Operation Manual Security. Table of Contents


Table of Contents

Chapter 1 Network Security Overview
  Introduction to the Network Security Features Provided by CMW
  Hierarchical Line Protection
  RADIUS-Based AAA
  Packet Filter and Firewall
    Firewall Concept
    Firewall Classification
    Packet Filter
  Security Authentication for Route Information Exchange

Chapter 2 AAA and RADIUS/HWTACACS Protocol Configuration
  Overview
    Introduction to AAA
    Introduction to the RADIUS Protocol
    Introduction to the HWTACACS Protocol
  Configuring AAA
    Creating an ISP Domain and Setting the Related Attributes
    Creating a Local User and Setting the Related Attributes
  Configuring the RADIUS Protocol
    Creating a RADIUS Scheme
    Configuring RADIUS Authentication/Authorization Servers
    Configuring RADIUS Accounting Servers and Related Attributes
    Setting the Shared Key for RADIUS Packet Encryption
    Setting the Maximum Number of RADIUS Request Attempts
    Setting the Supported RADIUS Server Type
    Setting the State of RADIUS Servers
    Setting the Username Format Acceptable to RADIUS Servers
    Setting the Unit of Data Flows Destined for RADIUS Servers
    Configuring an IP Address for the NAS to Use as the Source IP Address of RADIUS Packets
    Setting RADIUS Server Timers
    Configuring to Send a Trap Packet When the RADIUS Server Goes Down
    Configuring Local RADIUS Authentication Server
  Configuring HWTACACS Protocol
    Creating a HWTACACS Scheme
    Configuring TACACS Authentication Servers
    Configuring TACACS Authorization Servers
    Configuring TACACS Accounting Servers and Related Attributes
    Configuring an IP Address for the NAS to Use as the Source IP Address of HWTACACS Packets
    Setting a Key for TACACS Servers
    Setting the Username Format Acceptable to TACACS Servers
    Setting the Unit of Data Flows Destined for TACACS Servers
    Setting TACACS Server Timers
  Configuring TACACS to Support Super Authentication
    Right Switching in Super Authentication
    Setting Super Authentication Mode
    Setting Super Authentication Scheme
  Displaying and Debugging AAA and RADIUS and HWTACACS Protocols
  AAA, RADIUS and HWTACACS Protocol Configuration Example
    Authentication and Accounting for Telnet/SSH Users Using a RADIUS Server
    Local Authentication for FTP/Telnet Users
    Authentication (One Time Authentication) and Accounting for Telnet Users through a TACACS Server
  Troubleshooting AAA, RADIUS and HWTACACS Protocols
    Troubleshooting the RADIUS Protocol
    Troubleshooting the HWTACACS Protocol

Chapter 3 ACL Configuration
  Introduction to ACL
    ACL Overview
    Classification of ACL
    Match Order of ACL
    ACL Creation
    Basic ACL
    Advanced ACL
    Interface-Based ACL
    MAC-Based ACL
    ACL Supporting Fragment
  Configuring an ACL
    Configuring a Basic ACL
    Configuring an Advanced ACL
    Configuring an Interface-Based ACL
    Configuring a MAC-Based ACL
    Adding a Description to an ACL
    Adding a Comment to an ACL Rule
    Removing an ACL
    Configuring a Time Range
    Creating/Removing a Time Range
  Displaying and Debugging ACL
  Typical Configuration Examples of ACL

Chapter 4 NAT Configuration
  NAT Overview
    Introduction to NAT
    Functions Provided by NAT
    Many-to-Many Address Translation and Address Translation Control
    NAPT
    Static Network Segment Address Translation
    Bidirectional Network Address Translation
    Internal Server
    Easy IP
    NAT Application Level Gateway
    Limiting the Maximum Number of TCP Connections through NAT
  NAT Configuration
    Configuring Address Pool
    Configuring NAT
    Configuring Bidirectional NAT Table
    Configuring Internal Server
    Enabling NAT ALG
    Configuring Domain Name Mapping
    Configuring Address Translation Lifetimes
    Configuring NAT to Limit the Maximum Number of TCP Connections
  Displaying and Debugging NAT
  NAT Configuration Example
  Troubleshooting NAT Configuration

Chapter 5 Firewall Configuration
  Introduction to Firewall
    ACL/Packet Filter
    Application Specific Packet Filter
    Virtual Firewall
  Configuring Packet Filter
    Enabling or Disabling Firewall
    Setting the Default Filtering Mode of Firewall
    Enabling Packet Filter Fragment Detection
    Configuring Upper/Lower Threshold of Fragment Detection
    Applying ACL on the Interface
    Displaying and Debugging Packet Filter
    Packet Filter Configuration Example
    Configuration Example of Fragment Filtering Through Packet Filter
  Configuring ASPF
    Enabling Firewall
    Configuring ACL
    Defining an ASPF Policy
    Applying ASPF Policy to Specified Interface
    Setting the Session Timeout Values
    Configuring ASPF with Session Logging
    Configuring Port Mapping
    Displaying and Debugging ASPF
    Cautions about ASPF Configuration
    ASPF Configuration Example
  Configuring Virtual Firewall
    Defining a VPN Instance
    Binding an Interface to a VPN Instance
    Configuring the Limitation of Virtual Firewall Resources
    Displaying and Debugging Virtual Firewall
    Virtual Firewall Configuration Example
  Black List
    Introduction to Black List
    Configuring Black List
    Displaying and Debugging Black List
    Black List Configuration Example
  MAC and IP Address Binding
    Introduction to MAC and IP Address Binding
    Configuring MAC and IP Address Binding
    Displaying and Debugging MAC and IP Address Binding
    MAC and IP Address Binding Configuration Example
  Security Zone Configuration
    Introduction to Security Zone
    Configuring Security Zone

Chapter 6 Transparent Firewall
  Transparent Firewall Overview
    Obtaining a MAC Address Table
    Forwarding and Filtering
  Configuring Transparent Firewall
    Configuring Firewall Mode
    Configuring System IP Address
    Enabling/Disabling Dynamic ARP Learning
    Configuring Handling Approach for the Packets with Unknown MAC Address
    Configuring MAC Address-Based ACLs
    Applying MAC Address-Based ACL to the Interface
    Configuring Aging Time of the MAC Forwarding Table
    Defining Allowed Packet Types
    Configuring VLAN ID Transparent Transmission
  Displaying and Debugging Transparent Firewall
  Transparent Firewall Configuration Example

Chapter 7 Web and E-mail Filtering
  Introduction to Web and E-mail Filtering
  Configuring Web Filtering
    Configuring Web Address Filtering
    Configuring Web Content Filtering
    Configuring SQL Attack Prevention
  Configuring E-mail Filtering
    Configuring E-mail Address Filtering
    Configuring E-mail Subject Filtering
    Configuring E-mail Content Filtering
    Configuring E-mail Attachment Filtering
  Displaying and Debugging E-mail Filtering

Chapter 8 Attack Prevention and Packet Statistics
  Overview of Attack Prevention and Packet Statistics
    Introduction to Attack Prevention
    Classes of Network Attacks
    Typical Examples of Network Attacks
    Introduction to Packet Statistics Analysis
  Configuring Attack Prevention
    Enabling/Disabling ARP Flood Attack Prevention
    Configuring ARP Spoofing Attack Prevention
    Enabling/Disabling the IP Spoofing Attack Prevention Function
    Enabling/Disabling the Land Attack Prevention Function
    Enabling/Disabling the Smurf Attack Prevention Function
    Enabling/Disabling the WinNuke Attack Prevention Function
    Enabling/Disabling the Fraggle Attack Prevention Function
    Enabling/Disabling Frag Flood Attack Prevention
    Enabling/Disabling the SYN Flood Attack Prevention Function
    Enabling/Disabling the ICMP Flood Attack Prevention Function
    Enabling/Disabling the UDP Flood Attack Prevention Function
    Enabling/Disabling the ICMP Redirect Packet Control Function
    Enabling/Disabling the ICMP Unreachable Packet Control Function
    Enabling/Disabling the IP Sweep Attack Prevention Function
    Enabling/Disabling the Port Scan Attack Prevention Function
    Enabling/Disabling the Attack Prevention Function of the IP Packet Carrying Source Route
    Enabling/Disabling Attack Prevention for Route Record Options
    Enabling/Disabling the Tracert Packet Control Function
    Enabling/Disabling Ping of Death Prevention Function
    Enabling/Disabling the Teardrop Attack Prevention Function
    Enabling/Disabling the TCP Flag Validity Detection Function
    Enabling/Disabling the IP Fragment Packet Detection Function
    Setting the Warning Level in Monitoring the Number and Rate of Connections
    Enabling/Disabling the Oversized ICMP Packet Control Function
  Configuring System-Based Statistics
    Enabling/Disabling the System-Based Statistics Function
    Configuring the System-Based Connection Count Monitoring
    Configuring Alarm Detection for Abnormal System Packet Rate
  Configuring Zone-Based Statistics
    Enabling/Disabling the Zone-Based Statistics Function
    Configuring the Zone-Based Connection Count Monitoring
    Configuring the Zone-Based Connection Rate Monitoring
  Configuring IP-Based Statistics
    Enabling/Disabling the IP-Based Statistics Function
    Configuring the IP-Based Connection Count Monitoring Function
    Configuring the IP-Based Connection Rate Monitoring Function
  Displaying and Debugging Attack Prevention and Packet Statistics
    Displaying and Debugging Attack Prevention
    Displaying and Debugging Packet Statistics
  Configuring SMTP Client
    Configuring Mail Triggering Time
    Configuring Mail Addresses
    Displaying and Debugging SMTP Client Configuration
  Configuring DNS Client
    Configuring a DNS Server
    Configuring DNS Cache
    Displaying and Debugging DNS Client Configuration
  Attack Prevention and Packet Statistics Configuration Examples
    Enabling the Land Attack Prevention Function
    Enabling the SYN Flood Attack Prevention Function
    Enabling the Address Scanning Attack Prevention Function
    Enabling the Zone-Based Connection Count Monitoring Function
    Displaying Statistics Information of Specified IP Address
  Attack Prevention Troubleshooting

Chapter 9 IDS Cooperation
  Introduction to IDS Cooperation
  Configuring IDS Cooperation
    Issuing IDS-Cooperation ACL Rules to Interfaces
  Displaying and Debugging IDS Cooperation
  IDS Configuration Examples

Chapter 10 Log Maintenance
  Introduction to Log
  Configuring Syslog Log
    Configuring Syslog Log Output Format
    Configuring the Sweep Time for the Syslog Log Buffer
    Configuring the Log Redirection for the Information Center
  Binary-Flow Log Configuration
    Enabling/Disabling Binary-Flow Log Output in Interzone
    Configuring Host Address and Port of Receiving Binary-Flow Log
  Clearing Log
  Log Configuration Example
    Outputting Attack Prevention Log to Host
    Outputting Binary-Flow Log to Host

Chapter 1 Network Security Overview

Note: All the contents below are about SecBlade cards, so the commands in this manual are executed in views corresponding to SecBlade cards instead of the other series switches.

1.1 Introduction to the Network Security Features Provided by CMW

SecBlade must be able to withstand malicious attacks from the public network. On the other hand, accidental but destructive access may also result in a significant performance decrease and even operation failure. CMW provides the following network security features:

- Authentication, authorization and accounting (AAA) services based on Remote Authentication Dial-In User Service (RADIUS). AAA provides authentication, authorization, and accounting services for users in order to prevent illegal access.
- Authentication protocol that supports CHAP and PAP authentication on PPP lines.
- Packet filter implemented through access control lists (ACLs), which specify the types of packets that the SecBlade will permit or deny.
- Application specific packet filter (ASPF), also called stateful firewall. ASPF is an advanced filtering approach that checks application layer information, monitors the state of connection-oriented application layer protocols, maintains the state information of each connection, and dynamically decides whether to permit or deny a packet.
- IP security (IPSec), which guarantees the privacy, integrity and validity of packets transmitted over the Internet through encryption and data source authentication at the IP layer.
- Internet key exchange (IKE), which provides key exchange through auto-negotiation and establishes security associations (SAs) to simplify the use and management of IPSec.
- Event log, which records system security events and traces illegal access in real time.
- Address translation provided by the NAT gateway (GW), which separates the public network from the intranet, keeps the IP addresses of the internal devices unknown to the public network, and hence prevents attacks from the public network.
- Dynamic routing protocol authentication, which ensures that reliable route information is exchanged.
- Hierarchical view protection, which classifies users into four levels that are assigned different configuration rights. A low-level user cannot enter the view of a higher level.

The following chapters describe how to configure AAA and RADIUS, user passwords, the firewall and packet filtering. Refer to the VPN part of this manual for IPSec/IKE configuration; refer to NAT Configuration for address translation configuration; refer to the Routing Protocol part of this manual for dynamic routing protocol authentication.

1.2 Hierarchical Line Protection

The system command lines are protected in a hierarchical way. In this approach, the command lines are divided into four levels: visit, monitor, system, and manage. You cannot use the commands of a level unless you have provided the correct login password for that level.

1.3 RADIUS-Based AAA

AAA is used for user access management. It can be implemented via multiple protocols, but the AAA discussed here is based on RADIUS. AAA provides:

- Hierarchical user management. Generally, users are allowed to perform operations such as managing and maintaining the system configuration data, and monitoring and maintaining the device. These operations are crucial to the normal operation of the system. Therefore, it is necessary to classify users into different levels and grant each level specific rights. In this case, a low-level user can only perform some viewing operations, while only a high-level user can modify data, maintain devices, and perform other sensitive operations.
- PPP authentication. With it, username/password authentication is performed before a PPP connection is set up.
- PPP address management and allocation. When setting up a PPP connection, the system may assign a pre-specified IP address to the PPP user.

The next chapter covers the details of the RADIUS protocol and its configuration, user password configuration, and PPP user address configuration. For PPP authentication protocols, refer to the User Access part of this manual.

1.4 Packet Filter and Firewall

Firewall Concept

A firewall can prevent unauthorized or unauthenticated users on the Internet from accessing a protected network while allowing users on the internal network to access web sites on the Internet and send/receive e-mails. It can also work as an Internet access control GW by permitting only particular users in an organization to access the Internet.

Figure 1-1 A firewall separating the intranet from the Internet

Apart from connecting to the Internet, the firewall can also protect the mainframe and crucial resources (like data) on the intranet of the organization. Access to the protected data must be permitted by the firewall first, even if the access is initiated from inside the organization. An external network user must pass through the firewall before it can access the protected network resources. Likewise, an intranet user must pass through the firewall before it can access external network resources. Thus, the firewall plays the role of a guard and discards the denied packets.

Firewall Classification

Normally, firewalls are classified into two categories: network layer firewalls and application layer firewalls. Network layer firewalls mainly obtain information from the packet header, such as protocol, source address, destination address, and destination port. Alternatively, they can directly obtain a segment from the packet header. Application layer firewalls, however, analyze the whole information traffic. Firewalls are generally divided into the following categories:

- Application gateway: It verifies the application layer of all packets. Take a File Transfer Protocol (FTP) application GW as an example. From the perspective of the client, the FTP GW is an FTP server; from the perspective of the server, it is an FTP client. All FTP packets must pass through this FTP GW.
- Circuit-level gateway: The term "circuit" refers to a virtual circuit (VC). Before a TCP or UDP connection or a VC is opened, the session reliability must be verified. Packet transmission is allowed only after a valid handshake procedure is accomplished. After a session is set up, its information is stored in a table of valid connections maintained by the firewall. A packet is permitted only if its session information matches an entry in the table. After the session is terminated, the entry is deleted from the table. The circuit-level GW authenticates a connection at the session layer; once the authentication is passed, any application can apply through the connection. Take FTP as an example. A circuit-level GW only authenticates an FTP session at the TCP layer at the beginning of the session; if the authentication is passed, all data can be transmitted through this connection until the session is terminated.
- Packet filter: The firewall filters each packet based on the items specified by the user. For example, the firewall compares the source and destination addresses of packets against the defined rules for a match. A packet filter neither considers the session status nor analyzes the data. If the user specifies that packets carrying port number 21 or a port number no less than 1024 are permitted, all packets matching the rule can pass through the firewall. If the rules are specified based on actual applications, large numbers of malicious packets can be filtered out.
- Network Address Translation (NAT), also called address proxy, which makes it possible for a private network to access the external network. The NAT mechanism substitutes the external network address and port number of the SecBlade for those of a host on the private network, and vice versa. In other words, it is the translation between <Private address + Port number> and <Public address + Port number>. The private address discussed here refers to the internal network or host address, and the public address refers to a globally unique IP address on the Internet. The Internet Assigned Numbers Authority (IANA) has reserved the following IP address ranges for private addresses:
  10.0.0.0 to 10.255.255.255
  172.16.0.0 to 172.31.255.255
  192.168.0.0 to 192.168.255.255
  In other words, addresses in these three ranges are used inside organizations or companies rather than being assigned as Internet addresses. A company can select a proper network address range by taking the future expansion of internal hosts and networks into consideration. The internal network addresses of different companies can be the same. However, it may cause chaos if a company uses network addresses from a network segment other than the three ranges given above. NAT allows internal hosts to access Internet resources while keeping their privacy.

Packet Filter

I. Function

Generally, a packet filter filters IP packets. For the packets that the SecBlade will forward, the packet filter first obtains the header information of each packet, including the upper-layer protocol carried by the IP layer, the source and destination addresses, and the source and destination port numbers. Then, the packet filter compares these elements with the preset rules to determine whether the packet should be forwarded or discarded. Figure 1-2 illustrates the elements that a packet filter uses for decision making on IP packets, given that the upper layer carried by IP is TCP/UDP.

Figure 1-2 Packet filtering elements (IP header: source/destination IP addresses; TCP/UDP header: source/destination ports; followed by the application layer header and data, which carry the application layer traffic)

Most packet filter systems do not perform any operation on the data itself or do content-based filtering.

II. ACL

Before the system can filter packets, you must configure ACL rules to specify which types of packets should be allowed or denied. A user should configure an ACL according to the security policy and apply it to a specified interface or to all the interfaces on the device. The SecBlade then checks all packets received by the specified interface or all interfaces against the ACL, and forwards or discards the packets matching the rules. In this way, the SecBlade functions as a firewall.

1.5 Security Authentication for Route Information Exchange

The SecBlade card operates based on the maintenance of the route forwarding table, which is built through dynamic route information exchange among neighboring routers.

I. Necessity of implementing security authentication for route information exchange

As neighboring routers on a network need to exchange a large amount of route information, some unreliable routers may attack other network devices. With the route authentication function enabled, the SecBlade card is able to authenticate the route updates received from neighboring routers, and hence accepts only reliable route information.

II. Authentication implementation

The routers exchanging route information share the same key, which is sent along with the route information packets. Upon receiving the route information, a router authenticates the packets by verifying the key they carry. If the key carried by a packet is the same as the shared key, the packet is accepted; otherwise, it is discarded. Authentication can be implemented through simple text authentication or MD5 authentication. The former sends keys in plain text and provides lower security, whereas the latter does not send the key in plain text and provides higher security.
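The packet filter of section 1.4 decides on the elements of Figure 1-2 only: protocol, source/destination address and source/destination port, with no session state. The following Python is an added example, not code from the manual or from the SecBlade, that models such a first-match ACL and contrasts the loose "port 21 or any port no less than 1024" rule mentioned above with an application-specific rule set. All addresses, rules and packets are constructed for illustration.

```python
"""Added example: a first-match packet filter over the Figure 1-2 elements.
Rules, addresses and packets below are constructed, not taken from the manual."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source IP address
    dst: str              # destination IP address
    sport: int = 0        # source port (0 for protocols without ports)
    dport: int = 0        # destination port


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    proto: Optional[str] = None              # None matches any protocol
    src: str = "0.0.0.0/0"                   # source network
    dst: str = "0.0.0.0/0"                   # destination network
    dport: Optional[Tuple[int, int]] = None  # inclusive destination port range

    def matches(self, pkt: Packet) -> bool:
        """Compare only header elements; no data and no session state are consulted."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None:
            # A port condition can only be evaluated for TCP/UDP packets.
            if pkt.proto not in ("tcp", "udp"):
                return False
            lo, hi = self.dport
            if not lo <= pkt.dport <= hi:
                return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Return the action of the first matching rule; fall back to the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The loose policy quoted in the manual: permit port 21 or any port >= 1024,
# regardless of direction, protocol or address.
LOOSE: List[Rule] = [
    Rule("permit", dport=(21, 21)),
    Rule("permit", dport=(1024, 65535)),
]

# An application-specific policy (constructed): FTP control from the intranet
# to one FTP server, active-mode data connections from that server back to the
# intranet, and an explicit deny for everything else.
INTRANET = "192.168.10.0/24"
FTP_SERVER = "203.0.113.5/32"
STRICT: List[Rule] = [
    Rule("permit", "tcp", INTRANET, FTP_SERVER, dport=(21, 21)),
    Rule("permit", "tcp", FTP_SERVER, INTRANET, dport=(1024, 65535)),
    Rule("deny"),
]

# Constructed sample traffic.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "ftp_control": Packet("tcp", "192.168.10.7", "203.0.113.5", 40000, 21),
    "ftp_data": Packet("tcp", "203.0.113.5", "192.168.10.7", 20, 40001),
    "inbound_high_port": Packet("tcp", "198.51.100.9", "192.168.10.7", 5555, 3389),
    "icmp_probe": Packet("icmp", "198.51.100.9", "192.168.10.7"),
}


def evaluate(rules: List[Rule]) -> Dict[str, str]:
    """Apply a rule set to every sample packet and return name -> action."""
    return {name: filter_packet(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("loose", LOOSE), ("strict", STRICT)):
        print(label, evaluate(rules))
```

Under the loose policy the inbound connection to port 3389 is permitted purely because its destination port is not below 1024, which is the outcome the manual warns about; the application-specific policy denies it while still allowing both halves of the FTP exchange.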

Chapter 2 AAA and RADIUS/HWTACACS Protocol Configuration

2.1 Overview

Introduction to AAA

Authentication, Authorization and Accounting (AAA) provides a framework for configuring a set of three security functions in a consistent manner. The network security mentioned here refers to access control and includes:

- Which users can access the network server?
- Which services can the authorized users use?
- How are accounts kept for the users who are using network resources?

Accordingly, AAA provides the following services:

I. Authentication

For authentication, the following methods are supported:

- None authentication: All users are trusted and are not verified. Generally, this method is not recommended.
- Local authentication: User profiles (including username, password, and attributes) are stored on the broadband access server (BAS). Local authentication features high speed and low cost; however, the amount of information that can be stored in this approach is limited by the hardware.
- Remote authentication: The RADIUS and HWTACACS protocols are supported for remote authentication. In this approach, the BAS acts as the client and communicates with the RADIUS or TACACS authentication server. For RADIUS, you can use the standard RADIUS protocol or the H3C extended RADIUS protocol to complete authentication in conjunction with devices like iTELLIN/CAMS.

II. Authorization

For authorization, the following methods are supported:

- Direct authorization: All users are trusted and directly authorized.
- Local authorization: Users are authorized according to the relevant attributes of the local user accounts configured on the BAS.
- HWTACACS authorization: Users are authorized by the TACACS server.
- If-authenticated authorization: Users are authorized after they are authenticated by any method other than none authentication.
- RADIUS authorization following successful authentication: With RADIUS, users are authorized only after they pass authentication. In other words, you cannot perform RADIUS authorization without authentication.

III. Accounting

For accounting, the following methods are supported:

- None accounting: Users are not accounted.
- Remote accounting: Users are accounted remotely through the RADIUS server or the TACACS accounting server.

Note: Currently, the SecBlade supports accounting for PPP users and Telnet users only, and it does not provide real-time accounting for Telnet users.

AAA usually utilizes a client/server model, where the client controls user access and the server stores user information. The AAA framework thus has high scalability and allows centralized management. Being a management framework, AAA can be implemented using multiple protocols. In CMW, for example, AAA is implemented based on the RADIUS protocol or the HWTACACS protocol.

Introduction to the RADIUS Protocol

I. What is RADIUS

Remote Authentication Dial-In User Service (RADIUS) is an information exchange protocol in a distributed client/server model designed to prevent a network from being accessed illegally. It is often used in network environments where both high security and remote access are required, for example, to manage a large number of dispersed dial-in users that use serial ports and modems. The RADIUS system is an important auxiliary part of the Network Access Server (NAS). The RADIUS service involves three components:

- Protocol: Based on the UDP/IP layer, RFC 2865 and RFC 2866 define the RADIUS packet format and the message transfer mechanism, and use UDP port 1812 as the authentication port and UDP port 1813 as the accounting port.
- Server: The RADIUS server runs on a computer or workstation at the center, and maintains authentication and network access information.
- Client: The RADIUS client is located at the Network Access Server (NAS) side anywhere in the network. As the RADIUS client, the NAS (a switch or a router) is responsible for transferring user information to a designated RADIUS server and taking actions based on the response from the server (such as connecting or disconnecting users).

The RADIUS server receives user connection requests, authenticates users, and returns the required information to the NAS. In general, the RADIUS server maintains three databases, namely Users, Clients and Dictionary, as shown in the following figure. The Users database stores user information such as username, password, applied protocols, and IP address; the Clients database stores information about RADIUS clients such as the shared key; and the Dictionary database stores the information used to interpret RADIUS protocol attributes and their values.

Figure 2-1 RADIUS server components (Users, Clients and Dictionary databases)

In addition, the RADIUS server can act as the client of other AAA servers to provide proxy authentication or accounting service. The RADIUS server supports authentication in many ways, such as PPP-based PAP, CHAP and UNIX-based login.

II. Basic message exchange procedure in RADIUS

In most cases, user authentication using a RADIUS server involves the proxy function of devices like the NAS. Transactions between the RADIUS client and the RADIUS server are authenticated through a shared key, and user passwords are transferred in cipher text across the network for enhanced security. The RADIUS protocol combines the authentication and authorization processes by sending authorization information in the authentication response message. See the following figure.

Figure 2-2 Basic message exchange procedure in RADIUS (Host, RADIUS client, RADIUS server: (1) the user enters username and password; (2) Authentication request; (3) Authentication accept; (4) Accounting-Request (start); (5) Accounting-Response; (6) the user accesses resources; (7) Accounting-Request (stop); (8) Accounting-Response; (9) notification that the access has terminated)

RADIUS operates as follows:

1) The user enters the username and password.
2) Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server.
3) The RADIUS server compares the received user information against that in the Users database. If the authentication succeeds, it sends back an authentication response (Access-Accept) carrying the user's rights. If the authentication fails, it returns an Access-Reject message.
4) The RADIUS client decides whether to permit the user based on the received authentication result. If so, the RADIUS client sends a start-accounting request (Accounting-Request) to the RADIUS server, with the value of Status-Type being start.
5) The RADIUS server returns a start-accounting response (Accounting-Response).
6) The RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server, with the value of Status-Type being stop.
7) The RADIUS server returns a stop-accounting response (Accounting-Response).

III. RADIUS packet format

RADIUS transfers messages in UDP packets, and relies on timers, retransmission and primary/secondary server mechanisms to ensure reliable message exchange between the RADIUS server and the RADIUS client. The following figure shows the RADIUS packet format.

Figure 2-3 RADIUS packet format (fields: Code, Identifier, Length, Authenticator, Attribute)

The identifier field is used for matching request packets against response packets. It changes whenever the attribute field changes and whenever a valid response packet is received, but it stays unchanged during retransmission.

The 16-byte authenticator field is used to authenticate the replies transmitted back from the RADIUS server. It is also used by the password hiding algorithm. There are two kinds of authenticators: request authenticator and response authenticator. The request authenticator is a random value 16 bytes in length. The response authenticator is the result of applying the MD5 algorithm to the code, identifier, request authenticator, length and attribute fields together with the shared key.

1) The code field determines the type of a RADIUS packet, as shown in the following table.

Table 2-1 Code values
Code  Packet type          Description
1     Access-Request       The packet carries user information and flows from the client to the server to help the client determine whether the user can access the network. In this packet, User-Name is required; NAS-IP-Address, User-Password, and NAS-Port are optional.
2     Access-Accept        The packet flows from the server to the client. If all the attribute values carried in the Access-Request packet are acceptable, the server allows the user to pass authentication and sends back an Access-Accept response.
3     Access-Reject        The packet flows from the server to the client. If any attribute value carried in the Access-Request packet is unacceptable, the server denies the user and sends back an Access-Reject response.
4     Accounting-Request   The packet carries user information and flows from the client to the server. The server can determine whether to start accounting according to the Acct-Status-Type attribute. The attributes carried in this type of packet are basically the same as those carried by an Access-Request packet.
5     Accounting-Response  The packet flows from the server to the client, notifying the client that the server has received the Accounting-Request packet and has recorded accounting information. The packet carries such information as number of input/output bytes, number of input/output packets, and session duration.

2) The attribute field contains authentication, authorization, and accounting information, and provides detailed configuration of a request or response packet. This field is represented by the triplet of type, length and value. The following table lists the standard attribute values defined by RFC:

Table 2-2 Attribute values
Type   Attribute type
1      User-Name
2      User-Password
3      CHAP-Password
4      NAS-IP-Address
5      NAS-Port
6      Service-Type
7      Framed-Protocol
8      Framed-IP-Address
9      Framed-IP-Netmask
10     Framed-Routing
11     Filter-ID
12     Framed-MTU
13     Framed-Compression
14     Login-IP-Host
15     Login-Service
16     Login-TCP-Port
17     (unassigned)
18     Reply-Message
19     Callback-Number
20     Callback-ID
21     (unassigned)
22     Framed-Route
23     Framed-IPX-Network
24     State
25     Class
26     Vendor-Specific
27     Session-Timeout
28     Idle-Timeout
29     Termination-Action
30     Called-Station-Id
31     Calling-Station-Id
32     NAS-Identifier
33     Proxy-State
34     Login-LAT-Service
35     Login-LAT-Node
36     Login-LAT-Group
37     Framed-AppleTalk-Link
38     Framed-AppleTalk-Network
39     Framed-AppleTalk-Zone
40-59  (reserved for accounting)
60     CHAP-Challenge
61     NAS-Port-Type
62     Port-Limit
63     Login-LAT-Port

The RADIUS protocol is extensible. The No. 26 attribute (Vendor-Specific) defined in the protocol allows you to define an extended attribute, as shown in the following figure.

Figure 2-4 A RADIUS packet segment containing the extended attribute (fields: Type, Length, Vendor-ID, vendor-specified Type, vendor-specified Length, specified attribute value)

IV. RADIUS features
The RADIUS protocol is widely used. RADIUS uses UDP as the transport protocol for real-time applications, and uses retransmission and primary/secondary server mechanisms for higher reliability. Being easy to implement, RADIUS is suitable for multithreaded server implementations that serve a large number of users.

Introduction to the HWTACACS Protocol

I. What is HWTACACS
Huawei terminal access controller access control system (HWTACACS) is a security protocol enhanced based on TACACS (RFC1492). Similar to the RADIUS protocol, it implements AAA for all users (such as PPP/VPDN/login users) through communications with TACACS servers in the client/server model. Compared with RADIUS, HWTACACS provides more reliable transmission and encryption features, and therefore is more suitable for security control. The following table lists the primary differences between the HWTACACS and RADIUS protocols.
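The packet layout of Figure 2-3, the response authenticator, the password hiding algorithm and the Vendor-Specific attribute of Figure 2-4 are easier to see in code. The following is an added example written for this page, not code from the manual or the SecBlade; it builds one Access-Request and one Access-Accept locally and verifies the reply as a RADIUS client would (RFC 2865 rules). The shared key, NAS address, vendor ID and attribute values are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                 # Table 2-1 code values
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # Table 2-2 attribute types
VENDOR_SPECIFIC, SESSION_TIMEOUT = 26, 27


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 5.2): pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first "previous block" is the request authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server-side inverse of hide_password; trailing zero padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Standard TLV: 1-byte type, 1-byte length (counting the 2 header bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Attribute 26 laid out as in Figure 2-4: 4-byte Vendor-ID, then the vendor's own TLV."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vtype, value))


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Figure 2-3 layout: Code, Identifier, Length of the whole packet, 16-byte Authenticator, Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(body: bytes) -> list:
    """Walk the attribute field: plain attributes give (type, value), VSAs give
    (26, vendor_id, vendor_type, vendor_value). Bad lengths are rejected rather than skipped."""
    out, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        value = body[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
                raise ValueError("bad vendor-specific attribute")
            out.append((atype, struct.unpack("!I", value[:4])[0], value[4], value[6:4 + value[5]]))
        else:
            out.append((atype, value))
        pos += alen
    return out


def response_authenticator(code: int, ident: int, length: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """MD5 over Code + Identifier + Length + RequestAuth + Attributes + Secret (RFC 2865 field order)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check of a reply: a different shared key or altered attributes fail here."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, length, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def exchange(secret: bytes = b"constructed-shared-key", request_auth=None) -> dict:
    """One constructed Access-Request / Access-Accept round trip, both packets built locally."""
    request_auth = request_auth or os.urandom(16)   # request authenticator: 16 random bytes
    ident = 0x2A
    attrs = (attr(USER_NAME, b"userid@test163.net")                         # userid@isp-name format
             + attr(USER_PASSWORD, hide_password(b"correct horse battery", secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))                    # constructed NAS address
             + vsa(99999, 1, b"example-value"))                              # constructed vendor ID
    request = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    # The server answers with the same Identifier; the reply carries Session-Timeout.
    reply_attrs = attr(SESSION_TIMEOUT, struct.pack("!I", 3600))
    reply_auth = response_authenticator(ACCESS_ACCEPT, ident, 20 + len(reply_attrs),
                                        request_auth, reply_attrs, secret)
    reply = build_packet(ACCESS_ACCEPT, ident, reply_auth, reply_attrs)
    parsed = dict((a[0], a[1:]) for a in parse_attrs(request[20:]))
    return {
        "password_roundtrip": reveal_password(parsed[USER_PASSWORD][0], secret, request_auth),
        "vendor": parsed[VENDOR_SPECIFIC],
        "reply_ok": verify_response(reply, request_auth, secret),
        "reply_wrong_key": verify_response(reply, request_auth, b"other-key"),
        "reply_tampered": verify_response(reply[:-1] + bytes([reply[-1] ^ 1]), request_auth, secret),
    }
```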

Table 2-3 Comparison between HWTACACS and RADIUS
Transport: HWTACACS adopts TCP, providing more reliable network transmission; RADIUS adopts UDP.
Encryption: HWTACACS encrypts the entire packet, including the HWTACACS header; RADIUS encrypts only the password field in the authentication packet.
Authentication and authorization: HWTACACS separates authentication from authorization (for example, you can implement authentication and authorization on different TACACS servers); RADIUS brings authentication and authorization together.
Application: HWTACACS applies to security control; RADIUS applies to accounting.
Command authorization: HWTACACS supports the use of configuration commands through authorization; RADIUS does not support it.

In a typical HWTACACS application, a dial-up or terminal user needs to log in to the SecBlade. Working as the HWTACACS client in this case, the SecBlade sends the username and password to the TACACS server for authentication. After passing authentication and being authorized, the user can log in to the SecBlade, as shown in Figure 2-5.

Figure 2-5 Network diagram for a typical HWTACACS application (components: terminal user, dial user, ISDN/PSTN, switch, HWTACACS client (the SecBlade), TACACS servers)

II. Basic message exchange procedure for HWTACACS
For example, HWTACACS is used to implement authentication, authorization, and accounting for a telnet user. The basic message exchange procedure is as follows:
1) The user requests access to the SecBlade; the TACACS client sends a start-authentication packet to the TACACS server upon receipt of the request.
2) The TACACS server sends back an authentication response requesting the username; the TACACS client asks the user for the username upon receipt of the response.

3) The TACACS client sends an authentication continuance packet carrying the username after receiving the username from the user.
4) The TACACS server sends back an authentication response requesting the login password. Upon receipt of the response, the TACACS client requests the user for the login password.
5) After receiving the login password, the TACACS client sends an authentication continuance packet carrying the login password to the TACACS server.
6) The TACACS server sends back an authentication response, indicating that the user has passed the authentication.
7) The TACACS client sends the user authorization packet to the TACACS server.
8) The TACACS server sends back an authorization response, indicating that the user has passed the authorization.
9) Upon receipt of the response indicating an authorization success, the TACACS client pushes the configuration interface of the SecBlade to the user.
10) The TACACS client sends a start-accounting request to the TACACS server.
11) The TACACS server sends back an accounting response, indicating that it has received the start-accounting request.
12) The user logs off; the TACACS client sends a stop-accounting request to the TACACS server.
13) The TACACS server sends back a stop-accounting packet, indicating that the stop-accounting request has been received.
The following figure illustrates the basic message exchange procedure:

Figure 2-6 AAA procedure for a telnet user (message sequence between the user, the HWTACACS client and the HWTACACS server: authentication start request, authentication responses requesting the user name and the password, authentication continuance packets carrying them, authentication success, authorization request and success, accounting start request and response, accounting stop packet and response)

2.2 Configuring AAA

AAA configuration tasks include:
I. Creating an ISP domain and setting the related attributes
Creating an ISP domain
Configuring an AAA scheme
Configuring the ISP domain state
Setting an access limit
Enabling accounting optional
Defining an address pool and allocating IP addresses to PPP users

II. Creating a local user and setting the related attributes (for local authentication only)

Creating an ISP Domain and Setting the Related Attributes

I. Creating an ISP domain
An Internet service provider (ISP) domain is a group of users that belong to the same ISP. For a username in the userid@isp-name format, gw @test163.net for example, the isp-name (test163.net) following the @ sign is the ISP domain name. When receiving a connection request from a user named userid@isp-name, the SecBlade considers the userid part as the username for authentication and the isp-name part as the domain name.
The purpose of introducing ISP domain settings is to support the multi-ISP application environment, where users of different ISPs may access the same access device. Because the attributes of ISP users, such as username and password formats, type of service and rights, may be different, you must differentiate them by setting ISP domains. In ISP domain view, you can configure a complete set of exclusive ISP domain attributes on a per-ISP domain basis, including an AAA scheme.
For the SecBlade, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user has not reported its ISP domain name, the system puts it into the default domain.
Perform the following configurations in system view.

Table 2-4 Create/delete an ISP domain
Create an ISP domain or enter the specified domain view: domain { isp-name | default { disable | enable isp-name } }
Remove the specified ISP domain: undo domain isp-name
By default, the default ISP domain in the system is system.

II. Configuring an AAA scheme
You can configure an AAA scheme in two ways.
1) AAA binding mode
In this mode, you can use the scheme command to specify a scheme. If you choose the RADIUS or HWTACACS scheme, the corresponding RADIUS or HWTACACS server will perform the authentication, authorization and accounting tasks in a consistent manner. That is, you cannot specify different schemes for authentication, authorization and accounting. If you use the local scheme, only authentication and authorization are implemented.

When the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local scheme applies as an alternative scheme in case the RADIUS or TACACS server is not available. If the local scheme applies as the first scheme, only local authentication is performed and the RADIUS, HWTACACS or none scheme cannot be adopted. If the none scheme applies as the first scheme, neither the RADIUS nor the HWTACACS scheme can be adopted.
Perform the following configuration in ISP domain view.

Table 2-5 Configure the related attributes of the ISP domain
Configure an AAA scheme for the domain: scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Restore the default AAA scheme: undo scheme [ radius-scheme | hwtacacs-scheme | none ]
The default AAA scheme is local.

Caution: The none scheme cannot be used for authenticating an FTP user, because an FTP server implemented with CMW does not support anonymous login. If the scheme none command is used, the privilege level of a user logged into the system is 0.

2) AAA separate mode
In this mode, you can use the authentication, authorization or accounting command to select schemes respectively. For example, you can specify the RADIUS scheme for authentication and authorization, and the HWTACACS scheme for optional accounting. This provides users with flexibility in scheme combination. Implementations of AAA services in this mode are listed below.
For terminal users
Authentication: RADIUS, HWTACACS, local, RADIUS-local, HWTACACS-local or none;
Authorization: HWTACACS or none;
Accounting: RADIUS, HWTACACS or none.
You can customize an AAA scheme according to the above implementations.

For FTP users
Only authentication applies to FTP users.
Authentication: RADIUS, HWTACACS, local, RADIUS-local or HWTACACS-local.
For PPP and L2TP users
Authentication: RADIUS, HWTACACS, local, RADIUS-local, HWTACACS-local or none;
Authorization: HWTACACS or none;
Accounting: RADIUS, HWTACACS or none.
You can customize an AAA scheme according to the above implementations.
For DVPN services
At present, for authentication and authorization, only RADIUS, local and RADIUS-local are supported; for accounting, only RADIUS is supported.
Perform the following configuration in ISP domain view.

Table 2-6 Configure the related ISP domain attributes
Configure an authentication scheme for the domain: authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }
Restore the default authentication scheme: undo authentication
Configure an authorization scheme for the domain: authorization { hwtacacs-scheme hwtacacs-scheme-name | none }
Restore the default authorization scheme: undo authorization
Configure an accounting scheme for the domain: accounting { radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | none }
Restore the default accounting scheme: undo accounting

Note:
1) If AAA separate and AAA binding modes are configured at the same time, the former applies.
2) The RADIUS and local schemes do not support separated authentication and authorization. Therefore, the following should be noted:
When the scheme radius-scheme or scheme local command is configured but the authentication command is not configured, there are two cases: if the authorization none command is configured, the authorization data returned by the RADIUS or local scheme is still valid; if the authorization hwtacacs-scheme command is configured, the HWTACACS scheme is used for authorization.
If the scheme radius-scheme or scheme local command and the authentication hwtacacs-scheme command are configured at the same time, the HWTACACS scheme is used for authentication and no authorization is performed.

III. Configuring the ISP domain state
Every ISP domain has two states: active or block. If an ISP domain is in active state, users in the domain can request network services; in block state, users in the domain cannot request network services, except for those users already online.
Perform the following configuration in ISP domain view.

Table 2-7 Configure the ISP domain state
Configure the ISP domain state: state { active | block }
By default, an ISP domain is in active state upon its creation.

IV. Setting an access limit
You can specify the maximum number of users that an ISP domain can accommodate by setting an access limit.
Perform the following configuration in ISP domain view.

Table 2-8 Configure an access limit
Set an access limit to limit the number of users that the domain can accommodate: access-limit { disable | enable max-user-number }
Restore the default value: undo access-limit
By default, no limit is imposed on the number of users that an ISP domain can accommodate upon its creation.

V. Enabling accounting optional
With the accounting optional command configured, the device does not disconnect users during accounting even when it finds no active accounting server or fails to communicate with the accounting server.

With the accounting optional command, the system always sends accounting information to the accounting server and does not terminate the connection, no matter whether the accounting server responds or performs the accounting service. On the contrary, if the none keyword in the scheme command is specified, the system neither sends accounting information to the accounting server nor terminates the connection. If you have specified the radius-scheme or hwtacacs-scheme keyword in the scheme command but have not configured the accounting optional command, the system sends accounting information to the accounting server and, if the server does not respond or perform the accounting service, terminates the connection.
Perform the following configuration in ISP domain view.

Table 2-9 Enable accounting optional
Enable accounting optional: accounting optional
Disable accounting optional: undo accounting optional
By default, when an ISP domain is created, accounting optional is disabled.

VI. Defining an address pool and allocating IP addresses to PPP users
Users can obtain IP addresses through PPP negotiation in three ways:
Directly allocating IP addresses on the interface without configuring an address pool.
Defining address pools in system view and specifying an address pool for the interface (only one is allowed) in interface view to allocate addresses to peers.
Defining address pools in domain view and directly allocating addresses from the pools to PPP users in order.
Perform the following configuration in ISP domain view.

Table 2-10 Define an IP address pool for PPP users
Define an IP address pool used for allocating addresses to PPP users: ip pool pool-number low-ip-address [ high-ip-address ]
Remove the specified address pool: undo ip pool pool-number
By default, no address pool is configured.

The following are the principles of how IP addresses are allocated to PPP users in AAA:
1) For a domain user with a name either in the form of userid or userid@isp-name, an IP address is allocated as follows:

If RADIUS or TACACS authentication/authorization applies, the address that the server has issued to the user is allocated, if there is any. If the server issues an address pool instead of an address, the device searches the address pool in domain view for an address.
In case no address is allocated with the above two methods or local authentication is used, the user is allocated an IP address based on the configuration on the interface:
If the remote address ip-address command is configured on the interface and the specified address is not in use, the device assigns the address to the user.
If the remote address pool command is configured on the interface, the device searches the specified address pool in domain view for an IP address and assigns the address to the user.
If the remote address command is not configured on the interface, the device searches all the address pools in domain view for an IP address and assigns the address to the user.
2) For a user that is not to be authenticated, the device allocates an IP address from the specified address pool (defined in system view) on the interface.

Note: For a user that is to be authenticated and is not assigned an address with the remote address ip-address command, you can change the way of address allocation after the PPP connection is set up.

Creating a Local User and Setting the Related Attributes

Create a local user and configure the related attributes on the security gateway if you select the local authentication scheme in AAA.

Note: If you use a RADIUS scheme or HWTACACS scheme to authenticate users, you must configure the RADIUS or TACACS server appropriately. The local configuration in this case does not take effect.

I. Creating a local user
A local user is a group of users set on the NAS (i.e. the SecBlade). The username is the unique identifier of users in the group. A user requesting network services can pass local authentication as long as its information has been added to the local user database of the NAS.
Perform the following configuration in system view.

Table 2-11 Create/delete a local user
Add a local user: local-user user-name
Delete a local user and its related attributes: undo local-user user-name [ service-type | level ]
Delete all local users or users with the specified service type: undo local-user all [ service-type { ftp | ppp | ssh | telnet | terminal } ]
By default, there is no local user in the system.

II. Setting attributes of a local user
The attributes of a local user include password display mode, password, state, and type of service granted.
Perform the following configuration in system view.

Table 2-12 Set the password display mode for local users
Set the password display mode for local users: local-user password-display-mode { cipher-force | auto }
Cancel the password display mode for local users: undo local-user password-display-mode
Here, auto means that the password will be displayed in the display mode specified by the password command (see the following table), and cipher-force means that the password will always be displayed in cipher text.
Perform the following configurations in local user view.

Table 2-13 Set/remove the attributes for the specified user
Configure a password for the user: password { simple | cipher } password
Remove the password setting: undo password
Configure the state for the user: state { active | block }
Remove the state setting: undo state { active | block }
Configure a service type for the user: service-type { telnet | ssh | terminal | pad }
Remove the service type setting: undo service-type { telnet | ssh | terminal | pad }
Configure a privilege level for the user: level level
Restore the default: undo level
Authorize the user to use DVPN service: service-type dvpn
Cancel the authorization: undo service-type dvpn
Authorize the user to use FTP service and specify a directory the user can access: service-type ftp [ ftp-directory directory ]
Cancel the authorization and restore the directory that the user can access to the default: undo service-type ftp [ ftp-directory ]
Authorize the user to use the PPP service: service-type ppp
Cancel the authorized PPP service: undo service-type ppp
By default, no service is authorized to users. The default privilege level of a user is 0.

Note: If you specify an authentication method that requires the username and password, including local authentication, RADIUS authentication and HWTACACS authentication, the level of the commands that a user can use after login depends on the privilege level of the user; with other authentication methods it depends on the priority of the user interface. For an SSH user using RSA public key authentication, the commands that the user can use depend on the priority level configured for the user interface.

2.3 Configuring the RADIUS Protocol

The RADIUS protocol is configured on a per-RADIUS scheme basis. In a real networking environment, a RADIUS scheme may comprise an independent RADIUS server or a pair of primary and secondary RADIUS servers with the same configuration but different IP addresses. Accordingly, every RADIUS scheme has the following attributes: IP addresses of primary and secondary servers, shared key, and type of RADIUS server.
Actually, configuration of the RADIUS protocol only involves the parameters necessary for information exchange between the NAS and the RADIUS server. To bring these parameters into effect, you need to configure a domain to reference the RADIUS

scheme with these parameters in ISP domain view. For more information about configuration commands, refer to Configuring AAA.
RADIUS protocol configuration includes:
Creating a RADIUS Scheme
Configuring RADIUS Authentication/Authorization Servers
Configuring RADIUS Accounting Servers and Related Attributes
Configuring optional accounting
Enabling stop-accounting buffer and Retransmission
Setting the Maximum Number of RADIUS Request Attempts
Setting the Shared Key for RADIUS Packet Encryption
Setting the Maximum Number of RADIUS Request Attempts
Setting the Supported RADIUS Server Type
Setting the State of RADIUS Servers
Setting the Username Format Acceptable to RADIUS Servers
Setting the Unit of Data Flows Destined for RADIUS Servers
Configuring an IP Address for the NAS to Use as the Source IP Address of RADIUS Packets
Setting RADIUS Server Timers
Configuring to Send a Trap Packet When the RADIUS Server Goes Down
Configuring Local RADIUS Authentication Server
Among these tasks, creating a RADIUS scheme and configuring RADIUS authentication/authorization servers are required, while the other tasks are optional.

Creating a RADIUS Scheme

As mentioned earlier, the RADIUS protocol is configured on a per-RADIUS scheme basis. To configure the RADIUS protocol, you must create a RADIUS scheme and enter its view. You can use the following commands to create or delete a RADIUS scheme.
Perform the following configurations in system view.

Table 2-14 Create a RADIUS scheme
Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name
Delete a RADIUS scheme: undo radius scheme radius-scheme-name
A RADIUS scheme can be referenced by several ISP domains at the same time.

By default, the system has a RADIUS scheme named system whose attributes are all default values.

Caution: FTP, terminal, and SSH are not standard attribute values of the RADIUS protocol, so you need to define them in the attribute Login-Service (the standard attribute 15):
Login-Service(50) = SSH
Login-Service(51) = FTP
Login-Service(52) = Terminal
After that, the RADIUS server must be rebooted.

Configuring RADIUS Authentication/Authorization Servers

You can use the following commands to configure IP addresses and port numbers of RADIUS authentication/authorization servers.
Perform the following configuration in RADIUS view.

Table 2-15 Configure RADIUS authentication/authorization servers
Configure IP address and port number of the primary RADIUS authentication/authorization server: primary authentication ip-address [ port-number ]
Restore IP address and port number of the primary RADIUS authentication/authorization server to the default values: undo primary authentication
Configure IP address and port number of the secondary RADIUS authentication/authorization server: secondary authentication ip-address [ port-number ]
Restore IP address and port number of the secondary RADIUS authentication/authorization server to the default values: undo secondary authentication
Because authorization information from the RADIUS server is sent to the RADIUS clients in authentication response packets, you do not need to specify a separate authorization server.

In real networking environments, you may specify two RADIUS servers as the primary and secondary authentication/authorization servers respectively, or specify one server to function as both.

Configuring RADIUS Accounting Servers and Related Attributes

I. Configuring RADIUS accounting servers
You can use the following commands to configure IP addresses and port numbers of RADIUS accounting servers.
Perform the following configuration in RADIUS view.

Table 2-16 Configure RADIUS accounting servers
Configure IP address and port number of the primary RADIUS accounting server: primary accounting ip-address [ port-number ]
Restore IP address and port number of the primary RADIUS accounting server to the default value: undo primary accounting
Configure IP address and port number of the secondary RADIUS accounting server: secondary accounting ip-address [ port-number ]
Restore IP address and port number of the secondary RADIUS accounting server to the default value: undo secondary accounting
In practice, you can specify two RADIUS servers as the primary and the secondary accounting servers respectively, or specify one server to function as both.
When you configure the IP address and port number of a RADIUS server, you must ensure that an active route exists between it and the NAS for normal interaction. In addition, since RADIUS uses different UDP ports to receive and send authentication/authorization and accounting packets, you must assign different numbers to the authentication/authorization port and the accounting port; these are 1812 and 1813 respectively, as recommended by RFC2138/2139. You can, however, assign port numbers different from the two values recommended in the RFC. (For example, in the early stage of RADIUS server implementation, 1645 and 1646 were often assigned to the authentication/authorization port and accounting port.) In practice, make sure that the port settings on the SecBlade and the RADIUS server are consistent.
You can use the display radius scheme command to view the IP addresses and port numbers of the primary and secondary accounting servers in the RADIUS scheme.

Note: After accounting has started successfully, both update-accounting and stop-accounting packets are sent to the accounting server that was used when accounting started. No primary-secondary switching occurs even if this server is not available. The switching occurs only in the initial stage of the authentication, authorization and accounting process.

II. Configuring optional accounting
With the accounting optional command configured, the device does not disconnect the user during accounting, even when it finds no available accounting server or fails to communicate with the accounting server.
Perform the following configuration in RADIUS domain view.

Table 2-17 Enable optional accounting
Enable optional accounting: accounting optional
Disable optional accounting: undo accounting optional
By default, when a RADIUS scheme is created, optional accounting is disabled.

III. Enabling stop-accounting buffer and retransmission
Given the influence of a stop-accounting packet on billing and eventually on charging, it is important to both users and ISPs. Therefore, the NAS should make its best effort to send the stop-accounting packet to the RADIUS accounting server. If the SecBlade receives no response from the RADIUS accounting server, it buffers the packet locally and resends it until the RADIUS accounting server responds, or discards the packet when the predefined number of attempts is reached. You can use the following commands to enable the stop-accounting buffer.
Perform the following configuration in RADIUS view.

Table 2-18 Enable stop-accounting buffer and retransmission
Enable stop-accounting buffer: stop-accounting-buffer enable
Disable stop-accounting buffer: undo stop-accounting-buffer enable
Enable stop-accounting retransmission and specify the maximum number of retries: retry stop-accounting retry-times
Disable stop-accounting retransmission and restore the default: undo retry stop-accounting
By default, the stop-accounting buffer function is enabled and the maximum number of transmission attempts is set to 500.

IV. Configuring the maximum number of real-time accounting request attempts
A RADIUS server usually determines the online state of a user using the connection timeout timer. If the RADIUS server receives no real-time accounting packets from the NAS for a long time, it considers that the line or device has failed and stops user accounting. To work with this feature of the RADIUS server, the NAS is required to terminate user connections at the same time as the RADIUS server when unpredictable faults occur. The SecBlade allows you to set the maximum number of real-time accounting request attempts. The NAS terminates a user connection if it has received no response after the maximum number of real-time accounting request attempts is reached.
You can use the following command to set the maximum number of real-time accounting request attempts.
Perform the following configuration in RADIUS view.

Table 2-19 Set the maximum number of real-time accounting request attempts
Set the maximum number of real-time accounting request attempts: retry realtime-accounting retry-times
Restore the default: undo retry realtime-accounting
By default, the maximum number of real-time accounting request attempts is

Setting the Shared Key for RADIUS Packet Encryption

The RADIUS client (the SecBlade) and the RADIUS server use the MD5 algorithm to encrypt the packets exchanged between them. Both verify the validity of packets through a shared key. Only when the same key is used can they properly receive the packets and make responses.
Perform the following configurations in RADIUS view.

Table 2-20 Set the shared key for RADIUS packet encryption
Set the shared key for RADIUS authentication/authorization packet encryption: key authentication string
Restore the default: undo key authentication
Set the shared key for RADIUS accounting packet encryption: key accounting string
Restore the default: undo key accounting
By default, the shared key none is used for RADIUS authentication/authorization and accounting packet encryption.

Setting the Maximum Number of RADIUS Request Attempts

Since RADIUS uses UDP packets to carry data, the communication process is not reliable. If the RADIUS server does not respond to the NAS before the response timer expires, the NAS retransmits the RADIUS request to the RADIUS server. If the RADIUS server still does not respond when retry-times is reached, the NAS considers the communication with the current RADIUS server to be disconnected and turns to another RADIUS server.
You can use the following command to set the maximum number of RADIUS request attempts.
Perform the following configurations in RADIUS view.

Table 2-21 Set the maximum number of RADIUS request attempts
Set the maximum number of RADIUS request attempts: retry retry-times
Restore the default: undo retry
By default, a RADIUS request can be sent up to three times.

Setting the Supported RADIUS Server Type

You can use the following command to set the supported RADIUS server type.
Perform the following configurations in RADIUS view.

Table 2-22 Set the supported RADIUS server type
Set the supported RADIUS server type: server-type { extended | standard }
Restore the default: undo server-type
By default, in the system scheme the RADIUS server type is extended; in a newly created RADIUS scheme the RADIUS server type is standard.

Note: If an H3C CAMS server is used, some parameters, such as service type, EXEC priority level, and FTP directory, take effect only after server-type is configured as extended.

Setting the State of RADIUS Servers

For the primary and secondary servers (whether they are authentication/authorization servers or accounting servers) in a RADIUS scheme, if the primary server is disconnected from the NAS due to some fault, the NAS automatically turns to the secondary server. However, after the primary one recovers, the NAS does not resume communication with it at once; instead, the NAS continues communicating with the secondary one and turns to the primary one again only after the secondary one fails. To have the NAS communicate with the primary server right after its recovery, you can manually set the primary server state to active. When the primary and secondary servers are both active or both block, the NAS sends packets to the primary one only.
Perform the following configurations in RADIUS view.

Table 2-23 Set RADIUS server state
Set the state of the primary RADIUS authentication/authorization server: state primary authentication { block | active }
Set the state of the primary RADIUS accounting server: state primary accounting { block | active }
Set the state of the secondary RADIUS authentication/authorization server: state secondary authentication { block | active }
Set the state of the secondary RADIUS accounting server: state secondary accounting { block | active }
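The switching rules above (retry limit, fail-over to the secondary, no automatic fail-back, manual state change, primary-only when both servers share a state) are small enough to model. The following added example is written for this page and is not SecBlade code; server reachability is a constructed flag standing in for "the server answered before the response timer expired", and the server names and addresses are made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RadiusServer:
    name: str
    address: str                  # constructed address, informational only
    reachable: bool = True        # constructed stand-in for "responds before the timer expires"
    state: str = "active"         # active | block, as set by the state command or by failure


@dataclass
class RadiusScheme:
    primary: RadiusServer
    secondary: RadiusServer
    retry: int = 3                # retry retry-times; the page gives three attempts by default
    log: List[str] = field(default_factory=list)

    def _server(self, which: str) -> RadiusServer:
        return self.primary if which == "primary" else self.secondary

    def set_state(self, which: str, state: str) -> None:
        """Models state primary|secondary ... { block | active }. Setting the primary
        active makes both servers active again, so the NAS goes back to the primary."""
        self._server(which).state = state

    def _pick(self) -> str:
        """Both active or both block: only the primary is used; otherwise the active one."""
        if self.primary.state == self.secondary.state:
            return "primary"
        return "primary" if self.primary.state == "active" else "secondary"

    def send(self, request: str) -> Optional[str]:
        """Send a request, retrying up to retry times; on exhaustion mark the server block
        and turn to the other one. Returns the name of the server that answered, or None."""
        for _ in range(2):                      # at most one switch per request
            which = self._pick()
            srv = self._server(which)
            for attempt in range(1, self.retry + 1):
                self.log.append(f"{request} -> {srv.name} ({srv.address}) attempt {attempt}")
                if srv.reachable:
                    return srv.name
            srv.state = "block"                 # retry limit reached: treat the link as down
        return None


def scenario() -> list:
    """Walks through the switching rules with a constructed pair of servers."""
    s = RadiusScheme(RadiusServer("primary", "10.1.1.1"), RadiusServer("secondary", "10.1.1.2"))
    results = [s.send("Access-Request 1")]       # both active: the primary answers
    s.primary.reachable = False
    results.append(s.send("Access-Request 2"))   # primary fails after 3 attempts, secondary takes over
    s.primary.reachable = True
    results.append(s.send("Access-Request 3"))   # primary recovered, but the NAS stays on the secondary
    s.set_state("primary", "active")
    results.append(s.send("Access-Request 4"))   # manual state change brings the primary back at once
    s.primary.reachable = s.secondary.reachable = False
    results.append(s.send("Access-Request 5"))   # both fail: both marked block, no answer
    s.primary.reachable = True
    results.append(s.send("Access-Request 6"))   # both block: only the primary is tried, and it answers
    return results
```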

You can use the display radius scheme command to view the server state in the RADIUS scheme.

Setting the Username Format Acceptable to RADIUS Servers

As mentioned above, supplicants are generally named in the userid@isp-name format, where the isp-name part is the ISP domain name; the SecBlade assigns users to ISP domains according to this domain name. Some earlier RADIUS servers, however, reject usernames that carry an ISP domain name. In that case you have to remove the domain name before sending the username to such servers. The SecBlade provides the following command to specify whether the username sent to the RADIUS server carries the ISP domain name.

Table 2-24 Set the username format acceptable to the RADIUS server
  Set the username format transmitted to the RADIUS server:  user-name-format { with-domain | without-domain }

Note: If a RADIUS scheme is configured not to include ISP domain names in usernames, the scheme must not be used in more than one ISP domain at the same time. Otherwise the RADIUS server will mistake two users from different ISP domains for the same user whenever they share a username (excluding the domain part), so one user's credentials, authorization and accounting would apply to the other.

By default, the system scheme sends usernames without ISP domain names to the RADIUS server, and a newly created RADIUS scheme sends usernames with ISP domain names.

Setting the Unit of Data Flows Destined for RADIUS Servers

The SecBlade provides the following command to define the unit of data flows sent to RADIUS servers.

Table 2-25 Set the unit of data flows destined for RADIUS servers
  Set the unit of data flows transmitted to RADIUS servers:  data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet }
  Restore the default:  undo data-flow-format

In a RADIUS scheme, the default data flow unit is byte and the default data packet unit is one-packet.

Configuring an IP Address for the NAS to Use as the Source IP Address of RADIUS Packets

Perform the following configuration in the specified views.

Table 2-26 Configure an IP address for the NAS
  Configure an IP address for the NAS to use as the source IP address of RADIUS packets (RADIUS view):  nas-ip ip-address
  Remove the configuration (RADIUS view):  undo nas-ip
  Configure an IP address for the NAS to use as the source IP address of RADIUS packets (system view):  radius nas-ip ip-address
  Remove the configuration (system view):  undo radius nas-ip

You can use either command to bind a source address to the NAS. By default, no source address is specified and the source address of a packet is the IP address of the interface from which it is sent. Pin the source address when the RADIUS server identifies its clients by IP address: if packets leave through a different interface after a routing change, the server sees an unknown client and drops the requests.

Setting RADIUS Server Timers

I. Setting the response timeout timer

If the NAS receives no response from the RADIUS server for a period after sending a RADIUS request (authentication/authorization or accounting), it must resend the request so that the user can still obtain RADIUS service. You can use the following command to set the response timeout timer. Perform the following configuration in RADIUS view.

Table 2-27 Set the response timeout timer
  Set the response timeout timer:  timer response-timeout seconds
  Restore the default:  undo timer response-timeout

By default, the response timeout timer for the RADIUS server is three seconds.

II. Setting the quiet timer for the primary RADIUS server

Perform the following configuration in RADIUS view.

Table 2-28 Configure the quiet timer for the primary RADIUS server
  Configure the quiet timer for the primary RADIUS server:  timer quiet minutes
  Restore the default:  undo timer quiet

By default, the primary RADIUS server must wait five minutes before it resumes the active state.

III. Setting the real time accounting timer

The real time accounting timer is indispensable to real time accounting. Once an interval is set, the NAS transmits the accounting information of online users to the RADIUS accounting server at that interval. Perform the following configuration in RADIUS view.

Table 2-29 Set the real time accounting timer
  Set the real time accounting timer:  timer realtime-accounting minutes
  Restore the default:  undo timer realtime-accounting

Here minutes is the real time accounting interval and must be a multiple of three. The right value depends on the performance of the NAS and the RADIUS server: a shorter interval generates more accounting traffic and costs more processing on both. A longer interval is therefore recommended when there are many users (1000 or more). The following table gives the recommended interval for a given number of users.

Table 2-30 Recommended ratio of real time accounting interval to user number
  User number     Real time accounting interval (minutes)
  >= 1000         >= 15
  (the rows for smaller user numbers are not legible in the source)

The real time accounting interval defaults to 12 minutes.

Configuring to Send a Trap Packet When the RADIUS Server Goes Down

Perform the following configuration in system view.

Table 2-31 Configure sending a trap packet when a RADIUS server goes down
  Configure to send a trap packet when the RADIUS server goes down:  radius trap { authentication-server-down | accounting-server-down }
  Configure not to send a trap packet when the RADIUS server goes down:  undo radius trap { authentication-server-down | accounting-server-down }

By default, the NAS does not send a trap packet when a RADIUS server goes down. Enabling the trap is the cheapest way to learn that logins have silently failed over to the secondary server.

Configuring Local RADIUS Authentication Server

The SecBlade provides a simple local RADIUS server function covering authentication and authorization, called the local RADIUS authentication server function.

Table 2-32 Configure local RADIUS authentication server
  Configure a local RADIUS authentication server:  local-server nas-ip ip-address key password
  Remove the configuration:  undo local-server nas-ip ip-address

By default, a local RADIUS authentication server with the key none is created (its NAS-IP is not legible in the source).

Note: When the local RADIUS authentication server function is enabled, the UDP port number for the authentication/authorization service must be 1645 and the accounting service must use the matching legacy accounting port. The key configured here must be the same as the key configured with the key authentication command in RADIUS view. The device supports at most 16 local RADIUS authentication servers, including the default one created by the system.

2.4 Configuring HWTACACS Protocol

The HWTACACS configuration tasks are:
  Creating a HWTACACS Scheme
  Configuring TACACS Authentication Servers
  Configuring TACACS Authorization Servers
  Configuring TACACS Accounting Servers and Related Attributes
  Configuring an IP Address for the NAS to Use as the Source IP Address of HWTACACS Packets
  Setting a Key for TACACS Servers
  Setting the Username Format Acceptable to TACACS Servers
  Setting the Unit of Data Flows Destined for TACACS Servers
  Setting TACACS Server Timers

Note: Compared with the RADIUS configuration:
  The system checks whether users are still using a HWTACACS scheme only when you delete the scheme.
  By default, the TACACS server has no key.

Of these tasks, creating a HWTACACS scheme and configuring the TACACS authentication/authorization servers are mandatory; the others are optional.
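To make concrete what the shared key of Table 2-20 does, and why the note above insists that the local server's key and the key authentication string must match, the following Python script is an added example written for this page; it is not code from the H3C manual or from the SecBlade. It builds the Access-Request a NAS would send for the user telnet@cams with the key expert used in the configuration example at the end of this chapter, hides User-Password as RFC 2865 specifies, answers as a minimal server, and runs the Response Authenticator check a NAS applies to the reply. The user database, the NAS address 192.0.2.1 and the fixed Request Authenticator are constructed for the demo; a real NAS must draw the Request Authenticator from an unpredictable source.

```python
"""RADIUS shared-key mechanics (RFC 2865): User-Password hiding and the
Response Authenticator check a NAS performs. Added example, not SecBlade
code; packets, user database and NAS address are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ c for p, c in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: what the RADIUS server computes."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ p for c, p in zip(prev, pad))
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    """Type-Length-Value; Length includes the two header octets."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """The Access-Request a NAS sends. The Request Authenticator seeds the
    password hiding, so in real use it must come from os.urandom."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Minimal server: unhide the password, check it, send Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    name = attrs.get(ATTR_USER_NAME, b"")
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and name in users and hmac.compare_digest(users[name], given)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return packet(reply_code, ident, auth, b"")

def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check. A failing reply is silently discarded (RFC 2865 3), so a
    key mismatch looks to the NAS exactly like a server that never answers."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)

def demo() -> dict:
    secret = b"expert"                     # "key authentication expert" from the manual's example
    users = {b"telnet@cams": b"hello"}    # constructed user database
    fixed_auth = bytes(range(16))          # fixed only so the demo is reproducible
    req, rauth = build_access_request(7, secret, b"telnet@cams", b"hello", "192.0.2.1", fixed_auth)
    good = server_handle(req, secret, users)
    wrong = server_handle(req, b"not-expert", users)   # server holding a different key
    return {
        "accept": good[0] == ACCESS_ACCEPT,
        "verified": verify_reply(good, rauth, secret),
        "wrong_key_code": wrong[0],
        "wrong_key_verified": verify_reply(wrong, rauth, secret),
    }
```

demo() returns accept True, verified True, wrong_key_code 3 (Access-Reject) and wrong_key_verified False. Two consequences the tables do not spell out: the key hides only User-Password, so User-Name, NAS-IP-Address and every other attribute travel in clear; and a reply computed with a different key fails verify_reply and is dropped silently, so a key mismatch shows up on the NAS as a server that never answers, and the request is retried until retry-times is exhausted.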

Creating a HWTACACS Scheme

As mentioned earlier, HWTACACS is configured on a per-scheme basis. You must therefore create a HWTACACS scheme and enter HWTACACS view before performing the other configuration tasks. Perform the following configuration in system view.

Table 2-33 Create a HWTACACS scheme
  Create a HWTACACS scheme and enter HWTACACS view:  hwtacacs scheme hwtacacs-scheme-name
  Delete a HWTACACS scheme:  undo hwtacacs scheme hwtacacs-scheme-name

In HWTACACS view, you can configure the HWTACACS scheme. Up to 128 HWTACACS schemes are supported, and only inactive schemes can be deleted. By default, no HWTACACS scheme exists.

Configuring TACACS Authentication Servers

Perform the following configuration in HWTACACS view.

Table 2-34 Configure TACACS authentication servers
  Configure the primary TACACS authentication server:  primary authentication ip-address [ port ]
  Delete the primary TACACS authentication server:  undo primary authentication
  Configure the secondary TACACS authentication server:  secondary authentication ip-address [ port ]
  Delete the secondary TACACS authentication server:  undo secondary authentication

The primary and secondary authentication servers cannot use the same IP address; otherwise the system reports that the configuration failed. The default port number is 49. If you execute the command repeatedly, the new settings overwrite the old ones. A server can be deleted only when no active TCP connection is using it to send authentication packets.

Configuring TACACS Authorization Servers

Perform the following configuration in HWTACACS view.

Table 2-35 Configure TACACS authorization servers
  Configure the primary TACACS authorization server:  primary authorization ip-address [ port ]
  Delete the primary TACACS authorization server:  undo primary authorization
  Configure the secondary TACACS authorization server:  secondary authorization ip-address [ port ]
  Delete the secondary TACACS authorization server:  undo secondary authorization

Note: If HWTACACS authentication is configured for a user but no TACACS authorization server is deployed, the user cannot log in, whatever the user type.

The primary and secondary authorization servers cannot use the same IP address; otherwise the system reports that the configuration failed. The default port number is 49. If you execute the command repeatedly, the new settings overwrite the old ones. A server can be deleted only when no active TCP connection is using it to send authorization packets.

Configuring TACACS Accounting Servers and Related Attributes

I. Configuring TACACS accounting servers

Perform the following configuration in HWTACACS view.

Table 2-36 Configure TACACS accounting servers
  Configure the primary TACACS accounting server:  primary accounting ip-address [ port ]
  Delete the primary TACACS accounting server:  undo primary accounting
  Configure the secondary TACACS accounting server:  secondary accounting ip-address [ port ]

  Delete the secondary TACACS accounting server:  undo secondary accounting

The primary and secondary accounting servers cannot use the same IP address; otherwise the system reports that the configuration failed. The default port number is 49. (The default IP address of the TACACS accounting server is not legible in the source.) If you execute the command repeatedly, the new settings overwrite the old ones. A server can be deleted only when no active TCP connection is using it to send accounting packets.

Note: Once accounting has started successfully, both update-accounting and stop-accounting packets are sent to the server that was used when accounting started. No primary-secondary switchover occurs even if that server becomes unavailable; switchover happens only during the initial authentication, authorization and accounting process.

II. Enabling stop-accounting packet retransmission

Perform the following configuration in HWTACACS view.

Table 2-37 Configure stop-accounting packet retransmission
  Enable stop-accounting packet retransmission and set the maximum number of transmission attempts:  retry stop-accounting retry-times
  Disable stop-accounting packet retransmission and restore the default:  undo retry stop-accounting

By default, stop-accounting packet retransmission is enabled; the default maximum number of transmission attempts is not legible in the source.

Configuring an IP Address for the NAS to Use as the Source IP Address of HWTACACS Packets

Perform the following configuration.

Table 2-38 Configure an IP address for the NAS
  Configure an IP address for the NAS to use as the source IP address of HWTACACS packets (HWTACACS view):  nas-ip ip-address
  Remove the configuration (HWTACACS view):  undo nas-ip
  Configure an IP address for the NAS to use as the source IP address of HWTACACS packets (system view):  hwtacacs nas-ip ip-address
  Remove the configuration (system view):  undo hwtacacs nas-ip

By default, no source address is specified and the source address of a packet is the address of the interface from which the packet is sent.

Setting a Key for TACACS Servers

When using a TACACS server as an AAA server, you can set a key to protect the communications between the SecBlade and the TACACS server. Without a key, HWTACACS packet bodies, including the passwords carried in authentication packets, travel in clear text; the key is used for the TACACS+-style obfuscation of the packet body, and it must be identical on both ends. Perform the following configuration in HWTACACS view.

Table 2-39 Set a key for TACACS servers
  Configure a key for the TACACS accounting, authorization or authentication server:  key { accounting | authorization | authentication } string
  Remove the configuration:  undo key { accounting | authorization | authentication }

No key is configured by default.

Setting the Username Format Acceptable to TACACS Servers

A username is usually in the userid@isp-name format, where isp-name is the domain name. If a TACACS server does not accept usernames with a domain name, you can remove the domain name before sending the username to the TACACS server. Perform the following configuration in HWTACACS view.

Table 2-40 Set the username format acceptable to the TACACS server
  Send a username with domain name:  user-name-format with-domain
  Send a username without domain name:  user-name-format without-domain

By default, each username sent to a TACACS server contains a domain name.

Setting the Unit of Data Flows Destined for TACACS Servers

Perform the following configuration in HWTACACS view.

Table 2-41 Set the unit of data flows destined for TACACS servers
  Set the unit of data flows destined for TACACS servers:  data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }
  Set the unit of data packets destined for TACACS servers:  data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }
  Restore the default:  undo data-flow-format { data | packet }

By default, data is measured in bytes and packets in the unit of one packet.

Setting TACACS Server Timers

I. Setting the response timeout timer

Because HWTACACS runs over TCP, either a response timeout or a TCP timeout can terminate the connection to a TACACS server. Perform the following configuration in HWTACACS view.

Table 2-42 Set the response timeout timer
  Set the response timeout timer:  timer response-timeout seconds
  Restore the default:  undo timer response-timeout

The default response timeout timer is five seconds.

II. Setting the quiet timer for the primary TACACS server

Perform the following configuration in HWTACACS view.

Table 2-43 Set the quiet timer for the primary TACACS server
  Set the quiet timer for the primary TACACS server:  timer quiet minutes
  Restore the default:  undo timer quiet

By default, the primary TACACS server must wait five minutes before it resumes the active state.

III. Setting the real time accounting timer

The real time accounting timer is indispensable to real time accounting. Once an interval is set, the NAS transmits the accounting information of online users to the TACACS accounting server at that interval. Perform the following configuration in HWTACACS view.

Table 2-44 Set the real time accounting timer
  Set a real time accounting interval:  timer realtime-accounting minutes
  Restore the default:  undo timer realtime-accounting

The interval is in minutes and must be a multiple of 3. The right value depends on the performance of the NAS and the TACACS server: a shorter interval generates more accounting traffic and costs more processing on both. A longer interval is therefore recommended when there are many users (1000 or more). The following table gives the recommended interval for a given number of users.

Table 2-45 Recommended ratio of minutes to the number of users
  User number     Real time accounting interval (minutes)
  >= 1000         >= 15
  (the rows for smaller user numbers are not legible in the source)

The real time accounting timer defaults to 12 minutes.
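As an added example, not code from the manual or from the SecBlade, the following Python script shows what the key of Table 2-39 protects. It assumes HWTACACS uses the TACACS+ body obfuscation of RFC 8907 section 4.5 (an MD5 pseudo-pad derived from session id, key, version and sequence number), builds the authentication START packet that carries the username test@tacacs from the configuration example at the end of this chapter together with a PAP password, and compares what goes on the wire with and without a key. The session id, user, password and the key expert are constructed for the demo.

```python
"""TACACS+ body obfuscation with the shared key (RFC 8907 4.5) and what goes
on the wire when no key is configured. Added example, not SecBlade code; it
assumes HWTACACS uses the same pseudo-pad as TACACS+. Session id, user and
password below are constructed."""
import hashlib
import struct

VERSION = 0xC0            # major version 0xC, minor version 0 (default)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01   # TAC_PLUS_UNENCRYPTED_FLAG
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR with the pseudo-pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """With an empty key (the 'no key' default) there is nothing to obfuscate
    with: the body is sent verbatim and the unencrypted flag is set."""
    if key:
        flags, wire_body = 0, xor_body(body, session_id, key, VERSION, seq_no)
    else:
        flags, wire_body = FLAG_UNENCRYPTED, body
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(body)) + wire_body


def parse_packet(packet: bytes, key: bytes):
    """Returns (type, seq_no, body). There is no integrity check: a wrong key
    yields a well-formed header and a garbage body, not an error."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & FLAG_UNENCRYPTED:
        return ptype, seq_no, body
    if not key:
        raise ValueError("peer obfuscated the body but no key is configured here")
    return ptype, seq_no, xor_body(body, session_id, key, version, seq_no)


def authen_start_pap(user: bytes, password: bytes, port=b"vty0", rem_addr=b"192.0.2.10") -> bytes:
    """Authentication START body (RFC 8907 5.1); for PAP the password rides in data."""
    action, priv_lvl, authen_type, service = 0x01, 0x01, 0x02, 0x01   # LOGIN, level 1, PAP, LOGIN
    return (struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(password))
            + user + port + rem_addr + password)


def demo() -> dict:
    user, password, key, session_id = b"test@tacacs", b"s3cret-pw", b"expert", 0x1234ABCD
    body = authen_start_pap(user, password)
    keyed = build_packet(TYPE_AUTHEN, 1, session_id, body, key)
    unkeyed = build_packet(TYPE_AUTHEN, 1, session_id, body, b"")
    return {
        "unkeyed_leaks_password": password in unkeyed,
        "keyed_leaks_password": password in keyed,
        "roundtrip_ok": parse_packet(keyed, key)[2] == body,
        "wrong_key_body_ok": parse_packet(keyed, b"other-key")[2] == body,
        "wrong_key_header_ok": parse_packet(keyed, b"other-key")[:2] == (TYPE_AUTHEN, 1),
    }
```

demo() returns unkeyed_leaks_password True, keyed_leaks_password False, roundtrip_ok True, wrong_key_body_ok False and wrong_key_header_ok True: with no key the password is readable by anyone on the path between the SecBlade and the server, with the key the body is obfuscated, and because the pad carries no integrity check a key mismatch produces a well-formed header with a garbage body rather than an explicit error, which is why it surfaces as authentication failures instead of a clear message.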

2.5 Configuring TACACS to Support Super Authentication

With the super level command, a user who has logged in to the firewall can obtain a higher privilege level, and a super password can be used to authenticate that request. All users at a given level share the same super password, which is inflexible and weak: anyone who learns the password can escalate. TACACS super authentication instead authenticates the request with a username and super password configured on the TACACS server, which makes privilege management considerably more flexible and more secure.

Right Switching in Super Authentication

Super authentication is configured per user interface view. The system supports four authentication modes:
  super-password
  scheme
  super-password + scheme
  scheme + super-password

After logging in to the device, a user can execute the super level command to change the current right to the desired level. The following cases apply.

I. The requested right is not higher than the current right

The user obtains the requested right directly, without being authenticated.

II. The requested right is higher than the current right

The system handles the command according to the super authentication mode configured in the current user interface view.

1) super password

You can set a super password for each level of right. If a password is set for the requested level, the system asks the user for it; if the password is correct, the user obtains the requested right, otherwise the system reports that authentication failed. If no password is set for the requested level, the user cannot obtain the right.

Caution: If no super password is set for the requested level of right, the behaviour differs from earlier releases. Previously, only users connected through the console port could obtain the right; now no one can.

2) scheme

In the AAA authentication mode (where a user enters a username and password at login), the system asks the user for a password after the user executes the super level command, and sends the login username together with the entered super password to the TACACS server for authentication. If authentication succeeds, the user obtains the requested right; otherwise the system reports that authentication failed.

In the none or password authentication mode (where a user does not enter a username at login), the system asks the user for both a username and a super password after the super level command, and sends them to the TACACS server for authentication. If authentication succeeds, the user obtains the requested right; otherwise the system reports that authentication failed.

3) scheme + super password

The system tries scheme authentication first. If the TACACS server configured in the scheme is unavailable, or no authentication scheme is configured in the domain, the system falls back to super password authentication. Note that this fallback means an attacker who can make the TACACS server unreachable reduces privilege escalation to the shared static super password.

4) super password + scheme

The system tries super password authentication first. If no super password is configured, it falls back to scheme authentication.

Setting Super Authentication Mode

Perform the following configuration in user interface view.
Table 2-46 Set super authentication mode
  Set the super authentication mode:  super authentication-mode { super-password | scheme } *
  Restore the default:  undo super authentication-mode

By default, the super authentication mode is super-password.

Setting Super Authentication Scheme

Each domain can be configured with a super authentication scheme. The scheme can only be a HWTACACS scheme, not a RADIUS or local scheme. While a HWTACACS scheme is referenced as the super authentication scheme of a domain, it cannot be removed. If no scheme is specified or the specified scheme does not exist, TACACS authentication fails. Perform the following configuration in ISP domain view.

Table 2-47 Set super authentication scheme
  Set the super authentication scheme:  authentication super hwtacacs-scheme hwtacacs-scheme-name
  Remove the configured super authentication scheme:  undo authentication super

By default, no super authentication scheme is configured.

2.6 Displaying and Debugging AAA and RADIUS and HWTACACS Protocols

After the above configuration, you can:
  Execute the display commands in any view to view the running AAA and RADIUS/HWTACACS configuration and check its effect.
  Execute the reset commands in user view to clear statistics and buffers.
  Execute the debugging commands in user view for debugging.

Table 2-48 Display and debug the AAA protocol
  Display the configuration information of the specified ISP domain or all ISP domains:  display domain [ isp-name ]
  Display connection information for the specified or all users:  display connection [ domain isp-name | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | ucibindex ucib-index | user-name user-name ]

  Display information about the specified or all local users:  display local-user [ domain isp-name | service-type { dvpn | telnet | ssh | terminal | ftp | ppp } | state { active | block } | user-name user-name ]

Table 2-49 Display and debug the RADIUS protocol
  Display information about the specified or all RADIUS schemes:  display radius scheme [ radius-scheme-name ]
  Display statistics of RADIUS packets:  display radius statistics
  Display information on the stop-accounting packets in the buffer:  display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
  Display statistics of the local RADIUS authentication server:  display local-server statistics
  Enable RADIUS packet debugging:  debugging radius packet
  Disable RADIUS packet debugging:  undo debugging radius packet
  Enable local RADIUS authentication server debugging:  debugging local-server { all | error | event | packet }
  Disable local RADIUS authentication server debugging:  undo debugging local-server { all | error | event | packet }
  Clear stop-accounting packets from the buffer:  reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }
  Clear statistics of RADIUS servers:  reset radius statistics

Table 2-50 Display and debug the HWTACACS protocol
  Display information about the specified or all HWTACACS schemes:  display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]
  Display information on the stop-accounting packets in the buffer:  display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
  Enable HWTACACS debugging:  debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

  Disable HWTACACS debugging:  undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
  Clear stop-accounting packets in the buffer:  reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
  Clear statistics of TACACS servers:  reset hwtacacs statistics { accounting | authentication | authorization | all }

Keep in mind that the packet debugging commands print packet contents to the terminal; run them only while troubleshooting and turn them off afterwards.

2.7 AAA, RADIUS and HWTACACS Protocol Configuration Example

Authentication and Accounting for Telnet/SSH Users Using a RADIUS Server

Note: RADIUS server configuration for SSH users is similar to that for Telnet users. The following uses the configuration for Telnet users as an example.

I. Network requirements

As shown in the following figure, configure the SecBlade to use the RADIUS server to provide authentication and accounting services for Telnet users.
  Connect the SecBlade to the RADIUS server (acting as both authentication and accounting server), whose IP address is /24 (the address is not legible in the source).
  On the SecBlade, set the shared keys for packet exchange with the authentication server and with the accounting server to expert.
  Use an H3C CAMS server as the RADIUS server. Set the server type in the RADIUS scheme to standard or extended if a third-party RADIUS server is used, and to extended if an H3C CAMS server is used.
  On the RADIUS server, set the shared key for packet exchange with the SecBlade to expert, set the authentication and accounting port numbers, and add the usernames and login passwords of the Telnet users. If the RADIUS scheme on the SecBlade is configured to send the full username to the RADIUS server without removing the domain name, the Telnet usernames added on the RADIUS server must be in the userid@isp-name format.

II. Network diagram

Figure 2-7 Network diagram for remote RADIUS authentication on Telnet users (Telnet user on VLAN 10 behind the switch; SecBlade attached through VLAN 30 and protecting VLAN 50; RADIUS server; the IP addresses shown in the figure are not legible in the source)

III. Configuration procedure

1) RADIUS server
IP address: /24. Gateway: (not legible in the source).

2) Telnet user
IP address: /24.

3) Switch (SecBlade)
(The address arguments of the ip address and ip route-static commands are not legible in the source.)

# Configure VLANs.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] vlan 30
[Switch-vlan30] quit
[Switch] vlan 50
[Switch-vlan50] quit

# Configure IP addresses for VLAN interfaces.
[Switch] interface vlan-interface 10
[Switch-Vlan-interface10] ip address
[Switch-Vlan-interface10] quit
[Switch] interface vlan-interface 30
[Switch-Vlan-interface30] ip address
[Switch-Vlan-interface30] quit

# Configure a static route.

[Switch] ip route-static

# Configure interface aggregation for the SecBlade (the SecBlade card resides in slot 2).
[Switch] secblade aggregation slot 2

# Create a SecBlade module named test.
[Switch] secblade module test

# Specify the SecBlade interface as a VLAN interface.
[Switch-secblade-test] secblade-interface vlan-interface 30

# Configure the VLAN to be protected.
[Switch-secblade-test] security-vlan 50

# Map the SecBlade module to the SecBlade card in the specified slot.
[Switch-secblade-test] map to slot 2
[Switch-secblade-test] quit
[Switch] quit

# Log in to the SecBlade card in the specified slot (both the default username and password are SecBlade; change them before putting the card into service).
<Switch> secblade slot 2
user: SecBlade
password: SecBlade
<SecBlade> system-view

# Create sub-interfaces.
[SecBlade] interface GigabitEthernet 0/0.1
[SecBlade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[SecBlade-GigabitEthernet0/0.1] ip address
[SecBlade-GigabitEthernet0/0.1] quit
[SecBlade] interface GigabitEthernet 0/0.2
[SecBlade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade-GigabitEthernet0/0.2] ip address
[SecBlade-GigabitEthernet0/0.2] quit

# Add the sub-interface of the internal network to the trust zone.
[SecBlade] firewall zone trust
[SecBlade-zone-trust] add interface GigabitEthernet 0/0.1
[SecBlade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.
[SecBlade] firewall zone untrust
[SecBlade-zone-untrust] add interface GigabitEthernet 0/0.2
[SecBlade-zone-untrust] quit

# Configure a static route.

[SecBlade] ip route-static

# Configure the Telnet users to use AAA (scheme) authentication.
[SecBlade] user-interface vty 0 4
[SecBlade-ui-vty0-4] authentication-mode scheme

# Configure the domain.
[SecBlade] domain cams
[SecBlade-isp-cams] access-limit enable 10
[SecBlade-isp-cams] accounting optional
[SecBlade-isp-cams] quit

# Configure a RADIUS scheme.
[SecBlade] radius scheme cams
[SecBlade-radius-cams] primary authentication
[SecBlade-radius-cams] primary accounting
[SecBlade-radius-cams] key authentication expert
[SecBlade-radius-cams] key accounting expert
[SecBlade-radius-cams] server-type extended
[SecBlade-radius-cams] user-name-format with-domain
[SecBlade-radius-cams] quit

# Associate the domain with the RADIUS scheme.
[SecBlade] domain cams
[SecBlade-isp-cams] scheme radius-scheme cams
[SecBlade-isp-cams] quit

Telnet users log in with usernames in the userid@cams format and are authenticated as users of the cams domain. Note that accounting optional lets users stay logged in when the accounting server is unreachable; drop it if accounting records are required for audit.

# Quit the SecBlade configuration view.
[SecBlade] quit
<SecBlade> quit
[Switch]

Local Authentication for FTP/Telnet Users

Note: Configuring local authentication for FTP users is similar to that for Telnet users. The following example is based on Telnet users.

I. Network requirements

Configure the SecBlade to authenticate login Telnet users locally (see the following figure).

II. Network diagram

Figure 2-8 Network diagram for local authentication of Telnet users (Telnet user on VLAN 10 behind the switch; SecBlade attached through VLAN 30 and protecting VLAN 50; Internet; the IP addresses shown in the figure are not legible in the source)

III. Configuration procedure

1) Telnet user
IP address: /24. Gateway: (not legible in the source).

2) Switch (SecBlade)
(The address arguments of the ip address and ip route-static commands are not legible in the source.)

# Configure VLANs.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] vlan 30
[Switch-vlan30] quit
[Switch] vlan 50
[Switch-vlan50] quit

# Configure IP addresses for VLAN interfaces.
[Switch] interface vlan-interface 10
[Switch-Vlan-interface10] ip address
[Switch-Vlan-interface10] quit
[Switch] interface vlan-interface 30
[Switch-Vlan-interface30] ip address
[Switch-Vlan-interface30] quit

# Configure a static route.
[Switch] ip route-static

# Configure interface aggregation for the SecBlade (the SecBlade card resides in slot 2).
[Switch] secblade aggregation slot 2

# Create a SecBlade module named test.
[Switch] secblade module test

# Specify the SecBlade interface as a VLAN interface.
[Switch-secblade-test] secblade-interface vlan-interface 30

# Set the VLAN to be protected.
[Switch-secblade-test] security-vlan 50

# Map the SecBlade module to the SecBlade card in the specified slot.
[Switch-secblade-test] map to slot 2
[Switch-secblade-test] quit
[Switch] quit

# Log in to the SecBlade card in the specified slot (both the default username and password are SecBlade; change them before putting the card into service).
<Switch> secblade slot 2
user: SecBlade
password: SecBlade
<SecBlade> system-view

# Create sub-interfaces.
[SecBlade] interface GigabitEthernet 0/0.1
[SecBlade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[SecBlade-GigabitEthernet0/0.1] ip address
[SecBlade-GigabitEthernet0/0.1] quit
[SecBlade] interface GigabitEthernet 0/0.2
[SecBlade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade-GigabitEthernet0/0.2] ip address
[SecBlade-GigabitEthernet0/0.2] quit

# Add the sub-interface of the internal network to the trust zone.
[SecBlade] firewall zone trust
[SecBlade-zone-trust] add interface GigabitEthernet 0/0.1
[SecBlade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.
[SecBlade] firewall zone untrust
[SecBlade-zone-untrust] add interface GigabitEthernet 0/0.2
[SecBlade-zone-untrust] quit

# Configure a static route.

[SecBlade] ip route-static
[SecBlade] ip route-static

# Configure the Telnet users to use AAA (scheme) authentication.
[SecBlade] user-interface vty 0 4
[SecBlade-ui-vty0-4] authentication-mode scheme

# Create a local user named telnet.
[SecBlade] local-user telnet@system
[SecBlade-luser-telnet@system] service-type telnet
[SecBlade-luser-telnet@system] password simple extended
[SecBlade-luser-telnet@system] quit
[SecBlade] domain system
[SecBlade-isp-system] scheme local
[SecBlade-isp-system] quit

Telnet users log in with usernames in the userid@system format and are authenticated as users of the system domain. Note that password simple stores the password in clear text in the configuration; prefer password cipher where the device supports it, so that the password does not appear in the displayed configuration.

# Quit the SecBlade configuration view.
[SecBlade] quit
<SecBlade> quit

Authentication (One Time Authentication) and Accounting for Telnet Users through a TACACS Server

I. Network requirements

As shown in the following figure, configure the SecBlade to use the TACACS server to provide one-time password authentication and accounting services for Telnet users.
  Connect the SecBlade to the TACACS server (acting as both authentication and accounting server), whose IP address is /24 (the address is not legible in the source).
  On the SecBlade, set the shared keys for packet exchange with the authentication server and with the accounting server to expert.
  The TACACS server uses one-time password authentication.
  The SecBlade sends the full username to the TACACS server without removing the domain name; the Telnet usernames sent to the TACACS server must therefore be in the test@tacacs format.

II. Network diagram

Figure 2-9 Network diagram for remote TACACS authentication on Telnet user
(The figure shows the Telnet user in VLAN 10, the Switch, the SecBlade with VLAN 30 and the protected VLAN, and the TACACS server; the IP addresses shown in the figure are not recoverable from the text.)

III. Configuration procedure
1) TACACS Server
IP address: /24.
Gateway: (not shown)
2) Telnet User
IP address: /24.
3) Switch (SecBlade)
# Configure VLANs.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] vlan 30
[Switch-vlan30] quit
[Switch] vlan 50
[Switch-vlan50] quit
# Configure IP addresses for VLAN interfaces.
[Switch] interface vlan-interface 10
[Switch-Vlan-interface10] ip address
[Switch-Vlan-interface10] quit
[Switch] interface vlan-interface 30
[Switch-Vlan-interface30] ip address
[Switch-Vlan-interface30] quit
# Configure a static route.

[Switch] ip route-static
# Configure interface aggregation for the SecBlade (the SecBlade card resides in slot 2).
[Switch] secblade aggregation slot 2
# Create a SecBlade module named test.
[Switch] secblade module test
# Specify the SecBlade interface as VLAN interface.
[Switch-secblade-test] secblade-interface vlan-interface 30
# Set the VLAN to be protected.
[Switch-secblade-test] security-vlan 50
# Map the SecBlade module to the SecBlade card in the specified slot.
[Switch-secblade-test] map to slot 2
[Switch-secblade-test] quit
[Switch] quit
# Log into the SecBlade card in the specified slot.
<Switch> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade> system-view
# Create sub interfaces.
[SecBlade] interface GigabitEthernet 0/0.1
[SecBlade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[SecBlade-GigabitEthernet0/0.1] ip address
[SecBlade-GigabitEthernet0/0.1] quit
[SecBlade] interface GigabitEthernet 0/0.2
[SecBlade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade-GigabitEthernet0/0.2] ip address
[SecBlade-GigabitEthernet0/0.2] quit
# Add the sub interface of the internal network to the trust zone.
[SecBlade] firewall zone trust
[SecBlade-zone-trust] add interface GigabitEthernet 0/0.1
[SecBlade-zone-trust] quit
# Add the sub interface of the external network to the untrust zone.
[SecBlade] firewall zone untrust
[SecBlade-zone-untrust] add interface GigabitEthernet 0/0.2
[SecBlade-zone-untrust] quit
# Configure a static route.

[SecBlade] ip route-static
# Configure the Telnet user to use AAA authentication.
[SecBlade] user-interface vty 0 4
[SecBlade-ui-vty0-4] authentication-mode scheme
# Configure the domain.
[SecBlade] domain cams
[SecBlade-isp-cams] access-limit enable 10
[SecBlade-isp-cams] accounting optional
[SecBlade-isp-cams] quit
# Configure the HWTACACS scheme.
[SecBlade] hwtacacs scheme system
[SecBlade-hwtacacs-system] primary authentication
[SecBlade-hwtacacs-system] primary accounting
[SecBlade-hwtacacs-system] key authentication expert
[SecBlade-hwtacacs-system] key accounting expert
[SecBlade-hwtacacs-system] server-type extended
[SecBlade-hwtacacs-system] user-name-format with-domain
[SecBlade-hwtacacs-system] quit
# Associate the domain with the HWTACACS scheme.
[SecBlade] domain tacacs
[SecBlade-isp-tacacs] scheme tacacs-scheme system
4) Configure the TACACS server
- Configure the IP address.
- Configure the shared key.
- Add the username test@tacacs.
- Enable one-time authentication.
5) Login procedure
Configure one-time password authentication for Telnet users as follows:
Figure 2-10 Telnet user login interface

Step 1: Type the username test@tacacs.
Step 2: Choose to use the winkey.exe calculator to get the login password at the prompt s/key 89 gf
Figure 2-11 Calculate login password
In the above figure:
Type the prompt 89 gf55236 in the Challenge field.
Type the private password (test for example) in the Password field.
The Response field outputs the calculation result, that is, the password you need to type in the login interface.
Step 3: Type the calculated password in the login interface and you are authorized to access.

2.8 Troubleshooting AAA, RADIUS and HWTACACS Protocols

Troubleshooting the RADIUS Protocol
RADIUS is an application-layer protocol of the TCP/IP suite. It mainly defines how a NAS and the RADIUS server of an ISP exchange user information, so a mismatch between the two sides easily causes the exchange to fail.
Symptom 1: User authentication/authorization always fails
Troubleshooting: Check that:
1) The username is in the userid@isp-name format or a default ISP domain is specified on the NAS.
2) The user exists in the database on the RADIUS server.
3) The password input by the user is correct.
4) The same shared key is configured on both the RADIUS server and the NAS.
5) The NAS can communicate with the RADIUS server (by pinging the RADIUS server).
Symptom 2: RADIUS packets cannot reach the RADIUS server.
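The login procedure above (Step 2, Figure 2-11) has the user feed the challenge "89 gf55236" and a private password into the winkey.exe calculator and type the Response back into the Telnet session. The following is an added example, not code from the manual or from H3C, that reimplements that calculation as specified by RFC 2289 (S/Key one-time passwords, MD5 variant only) together with the check the server performs on the response. The server class, the challenge prefix "s/key", the passphrase "test", the seed "gf55236" and the sequence numbers are constructed for the example; it shows why a response that was already accepted cannot be replayed.

```python
"""S/Key (RFC 2289) one-time password calculation and server-side verification.

Added example, not part of the manual: it reproduces what the winkey.exe
calculator in the login procedure computes and what the TACACS server checks.
Only the MD5 fold is implemented (RFC 2289 also allows MD4 and SHA1).
"""
import hashlib
import re


def _fold_md5(data):
    """MD5 the input and fold the 16-byte digest to 8 bytes (XOR first half with second)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def skey_otp(passphrase, seed, sequence):
    """Return the 64-bit one-time password for `sequence`.

    The seed is lowercased and prepended to the secret passphrase; one hash+fold
    gives OTP(0), and each further hash+fold gives the next sequence number.
    """
    if not re.fullmatch(r"[A-Za-z0-9]{1,16}", seed):
        raise ValueError("seed must be 1-16 alphanumeric characters")
    if sequence < 0:
        raise ValueError("sequence must be non-negative")
    otp = _fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(sequence):
        otp = _fold_md5(otp)
    return otp


def otp_hex(otp):
    """Hex form as printed in RFC 2289 test vectors, e.g. '9E87 6134 D904 99DD'."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def parse_challenge(prompt):
    """Parse a challenge line such as 's/key 89 gf55236' into (sequence, seed)."""
    m = re.fullmatch(r"\s*(?:s/key|otp-md5)\s+(\d+)\s+([A-Za-z0-9]{1,16})\s*", prompt)
    if not m:
        raise ValueError("unrecognised challenge: %r" % prompt)
    return int(m.group(1)), m.group(2)


class SkeyServer:
    """Constructed verifier: keeps only the last accepted OTP and its sequence number."""

    def __init__(self, passphrase, seed, initial_sequence):
        # Enrolment: the server stores OTP(N); the passphrase itself is never kept.
        self.seed = seed
        self.sequence = initial_sequence
        self.last_otp = skey_otp(passphrase, seed, initial_sequence)

    def challenge(self):
        # Ask for the password one step below the stored one.
        return "s/key %d %s" % (self.sequence - 1, self.seed)

    def verify(self, response_hex):
        """Accept iff one more hash+fold of the response equals the stored OTP."""
        try:
            candidate = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(candidate) != 8 or _fold_md5(candidate) != self.last_otp:
            return False
        # Slide the window down so the same password cannot be replayed.
        self.last_otp = candidate
        self.sequence -= 1
        return True


def login_flow(passphrase="test", seed="gf55236", initial_sequence=90):
    """One constructed login: returns (first attempt accepted, replay accepted)."""
    server = SkeyServer(passphrase, seed, initial_sequence)
    seq, chal_seed = parse_challenge(server.challenge())      # "s/key 89 gf55236"
    response = otp_hex(skey_otp(passphrase, chal_seed, seq))   # what winkey.exe outputs
    accepted = server.verify(response)
    replayed = server.verify(response)   # sending the same password again must fail
    return accepted, replayed


if __name__ == "__main__":
    print("OTP for challenge 's/key 89 gf55236':", otp_hex(skey_otp("test", "gf55236", 89)))
    print("login accepted, replay accepted:", login_flow())
```

The server never stores the private password, only the last accepted one-time value, which is the property that makes the scheme safe to use over an unencrypted Telnet session: an observer who records a response learns a value that the server will no longer accept. Real deployments also transmit the response in the six-word encoding of RFC 2289; that dictionary is omitted here and the hex form, which servers must also accept, is used instead.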
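Items 3) and 4) of the checklist above (wrong password, shared key differing between NAS and RADIUS server) both show up at the server as a failed User-Password comparison, because RFC 2865 hides the password with an MD5 keystream derived from the shared key and the Request Authenticator. The following added example, which is not code from the manual or from H3C, builds and answers a minimal Access-Request so that the effect of a key mismatch can be seen on both sides; the secrets, usernames, identifier and attribute set are constructed for the example, and real packets carry further attributes (NAS-IP-Address, NAS-Port, and so on) that are omitted here.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange (RFC 2865).

Added example, not part of the manual. Shows how the NAS hides the User-Password
with the shared key, how the server recovers it with its own key, and how the NAS
validates the Response Authenticator; a key mismatch breaks both steps.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types from RFC 2865


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, includes header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, identifier, packet[4:20], decode_attrs(packet[20:])


def nas_access_request(identifier, username, password, secret, authenticator=None):
    """NAS side: return (Access-Request packet, Request Authenticator)."""
    ra = authenticator or os.urandom(16)     # must be unpredictable per RFC 2865
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, ra))]
    return build_packet(ACCESS_REQUEST, identifier, ra, attrs), ra


def server_handle(packet, secret, user_db):
    """Server side: recover the password with the server's key, answer Accept or Reject."""
    code, identifier, ra, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, ra)
    reply_code = ACCESS_ACCEPT if user_db.get(a.get(USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, identifier, 20)   # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + ra + secret).digest()


def nas_check_response(response, request_authenticator, secret):
    """NAS side: (reply code, Response Authenticator valid under the NAS's key)."""
    code, _, resp_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_authenticator + secret).digest()
    return code, resp_auth == expected


def exchange(nas_secret, server_secret, username=b"user@system", password=b"s3cret"):
    """One request/response with the given keys; returns (code, authenticator ok)."""
    user_db = {username: password}             # constructed server-side user database
    request, ra = nas_access_request(7, username, password, nas_secret)
    response = server_handle(request, server_secret, user_db)
    return nas_check_response(response, ra, nas_secret)


if __name__ == "__main__":
    print("matching keys:  ", exchange(b"expert", b"expert"))
    print("mismatched keys:", exchange(b"expert", b"other-key"))
```

With matching keys the server returns Access-Accept and the NAS verifies the Response Authenticator. With mismatched keys the server recovers a different byte string, rejects the user, and its Response Authenticator does not verify on the NAS, which is why a real NAS silently discards the reply and the login simply times out; that is the behaviour the checklist's item 4) is pointing at.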


More information

CHAPTER 7 ADVANCED ADMINISTRATION PC

CHAPTER 7 ADVANCED ADMINISTRATION PC ii Table of Contents CHAPTER 1 INTRODUCTION... 1 Broadband ADSL Router Features... 1 Package Contents... 3 Physical Details... 4 CHAPTER 2 INSTALLATION... 6 Requirements... 6 Procedure... 6 CHAPTER 3 SETUP...

More information

Configuring Authentication Proxy

Configuring Authentication Proxy Configuring Authentication Proxy Last Updated: January 18, 2012 The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against

More information

H3C S5830V2 & S5820V2 Switch Series

H3C S5830V2 & S5820V2 Switch Series H3C S5830V2 & S5820V2 Switch Series Security Command Reference Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Software version: Release2108 Document version: 6W101-20120531 Copyright 2012, Hangzhou

More information

Overview. RADIUS Protocol CHAPTER

Overview. RADIUS Protocol CHAPTER CHAPTER 1 The chapter provides an overview of the RADIUS server, including connection steps, RADIUS message types, and using Cisco Access Registrar as a proxy server. Cisco Access Registrar is a RADIUS

More information

RADIUS Attributes Overview and RADIUS IETF Attributes

RADIUS Attributes Overview and RADIUS IETF Attributes RADIUS Attributes Overview and RADIUS IETF Attributes Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements

More information

Configuring Authentication Proxy

Configuring Authentication Proxy Configuring Authentication Proxy Last Updated: January 7, 2013 The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against

More information

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0 DC-228 ADSL2+ Modem/Router -Annex A- User Manual Version: 1.0 TABLE OF CONTENTS 1 PACKAGE CONTENTS...3 2 PRODUCT LAYOUT...4 3 NETWORK + SYSTEM REQUIREMENTS...6 4 DC-228 PLACEMENT...6 5 SETUP LAN, WAN...7

More information

HP 5920 & 5900 Switch Series

HP 5920 & 5900 Switch Series HP 5920 & 5900 Switch Series Security Command Reference Part number: 5998-2887 Software version: Release2208 Document version: 6W100-20130228 Legal and notice information Copyright 2013 Hewlett-Packard

More information

Logging in through SNMP from an NMS 22 Overview 22 Configuring SNMP agent 22 NMS login example 24

Logging in through SNMP from an NMS 22 Overview 22 Configuring SNMP agent 22 NMS login example 24 Contents Logging in to the CLI 1 Login methods 1 Logging in through the console or AUX port 2 Introduction 2 Configuration procedure 2 Logging in through Telnet 6 Introduction 6 Logging in to the switch

More information

UIP1869V User Interface Guide

UIP1869V User Interface Guide UIP1869V User Interface Guide (Firmware version 0.1.8 and later) Table of Contents Opening the UIP1869V's Configuration Utility... 3 Connecting to Your Broadband Modem... 5 Setting up with DHCP... 5 Updating

More information

Gigabit SSL VPN Security Router

Gigabit SSL VPN Security Router As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is the ideal to help the SMBs increase the

More information

Operation Manual DHCP. Table of Contents

Operation Manual DHCP. Table of Contents Table of Contents Table of Contents Chapter 1 DHCP Overview... 1-1 1.1 DHCP Principles... 1-1 1.1.1 BOOTP Relay Agent... 1-3 1.1.2 DHCP and BOOTP Relay Agent... 1-4 1.2 General DHCP Configuration... 1-4

More information