HP 5500 Ei 5500 Si Switch Series Configuration Guide
| No. | Attribute | No. | Attribute |
|---|---|---|---|
| 27 | Session-Timeout | 74 | ARAP-Security-Data |
| 28 | Idle-Timeout | 75 | Password-Retry |
| 29 | Termination-Action | 76 | Prompt |
| 30 | Called-Station-Id | 77 | Connect-Info |
| 31 | Calling-Station-Id | 78 | Configuration-Token |
| 32 | NAS-Identifier | 79 | EAP-Message |
| 33 | Proxy-State | 80 | Message-Authenticator |
| 34 | Login-LAT-Service | 81 | Tunnel-Private-Group-id |
| 35 | Login-LAT-Node | 82 | Tunnel-Assignment-id |
| 36 | Login-LAT-Group | 83 | Tunnel-Preference |
| 37 | Framed-AppleTalk-Link | 84 | ARAP-Challenge-Response |
| 38 | Framed-AppleTalk-Network | 85 | Acct-Interim-Interval |
| 39 | Framed-AppleTalk-Zone | 86 | Acct-Tunnel-Packets-Lost |
| 40 | Acct-Status-Type | 87 | NAS-Port-Id |
| 41 | Acct-Delay-Time | 88 | Framed-Pool |
| 42 | Acct-Input-Octets | 89 | (unassigned) |
| 43 | Acct-Output-Octets | 90 | Tunnel-Client-Auth-id |
| 44 | Acct-Session-Id | 91 | Tunnel-Server-Auth-id |

Extended RADIUS attributes

The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), an attribute defined by RFC 2865, allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol does not provide. A vendor can encapsulate multiple sub-attributes in the type-length-value (TLV) format in RADIUS packets for extension of applications. As shown in Figure 5, a sub-attribute encapsulated in Attribute 26 consists of the following parts:

• Vendor-ID—Indicates the ID of the vendor. Its most significant byte is 0, and the other three bytes contain a code that is compliant with RFC 1700. For more information about the proprietary RADIUS sub-attributes of HP, see HP proprietary RADIUS sub-attributes.
• Vendor-Type—Indicates the type of the sub-attribute.
• Vendor-Length—Indicates the length of the sub-attribute.
• Vendor-Data—Indicates the contents of the sub-attribute.
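As an added illustration (not code from the HP guide), the following Python encodes and parses the Attribute 26 layout described above, with every length field checked so a truncated or oversized sub-attribute is rejected rather than misparsed. The Vendor-ID value is an assumption, and the sample payload uses HP proprietary sub-attribute 60 (Ip_Host_Addr), whose "A.B.C.D hh:hh:hh:hh:hh:hh" format is documented in this guide.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type
HP_IP_HOST_ADDR = 60        # HP proprietary sub-attribute number (from this guide)
ASSUMED_VENDOR_ID = 25506   # assumed value for the Vendor-ID field; not stated on this page


def build_vsa(vendor_id, subattrs):
    """Encode (vendor_type, vendor_data) pairs as one Attribute 26 TLV:
    Type(1) Length(1) Vendor-ID(4) then Vendor-Type(1) Vendor-Length(1) Vendor-Data."""
    if not 0 <= vendor_id <= 0xFFFFFF:       # most significant byte must be 0
        raise ValueError("Vendor-ID must fit in the low three bytes")
    body = b""
    for vtype, vdata in subattrs:
        if len(vdata) > 253:                 # Vendor-Length is one byte and covers its 2-byte header
            raise ValueError("sub-attribute data too long")
        body += struct.pack("!BB", vtype, len(vdata) + 2) + vdata
    if 6 + len(body) > 255:                  # Length is one byte and covers the 6-byte header
        raise ValueError("Attribute 26 exceeds 255 bytes")
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(body), vendor_id) + body


def parse_vsa(attr):
    """Parse one Attribute 26 TLV into (vendor_id, [(vendor_type, vendor_data), ...]).
    Each length field is validated before slicing so truncated or oversized
    input raises ValueError instead of being silently misparsed."""
    if len(attr) < 6 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("malformed Attribute 26")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id >> 24:
        raise ValueError("Vendor-ID most significant byte must be 0")
    subattrs, pos = [], 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > len(attr):
            raise ValueError("bad Vendor-Length")
        subattrs.append((vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subattrs


def parse_ip_host_addr(vdata):
    """Decode HP sub-attribute 60 (Ip_Host_Addr): 'A.B.C.D hh:hh:hh:hh:hh:hh',
    with exactly one space between the IP address and the MAC address."""
    ip, sep, mac = vdata.decode("ascii").partition(" ")
    if sep != " " or ip.count(".") != 3 or mac.count(":") != 5 or " " in mac:
        raise ValueError("Ip_Host_Addr must be 'A.B.C.D hh:hh:hh:hh:hh:hh'")
    return ip, mac


if __name__ == "__main__":
    # Constructed sample: one VSA carrying sub-attribute 60 for a single user.
    vsa = build_vsa(ASSUMED_VENDOR_ID, [(HP_IP_HOST_ADDR, b"192.0.2.10 00:11:22:33:44:55")])
    vendor, subs = parse_vsa(vsa)
    print(vendor, [(t, parse_ip_host_addr(d)) for t, d in subs if t == HP_IP_HOST_ADDR])
```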
Figure 5 Segment of a RADIUS packet containing an extended attribute

[Figure 5: bit positions 0, 7, 15, 23 and 31 across the fields Type, Length, Vendor-ID (first byte 0), Vendor-ID (continued), Vendor-Type, Vendor-Length and Vendor-Data (specified attribute value ...)]

HWTACACS

HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between the NAS and the HWTACACS server.

HWTACACS typically provides AAA services for Point-to-Point Protocol (PPP) users, Virtual Private Dial-up Network (VPDN) users, and terminal users.

In a typical HWTACACS scenario, some terminal users log in to the NAS for operations. Working as the HWTACACS client, the NAS sends the usernames and passwords of the users to the HWTACACS server for authentication. After passing authentication and being authorized, the users log in to the switch and perform operations, and the HWTACACS server records the operations that each user performs.

Differences between HWTACACS and RADIUS

HWTACACS and RADIUS both provide authentication, authorization, and accounting services. They have many features in common, such as using a client/server model, using shared keys for user information security, and providing flexibility and extensibility.

Table 3 Primary differences between HWTACACS and RADIUS

| HWTACACS | RADIUS |
|---|---|
| Uses TCP, providing more reliable network transmission. | Uses UDP, providing higher transport efficiency. |
| Encrypts the entire packet except for the HWTACACS header. | Encrypts only the user password field in an authentication packet. |
| Protocol packets are complicated and authorization is independent of authentication. Authentication and authorization can be deployed on different HWTACACS servers. | Protocol packets are simple and the authorization process is combined with the authentication process. |
| Supports authorization of configuration commands. Which commands a user can use depends on both the user level and the AAA authorization. A user can use only commands that are at, or lower than, the user level and authorized by the HWTACACS server. | Does not support authorization of configuration commands. Which commands a user can use solely depends on the level of the user. A user can use all the commands at, or lower than, the user level. |

Basic HWTACACS message exchange process

The following example describes how HWTACACS performs user authentication, authorization, and accounting for a Telnet user.
Figure 6 Basic HWTACACS message exchange process for a Telnet user

[Figure 6: message flow among the host, the HWTACACS client, and the HWTACACS server, corresponding to steps 1 through 19 below]

HWTACACS operates in the following manner:

1. A Telnet user sends an access request to the HWTACACS client.
2. Upon receiving the request, the HWTACACS client sends a start-authentication packet to the HWTACACS server.
3. The HWTACACS server sends back an authentication response to request the username.
4. Upon receiving the response, the HWTACACS client asks the user for the username.
5. The user enters the username.
6. After receiving the username from the user, the HWTACACS client sends the server a continue-authentication packet that carries the username.
7. The HWTACACS server sends back an authentication response, requesting the login password.
8. Upon receipt of the response, the HWTACACS client asks the user for the login password.
9. The user enters the password.
10. After receiving the login password, the HWTACACS client sends the HWTACACS server a continue-authentication packet that carries the login password.
11. The HWTACACS server sends back an authentication response to indicate that the user has passed authentication.
12. The HWTACACS client sends the user authorization request packet to the HWTACACS server.
13. The HWTACACS server sends back the authorization response, indicating that the user is now authorized.
14. Knowing that the user is now authorized, the HWTACACS client pushes its configuration interface to the user.
15. The HWTACACS client sends a start-accounting request to the HWTACACS server.
16. The HWTACACS server sends back an accounting response, indicating that it has received the start-accounting request.
17. The user logs off.
18. The HWTACACS client sends a stop-accounting request to the HWTACACS server.
19. The HWTACACS server sends back a stop-accounting response, indicating that the stop-accounting request has been received.

Domain-based user management

A NAS manages users based on Internet service provider (ISP) domains. On a NAS, each user belongs to one ISP domain. A NAS determines the ISP domain a user belongs to by the username entered by the user at login, as shown in Figure 7.

Figure 7 Determining the ISP domain of a user by the username

[Figure 7: a user enters the username in the form userid@domain-name or userid. The NAS checks whether the username contains @domain-name. Yes: use the AAA methods and attributes of domain domain-name for the user. No: use the AAA methods and attributes of the default domain for the user.]

The authentication, authorization, and accounting of a user depend on the AAA methods configured for the domain to which the user belongs. If no specific AAA methods are configured for the domain, the default methods are used. By default, a domain uses local authentication, local authorization, and local accounting.

AAA allows you to manage users based on their access types:

• LAN users—Users on a LAN who must pass 802.1X or MAC address authentication to access the network.
• Login users—Users who want to log in to the switch, including SSH users, Telnet users, Web users, FTP users, and terminal users.
• Portal users—Users who must pass portal authentication to access the network.

In addition, AAA provides the following services for login users to enhance switch security:

• Command authorization—Enables the NAS to defer to the authorization server to determine whether a command entered by a login user is permitted for the user, making sure that login users execute only commands they are authorized to execute. For more information about command authorization, see Fundamentals Configuration Guide.
• Command accounting—Allows the accounting server to record all commands executed on the switch or all authorized commands successfully executed. For more information about command accounting, see Fundamentals Configuration Guide.
• Level switching authentication—Allows the authentication server to authenticate users who perform privilege level switching. After passing level switching authentication, users can switch their user privilege levels without logging out or disconnecting current connections. For more information about user privilege level switching, see Fundamentals Configuration Guide.

You can configure different authentication, authorization, and accounting methods for different types of users in a domain. See Configuring AAA methods for ISP domains.

RADIUS server feature of the switch

Generally, the RADIUS server runs on a computer or workstation, and the RADIUS client runs on a NAS. A network device that supports the RADIUS server feature can also serve as the RADIUS server, working with RADIUS clients to implement user authentication, authorization, and accounting. As shown in Figure 8, the RADIUS server and client can reside on the same switch or different switches.

Using a network device as the RADIUS server simplifies networking and reduces deployment costs. This implementation is usually deployed on networks by using the clustering feature. In such a scenario, configure the RADIUS server feature on a management device at the distribution layer, so that the device functions as a RADIUS server to cooperate with cluster member switches at the access layer to provide user authentication and authorization services.

Figure 8 Devices functioning as a RADIUS server

[Figure 8: two deployments; in one, the NAS and the RADIUS server are separate switches connected over an IP network; in the other, a single switch acts as both the RADIUS server and the NAS, reached over an IP network]

The switch can serve as a RADIUS server to provide the following functions:

• User information management
You can create, modify, and delete user information, including the username, password, authority, lifetime, and user description.
• RADIUS client information management
You can create and delete RADIUS clients, which are identified by IP addresses and configured with attributes such as a shared key. With a managed client range configured, the RADIUS server processes only the RADIUS packets from the clients within the management range. A shared key is used to ensure secure communication between a RADIUS client and the RADIUS server.
• RADIUS authentication and authorization
With the RADIUS server enabled, the switch checks whether or not the client of an incoming RADIUS packet is under its management. If yes, it verifies the packet validity by using the shared key, checks whether there is an account with the username, whether the password is correct, and whether the user attributes meet the requirements defined on the RADIUS server (for example, whether the account has expired). Then, the RADIUS server assigns the corresponding authority to the client if the authentication succeeds, or denies the client if the authentication fails.

NOTE: A RADIUS server running the standard RADIUS protocol listens on UDP port 1812 for authentication requests, but an HP switch listens on UDP port 1645 instead when acting as the RADIUS server. Be sure to specify 1645 as the authentication port number on the RADIUS client when you use an HP switch as the RADIUS server.

AAA for MPLS L3VPNs (available only on the HP 5500 EI)

In an MPLS L3VPN scenario where clients in different VPNs are centrally authenticated, you can deploy AAA across VPNs to enable forwarding RADIUS and HWTACACS packets across MPLS VPNs. With the AAA across VPNs feature, the PE at the left side of the MPLS backbone serves as a NAS and transparently delivers the AAA packets of private users in VPN 1 and VPN 2 to the AAA servers in VPN 3 for centralized authentication, as shown in Figure 9. Authentication packets of private users in different VPNs do not affect each other.

Figure 9 Network diagram

[Figure 9: hosts in VPN 1 and VPN 2 connect through CE devices to a PE acting as the NAS; across the MPLS backbone (P and PE devices), a CE in VPN 3 hosts the RADIUS server and the HWTACACS server]

NOTE: This feature can also help an MCE to implement portal authentication for VPNs. For more information about MCE, see Layer 3 - IP Routing Configuration Guide.

Protocols and standards

The following protocols and standards are related to AAA, RADIUS, and HWTACACS:
• RFC 2865, Remote Authentication Dial In User Service (RADIUS)
• RFC 2866, RADIUS Accounting
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
• RFC 2868, RADIUS Attributes for Tunnel Protocol Support
• RFC 2869, RADIUS Extensions
• RFC 1492, An Access Control Protocol, Sometimes Called TACACS

RADIUS attributes

Commonly used standard RADIUS attributes

| No. | Attribute | Description |
|---|---|---|
| 1 | User-Name | Name of the user to be authenticated. |
| 2 | User-Password | User password for PAP authentication, present only in Access-Request packets in PAP authentication mode. |
| 3 | CHAP-Password | Digest of the user password for CHAP authentication, present only in Access-Request packets in CHAP authentication mode. |
| 4 | NAS-IP-Address | IP address for the server to identify a client. Usually, a client is identified by the IP address of the access interface on the NAS, namely the NAS IP address. This attribute is present in only Access-Request packets. |
| 5 | NAS-Port | Physical port of the NAS that the user accesses. |
| 6 | Service-Type | Type of service that the user has requested or type of service to be provided. |
| 7 | Framed-Protocol | Encapsulation protocol for framed access. |
| 8 | Framed-IP-Address | IP address assigned to the user. |
| 11 | Filter-ID | Name of the filter list. |
| 12 | Framed-MTU | Maximum transmission unit (MTU) for the data link between the user and NAS. For example, with 802.1X EAP authentication, NAS uses this attribute to notify the server of the MTU for EAP packets, so as to avoid oversized EAP packets. |
| 14 | Login-IP-Host | IP address of the NAS interface that the user accesses. |
| 15 | Login-Service | Type of the service that the user uses for login. |
| 18 | Reply-Message | Text to be displayed to the user, which can be used by the server to indicate, for example, the reason of the authentication failure. |
| 26 | Vendor-Specific | Vendor specific attribute. A packet can contain one or more such proprietary attributes, each of which can contain one or more sub-attributes. |
| 27 | Session-Timeout | Maximum duration of service to be provided to the user before termination of the session. |
| 28 | Idle-Timeout | Maximum idle time permitted for the user before termination of the session. |
| 31 | Calling-Station-Id | User identification that the NAS sends to the server. For the LAN access service provided by an HP device, this attribute carries the MAC address of the user in the format HHHH-HHHH-HHHH. |
| 32 | NAS-Identifier | Identification that the NAS uses for indicating itself. |
| 40 | Acct-Status-Type | Type of the Accounting-Request packet. Possible values: 1 (Start), 2 (Stop), 3 (Interim-Update), 4 (Reset-Charge), 7 (Accounting-On, defined in 3GPP, the 3rd Generation Partnership Project), 8 (Accounting-Off, defined in 3GPP), 9 to 14 (reserved for tunnel accounting), 15 (reserved for failed). |
| 45 | Acct-Authentic | Authentication method used by the user. Possible values: 1 (RADIUS), 2 (Local), 3 (Remote). |
| 60 | CHAP-Challenge | CHAP challenge generated by the NAS for MD5 calculation during CHAP authentication. |
| 61 | NAS-Port-Type | Type of the physical port of the NAS that is authenticating the user. Possible values: 15 (Ethernet), 16 (any type of ADSL), 17 (Cable, with cable for cable TV), 201 (VLAN), 202 (ATM). If the port is an ATM or Ethernet one and VLANs are implemented on it, the value of this attribute is 201. |
| 79 | EAP-Message | Used for encapsulating EAP packets to allow the NAS to authenticate dial-in users via EAP without having to understand the EAP protocol. |
| 80 | Message-Authenticator | Used for authentication and checking of authentication packets to prevent spoofing Access-Requests. This attribute is used when RADIUS supports EAP authentication. |
| 87 | NAS-Port-Id | String for describing the port of the NAS that is authenticating the user. |

HP proprietary RADIUS sub-attributes

| No. | Sub-attribute | Description |
|---|---|---|
| 1 | Input-Peak-Rate | Peak rate in the direction from the user to the NAS, in bps. |
| 2 | Input-Average-Rate | Average rate in the direction from the user to the NAS, in bps. |
| 3 | Input-Basic-Rate | Basic rate in the direction from the user to the NAS, in bps. |
| 4 | Output-Peak-Rate | Peak rate in the direction from the NAS to the user, in bps. |
| 5 | Output-Average-Rate | Average rate in the direction from the NAS to the user, in bps. |
| 6 | Output-Basic-Rate | Basic rate in the direction from the NAS to the user, in bps. |
| 15 | Remanent_Volume | Remaining, available total traffic of the connection, in different units for different server types. |
| 20 | Command | Operation for the session, used for session control. It can be: 1 (Trigger-Request), 2 (Terminate-Request), 3 (SetPolicy), 4 (Result), 5 (PortalClear). |
| 24 | Control_Identifier | Identification for retransmitted packets. For retransmitted packets of the same session, this attribute must take the same value. For retransmitted packets of different sessions, this attribute may take the same value. The client response of a retransmitted packet must also carry this attribute and the value of the attribute must be the same. For Accounting-Request packets of the start, stop, and interim update types, the Control-Identifier attribute, if present, makes no sense. |
| 25 | Result_Code | Result of the Trigger-Request or SetPolicy operation. A value of zero means the operation succeeded. Any other value means the operation failed. |
| 26 | Connect_ID | Index of the user connection. |
| 28 | Ftp_Directory | Working directory of the FTP user. For an FTP user, when the RADIUS client acts as the FTP server, this attribute is used to set the FTP directory on the RADIUS client. |
| 29 | Exec_Privilege | Priority of the EXEC user. |
| 59 | NAS_Startup_Timestamp | Startup time of the NAS in seconds, which is represented by the time elapsed after 00:00:00 on Jan. 1, 1970 (UTC). |
| 60 | Ip_Host_Addr | User IP address and MAC address carried in authentication and accounting requests, in the format A.B.C.D hh:hh:hh:hh:hh:hh. A space is required between the IP address and the MAC address. |
| 61 | User_Notify | Information to be sent from the server to the client transparently. |
| 62 | User_HeartBeat | Hash value assigned after an 802.1X user passes authentication, which is a 32-byte string. This attribute is stored in the user list on the device and is used for verifying the handshake messages from the 802.1X user. This attribute exists in only Access-Accept and Accounting-Request packets. |
| 140 | User_Group | User groups assigned after the SSL VPN user passes authentication. A user may belong to more than one user group. In this case, the user groups are delimited by semi-colons. This attribute is used for cooperation with the SSL VPN device. |
| 141 | Security_Level | Security level assigned after the SSL VPN user passes security authentication. |
| 201 | Input-Interval-Octets | Bytes input within a real-time accounting interval. |
| 202 | Output-Interval-Octets | Bytes output within a real-time accounting interval. |
| 203 | Input-Interval-Packets | Packets input within an accounting interval, in the unit set on the device. |
| 204 | Output-Interval-Packets | Packets output within an accounting interval, in the unit set on the device. |
| 205 | Input-Interval-Gigawords | Result of bytes input within an accounting interval divided by 4G bytes. |
| 206 | Output-Interval-Gigawords | Result of bytes output within an accounting interval divided by 4G bytes. |
| 207 | Backup-NAS-IP | Backup source IP address for sending RADIUS packets. |
| 255 | Product_ID | Product name. |

AAA configuration considerations and task list

To configure AAA, you must complete these tasks on the NAS:

1. Configure the required AAA schemes.
   • Local authentication—Configure local users and the related attributes, including the usernames and passwords of the users to be authenticated.
   • Remote authentication—Configure the required RADIUS and HWTACACS schemes. You must configure user attributes on the servers accordingly.
2. Configure AAA methods for the users' ISP domains.
   • Authentication method—No authentication (none), local authentication (local), or remote authentication (scheme)
   • Authorization method—No authorization (none), local authorization (local), or remote authorization (scheme)
   • Accounting method—No accounting (none), local accounting (local), or remote accounting (scheme)

Figure 10 AAA configuration diagram

[Figure 10: Local AAA = configure local users and related attributes; Remote AAA = configure the RADIUS and HWTACACS schemes; No AAA needs no scheme. Then create an ISP domain and enter its view, and configure the authentication, authorization, and accounting methods, each as local (the default), none, or scheme.]

Table 4 AAA configuration task list

| Task | Remarks |
|---|---|
| Configuring AAA schemes: Configuring local users | Required. Complete at least one task. |
| Configuring AAA schemes: Configuring RADIUS schemes | |
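The standard attribute table above lists User-Password (attribute 2) and Message-Authenticator (attribute 80), and Table 3 notes that RADIUS encrypts only the password field of an authentication packet. The following added Python example (not code from the HP guide) shows what that means on the wire: the NAS hides User-Password with the shared key and the Request Authenticator as specified in RFC 2865, adds a Message-Authenticator as specified in RFC 2869, and the server verifies that HMAC before revealing the password, so a spoofed or modified Access-Request is rejected. The shared key, identifier and credentials are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                                          # RADIUS code
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80  # attribute types


def hide_password(password, secret, authenticator):
    """RFC 2865: XOR each 16-byte chunk with MD5(secret + previous chunk), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password; the zero padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, key))
    return out.rstrip(b"\x00")


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, authenticator=None):
    """NAS side: Access-Request with a hidden User-Password and a Message-Authenticator,
    which is HMAC-MD5 over the whole packet keyed by the shared key with attribute 80 zeroed."""
    authenticator = authenticator or os.urandom(16)         # 16-byte Request Authenticator
    attrs = _attr(USER_NAME, username)
    attrs += _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    attrs += _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)      # placeholder, filled in last
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_access_request(pkt, secret):
    """Server side: returns (username, password), or None when the packet is malformed,
    lacks attribute 80, or fails the HMAC check (spoofed or tampered)."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    authenticator, attrs, pos, mac_at = pkt[4:20], {}, 20, None
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return None
        attrs[atype] = pkt[pos + 2:pos + alen]
        if atype == MESSAGE_AUTHENTICATOR:
            mac_at = pos + 2
        pos += alen
    if pos != len(pkt) or mac_at is None or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return None
    zeroed = pkt[:mac_at] + b"\x00" * 16 + pkt[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, attrs[MESSAGE_AUTHENTICATOR]):
        return None
    return attrs[USER_NAME], reveal_password(attrs[USER_PASSWORD], secret, authenticator)
```

Only the password is hidden; User-Name and every other attribute travel in clear, which is the contrast Table 3 draws with HWTACACS encrypting the whole body.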