuring IPsec ... 275
    Overview ... 275
        IPsec implementation ... 275
        Basic concepts ... 276
        IPsec for IPv6 routing protocols ... 278
        Protocols and standards ... 278
    Configuring IPsec for IPv6 routing protocols ... 278
        Configuring an IPsec proposal ... 278
        Configuring an IPsec policy ... 280
    Displaying and maintaining IPsec ... 281
    IPsec for RIPng configuration example ... 281
Configuring SSH2.0 ... 286
    Overview ... 286
        Introduction to SSH2.0 ... 286
        SSH operation ... 286
        SSH connection across VPNs (available only on the HP 5500 EI) ... 289
    Configuring the switch as an SSH server ... 289
        SSH server configuration task list ... 289
        Generating DSA or RSA key pairs ... 289
        Enabling the SSH server function ... 290
        Configuring the user interfaces for SSH clients ... 290
        Configuring a client public key ... 291
        Configuring an SSH user ... 292
        Setting the SSH management parameters ... 293
        Setting the DSCP value for packets sent by the SSH server ... 294
    Configuring the switch as an SSH client ... 294
        SSH client configuration task list ... 294
        Specifying a source IP address/interface for the SSH client ... 294
        Configuring whether first-time authentication is supported ... 295
        Establishing a connection between the SSH client and server ... 296
        Setting the DSCP value for packets sent by the SSH client ... 296
    Displaying and maintaining SSH ... 296
    SSH server configuration examples ... 297
        When the switch acts as a server for password authentication ... 297
        When the switch acts as a server for publickey authentication ... 299
    SSH client configuration examples ... 304
        When switch acts as client for password authentication ... 304
        When switch acts as client for publickey authentication ... 307
Configuring SFTP ... 310
    Overview ... 310
    Configuring the switch as an SFTP server ... 310
        Enabling the SFTP server ... 310
        Configuring the SFTP connection idle timeout period ... 310
    Configuring the switch as an SFTP client ... 311
        Specifying a source IP address or interface for the SFTP client ... 311
        Establishing a connection to the SFTP server ... 311
        Working with SFTP directories ... 312
        Working with SFTP files ... 313
        Displaying help information ... 313
        Terminating the connection to the remote SFTP server ... 314
        Setting the DSCP value for packets sent by the SFTP client ... 314
    SFTP client configuration example ... 314
    SFTP server configuration example ... 318
Configuring SCP ... 321
    Overview ... 321
    Configuring the switch as an SCP server ... 321
    Configuring the switch as the SCP client ... 321
    SCP client configuration example ... 322
    SCP server configuration example ... 323
Configuring SSL ... 325
    Overview ... 325
        SSL security mechanism ... 325
        SSL protocol stack ... 325
    Configuration task list ... 326
    Configuring an SSL server policy ... 326
        SSL server policy configuration example ... 327
    Configuring an SSL client policy ... 329
    Displaying and maintaining SSL ... 330
    Troubleshooting SSL ... 330
Configuring TCP attack protection ... 332
    Overview ... 332
    Enabling the SYN Cookie feature ... 332
    Displaying and maintaining TCP attack protection ... 332
Configuring IP source guard ... 334
    Overview ... 334
        Static IP source guard entries ... 334
        Dynamic IP source guard entries ... 335
    Configuration task list ... 335
    Configuring the IPv4 source guard function ... 336
        Configuring IPv4 source guard on a port ... 336
        Configuring a static IPv4 source guard entry ... 337
        Setting the maximum number of IPv4 source guard entries ... 338
    Configuring the IPv6 source guard function ... 338
        Configuring IPv6 source guard on a port ... 338
        Configuring a static IPv6 source guard entry ... 339
        Setting the maximum number of IPv6 source guard entries ... 340
    Displaying and maintaining IP source guard ... 341
    IP source guard configuration examples ... 341
        Static IPv4 source guard configuration example ... 341
        Dynamic IPv4 source guard using DHCP snooping configuration example ... 343
        Dynamic IPv4 source guard using DHCP relay configuration example ... 345
        Static IPv6 source guard configuration example ... 346
        Dynamic IPv6 source guard using DHCPv6 snooping configuration example ... 346
        Dynamic IPv6 source guard using ND snooping configuration example ... 348
        Global static IP source guard configuration example ... 349
    Troubleshooting IP source guard ... 350
Configuring ARP attack protection ... 351
    Overview ... 351
    ARP attack protection configuration task list ... 351
    Configuring ARP defense against IP packet attacks ... 352
        Configuring ARP source suppression ... 353
        Enabling ARP black hole routing ... 353
        Displaying and maintaining ARP defense against IP packet attacks ... 353
        Configuration example ... 353
    Configuring ARP packet rate limit ... 355
        Introduction ... 355
        Configuration procedure ... 355
    Configuring source MAC address based ARP attack detection ... 356
        Configuration procedure ... 356
        Displaying and maintaining source MAC address based ARP attack detection ... 356
        Configuration example ... 357
    Configuring ARP packet source MAC address consistency check ... 358
        Introduction ... 358
        Configuration procedure ... 358
    Configuring ARP active acknowledgement ... 358
        Introduction ... 358
        Configuration procedure ... 358
    Configuring ARP detection ... 359
        Introduction ... 359
        Configuring user validity check ... 359
        Configuring ARP packet validity check ... 360
        Configuring ARP restricted forwarding ... 361
        Displaying and maintaining ARP detection ... 361
        User validity check configuration example ... 362
        User validity check and ARP packet validity check configuration example ... 363
        ARP restricted forwarding configuration example
    ··················\
    ··················\
    ··················\
    ······· ············ 364 
    Configuring ARP automatic scanning and fixed ARP  ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ·····  366 
    Configuration guidelines ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ············ ··················\
    ············ 366 
    Configuration procedure ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ············· ··················\
    ··········· 367 
    Configuring ARP gate way protection ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ·· ··················\
    ·········· 367 
    Configuration guidelines ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ············ ··················\
    ············ 367 
    Configuration procedure ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ············· ··················\
    ··········· 367 
    Configuration example ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··············· ··················\
    ············ 368 
    Configuring ARP filtering  ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ···············  368 
    Configuration guidelines ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ············ ··················\
    ············ 369 
    Configuration procedure ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ············· ··················\
    ··········· 369 
    Configuration example ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··············· ··················\
    ············ 369 
    Configuring ND a ttack defense ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ······· ··················\
    ·········· 371 
    Overview ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ···················\
    ··················\
    ····  371 
    Enabling source MAC consistency check for ND packets ··················\
    ··················\
    ··················\
    ··················\
    ··············· 372 
    Configuring the ND detection function ··················\
    ··················\
    ··················\
    ··················\
    ················· ··················\
    ··········· 372 
    Introduction to ND detection ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ········ ··················\
    ·········· 372 
    Configuration guidelines ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ············ ··················\
    ············ 373 
    Configuration procedure ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ············· ··················\
    ··········· 373 
    Displaying and mainta ining ND detection ··················\
    ··················\
    ··················\
    ··················\
    ··············· ················ 373 
    ND detection config uration example ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ·· ··················\
    ··········· 374 
    Network requirements  ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ···········  374 
    Configuration procedure ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ············· ··················\
    ··········· 374 
    Configuring URPF (available  only on the HP 5500 EI) ··················\
    ··················\
    ··················\
    ··················\
    ··· ············· 376 
    URPF over view ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ····· ··················\
    ··················\
    ········· 376 
    What is URPF ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ······ ··················\
    ··················\
    · 376 
    URPF check modes ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ·· ··················\
    ·············· 376 
    How URPF works ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ···· ··················\
    ··············· 377 
    Network application ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ················· ··················\
    ·············· 379 
    Configuring URPF ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ·· ··················\
    ··················\
    ······· 379 
    URPF configuration example ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ·········· ··················\
    ················· 379 
    Configuring SAVI ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ·· ··················\
    ··················\
    ·· 381 
    SAVI overview ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ····· ··················\
    ··················\
    ········· 381 
    Configuring global SAVI ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ············· ··················\
    ··················\
    ·· 381 
    SAVI configuration in DHCPv6-onl y address assignment scenario ··················\
    ··················\
    ··················\
    ··········· ······· 382 
    SAVI configuration in SLAAC-only  address assignment scenario ··················\
    ··················\
    ··················\
    ············ ········· 384 
    SAVI configuration in DHCPv6+SLAAC address assignment scenario  ··················\
    ··················\
    ··················\
    ············ 386 
    Configuring blacklist ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··············· ··················\
    ··················\
    ·· 388 
    Overview ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ···················\
    ··················\
    ····  388 
    Configuring the blacklist feature ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ···  388 
    Displaying and maintaining the blacklist ··················\
    ··················\
    ··················\
    ··················\
    ·············· ··················\
    ·········· 388  
    						
    							x 
    Blacklist configuration example ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ····· ··················\
    ················· 389 
    Network requirements  ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ···········  389 
    Configuration procedure ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ············· ··················\
    ··········· 389 
    Verifying the configuration ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ········· ··················\
    ············ 389 
    Index ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ··················\
    ············· ··················\
    ··················\
    ··········· 391 
    Configuring AAA 
    In the HP 5500 Switch Series, only the HP 5500 EI switches support MCE and VPN configurations. 
    AAA overview 
    Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing 
    network access management. It can provide the following security functions: 
    •   Authentication—Identifies users and determines whether a user is valid. 
    •   Authorization—Grants different users different rights and controls their access to resources and 
    services. For example, a user who has successfully logged in to the switch can be granted read and 
    print permissions to the files on the switch. 
    •   Accounting—Records all user network service usage information, including the service type, start 
    time, and traffic. The accounting function not only provides the information required for charging, 
    but also allows for network security surveillance. 
    AAA usually uses a client/server model. The client runs on the network access server (NAS), which is 
    also referred to as the access device. The server maintains user information centrally. In an AAA network, 
    a NAS is a server for users but a client for the AAA servers. See Figure 1. 
    Figure 1  Network diagram 
     
     
    When a user tries to log in to the NAS, use network resources, or access other networks, the NAS 
    authenticates the user. The NAS can transparently pass the user’s authentication, authorization, and 
    accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and 
    a remote server exchange user information between them. 
    In the network shown in Figure 1, there is a RADIUS server and an HWTACACS server. You can choose 
    different servers for different security functions. For example, you can use the HWTACACS server for 
    authentication and authorization, and the RADIUS server for accounting. 
    You can choose the three security functions provided by AAA as needed. For example, if your company 
    only wants employees to be authenticated before they access specific resources, configure an 
    authentication server. If network usage information is needed, you must also configure an accounting 
    server. 
    AAA can be implemented through multiple protocols. The switch supports using RADIUS and 
    HWTACACS. RADIUS is often used in practice. 
    RADIUS 
    Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that 
    uses a client/server model. It can protect networks against unauthorized access and is often used in 
    network environments where both high security and remote user access are required.  
    RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813 
    for accounting.  
    RADIUS was originally designed for dial-in user access. With the addition of new access methods, 
    RADIUS has been extended to support additional access methods, such as Ethernet and ADSL. RADIUS 
    provides access authentication and authorization services, and its accounting function collects and 
    records network resource usage information. 
    Client/server model 
    The RADIUS client runs on the NASs located throughout the network. It passes user information to 
    designated RADIUS servers and acts on the responses (for example, rejects or accepts user access 
    requests). 
    The RADIUS server runs on the computer or workstation at the network center and maintains information 
    related to user authentication and network service access. It listens to connection requests, authenticates 
    users, and returns user access control information (for example, rejecting or accepting the user access 
    request) to the clients. 
    In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary. 
    Figure 2  RADIUS server components 
     
     
    •   Users—Stores user information, such as usernames, passwords, applied protocols, and IP 
    addresses. 
    •   Clients—Stores information about RADIUS clients, such as shared keys and IP addresses. 
    •   Dictionary—Stores RADIUS protocol attributes and their values. 
    Security and authentication mechanisms 
    A RADIUS client and the RADIUS server use the shared key to authenticate RADIUS packets and encrypt 
    user passwords that are exchanged between them. The keys are never transmitted over the network. This 
    security mechanism improves the security of RADIUS communication and prevents user passwords from 
    being intercepted on insecure networks. 
    A RADIUS server supports multiple user authentication methods. A RADIUS server can also act as the 
    client of another AAA server to provide authentication proxy services.  
    Basic RADIUS message exchange process 
    Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server. 
    Figure 3 Basic RADIUS message exchange process 
     
     
    RADIUS operates in the following manner: 
    1.  The host initiates a connection request that carries the user’s username and password to the 
    RADIUS client. 
    2.  Having received the username and password, the RADIUS client sends an authentication request 
    (Access-Request) to the RADIUS server, with the user password encrypted by using the 
    Message-Digest 5 (MD5) algorithm and the shared key. 
    3.  The RADIUS server authenticates the username and password. If the authentication succeeds, the 
    server sends back an Access-Accept message containing the user’s authorization information. If 
    the authentication fails, the server returns an Access-Reject message. 
    4.  The RADIUS client permits or denies the user according to the returned authentication result. If it 
    permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server. 
    5.  The RADIUS server returns a start-accounting response (Accounting-Response) and starts 
    accounting. 
    6.  The user accesses the network resources. 
    7.  The host requests the RADIUS client to tear down the connection and the RADIUS client sends a 
    stop-accounting request (Accounting-Request) to the RADIUS server. 
    8.  The RADIUS server returns a stop-accounting response (Accounting-Response) and stops 
    accounting for the user. 
    RADIUS packet format 
    RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS 
    server and the client, RADIUS uses a series of mechanisms, including the timer management mechanism, 
    the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet 
    format. 
    Figure 4 RADIUS packet format 
     
     
    Descriptions of the fields are as follows: 
    •   The Code field (1 byte long) indicates the type of the RADIUS packet. Table 1 gives the possible 
    values and their meanings. 
    Table 1  Main values of the Code field 
    Code  Packet type          Description 
    1     Access-Request       From the client to the server. A packet of this type carries user 
                               information for the server to authenticate the user. It must contain 
                               the User-Name attribute and can optionally contain the attributes 
                               of NAS-IP-Address, User-Password, and NAS-Port. 
    2     Access-Accept        From the server to the client. If all the attribute values carried in 
                               the Access-Request are acceptable, the authentication succeeds, 
                               and the server sends an Access-Accept response. 
    3     Access-Reject        From the server to the client. If any attribute value carried in the 
                               Access-Request is unacceptable, the authentication fails and the 
                               server sends an Access-Reject response. 
    4     Accounting-Request   From the client to the server. A packet of this type carries user 
                               information for the server to start or stop accounting for the user. 
                               The Acct-Status-Type attribute in the packet indicates whether to 
                               start or stop accounting. 
    5     Accounting-Response  From the server to the client. The server sends a packet of this 
                               type to notify the client that it has received the 
                               Accounting-Request and has successfully recorded the 
                               accounting information. 
    •   The Identifier field (1 byte long) is used to match request and response packets and to detect 
    duplicate request packets. Request and response packets of the same type have the same identifier. 
    •   The Length field (2 bytes long) indicates the length of the entire packet, including the Code, 
    Identifier, Length, Authenticator, and Attribute fields. Bytes beyond this length are considered 
    padding and are ignored at the receiver. If the length of a received packet is less than this length, 
    the packet is dropped. The value of this field is in the range of 20 to 4096. 
    •   The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to 
    encrypt user passwords. There are two types of authenticators: request authenticator and response 
    authenticator. 
    •   The Attributes field (variable in length) carries the specific authentication, authorization, and 
    accounting information that defines the configuration details of the request or response. This field 
    may contain multiple attributes, each with three sub-fields: 
    ◦   Type—(1 byte long) Type of the attribute. It is in the range of 1 to 255. Commonly used RADIUS 
    attributes are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Table 2 shows a list 
    of the attributes. For more information about commonly used standard RADIUS attributes, see 
    "Commonly used standard RADIUS attributes." 
    ◦   Length—(1 byte long) Length of the attribute in bytes, including the Type, Length, and Value 
    fields. 
    ◦   Value—(Up to 253 bytes) Value of the attribute. Its format and content depend on the Type and 
    Length fields. 
    Table 2  Commonly used RADIUS attributes 
    No.  Attribute            No.    Attribute 
    1    User-Name            45     Acct-Authentic 
    2    User-Password        46     Acct-Session-Time 
    3    CHAP-Password        47     Acct-Input-Packets 
    4    NAS-IP-Address       48     Acct-Output-Packets 
    5    NAS-Port             49     Acct-Terminate-Cause 
    6    Service-Type         50     Acct-Multi-Session-Id 
    7    Framed-Protocol      51     Acct-Link-Count 
    8    Framed-IP-Address    52     Acct-Input-Gigawords 
    9    Framed-IP-Netmask    53     Acct-Output-Gigawords 
    10   Framed-Routing       54     (unassigned) 
    11   Filter-ID            55     Event-Timestamp 
    12   Framed-MTU           56-59  (unassigned) 
    13   Framed-Compression   60     CHAP-Challenge 
    14   Login-IP-Host        61     NAS-Port-Type 
    15   Login-Service        62     Port-Limit 
    16   Login-TCP-Port       63     Login-LAT-Port 
    17   (unassigned)         64     Tunnel-Type 
    18   Reply-Message        65     Tunnel-Medium-Type 
    19   Callback-Number      66     Tunnel-Client-Endpoint 
    20   Callback-ID          67     Tunnel-Server-Endpoint 
    21   (unassigned)         68     Acct-Tunnel-Connection 
    22   Framed-Route         69     Tunnel-Password 
    23   Framed-IPX-Network   70     ARAP-Password 
    24   State                71     ARAP-Features 
    25   Class                72     ARAP-Zone-Access 
    26   Vendor-Specific      73     ARAP-Security 
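The packet layout of Figure 4 and the message exchange above, as an added Python example that is not HP's code or the switch's implementation: it parses and builds packets with the Code, Identifier, Length, Authenticator and attribute TLV fields, applies the Length rules (20 to 4096, drop when shorter than declared, ignore trailing padding), hides and reveals the User-Password with MD5 and the shared key as in step 2 of the exchange, and computes and verifies the Response Authenticator that lets the client authenticate server replies. The page only names these mechanisms; the exact hashing formulas are taken from RFC 2865, and the shared key and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

# Code values from Table 1; the 20-byte header is Code(1) + Identifier(1) + Length(2) + Authenticator(16).
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response"}
HEADER_LEN, MAX_LEN = 20, 4096
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute numbers from Table 2


def parse_radius(datagram):
    """Return (code, identifier, authenticator, [(type, value), ...]) or None.
    None means the receiver drops the packet: header too short, Length outside 20..4096,
    fewer bytes than Length announces, or a malformed attribute TLV. Bytes after Length
    are padding and are ignored, as the packet format description requires."""
    if len(datagram) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not HEADER_LEN <= length <= MAX_LEN or len(datagram) < length:
        return None
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            return None                  # a lone byte where a Type/Length pair should start
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            return None                  # attribute Length covers Type+Length+Value and must fit
        attrs.append((atype, datagram[pos + 2:pos + alen]))
        pos += alen
    return code, ident, datagram[4:20], attrs

def build_radius(code, ident, authenticator, attrs):
    """Serialise a packet; each attribute becomes Type(1) Length(1) Value(up to 253 bytes)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body

def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2): pad to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous ciphertext block), seeded by the Request
    Authenticator. The shared key itself never appears in the packet."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def sign_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + secret)."""
    unsigned = build_radius(code, ident, request_auth, attrs)
    digest = hashlib.md5(unsigned[:4] + request_auth + unsigned[20:] + secret).digest()
    return unsigned[:4] + digest + unsigned[20:]

def response_is_authentic(response, request_auth, secret):
    """Client side: recompute the Response Authenticator with the shared key and compare it in
    constant time. A reply from a party without the key, or one made for a different request, fails."""
    if parse_radius(response) is None:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```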