Quidway S5300 Configuration Guide - Security (V100R003 - 02) PDF
Issue: 02
Date: 2009-08-14
Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.
Copyright Huawei Technologies Co., Ltd. 2009. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Contents
About This Document ... 1
1 Security Protection on Interfaces ... 1-1
  1.1 Overview of Security Protection on Interfaces ... 1-2
    1.1.1 Introduction to Security Protection on Interfaces ... 1-2
    1.1.2 Security Protection on Interfaces Supported by the S-switch ... 1-2
  1.2 Configuring Security Protection on an Interface ... 1-2
    1.2.1 Establishing the Configuration Task ... 1-3
    1.2.2 Configuring the Limit on the Number of MAC Addresses Learnt by an Interface ... 1-3
    1.2.3 Enabling Security Protection on an Interface ... 1-4
    1.2.4 (Optional) Configuring the Security Protection Action for an Interface ... 1-4
    1.2.5 (Optional) Configuring an Interface to Convert Secure Dynamic MAC Addresses to Static MAC Addresses ... 1-5
    1.2.6 Checking the Configuration ... 1-5
  1.3 Configuration Examples ... 1-5
    1.3.1 Example for Configuring Security Protection on an Interface ... 1-6
2 MFF Configuration ... 2-1
  2.1 Introduction to MFF ... 2-2
    2.1.1 MFF Overview ... 2-2
    2.1.2 MFF Functions Supported by the S-switch ... 2-3
    2.1.3 Update History ... 2-4
  2.2 Configuring MFF ... 2-4
    2.2.1 Establishing the Configuration Task ... 2-4
    2.2.2 Enabling MFF Globally ... 2-5
    2.2.3 Configuring an MFF Network Interface ... 2-5
    2.2.4 Enabling MFF in a VLAN ... 2-6
    2.2.5 (Optional) Assigning an IP Address to the Static Gateway ... 2-6
    2.2.6 (Optional) Enabling Timing Detection of the MAC Address of the Gateway ... 2-6
    2.2.7 (Optional) Assigning an IP Address to the Server ... 2-7
    2.2.8 Checking the Configuration ... 2-7
  2.3 Configuration Examples ... 2-8
    2.3.1 Example for Configuring MFF ... 2-8
  3.1 Overview of Attack Defense ... 3-2
    3.1.1 Introduction to Attack Defense ... 3-2
    3.1.2 Attack Defense Supported by the S-switch ... 3-2
    3.1.3 Logical Relationships Between Configuration Tasks ... 3-2
  3.2 Configuring the Defense Against IP Spoofing Attacks ... 3-2
    3.2.1 Establishing the Configuration Task ... 3-3
    3.2.2 Configuring the Defense Against IP Spoofing Attacks ... 3-3
    3.2.3 Checking the Configuration ... 3-4
  3.3 Configuring the Defense Against Land Attacks ... 3-4
    3.3.1 Establishing the Configuration Task ... 3-5
    3.3.2 Configuring the Defense Against Land Attacks ... 3-5
    3.3.3 Checking the Configuration ... 3-6
  3.4 Configuring the Defense Against Smurf Attacks ... 3-6
    3.4.1 Establishing the Configuration Task ... 3-7
    3.4.2 Configuring the Defense Against Smurf Attacks ... 3-7
    3.4.3 Checking the Configuration ... 3-8
  3.5 Configuring the Defense Against SYN Flood Attacks ... 3-8
    3.5.1 Establishing the Configuration Task ... 3-8
    3.5.2 Example for Configuring the Defense Against SYN Flood Attacks ... 3-9
    3.5.3 Checking the Configuration ... 3-10
  3.6 Configuring the Defense Against ICMP Flood Attacks ... 3-10
    3.6.1 Establishing the Configuration Task ... 3-10
    3.6.2 Configuring the Defense Against ICMP Flood Attacks ... 3-11
    3.6.3 Checking the Configuration ... 3-12
  3.7 Configuring the Defense Against Ping of Death Attacks ... 3-12
    3.7.1 Establishing the Configuration Task ... 3-12
    3.7.2 Configuring the Defense Against Ping of Death Attacks ... 3-12
    3.7.3 Checking the Configuration ... 3-13
  3.8 Configuring the Defense Against Teardrop Attacks ... 3-14
    3.8.1 Establishing the Configuration Task ... 3-14
    3.8.2 Configuring the Defense Against Teardrop Attacks ... 3-14
    3.8.3 Checking the Configuration ... 3-15
  3.9 Debugging Attack Defense ... 3-16
  3.10 Configuration Examples ... 3-16
    3.10.1 Example for Configuring the Defense Against Land Attacks ... 3-16
    3.10.2 Example for Configuring the Defense Against SYN Flood Attacks ... 3-18
    4.2.1 Establishing the Configuration Task ... 4-4
    4.2.2 Enabling Global DHCP Snooping ... 4-5
    4.2.3 Enabling Local DHCP Snooping ... 4-6
    4.2.4 Configuring Trusted Interfaces ... 4-6
    4.2.5 Checking the Configuration ... 4-7
  4.3 Preventing the Middleman Attack and IP/MAC Spoofing Attack ... 4-7
    4.3.1 Establishing the Configuration Task ... 4-8
    4.3.2 Enabling Global DHCP Snooping ... 4-10
    4.3.3 Enabling Local DHCP Snooping ... 4-10
    4.3.4 Enabling Packet Check ... 4-10
    4.3.5 Configuring the DHCP Snooping Binding Table ... 4-11
    4.3.6 Configuring Option 82 ... 4-12
    4.3.7 Configuring Security Protection on an Interface ... 4-13
    4.3.8 Checking the Configuration ... 4-13
  4.4 Preventing the DoS Attack by Changing the CHADDR Field ... 4-14
    4.4.1 Establishing the Configuration Task ... 4-14
    4.4.2 Enabling Global DHCP Snooping ... 4-16
    4.4.3 Enabling Local DHCP Snooping ... 4-16
    4.4.4 Checking the CHADDR Field in DHCP Request Messages ... 4-17
    4.4.5 Checking the Configuration ... 4-17
  4.5 Preventing the Attacker from Sending Bogus Messages for Extending IP Address Leases ... 4-18
    4.5.1 Establishing the Configuration Task ... 4-18
    4.5.2 Enabling Global DHCP Snooping ... 4-19
    4.5.3 Enabling Local DHCP Snooping ... 4-20
    4.5.4 Enabling the Checking of DHCP Request Messages ... 4-20
    4.5.5 Configuring Option 82 ... 4-21
    4.5.6 Checking the Configuration ... 4-21
  4.6 Configuring the Packet Discarding Alarm ... 4-22
    4.6.1 Establishing the Configuration Task ... 4-22
    4.6.2 Configuring the Packet Discarding Alarm ... 4-23
    4.6.3 Checking the Configuration ... 4-24
  4.7 Configuring the DHCP Option 82 String ... 4-25
    4.7.1 Configuring the Storage Format of the Option 82 Field ... 4-25
    4.7.2 Configuring the Circuit ID in the Option 82 Field in the System View ... 4-25
    4.7.3 Configuring the Circuit ID of the Option 82 Field in the Interface View ... 4-26
    4.7.4 Configuring the Remote ID in the Option 82 Field in the System View ... 4-26
    4.7.5 Configuring the Remote ID of the Option 82 Field in the Interface View ... 4-27
    4.7.6 Checking the Configuration ... 4-27
  4.8 Maintaining DHCP Snooping ... 4-27
    4.8.1 Backing Up the DHCP Snooping Binding Table ... 4-28
    4.8.2 Debugging DHCP Snooping ... 4-28
  4.9 Configuration Examples ... 4-28
Issue 02 (2009-08-14) Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd. iii
    4.9.1 Example for Configuring DHCP Snooping to Prevent Attacks Against the Network ... 4-28
5 AAA Configuration ... 5-1
  5.1 Overview of AAA ... 5-2
    5.1.1 Introduction to AAA ... 5-2
    5.1.2 RADIUS ... 5-3
    5.1.3 HWTACACS ... 5-5
    5.1.4 Domain-based User Management ... 5-6
    5.1.5 Local User Management ... 5-6
    5.1.6 References ... 5-6
    5.1.7 Logical Relationships Between Configuration Tasks ... 5-7
  5.2 Configuring AAA ... 5-7
    5.2.1 Establishing the Configuration Task ... 5-7
    5.2.2 Configuring the Authentication Scheme ... 5-8
    5.2.3 (Optional) Configuring the Authorization Scheme ... 5-9
    5.2.4 Configuring the Accounting Scheme ... 5-9
    5.2.5 (Optional) Configuring the Recording Scheme ... 5-10
    5.2.6 Checking the Configuration ... 5-11
  5.3 Configuring the RADIUS Server ... 5-11
    5.3.1 Establishing the Configuration Task ... 5-12
    5.3.2 Creating a RADIUS Server Template ... 5-13
    5.3.3 Configuring the RADIUS Authentication Server ... 5-13
    5.3.4 Configuring the RADIUS Accounting Server ... 5-14
    5.3.5 (Optional) Configuring the Protocol Version for the RADIUS Server ... 5-14
    5.3.6 (Optional) Configuring the Shared Key for the RADIUS Server ... 5-15
    5.3.7 (Optional) Configuring the User Name Format for the RADIUS Server ... 5-15
    5.3.8 (Optional) Setting the Traffic Unit for the RADIUS Server ... 5-16
    5.3.9 (Optional) Configuring the Retransmission Parameters for the RADIUS Server ... 5-16
    5.3.10 (Optional) Configuring the NAS Interface for the RADIUS Server ... 5-17
    5.3.11 Checking the Configuration ... 5-17
  5.4 Configuring the HWTACACS Server ... 5-17
    5.4.1 Establishing the Configuration Task ... 5-18
    5.4.2 Creating a HWTACACS Server Template ... 5-19
    5.4.3 Configuring the HWTACACS Authentication Server ... 5-19
    5.4.4 Configuring the HWTACACS Authorization Server ... 5-20
    5.4.5 Configuring the HWTACACS Accounting Server ... 5-20
    5.4.6 (Optional) Configuring the Source IP Address of the HWTACACS Server ... 5-21
    5.4.7 (Optional) Configuring the Shared Key for the HWTACACS Server ... 5-21
    5.4.8 (Optional) Configuring the User Name Format for the HWTACACS Server ... 5-22
    5.4.9 (Optional) Setting the Traffic Unit for the HWTACACS Server ... 5-22
    5.4.10 (Optional) Setting the Timer of the HWTACACS Server ... 5-23
    5.4.11 Checking the Configuration ... 5-23
  5.5 Configuring a Domain ... 5-24
    5.5.1 Establishing the Configuration Task ... 5-24
    5.5.2 Creating a Domain ... 5-24
    5.5.3 Configuring Authentication, Authorization, and Accounting Schemes for the Domain ... 5-25
    5.5.4 (Optional) Configuring the RADIUS Server Template for the Domain ... 5-26
    5.5.5 (Optional) Configuring the HWTACACS Server Template for the Domain ... 5-26
    5.5.6 (Optional) Configuring the Status of the Domain ... 5-27
    5.5.7 (Optional) Setting the Maximum Number of Access Users for the Domain ... 5-27
    5.5.8 Checking the Configuration ... 5-28
  5.6 Configuring Local User Management ... 5-28
    5.6.1 Establishing the Configuration Task ... 5-28
    5.6.2 Creating Local User Accounts ... 5-29
    5.6.3 (Optional) Configuring the Service Type for Local Users ... 5-29
    5.6.4 (Optional) Configuring the Authority of Accessing the FTP Directory for Local Users ... 5-30
    5.6.5 (Optional) Configuring the Status of Local Users ... 5-30
    5.6.6 (Optional) Setting the Priority of Local Users ... 5-31
    5.6.7 (Optional) Setting the Access Limit for Local Users ... 5-31
    5.6.8 Checking the Configuration ... 5-32
  5.7 Maintaining AAA ... 5-32
    5.7.1 Clearing HWTACACS Statistics ... 5-32
    5.7.2 Debugging AAA ... 5-32
  5.8 Configuration Examples ... 5-33
  6.5 Configuration Examples ... 6-10
    6.5.1 Example for Configuring MAC Address Authentication ... 6-10
7 802.1X Configuration ... 7-1
  7.1 Overview of 802.1X ... 7-2
    7.1.1 Introduction to 802.1X ... 7-2
    7.1.2 802.1X Authentication System ... 7-2
    7.1.3 802.1X Authentication Process ... 7-3
    7.1.4 Implementation of 802.1X on the S-switch ... 7-6
    7.1.5 Logical Relationships Between Configuration Tasks ... 7-7
    7.1.6 Update History ... 7-7
  7.2 Configuring 802.1X ... 7-7
    7.2.1 Establishing the Configuration Task ... 7-7
    7.2.2 Enabling 802.1X Globally and on the Interface ... 7-8
    7.2.3 (Optional) Setting the Port Access Control Mode ... 7-8
    7.2.4 (Optional) Setting the Port Access Control Method ... 7-9
    7.2.5 (Optional) Setting the Maximum Number of Concurrent Access Users ... 7-9
    7.2.6 (Optional) Enabling DHCP Trigger ... 7-9
    7.2.7 (Optional) Setting the Authentication Method for the 802.1X User ... 7-10
    7.2.8 (Optional) Configuring the Guest VLAN ... 7-10
    7.2.9 (Optional) Setting the Maximum Number of Times for Sending an Authentication Request ... 7-11
    7.2.10 (Optional) Setting the Timer Parameters ... 7-11
    7.2.11 (Optional) Enabling the Quiet-Period Timer ... 7-11
    7.2.12 (Optional) Enabling the Handshake-Period Timer ... 7-12
    7.2.13 Checking the Configuration ... 7-12
  7.3 Configuration Examples ... 7-13
    7.3.1 Example for Configuring 802.1X ... 7-13
8 NAC Configuration ... 8-1
  8.1 Access Mode of NAC ... 8-2
  8.2 Configuring the NAC Access Based on Web Authentication ... 8-4
    8.2.1 Establishing the Configuration Task ... 8-5
    8.2.2 Configuring the Web Authentication Server ... 8-5
    8.2.3 Configuring the Portal Protocol ... 8-6
    8.2.4 Configuring Mandatory Web Authentication ... 8-7
    8.2.5 Configuring a Non-authentication Rule ... 8-7
    8.2.6 Checking the Configuration ... 8-8
  8.3 Configuring the NAC Access Based on 802.1X Authentication ... 8-9
  8.4 Configuring the NAC Access Based on MAC Address Authentication ... 8-9
  8.5 Configuring the NAC Access Based on MAC Bypass Authentication ... 8-9
    8.5.1 Establishing the Configuration Task ... 8-9
    8.5.2 Enabling 802.1X Globally ... 8-10
    8.5.3 Enabling MAC Bypass Authentication on an Interface ... 8-10
    8.5.4 (Optional) Setting the Port Access Control Mode ... 8-11
    8.5.5 (Optional) Setting the Port Access Control Method ... 8-11
    8.5.6 (Optional) Setting the Maximum Number of Concurrent Access Users ... 8-12
    8.5.7 (Optional) Setting the Authentication Method for the 802.1X User ... 8-12
    8.5.8 (Optional) Configuring the Guest VLAN ... 8-12
    8.5.9 (Optional) Setting the Maximum Number of Times for Sending an Authentication Request ... 8-13
    8.5.10 (Optional) Setting the Timer Parameters ... 8-13
    8.5.11 (Optional) Enabling the Quiet-Period Timer ... 8-14
    8.5.12 (Optional) Enabling the Handshake-Period Timer ... 8-14
    8.5.13 Checking the Configuration ... 8-14
  8.6 Configuration Examples ... 8-15
    8.6.1 Example for Configuring the NAC Access Based on Web Authentication ... 8-15
9 PPPoE+ Configuration..............................................................................................................9-1
9.1 PPPoE+ Overview ...... 9-2
9.2 PPPoE+ Supported by the S-switch ...... 9-2
9.3 Configuring PPPoE+ ...... 9-2
9.3.1 Establishing the Configuration Task ...... 9-2
9.3.2 Enabling PPPoE+ Globally ...... 9-3
9.3.3 Configuring Actions for an Interface to Process the Original Fields in PPPoE Packets ...... 9-3
9.3.4 Configuring the Format and Contents of the Fields to be Inserted into PPPoE Packets ...... 9-4
9.3.5 Configuring an Interface to be Trusted ...... 9-4
9.3.6 Checking the Configuration ...... 9-4
9.4 Configuration Examples ...... 9-5
9.4.1 Example for Configuring PPPoE+ ...... 9-5
Figures
Figure 1-1 Networking diagram of configuring security protection on an interface ...... 1-6
Figure 2-1 Networking diagram of configuring dynamic MFF ...... 2-8
Figure 3-1 Networking for configuring the defense against Land attacks ...... 3-16
Figure 3-2 Networking for configuring the defense against SYN flood attacks ...... 3-18
Figure 4-1 Networking for the DHCP snooping application on the S-switch ...... 4-3
Figure 4-2 Diagram of preventing the bogus DHCP server attack ...... 4-5
Figure 4-3 Diagram of preventing the middleman attack and IP/MAC spoofing attack ...... 4-8
Figure 4-4 Diagram of preventing the middleman attack and IP/MAC spoofing attack ...... 4-9
Figure 4-5 Networking diagram of preventing the DoS attack by changing the CHADDR field ...... 4-15
Figure 4-6 Networking diagram of preventing the attacker from sending bogus messages for extending IP address leases ...... 4-18
Figure 4-7 Networking for configuring DHCP snooping to prevent attacks against the network ...... 4-29
Figure 5-1 Message exchange between the RADIUS client and the RADIUS server ...... 5-4
Figure 5-2 Message structure defined by RADIUS ...... 5-4
Figure 5-3 Networking diagram of AAA ...... 5-33
Figure 6-1 Networking diagram for configuring local authentication with a fixed username ...... 6-10
Figure 7-1 802.1X authentication system ...... 7-3
Figure 7-2 802.1X authentication process in EAP-MD5 relay mode ...... 7-4
Figure 7-3 802.1X authentication process in EAP termination mode ...... 7-6
Figure 7-4 Authentication through 802.1X and RADIUS ...... 7-13
Figure 8-1 Typical networking of Web authentication ...... 8-2
Figure 8-2 Typical networking of 802.1x authentication ...... 8-3
Figure 8-3 Example for Configuring Web Authentication ...... 8-16
Figure 9-1 Networking diagram of PPPoE+ configurations ...... 9-5
Tables
Table 4-1 Attack types and DHCP snooping working modes ...... 4-3
Table 4-2 Relationship between the type of attacks and the type of discarded packets ...... 4-22
Table 5-1 Comparisons between HWTACACS and RADIUS ...... 5-5
- Feature description
- Data preparation
- Pre-configuration tasks
- Configuration procedures
- Checking the configuration
- Configuration examples
This document guides you through the configuration and applicable environment of the security features of the S-switch.
Related Versions
The following table lists the product versions related to this document.

Product Name: S5300
Version: V100R003
Intended Audience
This document is intended for:
- Commissioning engineers
- Data configuration engineers
- Network monitoring engineers
- System maintenance engineers
Organization
This document is organized as follows.

Chapter 1 Security Protection on Interfaces: This chapter describes the basics and configuration of security protection on interfaces.
Chapter 2 MFF Configuration: This chapter describes the basics of MAC Forced Forwarding (MFF) and the procedures and examples for configuring MFF.
Chapter 3: This chapter describes how to implement and configure attack defense on the S-switch.
Chapter 4: This chapter describes the implementation and configuration procedures of DHCP Snooping on the S-switch.
Chapter 5: This chapter describes the basic concepts and configuration procedures of Authentication, Authorization, and Accounting (AAA), Remote Authentication Dial In User Service (RADIUS), Huawei Terminal Access Controller Access Control System (HWTACACS), domains, and local users.
Chapter 6 MAC Address Authentication Configuration: This chapter describes the basic concepts of MAC address authentication and the procedure for configuring MAC address authentication, and provides examples for configuring MAC address authentication.
Chapter 7 802.1X Configuration: This chapter describes the basics, methods, and configuration example of 802.1X.
Chapter 8 NAC Configuration: This chapter describes the basics, methods, and configuration example of NAC.
Chapter 9 PPPoE+ Configuration: This chapter describes the basics, methods, and configuration example of PPPoE Plus.
Conventions
Symbol Conventions
The symbols that may be found in this document are defined as follows (the symbol icons themselves are not reproduced in this text).

- Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
- Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injuries.
- Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
- Indicates a tip that may help you address a problem or save your time.
- Provides additional information to emphasize or supplement important points of the main text.
General Conventions
Times New Roman: Normal paragraphs are in Times New Roman.
Boldface: Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic: Book titles are in italics.
Courier New: Terminal display is in Courier New. The messages input on terminals by users that are displayed are in boldface.
Command Conventions
Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
- Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
- The parameter before the & sign can be repeated 1 to n times.
- A line starting with the # sign is a comment.
GUI Conventions
Boldface: Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.
Keyboard Operations
Key: Press the key. For example, press Enter and press Tab.
Key 1+Key 2: Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2: Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.
Mouse Operation
Click: Select and release the primary mouse button without moving the pointer.
Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag: Press and hold the primary mouse button and move the pointer to a certain position.
Update History
Updates between document versions are cumulative. Therefore, the latest document version contains all updates made to previous versions.
- Static MAC addresses that are manually configured
- Dynamic or static MAC addresses in a Dynamic Host Configuration Protocol (DHCP) snooping binding table
- Dynamic MAC addresses learnt before the number of MAC addresses reaches the upper limit
Source MAC addresses that do not fall into the preceding types are considered invalid. When an interface receives packets with invalid source MAC addresses, security protection takes effect on the interface. At present, the S-switch supports the following security protection actions on an interface:
- restrict: The interface neither learns the source MAC addresses of received packets with invalid source MAC addresses nor forwards the packets, but directly discards them and sends a trap message to the Network Management System (NMS).
- shutdown: The interface is automatically shut down when receiving packets with invalid source MAC addresses. You have to manually restore the interface if required.
- protect: The interface neither learns the source MAC addresses of received packets with invalid source MAC addresses nor forwards the packets, but directly discards them.
1.2.3 Enabling Security Protection on an Interface
1.2.4 (Optional) Configuring the Security Protection Action for an Interface
1.2.5 (Optional) Configuring an Interface to Convert Secure Dynamic MAC Addresses to Static MAC Addresses
1.2.6 Checking the Configuration
Pre-configuration Tasks
None.
Data Preparation
Before configuring security protection on an interface, you need the following data.

No.  Data
1    Number of the interface
2    Maximum number of MAC addresses that can be learnt and that of static MAC addresses on the interface
1.2.2 Configuring the Limit on the Number of MAC Addresses Learnt by an Interface
Context
Do as follows on devices on which the limit on the number of MAC addresses learnt by an interface should be configured.
Procedure
Step 1 Run:
system-view
MAC address learning restriction and forwarding restriction are enabled on interfaces of the device.
Step 3 Run:
mac-table limit interface-type interface-number limit-number
The limit on the number of MAC addresses that can be learnt is configured for an interface. By default, the MAC address learning restriction and forwarding restriction on interfaces are disabled on the device. That is, there is no limit on the number of static MAC addresses on an interface.
----End
Procedure
Step 1 Run:
system-view
Security protection is enabled on the interface. By default, security protection is disabled on interfaces of the device.
----End
Procedure
Step 1 Run:
system-view
A security protection action is configured for the interface. By default, the security protection action on an interface is restrict.
----End
1.2.5 (Optional) Configuring an Interface to Convert Secure Dynamic MAC Addresses to Static MAC Addresses
Context
Do as follows on devices on which security protection on interfaces should be configured.
Procedure
Step 1 Run:
system-view
The interface is configured to convert secure dynamic MAC addresses into static MAC addresses.
----End
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the limit on the number of MAC addresses learnt by the interface.
2. Enable security protection on the interface.
3. Configure the security protection action for the interface.
Data Preparation
To complete the configuration, you need the following data:
- Number of the interface
- Maximum number of MAC addresses learnt by the interface, which is set to 100
Configuration Procedure
1. Configure the limit on the number of MAC addresses learnt by the interface.
<Quidway> system-view
[Quidway] mac-address restrict
[Quidway] interface GigabitEthernet 0/0/1
[Quidway-GigabitEthernet0/0/1] mac-table limit 100
4. Verify the configuration.
# Run the display current-configuration command to check the configuration of security protection on the interface.
Configuration Files
Configuration file of the S-switch
#
 sysname Quidway
#
 mac-address restrict
#
interface GigabitEthernet0/0/1
 mac-table limit 100
 port-security enable
 port-security protect-action shutdown
2 MFF Configuration

About This Chapter
This chapter describes the basics of MAC Forced Forwarding (MFF) and the procedures and examples for configuring MFF.

2.1 Introduction to MFF
This section describes the definition, principle, and specification of MFF.

2.2 Configuring MFF
In an access network, configuring MFF implements Layer 2 isolation between user hosts and enables the traffic between user hosts to be forwarded through ARs.

2.3 Configuration Examples
This section provides several configuration examples of MFF.
- Permits protocol packets to pass through.
- Sends ARP packets and Dynamic Host Configuration Protocol (DHCP) packets to the CPU for processing.
- Permits only the unicast packets whose destination address is the MAC address of the gateway to pass through if the MAC address of the gateway is learnt, and discards other packets.
- Discards the unicast packets whose destination address is the MAC address of the gateway if the MAC address of the gateway is not learnt.
- Does not permit multicast and broadcast packets to pass through.
2. Network interface
The MFF network interface refers to the interface that is connected to another network device such as the access switch, the convergence switch, or the gateway. The network interface processes different packets as follows:
- Permits multicast packets and DHCP packets to pass through.
- Sends ARP packets to the CPU for processing.
- Does not permit other broadcast packets to pass through.
The interfaces that connect to upstream devices and the gateway, the interfaces that connect to other downstream MFF devices in a cascaded network where multiple MFF devices are connected, and the interfaces that connect devices in a ring network should be configured as network interfaces. The network interface is only an interface role and is independent of the position of the interface in the network. In a VLAN where MFF is enabled, there are only network interfaces and user interfaces.
Proxy ARP
Proxy ARP ensures Layer 3 interconnection between user hosts. In addition, proxy ARP reduces the number of broadcast packets at the network side and at the user side. MFF processes ARP packets as follows:
- Responds to ARP requests from user hosts on behalf of the gateway, so that packets between users are forwarded at Layer 3 through the gateway. Here, the ARP requests of user hosts include ARP requests for the gateway and ARP requests for the IP addresses of other users.
- Responds to ARP requests from the gateway on behalf of the user host. If the entry requested by the gateway exists on the MFF device, the response is sent according to the entry. If the entry does not exist, the request is forwarded. In this manner, broadcast packets are reduced.
- Monitors ARP packets in the network, and updates the mapping table between the IP address and the MAC address of the gateway.
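The model below is an added example, not code from the guide or from Huawei. It covers two passages at once: the per-role packet handling of the MFF user interface and network interface described earlier in this section, and the proxy ARP behaviour just listed. The packet dictionary layout, the class and method names, the VLAN 111 addresses (taken from the display output shown later in this chapter) and two behaviours the text leaves open (unicast and protocol packets pass on a network interface; a user's ARP request is forwarded unchanged while the gateway MAC is still unknown) are assumptions made for this illustration.

```python
# Added example (not Huawei code): a model of MFF per-role packet handling
# and proxy ARP. Packet layout, names and the two behaviours marked
# "assumption" below are not stated by the guide.
from dataclasses import dataclass, field
from typing import Optional

FORWARD, DROP, CPU = "forward", "drop", "cpu"


@dataclass
class MffVlan:
    gateway_ip: str                               # static gateway address
    gateway_mac: Optional[str] = None             # learnt by monitoring ARP packets
    bindings: dict = field(default_factory=dict)  # user IP -> user MAC (DHCP snooping)

    # --- forwarding rules per interface role --------------------------------
    def user_port(self, pkt: dict) -> str:
        """Rules for a packet received on an MFF user interface."""
        kind = pkt["kind"]
        if kind == "protocol":
            return FORWARD
        if kind in ("arp", "dhcp"):
            return CPU                            # handled by proxy ARP / snooping
        if kind == "unicast":
            # Only unicast destined for the learnt gateway MAC may pass.
            if self.gateway_mac and pkt["dst_mac"] == self.gateway_mac:
                return FORWARD
            return DROP                           # includes direct user-to-user frames
        return DROP                               # multicast and broadcast

    def network_port(self, pkt: dict) -> str:
        """Rules for a packet received on an MFF network interface."""
        kind = pkt["kind"]
        if kind in ("multicast", "dhcp"):
            return FORWARD
        if kind == "arp":
            return CPU
        if kind == "broadcast":
            return DROP                           # other broadcast packets
        return FORWARD                            # assumption: unicast/protocol pass

    # --- proxy ARP, run on the CPU for the ARP packets punted above ---------
    def proxy_arp(self, arp: dict, role: str) -> tuple:
        """Returns ('reply', reply-dict), ('forward', None) or ('learn', None)."""
        # Monitor every ARP packet to keep the gateway IP -> MAC mapping fresh.
        if arp["sender_ip"] == self.gateway_ip:
            self.gateway_mac = arp["sender_mac"]
        if arp["op"] != "request":
            return ("learn", None)
        if role == "user":
            # Answer on behalf of the gateway whether the target is the gateway
            # or another user host, so user-to-user traffic goes via the gateway.
            if self.gateway_mac is None:
                return ("forward", None)          # assumption: gateway not learnt yet
            return ("reply", {"ip": arp["target_ip"], "mac": self.gateway_mac})
        # Request from the gateway side: answer on behalf of a known user host,
        # otherwise forward the request so the host itself can answer.
        mac = self.bindings.get(arp["target_ip"])
        if mac:
            return ("reply", {"ip": arp["target_ip"], "mac": mac})
        return ("forward", None)


def build_sample() -> MffVlan:
    """Constructed VLAN 111 state matching the display output in this chapter."""
    return MffVlan(gateway_ip="10.1.1.100",
                   bindings={"10.1.1.1": "0000-0001-0101",
                             "10.1.1.2": "0000-0001-0102"})
```

Running a user's ARP request for another user's address through proxy_arp shows the isolation mechanism directly: the reply carries the gateway MAC, so the resulting unicast frame is one the user interface rule permits, while a frame addressed to the other user's real MAC is dropped.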
- MFF forwards the packets sent from the user host to the server through the gateway.
- MFF forwards the packets sent from the server to the user host without using the gateway.
Isolate multiple access users at Layer 2. The traffic between user hosts is forwarded through ARs at Layer 3 so that user traffic can be filtered, scheduled, and charged.
Pre-configuration Tasks
Before configuring basic MFF functions, complete the following tasks. If there are user hosts whose IP addresses are allocated dynamically, you need to:
Data Preparation
To configure basic MFF functions, you need the following data.
No.  Data
1    ID of the VLAN where MFF needs to be configured
2    Number of the network interface
3    IP address of the static gateway
4    IP address of the server
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
interface interface-type interface-number
This configuration can be performed before MFF is enabled, but takes effect only after MFF is enabled.
----End
Procedure
Step 1 Run:
vlan vlan-id
----End
Procedure
Step 1 Run:
vlan vlan-id
2.2.6 (Optional) Enabling Timing Detection of the MAC Address of the Gateway
Context
Do as follows on the AN.
Procedure
Step 1 Run:
vlan vlan-id
Detection of the MAC address of the gateway is enabled in the VLAN.
----End
Procedure
Step 1 Run:
vlan vlan-id
Run the display mac-forced-forwarding network-port command, and you can view information about the network interface in a VLAN where MFF is enabled. For example:
[Quidway] display mac-forced-forwarding network-port
--------------------------------------------------------------------------------
VLAN ID           Network-ports
--------------------------------------------------------------------------------
VLAN 111          GigabitEthernet0/0/4
Run the display mac-forced-forwarding vlan vlan-id command, and you can view information about the MFF user and gateway in a specified VLAN. For example:
[Quidway] display mac-forced-forwarding vlan 111
---------------------------------------------------------------------------
Servers
(none)
---------------------------------------------------------------------------
User IP          User MAC          Gateway IP       Gateway MAC
---------------------------------------------------------------------------
10.1.1.1         0000-0001-0101    10.1.1.100       0000-0001-0200
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure DHCP snooping.
2. Enable MFF globally.
3. Configure MFF network interfaces.
4. Enable MFF in a VLAN.
5. (Optional) Configure timing detection of the gateway.
6. (Optional) Configure the server.
Data Preparation
To complete the configuration, you need the following data:
- ID of the VLAN where MFF needs to be configured
- Number of the network interface
- IP address of the static gateway
- (Optional) IP address of the server
Configuration Procedure
1. Configure DHCP snooping. # Configure DHCP snooping globally on S-switch-A.
[S-switch-A] dhcp snooping enable
3. Configure MFF network interfaces.
# Configure GigabitEthernet 0/0/4 as the MFF network interface on S-switch-A.
[S-switch-A] interface gigabitethernet0/0/4
[S-switch-A-GigabitEthernet0/0/4] mac-forced-forwarding network-port
[S-switch-A-GigabitEthernet0/0/4] quit
5. (Optional) Configure timing detection of the gateway.
# Configure timing detection of the gateway on S-switch-A.
[S-switch-A-vlan2] mac-forced-forwarding gateway-detect
6.
Configuration Files
3
About This Chapter
This chapter describes how to implement and configure attack defense on the S-switch.

3.1 Overview of Attack Defense
This section describes the concepts and types of attack defense.

3.2 Configuring the Defense Against IP Spoofing Attacks
This section describes how to configure the defense against IP spoofing attacks.

3.3 Configuring the Defense Against Land Attacks
This section describes how to configure the defense against Land attacks.

3.4 Configuring the Defense Against Smurf Attacks
This section describes how to configure the defense against Smurf attacks.

3.5 Configuring the Defense Against SYN Flood Attacks
This section describes how to configure the defense against SYN flood attacks.

3.6 Configuring the Defense Against ICMP Flood Attacks
This section describes how to configure the defense against ICMP flood attacks.

3.7 Configuring the Defense Against Ping of Death Attacks
This section describes how to configure the defense against Ping of Death attacks.

3.8 Configuring the Defense Against Teardrop Attacks
This section describes how to configure the defense against Teardrop attacks.

3.9 Debugging Attack Defense
This section describes how to debug attack defense.

3.10 Configuration Examples
This section provides several configuration examples of attack defense.
- Denial of Service (DoS) attack: The attacker consumes a large quantity of system resources by sending numerous unsolicited packets or forged connection packets to the S-switch. As a result, the S-switch reboots or crashes, interrupting normal services.
- Malformed packet attack: The attacker sends a defective IP packet to the S-switch, causing the system to crash during the processing of such an IP packet.
To protect an Intranet connected to the S-switch against attacks, you can configure the following attack defense functions. The configuration tasks are not listed in any particular sequence; configure them as required.
- 3.2 Configuring the Defense Against IP Spoofing Attacks
- 3.3 Configuring the Defense Against Land Attacks
- 3.4 Configuring the Defense Against Smurf Attacks
- 3.5 Configuring the Defense Against SYN Flood Attacks
- 3.6 Configuring the Defense Against ICMP Flood Attacks
- 3.7 Configuring the Defense Against Ping of Death Attacks
- 3.8 Configuring the Defense Against Teardrop Attacks
3.2.1 Establishing the Configuration Task
3.2.2 Configuring the Defense Against IP Spoofing Attacks
3.2.3 Checking the Configuration
Pre-configuration Tasks
Before configuring the defense against IP spoofing attacks, complete the following task:
- Create a VLAN and the corresponding VLANIF interface.
- Add the interface connecting the Extranet to the VLAN and assign an IP address to the VLANIF interface.
Data Preparation
To configure the defense against IP spoofing attacks, you need the following data.

No.  Data
1    ID of the VLAN that the interface joins
Procedure
Step 1 Run:
system-view
A VLAN is created and the view of the VLAN is displayed.
Step 3 Run:
quit
The defense against IP spoofing attacks is enabled. By default, the defense against IP spoofing attacks is disabled.
After the defense against IP spoofing attacks is enabled on the S-switch, the attack information is recorded when the S-switch suffers IP spoofing attacks and a log is output. The log displays the records maintained by the system within the last 30 seconds. The records include the source IP addresses of the attack packets, the start time of the attacks, the end time of the attacks, and the total number of attack packets. In addition, a maximum of 12 different IP addresses can be displayed. When there are more than 12 attack sources, "" is displayed.
----End
Run the display firewall defend flag command on the S-switch. If ip-spoofing is displayed, it means that the defense against IP spoofing attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: ip-spoofing
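The following is an added example, not code from the guide or from Huawei: a model of the attack record described in 3.2.2, keeping per-source start time, end time and packet count, retaining only the last 30 seconds and listing at most 12 sources. The detection rule itself (a packet entering from the Extranet-facing interface with a source address that belongs to the Intranet), the event format, the prefix list and all names are assumptions made for this illustration; the guide does not describe how the S-switch decides that a packet is spoofed.

```python
# Added example (not Huawei code): a model of IP spoofing detection and the
# 30-second / 12-source attack record the guide describes. The detection
# rule, event format and names are assumptions.
import ipaddress

WINDOW_SECONDS = 30          # records are kept for the last 30 seconds
MAX_SOURCES = 12             # at most 12 different source addresses are listed


class SpoofDefense:
    def __init__(self, intranet_prefixes):
        # Assumed rule: a packet arriving from the Extranet whose source address
        # lies inside the Intranet prefixes cannot be genuine.
        self.intranet = [ipaddress.ip_network(p) for p in intranet_prefixes]
        self.records = {}    # src_ip -> [start_time, end_time, packet_count]

    def is_spoofed(self, src_ip: str, from_extranet: bool) -> bool:
        if not from_extranet:
            return False     # traffic from the inside is not checked by this rule
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.intranet)

    def observe(self, src_ip: str, from_extranet: bool, t: float) -> bool:
        """Process one packet seen at time t; True if it was recorded as an attack."""
        if not self.is_spoofed(src_ip, from_extranet):
            return False
        rec = self.records.get(src_ip)
        if rec is None:
            self.records[src_ip] = [t, t, 1]     # first packet: start = end = now
        else:
            rec[1] = t                           # extend the end time
            rec[2] += 1
        return True

    def log(self, now: float) -> dict:
        """Build the log entry: records still active within the last 30 s."""
        cutoff = now - WINDOW_SECONDS
        # Age out records whose last packet is older than the window.
        self.records = {ip: r for ip, r in self.records.items() if r[1] >= cutoff}
        ordered = sorted(self.records.items(), key=lambda kv: kv[1][0])
        shown = [{"source": ip, "start": s, "end": e, "packets": c}
                 for ip, (s, e, c) in ordered[:MAX_SOURCES]]
        return {"records": shown,
                "total_packets": sum(r[2] for r in self.records.values()),
                "truncated": len(self.records) > MAX_SOURCES}


if __name__ == "__main__":
    # Constructed trace: one inside address seen from the outside, repeatedly.
    d = SpoofDefense(["192.168.0.0/24"])
    for t in (0, 5, 10):
        d.observe("192.168.0.7", True, t)
    print(d.log(now=12))
```

The truncated flag corresponds to the point in the text where more than 12 sources exist and the switch signals that the list is cut off; a monitoring integration should treat that flag, not the length of the list, as the sign that the count of attacking sources is unknown.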
3.3.1 Establishing the Configuration Task
3.3.2 Configuring the Defense Against Land Attacks
3.3.3 Checking the Configuration
Pre-configuration Tasks
Before configuring the defense against Land attacks, complete the following task:
- Create a VLAN and the corresponding VLANIF interface.
- Add the interface to the VLAN and assign an IP address to the VLANIF interface.
Data Preparation
To configure the defense against Land attacks, you need the following data.

No.  Data
1    ID of the VLAN to which the interface belongs
Procedure
Step 1 Run:
system-view
A VLAN is created and the view of the VLAN is displayed.
Step 3 Run:
quit
Step 4 Run:
firewall enable
The defense against Land attacks is enabled. By default, the defense against Land attacks is disabled.
----End
Run the display firewall defend flag command on the S-switch. If land is displayed, it means that the defense against Land attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: land
Pre-configuration Tasks
Before configuring the defense against Smurf attacks, complete the following task:
- Create a VLAN and the corresponding VLANIF interface.
- Add the interface to the VLAN and assign an IP address to the VLANIF interface.
Data Preparation
To configure the defense against Smurf attacks, you need the following data.

No.  Data
1    ID of the VLAN to which the interface belongs
Procedure
Step 1 Run:
system-view
A VLAN is created and the view of the VLAN is displayed.
Step 3 Run:
quit
The defense against Smurf attacks is enabled. By default, the defense against Smurf attacks is disabled.
----End
Run the display firewall defend flag command on the S-switch. If smurf is displayed, it means that the defense against Smurf attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: smurf
Pre-configuration Tasks
Before configuring the defense against SYN flood attacks, complete the following task:
- Create a VLAN and the corresponding VLANIF interface.
- Add the interface to the VLAN and assign an IP address to the VLANIF interface.
Data Preparation
To configure the defense against SYN flood attacks, you need the following data.

No.  Data
1    ID of the VLAN to which the interface belongs
2    IP address of a device to be protected
3    (Optional) Maximum rate of SYN packets
3.5.2 Example for Configuring the Defense Against SYN Flood Attacks
Context
Do as follows on the S-switch to be configured with the defense against SYN flood attacks.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the vlan vlan-id command to create a VLAN and enter the view of the VLAN.
Step 3 Run the quit command to return to the system view.
Step 4 Run the firewall enable command to enable the firewall.
Step 5 Run the firewall defend syn-flood enable command to enable the defense against SYN flood attacks. By default, the defense against SYN flood attacks is disabled.
Step 6 Run the interface vlanif vlan-id command to enter the VLANIF interface view.
Step 7 Run the firewall defend enable command to enable attack defense.
Step 8 Run the quit command to return to the system view.
Step 9 (Optional) Run the firewall defend syn-flood ip ip-address [ max-rate rate-number ] command to specify the IP address of a device to be protected from SYN flood attacks and specify relevant parameters.
----End
Run the display firewall defend flag command on the S-switch. If syn-flood is displayed, it means that the defense against SYN flood attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: syn-flood
Pre-configuration Tasks
Before configuring the defense against ICMP flood attacks, complete the following task:
- Create a VLAN and the corresponding VLANIF interface.
- Add the interface to the VLAN and assign an IP address to the VLANIF interface.
Data Preparation
To configure the defense against ICMP flood attacks, you need the following data.

No.  Data
1    ID of the VLAN to which the interface belongs
2    IP address of a device to be protected
3    (Optional) Maximum rate of ICMP packets
Procedure
Step 1 Run:
system-view
A VLAN is created and the view of the VLAN is displayed.
Step 3 Run:
quit
The global defense against ICMP flood attacks is enabled. By default, the defense against ICMP flood attacks is disabled.
Step 9 (Optional) Run:
firewall defend icmp-flood ip ip-address [ max-rate rate-number ]
The relevant parameters are specified for the device with the specified IP address to be protected from ICMP flood attacks.
----End
Run the display firewall defend flag command on the S-switch. If icmp-flood is displayed, it means that the defense against ICMP flood attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: icmp-flood
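The following is an added example, not code from the guide or from Huawei, and it serves both the SYN flood procedure in 3.5 and the ICMP flood procedure in 3.6: a model of what the firewall defend syn-flood ip / icmp-flood ip ... max-rate settings express, namely a per-protected-address ceiling on SYN or ICMP packets per second. The guide does not document how the S-switch measures the rate, so the fixed one-second window, the rule that unprotected destinations are not limited, the packet dictionary layout and all names are assumptions made for this illustration.

```python
# Added example (not Huawei code): a model of per-protected-address flood
# limiting for SYN and ICMP packets. The one-second window, the treatment of
# unprotected destinations, the packet layout and all names are assumptions.
from collections import defaultdict


class FloodGuard:
    """Limits SYN or ICMP packets per second towards each protected IP."""

    def __init__(self, kind: str, protected: dict):
        self.kind = kind                     # "syn-flood" or "icmp-flood"
        self.protected = protected           # dst IP -> max-rate (packets per second)
        self.counts = defaultdict(int)       # (dst IP, whole second) -> packets passed

    def _matches(self, pkt: dict) -> bool:
        """Does this packet belong to the class this guard counts?"""
        if self.kind == "syn-flood":
            return pkt["proto"] == "tcp" and pkt.get("flags") == "S"
        return pkt["proto"] == "icmp"

    def check(self, pkt: dict, t: float) -> str:
        """Returns 'pass', 'drop' or 'ignore' for a packet arriving at time t."""
        if not self._matches(pkt):
            return "ignore"                  # not the packet type this guard limits
        limit = self.protected.get(pkt["dst"])
        if limit is None:
            return "pass"                    # assumption: unprotected hosts are not limited
        key = (pkt["dst"], int(t))           # fixed one-second windows per destination
        if self.counts[key] >= limit:
            return "drop"                    # over max-rate for this second
        self.counts[key] += 1
        return "pass"


def replay(guard: FloodGuard, packets: list) -> dict:
    """Count the outcomes of a constructed (time, packet) trace."""
    summary = {"pass": 0, "drop": 0, "ignore": 0}
    for t, pkt in packets:
        summary[guard.check(pkt, t)] += 1
    return summary


if __name__ == "__main__":
    # Constructed trace: five SYNs in one second towards a host limited to 3/s.
    guard = FloodGuard("syn-flood", {"192.168.0.10": 3})
    syn = {"proto": "tcp", "flags": "S", "dst": "192.168.0.10"}
    print(replay(guard, [(0.1, syn)] * 5 + [(1.2, syn)] * 2))
```

The same class covers ICMP flood by changing kind to "icmp-flood"; in both cases the ceiling applies per destination, so a burst towards one protected server does not cause packets for another server to be dropped.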
Pre-configuration Tasks
Before configuring the defense against Ping of Death attacks, complete the following task:
- Create a VLAN and the corresponding VLANIF interface.
- Add the interface to the VLAN and assign an IP address to the VLANIF interface.
Data Preparation
To configure the defense against Ping of Death attacks, you need the following data.

No.  Data
1    ID of the VLAN to which the interface belongs
Context
Do as follows on the S-switch to be configured with the defense against Ping of Death attacks.
Procedure
Step 1 Run:
system-view
A VLAN is created and the view of the VLAN is displayed.
Step 3 Run:
quit
The defense against Ping of Death attacks is enabled. By default, the defense against Ping of Death attacks is disabled.
----End
Run the display firewall defend flag command on the S-switch. If ping-of-death is displayed, it means that the defense against Ping of Death attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: ping-of-death
Pre-configuration Tasks
Before configuring the defense against Teardrop attacks, complete the following task:
- Create a VLAN and the corresponding VLANIF interface.
- Add the interface to the VLAN and assign an IP address to the VLANIF interface.
Data Preparation
To configure the defense against Teardrop attacks, you need the following data.
No.  Data
1    ID of the VLAN to which the interface belongs
Procedure
Step 1 Run:
system-view
A VLAN is created and the view of the VLAN is displayed.
Step 3 Run:
quit
The defense against Teardrop attacks is enabled. By default, the defense against Teardrop attacks is disabled.
----End
Run the display firewall defend flag command on the S-switch. If teardrop is displayed, it means that the defense against Teardrop attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: teardrop
CAUTION
Enabling the debugging affects the system performance. So, after debugging, run the undo debugging all command to disable it at once.
When a fault occurs, run the following debugging command in the user view to locate the fault.
Action                                    Command
Enable the debugging of attack defense.   debugging firewall defend { all | ip-spoofing | land | smurf | syn-flood | icmp-flood | ping-of-death | tear-drop }
Configuration Roadmap
The configuration roadmap is as follows:
1. Add GigabitEthernet0/0/2 to a VLAN and assign an IP address to the VLANIF interface.
2. Enable the defense against Land attacks on the S-switch.
Data Preparation
To complete the configuration, you need the following data:
• Numbers of the interfaces on the S-switch
• ID of the VLAN to which GigabitEthernet0/0/2 is added and the IP address of the VLANIF interface
Configuration Procedure
1. Enable the global attack defense on the S-switch.
<Quidway> system-view
[Quidway] firewall enable
[Quidway] vlan 2
[Quidway-vlan2] port gigabitethernet 0/0/2
[Quidway-vlan2] quit
[Quidway] interface vlanif 2
[Quidway-Vlanif2] ip address 192.168.0.1 24
[Quidway-Vlanif2] firewall defend enable
[Quidway-Vlanif2] quit
2.
3. Verify the configuration. Run the display firewall defend flag command on the S-switch, and you can view that the defense against Land attacks is enabled.
[Quidway] display firewall defend flag
The attack defend flag is: land
Configuration Files
3.10.2 Example for Configuring the Defense Against SYN Flood Attacks
Networking Requirements
As shown in Figure 3-2, on the S-switch, GE 0/0/1 is connected to an Intranet and GE 0/0/2 is connected to the Internet. It is required that the defense against SYN flood attacks be enabled on the S-switch to protect the device at 192.168.1.3.
Figure 3-2 Networking for configuring the defense against SYN flood attacks
Configuration Roadmap
The configuration roadmap is as follows:
1. Add GE 0/0/1 and GE 0/0/2 to VLANs respectively and assign an IP address to each VLANIF interface.
2. Configure the defense function on the VLANIF interfaces corresponding to GigabitEthernet 0/0/1 and GigabitEthernet 0/0/2 respectively.
3. Configure the defense against SYN flood attacks on the S-switch to protect the device at 192.168.1.3.
Data Preparation
To complete the configuration, you need the following data:
• Numbers of the interfaces on the S-switch
• IDs of the VLANs to which GE 0/0/1 and GE 0/0/2 are respectively added and the IP addresses of the VLANIF interfaces
• IP address of the device to be protected
• Maximum rate of SYN packets
• Maximum number of half-open connections
Configuration Procedure
1. Add GE 0/0/1 to VLAN 30 and assign an IP address to VLANIF 30.
<Quidway> system-view
[Quidway] firewall enable
2.
3.
4. Configure the defense against SYN flood attacks. Set the maximum rate of SYN packets to 500 packets per second.
[Quidway] firewall defend syn-flood ip 192.168.1.3 max-rate 500
5. Verify the configuration. Run the display firewall defend flag command on the S-switch, and you can view that the defense against SYN flood attacks is enabled.
<Quidway> display firewall defend flag
The attack defend flag is: syn-flood
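The SYN flood defense configured above works on two of the data items listed under Data Preparation: the maximum rate of SYN packets toward the protected address and the maximum number of half-open connections. The Python model below is an added example, not Huawei code or the S-switch's implementation: the protected address 192.168.1.3 and the rate of 500 packets per second come from this example, while the sliding one-second window, the half-open cap values and the client addresses are assumptions made for illustration.

```python
"""Model of a per-host SYN flood defense: a max-rate limit on SYN packets toward
one protected address plus a cap on half-open connections to it.

Added example, not S-switch code. Window semantics (sliding one second),
cap values and client addresses are assumptions.
"""
from collections import deque


class SynFloodDefender:
    def __init__(self, protected_ip, max_rate, max_half_open):
        self.protected_ip = protected_ip      # the host named in 'firewall defend syn-flood ip ...'
        self.max_rate = max_rate              # 'max-rate': SYN packets admitted per second
        self.max_half_open = max_half_open    # cap on connections awaiting the final ACK
        self.window = deque()                 # timestamps of SYNs admitted in the last second
        self.half_open = set()                # (client_ip, client_port) of unfinished handshakes
        self.dropped = 0

    def on_syn(self, now, client, dst_ip):
        """Decide whether one SYN (seen at time 'now', seconds) is forwarded."""
        if dst_ip != self.protected_ip:
            return True                       # only the protected host is rate-limited
        while self.window and now - self.window[0] >= 1.0:
            self.window.popleft()             # expire admissions older than one second
        if len(self.window) >= self.max_rate or len(self.half_open) >= self.max_half_open:
            self.dropped += 1
            return False
        self.window.append(now)
        self.half_open.add(client)
        return True

    def on_ack(self, client):
        """Handshake completed (or the connection was reset): free the half-open slot."""
        self.half_open.discard(client)


def demo():
    """Constructed traffic: a burst of 700 SYNs inside one second, then traffic to an
    unprotected host, then a SYN in the next second; a second instance with a tiny
    half-open cap shows the connection cap independently of the rate."""
    d = SynFloodDefender("192.168.1.3", max_rate=500, max_half_open=10000)
    burst = sum(d.on_syn(i / 1000.0, ("10.0.0.1", 40000 + i), "192.168.1.3") for i in range(700))
    other = d.on_syn(0.7, ("10.0.0.1", 50000), "192.168.1.4")
    later = d.on_syn(1.5, ("10.0.0.1", 50001), "192.168.1.3")

    h = SynFloodDefender("192.168.1.3", max_rate=500, max_half_open=3)
    pending = sum(h.on_syn(i * 0.1, ("10.0.0.2", 41000 + i), "192.168.1.3") for i in range(5))
    h.on_ack(("10.0.0.2", 41000))             # one handshake completes, freeing a slot
    after_ack = h.on_syn(0.6, ("10.0.0.2", 41005), "192.168.1.3")

    return {"burst_forwarded": burst, "burst_dropped": d.dropped, "other_host": other,
            "next_second": later, "half_open_forwarded": pending, "after_ack": after_ack}


if __name__ == "__main__":
    print(demo())
```

The two limits are independent: the rate window protects against a short burst, and the half-open cap protects the target's connection table against a slow stream of SYNs that never complete the handshake.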
Configuration Files
4
About This Chapter
This chapter describes the implementation and configuration procedures of DHCP snooping on the S-switch.
4.1 Overview of DHCP snooping
This section describes the concept and types of DHCP snooping.
4.2 Preventing the Bogus DHCP Server Attack
This section describes how to prevent the bogus DHCP server attack through the S-switch.
4.3 Preventing the Middleman Attack and IP/MAC Spoofing Attack
This section describes how to prevent the middleman attack and IP/MAC spoofing attack through the S-switch.
4.4 Preventing the DoS Attack by Changing the CHADDR Field
This section describes how to prevent the DoS attack by changing the CHADDR field.
4.5 Preventing the Attacker from Sending Bogus Messages for Extending IP Address Leases
This section describes how to prevent the attacker from sending bogus messages for extending IP address leases.
4.6 Configuring the Packet Discarding Alarm
This section describes how to configure the packet discarding alarm.
4.7 Configuring the DHCP Option 82 String
This section describes how to configure the DHCP Option 82 string.
4.8 Maintaining DHCP Snooping
This section describes how to maintain DHCP snooping.
4.9 Configuration Examples
This section provides several examples for configuring DHCP snooping.
• MAC address limit
• Configuring the trusted/untrusted interfaces
• Checking the CHADDR field in DHCP messages
• DHCP snooping binding table
Figure 4-1 shows the DHCP snooping application on the S-switch where DHCP snooping is enabled.
Figure 4-1 Networking for the DHCP snooping application on the S-switch
As shown in Figure 4-1, the S-switch enabled with DHCP snooping is deployed between the DHCP client and the DHCP relay agent. The S-switch forwards DHCP reply messages received from a trusted interface but discards DHCP reply messages received from an untrusted interface. The DHCP snooping binding table is then generated on the basis of the DHCP reply messages received from the trusted interface. IP packets and ARP packets received from the untrusted interface are forwarded only when there are matching entries in the binding table; otherwise, they are discarded.
When DHCP snooping is configured for a VLAN of the S-switch, the S-switch checks packets coming from the VLAN.
The working mode of DHCP snooping varies according to the type of attacks, as shown in Table 4-1.
Table 4-1 Attack types and DHCP snooping working modes
Type of Attacks                                               DHCP Snooping Working Mode
DHCP exhaustion attack                                        MAC address limit
Bogus DHCP server attack                                      Configuring an interface as trusted or untrusted
Middleman attack and IP/MAC spoofing attack                   Checking whether the IP packets or ARP packets have matching entries in the DHCP snooping binding table
DoS attack by changing the value of the CHADDR field          Checking the CHADDR field in DHCP messages
Attack of sending bogus messages to extend IP address leases  Checking whether the DHCP request messages have matching entries in the DHCP snooping binding table
To prevent the bogus DHCP server attack, you can configure DHCP snooping on the S-switch, and set the interface at the user side to be untrusted and the interface at the network side to be trusted. In this manner, DHCP reply messages received from the untrusted interface are discarded. Only DHCP reply messages received from the trusted interface are forwarded.
Pre-configuration Tasks
Before preventing the bogus DHCP server attack through the S-switch, complete the following tasks:
• The DHCP server and the DHCP relay agent are configured on the upstream router or server of the S-switch.
Data Preparation
To prevent the bogus DHCP server attack through the S-switch, you need the following data.
No.  Data
1    Name of the interface to be added to a VLAN
2    ID of the VLAN to which the interfaces belong
3    Name of the interface to be configured as trusted
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
DHCP snooping is enabled in the VLAN. By default, DHCP snooping is disabled. ----End
Procedure
Step 1 Run:
system-view
The VLAN view is displayed. The VLAN should be the one to which the interface connected to the DHCP server belongs.
Step 3 Run:
dhcp snooping trusted interface interface-type interface-number
Run the display dhcp snooping global command. You can view that global DHCP snooping is enabled.
<Quidway> display dhcp snooping global
 dhcp snooping enable
Run the display this command in the VLAN view. You can check the information about trusted interfaces.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] display this
#
vlan 10
 dhcp snooping enable
 dhcp snooping trusted interface GigabitEthernet0/0/2
#
return
4.3.5 Configuring the DHCP Snooping Binding Table
4.3.6 Configuring Option 82
4.3.7 Configuring Security Protection on an Interface
4.3.8 Checking the Configuration
Figure 4-4 Diagram of preventing the middleman attack and IP/MAC spoofing attack
To prevent the middleman attack and the IP/MAC spoofing attack, configure DHCP snooping on the S-switch and use the DHCP snooping binding table. The received packets can be forwarded only when they match with entries in the binding table; otherwise, packets are discarded.
Pre-configuration Tasks
Before preventing the middleman attack and the IP/MAC spoofing attack through the S-switch, complete the following tasks:
• The DHCP server and the DHCP relay agent are configured on the upstream router or server of the S-switch.
Data Preparation
To prevent the middleman attack and the IP/MAC spoofing attack through the S-switch, you need the following data.
No.  Data
1    Name of the interface to be added to a VLAN
2    ID of the VLAN to which the interfaces belong
3    Static IP addresses from which packets are forwarded
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
DHCP snooping is enabled in the VLAN. By default, DHCP snooping is disabled. ----End
Procedure
Step 1 Run:
system-view
The GigabitEthernet interface view or Eth-Trunk interface view is displayed. The interface should be at the user side.
Step 3 Run:
dhcp snooping check arp enable alarm arp enable threshold
Checking the rate of sending DHCP packets to the DHCP protocol stack is enabled on the S-switch, and the rate of sending DHCP packets to the DHCP protocol stack is set. By default, the S-switch does not check the rate of sending DHCP packets to the DHCP protocol stack, and the default rate is 100 DHCP packets per second.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
The VLAN view is displayed. The VLAN should be the one to which the interface at the user side belongs.
Step 3 Run:
dhcp snooping bind-table static ip-address ip-address mac-address mac-address interface interface-type interface-number
A static entry binding the IP address and MAC address is configured in the DHCP snooping table. The static binding table contains the MAC address, IP address, VLAN ID, and interface information.
If users access the network through static IP addresses, user packets can be forwarded by the S-switch only after the MAC address, IP address, VLAN ID, and inbound interface of the packets match entries in the static binding table. Otherwise, user packets are discarded. If users are assigned static IP addresses, you can configure static binding entries for these static IP addresses. If static entries are not configured in the DHCP snooping binding table, packets from all users with static IP addresses are discarded. All static users thus cannot access the DHCP server.
The dynamic entries in the DHCP snooping binding table require no configuration. They are automatically generated when DHCP snooping is enabled. The static entries, however, need to be configured through commands.
----End
Procedure
Step 1 Run:
system-view
The VLAN view is displayed. The VLAN should be the one to which the interface at the user side belongs.
Step 3 Run:
dhcp option82 rebuild enable interface interface-type interface-number1 [ to interface-number2 ]
The Option 82 field is forcibly appended to the DHCP messages on a specified interface in the VLAN. By default, the Option 82 field cannot be forcibly appended.
The DHCP reply messages are broadcast packets. Thus, the S-switch cannot determine to which interface the packets are sent. As a result, dynamic binding entries do not include interfaces. To protect the S-switch against attacks with the forged Option 82 field, you can enable the S-switch to forcibly append the Option 82 field to DHCP messages.
The Option 82 field is appended to DHCP discovery messages if original DHCP discovery messages are not appended with the Option 82 field. If the original DHCP discovery messages are appended with the Option 82 field, the original Option 82 field is removed and a new one is appended.
----End
Procedure
Step 1 Run:
system-view
The S-switch is enabled to restrict MAC address learning and packet forwarding.
Step 3 Run:
mac-table limit interface-type interface-number limit-number
The limit on the number of MAC addresses that can be learnt by an interface is configured.
Step 4 Run:
interface interface-type interface-number
Security protection is enabled on the interface. By default, the S-switch is disabled from restricting MAC address learning and packet forwarding. If the S-switch is not enabled to restrict MAC address learning and packet forwarding, you cannot enable security protection on interfaces.
----End
Action                                                    Command
Check information about global DHCP snooping.             display dhcp snooping global
Check information about the DHCP snooping binding table.  display dhcp snooping bind-table { all | dynamic | ip-address ip-address | mac-address mac-address | static | vlan vlan-id | interface interface-type interface-number }
Check the Option 82 status.                               display dhcp option82 vlan vlan-id [ interface interface-type interface-number ]
Run the display dhcp snooping global command. You can view that global DHCP snooping is enabled.
<Quidway> display dhcp snooping global
 dhcp snooping enable
Run the display dhcp snooping bind-table command. You can view the static entries generated in the DHCP snooping binding table.
<Quidway> display dhcp snooping bind-table ip-address 10.1.1.1
bind-table:
ifname   vrf  vsi  p/cvlan         mac-address     ip-address       tp  lease
------------------------------------------------------------------------------
GE0/0/1            0000-0020/0000  003e-0001-0001  010.001.001.001  S   0
------------------------------------------------------------------------------
binditem count: 1    binditem total count: 1
Run the display dhcp option82 command. You can view the Option 82 status.
<Quidway> display dhcp option82 vlan 20 interface gigabitethernet 0/0/1
 dhcp option82 rebuild enable interface GigabitEthernet0/0/1
obtain IP addresses. To prevent the DHCP exhaustion attack, you can apply the MAC address limit, that is, limit the number of MAC addresses learned on interfaces. This protects the S-switch against attacks of sending a large number of DHCP request messages through various MAC addresses.
Figure 4-5 Networking diagram of preventing the DoS attack by changing the CHADDR field
The attacker may change the CHADDR field carried in a DHCP message instead of the source MAC address in the frame header to apply for IP addresses continuously. If the S-switch checks the validity of packets based on the source MAC address in the frame header, attack packets can still be forwarded normally. The MAC address limit cannot take effect in this manner. To prevent the attacker from changing the CHADDR field, you can configure DHCP snooping on the S-switch to check the CHADDR field carried in DHCP request messages. If the CHADDR field matches the source MAC address in the frame header, the messages are forwarded. Otherwise, the messages are discarded.
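The check described above compares the hardware address carried inside the DHCP message (the CHADDR field) with the source MAC address of the Ethernet frame that carried it. The Python parser below is an added example, not S-switch code: it walks the Ethernet, IPv4, UDP and BOOTP headers of a frame to find both addresses and applies the forward/discard rule from the text. The frame builder exists only so the check can run offline; its MAC addresses are constructed, its checksums are left at zero, and discarding a truncated request is an assumption.

```python
"""CHADDR-versus-source-MAC check for DHCP requests (section 4.4).

Added example, not S-switch code. build_dhcp_frame() fabricates test frames;
all addresses in demo() are constructed.
"""
import struct


def mac_bytes(text):
    """Convert the guide's MAC notation, e.g. '0000-005e-008b', to 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))


def build_dhcp_frame(src_mac, chaddr, op=1):
    """Constructed Ethernet/IPv4/UDP/BOOTP frame. op=1 is a client request,
    op=2 a server reply. IP and UDP checksums are left at zero (test data only)."""
    sport, dport = (68, 67) if op == 1 else (67, 68)
    # op, htype (1 = Ethernet), hlen (6), hops, xid, secs, flags
    bootp = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x12345678, 0, 0x8000)
    bootp += b"\x00" * 16                               # ciaddr, yiaddr, siaddr, giaddr
    bootp += mac_bytes(chaddr).ljust(16, b"\x00")       # chaddr field, 16 bytes
    bootp += b"\x00" * 192                              # sname and file
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x03\xff"  # magic cookie, option 53 = DHCPREQUEST, end
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00\x00\x00\x00", b"\xff\xff\xff\xff") + udp
    return mac_bytes("ffff-ffff-ffff") + mac_bytes(src_mac) + b"\x08\x00" + ip


def chaddr_check(frame):
    """Return ('forward' | 'discard', reason) for one received frame.
    Only DHCP client requests (op = 1, destination port 67) are subject to the check."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return "forward", "not an IPv4 frame"
    src_mac = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4                        # IPv4 header length
    if frame[14 + 9] != 17:
        return "forward", "not UDP"
    udp = 14 + ihl
    dport = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    if dport != 67:
        return "forward", "not a client-to-server DHCP message"
    bootp = frame[udp + 8:]
    if len(bootp) < 44:
        return "discard", "truncated BOOTP header (assumption: malformed requests are dropped)"
    if bootp[0] != 1:
        return "forward", "not a DHCP request"
    hlen = min(bootp[2], 16)
    chaddr = bootp[28:28 + hlen]                        # chaddr starts at offset 28 of BOOTP
    if chaddr != src_mac:
        return "discard", "chaddr %s differs from source MAC %s" % (chaddr.hex(), src_mac.hex())
    return "forward", "chaddr matches source MAC"


def demo():
    """Run three constructed frames through the check and return the verdicts."""
    good = build_dhcp_frame("0000-005e-008b", "0000-005e-008b")
    forged = build_dhcp_frame("0000-005e-008b", "0000-0000-0001")   # CHADDR differs from the frame source
    reply = build_dhcp_frame("003e-0001-0001", "0000-0000-0001", op=2)
    return {"good": chaddr_check(good)[0],
            "forged": chaddr_check(forged)[0],
            "reply": chaddr_check(reply)[0]}


if __name__ == "__main__":
    print(demo())
```

The point the parser makes explicit is that a MAC address limit keyed on the frame header alone never sees the forged value: it lives 28 bytes into the BOOTP payload, so the switch has to parse that far before it can compare.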
Pre-configuration Tasks
Before preventing the DoS attack by changing the CHADDR field, complete the following tasks:
• The DHCP server and the DHCP relay agent are configured on the upstream router or server of the S-switch.
Data Preparation
To prevent the DoS attack by changing the CHADDR field, you need the following data.
No.  Data
1    Name of the interface to be added to a VLAN
2    ID of the VLAN to which the interfaces belong
Procedure
Step 1 Run:
system-view
Global DHCP snooping is enabled. By default, DHCP snooping is disabled. All the other DHCP snooping configurations can be performed only after global DHCP snooping is enabled. ----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the GigabitEthernet interface view, 10GE interface view or Eth-Trunk interface view. The interface should be at the user side.
Step 3 Run the dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold command to enable the interface to check the CHADDR field in DHCP request messages. By default, checking the CHADDR field is disabled.
----End
Run the display dhcp snooping global command. You can view that global DHCP snooping is enabled.
<Quidway> display dhcp snooping global
 dhcp snooping enable
Run the display dhcp snooping interface command. You can view the DHCP snooping configuration on the interface.
<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping check dhcp-chaddr enable
 arp total 0
 ip total 0
 dhcp-rate-drop total 0
 dhcp-request total 0
 chaddr&src mac total 0
 dhcp-reply total 0
4.5 Preventing the Attacker from Sending Bogus Messages for Extending IP Address Leases
This section describes how to prevent the attacker from sending bogus messages for extending IP address leases.
4.5.1 Establishing the Configuration Task
4.5.2 Enabling Global DHCP Snooping
4.5.3 Enabling Local DHCP Snooping
4.5.4 Enabling the Checking of DHCP Request Messages
4.5.5 Configuring Option 82
4.5.6 Checking the Configuration
To prevent the attacker from sending bogus messages to extend IP address leases, you can configure DHCP snooping on the S-switch to check the source IP address and source MAC address of DHCP request messages.
If there are no entries that match the source IP address in the DHCP snooping binding table, the DHCP request messages are forwarded. If there are entries that match the source IP address but do not match the source MAC address, the DHCP request messages are discarded.
Pre-configuration Tasks
Before preventing the attacker from sending bogus messages for extending IP address leases through the S-switch, complete the following tasks:
• The DHCP server and the DHCP relay agent are configured on the upstream router or server of the S-switch.
Data Preparation
To prevent the attacker from sending bogus messages for extending IP address leases through the S-switch, you need the following data.
No.  Data
1    Name of the interface to be added to a VLAN
2    ID of the VLAN to which the interfaces belong
3    Static IP addresses from which packets are forwarded
Procedure
Step 1 Run:
system-view
Global DHCP snooping is enabled. By default, DHCP snooping is disabled. All the other DHCP snooping configurations can be performed only after global DHCP snooping is enabled. ----End
Procedure
Step 1 Run:
system-view
DHCP snooping is enabled in the VLAN. By default, DHCP snooping is disabled. ----End
Procedure
Step 1 Run:
system-view
The Eth-Trunk interface view is displayed. The interface should be at the user side.
Step 3 Run:
dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold
The checking of DHCP request messages is enabled on the interface. By default, checking DHCP request messages is disabled. ----End
Procedure
Step 1 Run:
system-view
The VLAN view is displayed. The VLAN should be the one to which the interface at the user side belongs.
Step 3 Run:
dhcp option82 rebuild enable interface interface-type interface-number1 [ to interface-number2 ]
The Option 82 field is forcibly appended to the DHCP messages on a specified interface in the VLAN. By default, the Option 82 field cannot be forcibly appended.
The DHCP reply messages are broadcast packets. Thus, the S-switch cannot determine to which interface the packets are sent. As a result, the related dynamic binding entries cannot be generated. To protect the S-switch against attacks with the forged Option 82 field, you can enable the S-switch to forcibly append the Option 82 field to DHCP messages.
The Option 82 field is appended to DHCP discovery messages if original DHCP discovery messages are not appended with the Option 82 field. If the original DHCP discovery messages are appended with the Option 82 field, the original Option 82 field is removed and a new one is appended.
----End
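The Option 82 rebuild described here (and in 4.3.6) strips any Option 82 a client put into its own message and appends one generated by the switch, so the relay agent information the server and the binding table rely on is always the switch's. The Python example below is an added illustration, not S-switch code: it walks the DHCP option field as type/length/value records, drops option 82 wherever it appears, and appends a fresh one whose sub-option 1 (circuit ID) carries the VLAN ID and sub-option 2 (remote ID) carries the bridge MAC, the defaults described in 4.7.2 and 4.7.4. The packet bytes, VLAN 100 and the bridge MAC in the demo are constructed.

```python
"""Option 82 rebuild: remove a client-supplied relay agent option and append
the switch's own (sections 4.3.6 and 4.5.5).

Added example, not S-switch code. Sub-option layout follows RFC 3046
(1 = circuit ID, 2 = remote ID); the sample bytes, VLAN id and bridge MAC
are constructed.
"""
import struct

MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82


def parse_options(opts):
    """Walk the DHCP option field into (code, value) pairs, stopping at END."""
    out, i = [], 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out.append((code, value))
        i += 2 + length
    return out


def encode_options(pairs):
    """Inverse of parse_options, terminated with END."""
    return b"".join(bytes([code, len(value)]) + value for code, value in pairs) + bytes([OPT_END])


def option82_body(vlan_id, bridge_mac):
    """Sub-option 1 (circuit ID) = VLAN ID, sub-option 2 (remote ID) = bridge MAC."""
    circuit = struct.pack("!H", vlan_id)
    remote = bytes.fromhex(bridge_mac.replace("-", ""))
    return bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote


def rebuild_option82(bootp, vlan_id, bridge_mac):
    """Return the BOOTP payload with every client-supplied Option 82 removed and
    the switch's Option 82 appended, leaving all other options untouched."""
    if len(bootp) < 240 or bootp[236:240] != MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    kept = [(c, v) for c, v in parse_options(bootp[240:]) if c != OPT_RELAY_AGENT]
    kept.append((OPT_RELAY_AGENT, option82_body(vlan_id, bridge_mac)))
    return bootp[:240] + encode_options(kept)


def demo():
    """Constructed DHCPDISCOVER payloads: one carrying a forged Option 82, one without.
    Returns the option maps (forged before, forged after, plain after)."""
    header = b"\x01\x01\x06\x00" + b"\x00" * 232 + MAGIC      # minimal 240-byte BOOTP header
    discover = b"\x35\x01\x01"                                 # option 53 = DHCPDISCOVER
    forged = header + discover + bytes([82, 4, 1, 2, 0xDE, 0xAD]) + b"\xff"
    plain = header + discover + b"\xff"
    forged_after = rebuild_option82(forged, 100, "0000-005e-0001")
    plain_after = rebuild_option82(plain, 100, "0000-005e-0001")
    return (dict(parse_options(forged[240:])),
            dict(parse_options(forged_after[240:])),
            dict(parse_options(plain_after[240:])))


if __name__ == "__main__":
    print(demo())
```

Because the client-supplied value is discarded rather than merged, whatever circuit or remote ID an untrusted host claims never reaches the server, which is what makes the interface information in the resulting binding entries trustworthy.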
Run the display dhcp snooping global command. You can view that global DHCP snooping is enabled.
<Quidway> display dhcp snooping global
 dhcp snooping enable
Run the display dhcp snooping interface command. You can view the DHCP snooping configuration on the interface.
<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping check dhcp-request enable
 arp total 0
 ip total 0
 dhcp-rate-drop total 0
 dhcp-request total 0
 chaddr&src mac total 0
 dhcp-reply total 0
Run the display dhcp option82 command. You can view the Option 82 status.
<Quidway> display dhcp option82 vlan 20 interface gigabitethernet 0/0/1
 dhcp option82 rebuild enable interface GigabitEthernet0/0/1
Attack of sending bogus messages to extend IP address leases
Attack of sending DHCP request messages
After the packet discarding alarm is enabled, an alarm is generated when the number of discarded packets on the S-switch reaches the threshold.
Pre-configuration Tasks
Before configuring the packet discarding alarm, complete the following tasks:
• Configuring the DHCP server
• Configuring the DHCP relay agent
• Configuring the discarding of DHCP reply messages from the untrusted interface at the user side
• Configuring the checking of ARP packets, IP packets, and DHCP request messages
• Configuring the checking of the CHADDR field in DHCP request messages
• Configuring the checking of the rate of sending DHCP messages
NOTE
• The DHCP server and the DHCP relay agent are configured on the upstream router or server of the S-switch.
Data Preparation
To configure the packet discarding alarm, you need the following data.
No.  Data
1    Alarm threshold for the number of discarded ARP packets
2    Alarm threshold for the number of discarded IP packets
3    Alarm threshold for the number of discarded DHCP CHADDR packets
4    Alarm threshold for the number of discarded DHCP reply messages
5    Alarm threshold for the number of discarded DHCP request messages
Procedure
Step 1 Run:
system-view
The ARP packet discarding alarm is enabled on the interface, and the threshold that triggers the alarm is set.
Step 4 Run:
dhcp snooping check dhcp-chaddr enable alarm dhcp-chaddr enable threshold
The DHCP CHADDR packet discarding alarm is enabled on the interface, and the threshold that triggers the alarm is set.
Step 5 Run:
dhcp snooping alarm dhcp-reply enable threshold
The DHCP Reply packet discarding alarm is enabled on the interface, and the threshold that triggers the alarm is set.
Step 6 Run:
dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold
The DHCP Request packet discarding alarm is enabled on the interface, and the threshold that triggers the alarm is set.
Step 7 Run:
dhcp snooping check ip enable alarm ip enable threshold
The IP packet discarding alarm is enabled on the interface, and the threshold that triggers the alarm is set.
Step 8 Run:
dhcp snooping check dhcp-rate enable rate alarm dhcp-rate enable threshold
The alarm is enabled for the rate of sending DHCP messages to the protocol stack, and the threshold that triggers the alarm is set.
----End
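The checks this chapter has described fit together in one decision model: DHCP replies are forwarded only from trusted interfaces (4.2), IP and ARP packets from untrusted interfaces must match a binding-table entry, where static entries carry MAC, IP, VLAN and inbound interface (4.3), DHCP requests whose source IP is bound to a different MAC are discarded while unknown source IPs pass (4.5), and a per-type discard counter raises an alarm when it reaches the configured threshold (4.6). The Python model below is an added example, not S-switch code; the interface names, addresses and thresholds in it are constructed, and restarting the counter after an alarm fires is an assumption.

```python
"""DHCP snooping forwarding decisions plus the packet discarding alarm.

Added example, not S-switch code. Interface names, addresses and thresholds
are constructed; the counter reset after an alarm is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: Optional[str]          # dynamic entries carry no interface (see 4.3.6)
    static: bool = False


@dataclass
class Snooping:
    trusted: Set[str] = field(default_factory=set)                        # network-side interfaces
    bindings: Dict[str, Binding] = field(default_factory=dict)            # keyed by IP address
    thresholds: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (interface, type) -> threshold
    drops: Dict[Tuple[str, str], int] = field(default_factory=dict)       # (interface, type) -> discards
    alarms: List[dict] = field(default_factory=list)                      # records that would go to the NMS

    # ---- configuration ------------------------------------------------------
    def add_static(self, mac, ip, vlan, iface):
        """Counterpart of 'dhcp snooping bind-table static ...' (4.3.5)."""
        self.bindings[ip] = Binding(mac, ip, vlan, iface, static=True)

    def alarm(self, iface, kind, threshold):
        """Counterpart of 'dhcp snooping alarm <kind> enable' plus its threshold (4.6)."""
        self.thresholds[(iface, kind)] = threshold

    # ---- bookkeeping --------------------------------------------------------
    def _drop(self, iface, kind):
        key = (iface, kind)
        self.drops[key] = self.drops.get(key, 0) + 1
        threshold = self.thresholds.get(key)
        if threshold is not None and self.drops[key] >= threshold:
            self.alarms.append({"interface": iface, "type": kind, "dropped": threshold})
            self.drops[key] = 0            # assumption: the counter restarts after an alarm
        return False

    # ---- per-packet checks ----------------------------------------------------
    def dhcp_reply(self, iface, vlan, client_mac, client_ip):
        """Replies from untrusted interfaces are discarded; replies from a trusted
        interface create a dynamic binding for the client (4.2)."""
        if iface not in self.trusted:
            return self._drop(iface, "dhcp-reply")
        self.bindings.setdefault(client_ip, Binding(client_mac, client_ip, vlan, None))
        return True

    def ip_or_arp(self, kind, iface, vlan, src_mac, src_ip):
        """kind is 'ip' or 'arp'. Packets from untrusted interfaces need a matching
        entry; a static entry also pins the inbound interface (4.3)."""
        if iface in self.trusted:
            return True
        b = self.bindings.get(src_ip)
        if b is None or b.mac != src_mac or b.vlan != vlan:
            return self._drop(iface, kind)
        if b.interface is not None and b.interface != iface:
            return self._drop(iface, kind)
        return True

    def dhcp_request(self, iface, src_mac, src_ip):
        """Lease-extension check (4.5): no entry for the source IP forwards; an entry
        bound to another MAC discards."""
        b = self.bindings.get(src_ip)
        if b is not None and b.mac != src_mac:
            return self._drop(iface, "dhcp-request")
        return True


def demo():
    """Constructed traffic through the model; returns (verdicts, alarm records)."""
    sw = Snooping(trusted={"GE0/0/3"})
    sw.add_static("0000-005e-008b", "10.1.1.2", 100, "GE0/0/1")
    sw.alarm("GE0/0/2", "arp", 2)
    v = {}
    v["bogus_reply"] = sw.dhcp_reply("GE0/0/1", 100, "003e-0001-0001", "10.1.1.10")   # user side
    v["real_reply"] = sw.dhcp_reply("GE0/0/3", 100, "003e-0001-0001", "10.1.1.10")    # trusted side
    v["spoofed_ip"] = sw.ip_or_arp("ip", "GE0/0/2", 100, "0000-dead-beef", "10.1.1.10")
    v["legit_ip"] = sw.ip_or_arp("ip", "GE0/0/1", 100, "003e-0001-0001", "10.1.1.10")
    v["static_ok"] = sw.ip_or_arp("arp", "GE0/0/1", 100, "0000-005e-008b", "10.1.1.2")
    v["static_wrong_port"] = sw.ip_or_arp("arp", "GE0/0/2", 100, "0000-005e-008b", "10.1.1.2")
    v["arp_spoof_again"] = sw.ip_or_arp("arp", "GE0/0/2", 100, "0000-005e-008b", "10.1.1.2")
    v["bogus_renew"] = sw.dhcp_request("GE0/0/2", "0000-dead-beef", "10.1.1.10")
    v["unknown_renew"] = sw.dhcp_request("GE0/0/2", "0000-dead-beef", "10.1.1.99")
    return v, sw.alarms


if __name__ == "__main__":
    print(demo())
```

Two consequences of the text are visible in the run: a dynamic entry learned from a trusted reply carries no interface, so the same host is accepted on any untrusted port, whereas the static entry for 10.1.1.2 is accepted only on the interface it was bound to; and the second ARP discard on GE0/0/2 is what pushes the counter to the threshold of 2 and produces the alarm record.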
Run the display dhcp snooping global command. You can view that global DHCP snooping is enabled.
<Quidway> display dhcp snooping global
 dhcp snooping enable
Run the display dhcp snooping interface command. You can view the DHCP snooping configuration on the interface.
<Quidway> display dhcp snooping interface gigabitethernet 0/0/1
 dhcp snooping check arp enable
 dhcp snooping alarm arp enable
 dhcp snooping alarm arp threshold 50
 arp total 0
 ip total 0
 dhcp-rate-drop total 0
 dhcp-request total 0
 chaddr&src mac total 0
 dhcp-reply total 0
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dhcp snooping enable command to enable DHCP snooping on the S-switch. By default, DHCP snooping is disabled.
Step 3 Run the dhcp snooping information format { hex | ascii } command to configure the storage format of the Option 82 field. By default, the storage format for the Option 82 field is hex.
----End
4.7.2 Configuring the Circuit ID in the Option 82 Field in the System View
Context
Do as follows on the S-switch.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dhcp snooping information circuit-id string string command to configure the circuit ID in the Option 82 field. By default, the circuit ID in the Option 82 field is the ID of the VLAN to which the interface receiving the DHCP client's request belongs.
----End
4.7.3 Configuring the Circuit ID of the Option 82 Field in the Interface View
Context
Do as follows on the S-switch.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the GigabitEthernet interface view.
Step 3 Run the dhcp snooping information [ vlan vlan-id ] circuit-id string string command to configure the circuit ID in the Option 82 field. By default, the circuit ID in the Option 82 field is the bridge MAC address of the DHCP snooping device that receives the DHCP client's request.
NOTE
With vlan vlan-id specified, the customized circuit ID applies only to the DHCP packets from the specified VLAN. With no vlan vlan-id specified, the customized circuit ID applies to all DHCP packets that pass through the current interface.
----End
4.7.4 Configuring the Remote ID in the Option 82 Field in the System View
Context
Do as follows on the S-switch.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dhcp snooping information remote-id { sysname | string string } command to configure the remote ID in the Option 82 field. By default, the remote ID in the Option 82 field is the bridge MAC address of the DHCP snooping device that receives the DHCP client's request.
If you have configured the remote ID both in the interface view and in the system view, the remote ID configured in the interface view is applied. If no remote ID is configured in the interface view, the remote ID configured in the system view is applied.
----End
4.7.5 Configuring the Remote ID of the Option 82 Field in the Interface View
Context
Do as follows on the S-switch.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the GigabitEthernet interface view.
Step 3 Run the dhcp snooping information [ vlan vlan-id ] remote-id string string command to configure the remote ID in the Option 82 field. By default, the remote ID in the Option 82 field is the bridge MAC address of the DHCP snooping device that receives the DHCP client's request.
NOTE
With vlan vlan-id specified, the customized remote ID applies only to the DHCP packets from the specified VLAN. With no vlan vlan-id specified, the customized remote ID applies to all DHCP packets that pass through the current interface.
----End
If the backup of the binding table is configured, the system automatically backs up the binding table to a specified path every 24 hours. If no backup binding table exists, the DHCP snooping dynamic binding table is lost after the S-switch reboots. As a result, users cannot obtain IP addresses dynamically from the DHCP server so that they cannot communicate normally.
CAUTION
Debugging affects the performance of the system. So, after debugging, run the undo debugging all command to disable it immediately.
When an operation fault occurs, run the following debugging command in the user view to display the debugging information and locate the fault.
Action                           Command
Enable DHCP snooping debugging.  debugging dhcp snooping
4.9.1 Example for Configuring DHCP Snooping to Prevent Attacks Against the Network
Networking Requirements
You can configure DHCP snooping to prevent the following network attacks:
• Middleman and IP/MAC spoofing attack
• DoS attack by changing the value of the CHADDR field
• Attack of sending bogus messages to extend IP address leases
As shown in Figure 4-7, to prevent attacks against the network, you need to configure trusted/untrusted interfaces, enable packet check, set up a static binding table, and enable the sending of alarms to the NMS on the S-switch. Two DHCP clients access the network through the static IP addresses 10.1.1.2 and 10.1.1.3 respectively. It is required that a static DHCP snooping binding table be configured to ensure the forwarding of packets from the DHCP clients.
Figure 4-7 Networking for configuring DHCP snooping to prevent attacks against the network
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the VLAN view.
2. Set the interface at the network side to be trusted.
3. Enable packet check.
4. Configure a static binding table.
5. Configure Option 82 and create a binding table covering accurate interface information.
6. Configure the sending of alarms to the NMS.
Data Preparation
To complete the configuration, you need the following data:
• IDs of VLANs to which the interfaces belong
• Static IP addresses and MAC addresses assigned to users
• Threshold for sending alarms to the NMS
Configuration Procedure
The following describes how to configure the S-switch. For the configuration procedures for the other devices shown in Figure 4-7, refer to the related configuration guides.
1. Configure DHCP snooping on the S-switch.
# Enable global DHCP snooping.
[Quidway] dhcp snooping enable
# Configure the VLAN to which the interfaces at the user side belong.
[Quidway] vlan 100
[Quidway-vlan100] quit
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Quidway-GigabitEthernet0/0/2] quit
# Configure the VLAN to which the interface at the network side belongs.
[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Quidway-GigabitEthernet0/0/3] quit
2.
3.
4.
5.
6. Configure the sending of alarms to the NMS.
# Enable the sending of alarms to the NMS.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm arp enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm ip enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable
[Quidway-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable
[Quidway-GigabitEthernet0/0/1] quit
[Quidway] interface gigabitethernet 0/0/2
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm arp enable
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm ip enable
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr enable
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request enable
[Quidway-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-reply enable
[Quidway-GigabitEthernet0/0/2] quit
7. Verify the configuration.

Run the display dhcp snooping global command, the display dhcp snooping bind-table command, and the display dhcp option82 command. You can see that DHCP snooping is enabled in the system view, the configuration for sending alarms to the NMS, and the statistics on discarded packets.

# Check the DHCP snooping configuration in the system view.
[Quidway] display dhcp snooping global
 dhcp snooping enable

[Quidway] display dhcp option82 vlan 100 interface gigabitethernet 0/0/1
 dhcp option82 rebuilt enable interface gigabitethernet 0/0/1
Configuration Files
The following lists configuration files of the S-switch.
#
 sysname Quidway
#
vlan batch 100
#
dhcp snooping enable
#
vlan 100
 dhcp snooping enable
 dhcp snooping trusted interface GigabitEthernet0/0/3
 dhcp option82 rebuild enable interface GigabitEthernet0/0/1
 dhcp option82 rebuild enable interface GigabitEthernet0/0/2
 dhcp option82 rebuild enable interface GigabitEthernet0/0/3
 dhcp snooping bind-table static ip-address 10.1.1.3 mac-address 0000-005e-008a interface GigabitEthernet0/0/2
 dhcp snooping bind-table static ip-address 10.1.1.2 mac-address 0000-005e-008b interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1
 port trunk allow-pass vlan 100
 dhcp snooping check arp enable
 dhcp snooping alarm arp enable
 dhcp snooping alarm arp threshold 10
 dhcp snooping check ip enable
 dhcp snooping alarm ip enable
 dhcp snooping alarm ip threshold 10
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 10
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 10
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 10
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 100
 dhcp snooping check arp enable
 dhcp snooping alarm arp enable
 dhcp snooping alarm arp threshold 10
 dhcp snooping check ip enable
 dhcp snooping alarm ip enable
 dhcp snooping alarm ip threshold 10
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 10
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 10
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 10
#
interface GigabitEthernet0/0/3
 port trunk allow-pass vlan 100
#
return

Only GigabitEthernet0/0/3 is trusted, so DHCP server replies arriving on the user-side interfaces are discarded and counted against the dhcp-reply alarm threshold, and the static bindings are what the arp, ip and dhcp-request checks on the user-side interfaces are matched against.
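To make concrete what the per-interface dhcp snooping check and alarm threshold commands in this configuration file do, here is an added Python model (not Huawei code and not from this guide) that applies the same checks to constructed sample packets. The interfaces and binding table match the configuration file above; the exact matching rules of the real switch are not spelled out on this page, so the rules coded here, in particular the treatment of DHCP Request packets, are assumptions.

```python
from collections import defaultdict

# Added example, not Huawei code: models the per-interface "dhcp snooping check"
# and "dhcp snooping alarm ... threshold 10" behaviour of the configuration file
# above. Interfaces, static bindings and packets are constructed to match that
# file; the matching rules, especially for DHCP Request packets, are assumed.

THRESHOLD = 10   # dhcp snooping alarm <type> threshold 10

class DhcpSnoopingInterface:
    def __init__(self, name, trusted=False, bindings=()):
        self.name = name
        self.trusted = trusted                 # dhcp snooping trusted interface ...
        self.bindings = set(bindings)          # {(ip, mac)} static or learnt for this interface
        self.discards = defaultdict(int)       # discarded packets per check type
        self.alarms = []                       # (check type, count) alarms raised to the NMS

    def _drop(self, kind):
        """Count a discard and raise one alarm when the threshold is reached."""
        self.discards[kind] += 1
        if self.discards[kind] == THRESHOLD:
            self.alarms.append((kind, THRESHOLD))
        return False

    def check_arp(self, sender_mac, sender_ip):
        # dhcp snooping check arp: the ARP sender pair must be in the binding table
        return (sender_ip, sender_mac) in self.bindings or self._drop("arp")

    def check_ip(self, src_mac, src_ip):
        # dhcp snooping check ip: same rule for IP packets, which blocks static-IP squatting
        return (src_ip, src_mac) in self.bindings or self._drop("ip")

    def check_dhcp_chaddr(self, frame_src_mac, chaddr):
        # dhcp snooping check dhcp-chaddr: the DHCP chaddr must equal the Ethernet source MAC
        return frame_src_mac == chaddr or self._drop("dhcp-chaddr")

    def check_dhcp_request(self, client_mac, ciaddr):
        # dhcp snooping check dhcp-request (assumed rule): a Request or Release that names an
        # address (ciaddr set) must come from the client the address is bound to
        if ciaddr == "0.0.0.0":
            return True
        return (ciaddr, client_mac) in self.bindings or self._drop("dhcp-request")

    def check_dhcp_reply(self):
        # DHCP server replies are accepted only on the trusted, network-side interface
        return self.trusted or self._drop("dhcp-reply")

def build_switch():
    """The three interfaces and two static bindings of the configuration file above."""
    return {
        "GigabitEthernet0/0/1": DhcpSnoopingInterface("GigabitEthernet0/0/1",
                                                      bindings=[("10.1.1.2", "0000-005e-008b")]),
        "GigabitEthernet0/0/2": DhcpSnoopingInterface("GigabitEthernet0/0/2",
                                                      bindings=[("10.1.1.3", "0000-005e-008a")]),
        "GigabitEthernet0/0/3": DhcpSnoopingInterface("GigabitEthernet0/0/3", trusted=True),
    }

def run_sample_traffic():
    """Constructed packets: one legitimate and one hostile case per check."""
    sw = build_switch()
    ge1, ge2, ge3 = (sw[name] for name in sorted(sw))
    r = {}
    r["legit_arp"] = ge1.check_arp("0000-005e-008b", "10.1.1.2")
    r["spoofed_arp"] = ge1.check_arp("0000-005e-008b", "10.1.1.1")          # claims another host's IP
    r["legit_ip"] = ge2.check_ip("0000-005e-008a", "10.1.1.3")
    r["squatter_ip"] = ge2.check_ip("0000-005e-008a", "10.1.1.9")            # static IP never leased
    r["chaddr_ok"] = ge1.check_dhcp_chaddr("0000-005e-008b", "0000-005e-008b")
    r["chaddr_forged"] = ge1.check_dhcp_chaddr("0000-005e-008b", "0000-005e-0099")  # pool starvation
    r["forged_release"] = ge1.check_dhcp_request("0000-005e-008b", "10.1.1.3")     # releases GE0/0/2's lease
    r["discover"] = ge1.check_dhcp_request("0000-005e-008b", "0.0.0.0")
    r["rogue_server_reply"] = ge1.check_dhcp_reply()
    r["real_server_reply"] = ge3.check_dhcp_reply()
    for _ in range(9):                       # nine more spoofed ARPs reach the alarm threshold
        ge1.check_arp("0000-005e-008b", "10.1.1.1")
    r["arp_discards_ge1"] = ge1.discards["arp"]
    r["alarms_ge1"] = list(ge1.alarms)
    return r
```

On the real switch the binding table is filled by DHCP snooping itself as leases are granted; the two static entries reproduce the hosts with fixed addresses from the file. The model raises one alarm per check type when its discard counter reaches the threshold, which is the behaviour the threshold 10 lines are meant to produce.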
5 AAA Configuration

About This Chapter
This chapter describes the basic concepts and configuration procedures of Authentication, Authorization, and Accounting (AAA), Remote Authentication Dial In User Service (RADIUS), Huawei Terminal Access Controller Access Control System (HWTACACS), domains, and local users.

5.1 Overview of AAA
This section describes the basic principle and concepts of AAA and user management.
5.2 Configuring AAA
This section describes how to configure AAA.
5.3 Configuring the RADIUS Server
This section describes how to configure the RADIUS server.
5.4 Configuring the HWTACACS Server
This section describes how to configure the HWTACACS server.
5.5 Configuring a Domain
This section describes how to configure a domain.
5.6 Configuring Local User Management
This section describes how to configure local user management.
5.7 Maintaining AAA
This section describes how to clear or debug AAA.
5.8 Configuration Examples
This section provides an example for configuring AAA.
AAA consists of the following three functions:
- Authentication: determines which users can access the network.
- Authorization: grants users the right to use certain services.
- Accounting: records the network resource usage of users.
Generally, AAA adopts the client/server model. In this model, the client runs on the resource side that is managed through AAA, whereas the server collects and keeps all user information. This model is easily extended and facilitates centralized management of user information.
Authentication
AAA, implemented on the S-switch, provides the following authentication modes:
- Non-authentication: users are completely trusted and there is no check on their validity. This mode is not recommended.
- Local authentication: user information, including the user name, password, and attributes, is configured on the S-switch. This mode offers high processing speed and low operating cost; however, the amount of user information that can be stored is restricted by the hardware of the device.
- Remote authentication: users are authenticated remotely through the RADIUS protocol or the HWTACACS protocol. The S-switch serves as the client that communicates with the RADIUS or HWTACACS authentication server. The RADIUS protocol can be either standard RADIUS or the Huawei-extended RADIUS used with iTELLIN or the Comprehensive Access Management Server (CAMS) to complete the authentication.
Authorization
AAA, implemented on the S-switch, provides the following authorization modes:
- Non-authorization: users are completely trusted and directly authorized.
- Local authorization: local users are authorized based on the attributes configured for them on the S-switch.
- HWTACACS authorization: users are authorized by the HWTACACS server.
- If-authenticated authorization: users are authorized if they pass the authentication and the authentication mode is not non-authentication.
- RADIUS authorization: RADIUS authentication and RADIUS authorization are bound together, so RADIUS authorization cannot be performed separately. The RADIUS server authorizes users immediately after they pass RADIUS authentication.
Accounting
AAA, implemented on the S-switch, provides the following accounting modes:
- Non-accounting: no accounting is performed; services are free.
- Remote accounting: accounting is performed through the RADIUS server or the HWTACACS server.
5.1.2 RADIUS
AAA can be implemented through many protocols, of which RADIUS is the most commonly used. RADIUS was initially used to manage a large number of scattered users who accessed the network through serial interfaces and modems; it was later widely applied to network access server (NAS) systems. RADIUS prescribes how user information and accounting information are transmitted between the NAS and the RADIUS server. The NAS and the RADIUS server share a key, which is used to hide the user password in transit; this protects the password from theft on an insecure network. To obtain the right to access certain networks or to use some network resources, a user needs to set up a connection with the NAS through a network. The NAS is in charge of authenticating the user or the connection. For this, the NAS sends the AAA information about the user to the RADIUS server. The RADIUS server receives connection requests, authenticates users, and then sends the required configuration information back to the NAS.
To log in to the S-switch, a user first sends its user name and password to the S-switch. The RADIUS client on the S-switch then sends an authentication request to the RADIUS server. If the request is legal, the RADIUS server completes the authentication and returns the required user authentication information to the S-switch. The S-switch and the RADIUS server share a key: the user password is hidden with it before being sent, and the Authenticator of each response is computed with it, so the password is not exposed on an insecure network and a forged reply can be detected. Note that only the password is hidden; the rest of a RADIUS packet, including the user name, travels in clear text (see Table 5-1). The exchange of accounting information works in the same way as that of authentication and authorization information.
A RADIUS packet consists of the following fields:
- Code (1 octet): indicates the message type, such as Access-Request, Access-Accept, and Accounting-Request.
- Identifier (1 octet): a sequence number that is changed for each new request and is used to match a response to its request.
- Length (2 octets): indicates the total length of the packet, including all fields.
- Authenticator (16 octets): a value used to check the validity of a RADIUS message. In a request it is a random value that also seeds the hiding of the user password; in a response it is an MD5 digest over the response, the request's Authenticator, and the shared key.
- Attributes: the body of the message, carrying the attributes of the user.
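The following Python code is an added example, not part of this guide and not Huawei's implementation. It shows the two places where the shared key described above is used by a RADIUS client such as the S-switch: hiding the User-Password in an Access-Request (RFC 2865 section 5.2) and checking the Response Authenticator of the server's reply (RFC 2865 section 3). The shared key, user name, password, identifier, and NAS-Port value are constructed samples.

```python
import hashlib
import hmac
import os
import struct

# Added example, not from the Huawei guide or Huawei code: builds a RADIUS
# Access-Request the way a RADIUS client does, hides the User-Password with the
# shared key as RFC 2865 section 5.2 specifies, and verifies the Response
# Authenticator of the reply (RFC 2865 section 3). All values are constructed.

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT = 5
HEADER_LEN = 20   # Code (1) + Identifier (1) + Length (2) + Authenticator (16)

def attribute(attr_type, value):
    """Type-Length-Value encoding of one attribute; Length covers the two header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def hide_password(password, secret, request_authenticator):
    """Pad to a multiple of 16 and XOR each block with MD5(secret + previous block);
    the first block uses the Request Authenticator (RFC 2865 5.2)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block            # chaining: the ciphertext block feeds the next MD5
    return hidden

def reveal_password(hidden, secret, request_authenticator):
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")

def build_access_request(identifier, username, password, secret, nas_port, request_authenticator=None):
    """Return (packet, request_authenticator); the client keeps the authenticator to check the reply."""
    req_auth = request_authenticator or os.urandom(16)   # must be unpredictable in a real client
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + req_auth + attrs, req_auth

def parse_header(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": packet[4:HEADER_LEN], "attributes": packet[HEADER_LEN:length]}

def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def build_access_accept(identifier, request_authenticator, secret, attrs=b""):
    """What the server sends back; the Authenticator binds the reply to the request and the key."""
    auth = response_authenticator(ACCESS_ACCEPT, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs)) + auth + attrs

def verify_response(reply, request_authenticator, secret, expected_identifier):
    """Client-side check before trusting an Access-Accept: the Identifier must match the
    outstanding request and the Response Authenticator must verify under the shared key.
    A reply from a host that does not know the key, or a replayed reply, fails here."""
    if len(reply) < HEADER_LEN:
        return False
    hdr = parse_header(reply)
    if hdr["identifier"] != expected_identifier or hdr["length"] != len(reply):
        return False
    expected = response_authenticator(hdr["code"], hdr["identifier"], hdr["attributes"],
                                      request_authenticator, secret)
    return hmac.compare_digest(expected, hdr["authenticator"])
```

Two things worth noticing: the user name attribute is not hidden at all, and the password hiding is keyed MD5 rather than authenticated encryption, which is why RADIUS traffic between the switch and its servers should stay on a protected management network.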
Features of RADIUS
Using the User Datagram Protocol (UDP) as the transport protocol, RADIUS offers good real-time performance. RADIUS also provides retransmission and standby-server mechanisms for reliability. It is easy to implement and suits a multithreaded server handling a large number of users. Owing to these features, RADIUS is widely applied. As a RADIUS client, the S-switch provides the following functions:
- Functions defined in the standard and extended RADIUS protocols, including RFC 2865 and RFC 2866
- Functions defined in Huawei extended RADIUS+ v1.1
- Active detection of the RADIUS server: after receiving an AAA authentication or accounting message, the RADIUS client starts server detection if the status of the current server is Down. The client converts the message into a server-probe packet and sends it to the server. If the client receives a response from the RADIUS server, it considers the server available.
- Caching Accounting Stop packets locally and retransmitting them: if the number of retransmission failures exceeds the set value, the Accounting Stop packets are stored in a buffer queue. The system periodically scans the queue, extracts the packets, and sends them to the specified server. After sending, the system starts a timer; if the transmission fails or no response comes from the server within the timeout period, the packets are returned to the buffer queue.
- Automatic switchover of the RADIUS server: when the timer expires, packets can be sent to another server in the configured server group if the current server does not work or the number of transmissions exceeds the maximum.
5.1.3 HWTACACS
HWTACACS is an access control protocol based on TACACS (RFC 1492). Like RADIUS, HWTACACS provides AAA services in a client/server model. Compared with RADIUS, HWTACACS uses a reliable transport and hides the entire packet body rather than only the password. Table 5-1 compares the two protocols.

Table 5-1 Comparisons between HWTACACS and RADIUS

Transport: HWTACACS uses the Transmission Control Protocol (TCP), which provides reliable transmission. RADIUS uses UDP.
Encryption: HWTACACS encrypts the whole packet except the standard HWTACACS header. RADIUS encrypts only the password field in the authentication packet.
Authentication and authorization: HWTACACS separates authentication from authorization. RADIUS performs authentication together with authorization.
Typical use: HWTACACS is suitable for security control. RADIUS is suitable for accounting.
Command authorization: HWTACACS can authorize users to run the commands for configuring the device. RADIUS has no equivalent.

In both protocols the protection is keyed MD5 obfuscation with the shared key rather than modern authenticated encryption, so the links between the S-switch and the AAA servers should still be confined to a protected management network.
5.1.6 References
For more information about AAA and RADIUS, refer to the following documents:
- RFC 2865: Remote Authentication Dial In User Service (RADIUS)
- RFC 2866: RADIUS Accounting
- RFC 2867: RADIUS Accounting Modifications for Tunnel Protocol Support
- RFC 2869: RADIUS Extensions
- RFC 2903: Generic AAA Architecture
- RFC 2904: AAA Authorization Framework
- RFC 2906: AAA Authorization Requirements
AAA is used when:
- The network devices need to be protected.
- Illegal access needs to be denied.
- Legitimate users cannot be fully trusted.
Pre-configuration Tasks
None.
Data Preparation
To configure AAA, you need the following data:
1. Name of the authentication scheme and authentication mode
2. (Optional) Name of the authorization scheme and authorization mode
3. Name of the accounting scheme, accounting mode, and interval for real-time accounting
4. (Optional) Policy for accounting start failures, policy for real-time accounting failures, and maximum number of real-time accounting failures
5. (Optional) Name of the recording scheme, name of the HWTACACS server template related to the recording mode, and events to be recorded
6. Types and numbers of the interfaces at the server side and the client side
Procedure
Step 1 Run:
system-view
An authentication scheme is created and the authentication scheme view is displayed. Step 4 Run:
authentication-mode { hwtacacs | radius | local }*[ none ]
or
authentication-mode none
The authentication mode is set. More than one authentication mode can be chosen, with none only as the last one. The modes are tried in the order in which they are entered: the next mode is used only when the preceding one cannot give a result (for example, the RADIUS or HWTACACS server does not respond). Ending a scheme with none therefore means that an unreachable server results in users being admitted without any check; use it only where that is acceptable.
----End
Procedure
Step 1 Run:
system-view
An authorization scheme is created and the authorization scheme view is displayed. Step 4 Run:
authorization-mode { hwtacacs | if-authenticated | local }*[ none ]
or
authorization-mode none
The authorization mode is set. More than one authorization mode can be chosen, with none only as the last one. The modes are tried in the order in which they are entered; the next mode is used only when the preceding one cannot give a result.
----End
Procedure
Step 1 Run:
system-view
An accounting scheme is created and the accounting scheme view is displayed. Step 4 Run:
accounting-mode { hwtacacs | none | radius }
Real-time accounting is enabled and the accounting interval is set. By default, the value of interval is 5, in minutes. Step 6 (Optional) Run:
accounting interim-fail [ max-times times ] [offline | online ]
The policy for real-time accounting failures is configured. By default, the value of times is 3. Step 7 (Optional) Run:
accounting start-fail [ offline | online ]
The policy for accounting start failures is configured. By default, the policy for accounting start failures is offline. ----End
You can configure the recording scheme only when HWTACACS has been enabled and the HWTACACS server template has been set.
Procedure
Step 1 Run:
system-view
A recording scheme is created and the recording scheme view is displayed. Step 4 Run:
recording-mode hwtacacs template-name
The recording scheme view is quit and the AAA view is displayed. Step 6 Run:
cmd recording-scheme recording-scheme-name
The commands that are used by the user are recorded on the device. Step 7 Run:
outbound recording-scheme recording-scheme-name
Outbound operations performed from the device are recorded. Steps 6 and 7 can be performed in either order.
----End
5.3.4 Configuring the RADIUS Accounting Server
5.3.5 (Optional) Configuring the Protocol Version for the RADIUS Server
5.3.6 (Optional) Configuring the Shared Key for the RADIUS Server
5.3.7 (Optional) Configuring the User Name Format for the RADIUS Server
5.3.8 (Optional) Setting the Traffic Unit for the RADIUS Server
5.3.9 (Optional) Configuring the Retransmission Parameters for the RADIUS Server
5.3.10 (Optional) Configuring the NAS Interface for the RADIUS Server
5.3.11 Checking the Configuration

Most RADIUS parameters have default values, which you can modify as required. They can be modified only while the RADIUS server template is not in use.
Pre-configuration Tasks
None.
Data Preparation
To configure the RADIUS server, you need the following data:
1. Name of the RADIUS server template
2. IP address, port number, and source interface number of the primary RADIUS server for authentication and accounting
3. (Optional) IP address, port number, and source interface number of the secondary RADIUS server for authentication and accounting
4. (Optional) Retransmission times, or prohibited retransmission, of Accounting Stop packets
5. (Optional) Protocol version of the RADIUS server
6. (Optional) Shared key of the RADIUS server
7. (Optional) User name format (with or without the domain name) for the RADIUS server
8. (Optional) Traffic unit of the RADIUS server
9. (Optional) Response timeout period and retransmission times of the RADIUS server
10. (Optional) NAS interface format and NAS port ID format of the RADIUS server
Procedure
Step 1 Run:
system-view
A RADIUS server template is created and the RADIUS view is displayed. ----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
5.3.5 (Optional) Configuring the Protocol Version for the RADIUS Server
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
5.3.6 (Optional) Configuring the Shared Key for the RADIUS Server
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
5.3.7 (Optional) Configuring the User Name Format for the RADIUS Server
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
The user name format is configured for the RADIUS server. ----End
5.3.8 (Optional) Setting the Traffic Unit for the RADIUS Server
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
5.3.9 (Optional) Configuring the Retransmission Parameters for the RADIUS Server
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
The response timeout period is set for the RADIUS server.
Step 4 Run:
radius-server retransmit retry-times
The retransmission times are set for the RADIUS server. Steps 3 and 4 can be performed in either order.
----End
5.3.10 (Optional) Configuring the NAS Interface for the RADIUS Server
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
The NAS interface format is configured for the RADIUS server.
Step 4 Run:
radius-server nas-port-id-format { new | old }
The NAS port ID format is configured for the RADIUS server. Steps 3 and 4 can be performed in either order.
----End
5.4.2 Creating an HWTACACS Server Template
5.4.3 Configuring the HWTACACS Authentication Server
5.4.4 Configuring the HWTACACS Authorization Server
5.4.5 Configuring the HWTACACS Accounting Server
5.4.6 (Optional) Configuring the Source IP Address of the HWTACACS Server
5.4.7 (Optional) Configuring the Shared Key for the HWTACACS Server
5.4.8 (Optional) Configuring the User Name Format for the HWTACACS Server
5.4.9 (Optional) Setting the Traffic Unit for the HWTACACS Server
5.4.10 (Optional) Setting the Timer of the HWTACACS Server
5.4.11 Checking the Configuration

The configuration of the HWTACACS server differs from that of the RADIUS server as follows:
- The S-switch does not check whether the HWTACACS template is in use when you modify attributes of the HWTACACS server, except when deleting the configuration of the server.
- By default, no authentication key is configured for the HWTACACS server. Without a key the packet body is not protected, so configure one as described in 5.4.7 before the template is used.
- HWTACACS can process Accounting Stop packets on both integrated devices and distributed devices.
Pre-configuration Tasks
None.
Data Preparation
To configure the HWTACACS server, you need the following data:
1. Name of the HWTACACS server template
2. IP address and port number of the primary HWTACACS server for authentication, authorization, and accounting
3. (Optional) IP address and port number of the secondary HWTACACS server for authentication, authorization, and accounting
4. (Optional) Retransmission times, or prohibited retransmission, of Accounting Stop packets
5. (Optional) Source IP address used to reach the HWTACACS server
6. (Optional) Shared key of the HWTACACS server
7. (Optional) User name format (with or without the domain name) for the HWTACACS server
8. (Optional) Traffic unit of the HWTACACS server
9. (Optional) Response timeout period of the HWTACACS server and the time after which the primary HWTACACS server is restored to active
Procedure
Step 1 Run:
system-view
An HWTACACS server template is created and the HWTACACS view is displayed. ----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
5.4.7 (Optional) Configuring the Shared Key for the HWTACACS Server
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
5.4.8 (Optional) Configuring the User Name Format for the HWTACACS Server
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
The user name format is configured for the HWTACACS server. ----End
5.4.9 (Optional) Setting the Traffic Unit for the HWTACACS Server
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
The response timeout period is set for the HWTACACS server. Step 4 Run:
hwtacacs-server timer quiet time
Pre-configuration Tasks
Configure the RADIUS or HWTACACS server template if the remote authentication, authorization, and accounting schemes are adopted.
Data Preparation
To configure a domain, you need the following data:
1. Domain name
2. Names of the authentication, authorization, and accounting schemes to be used for the domain
3. (Optional) Name of the RADIUS or HWTACACS server template to be used for the domain
4. (Optional) Maximum number of access users allowed in the domain
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
5.5.3 Configuring Authentication, Authorization, and Accounting Schemes for the Domain
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
Step 6 Run:
accounting-scheme accounting-scheme-name
5.5.4 (Optional) Configuring the RADIUS Server Template for the Domain
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
5.5.5 (Optional) Configuring the HWTACACS Server Template for the Domain
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
5.5.7 (Optional) Setting the Maximum Number of Access Users for the Domain
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
The maximum number of access users is set for the domain. ----End
Pre-configuration Tasks
None.
Data Preparation
To configure local user management, you need the following data:
1. User names and passwords
2. (Optional) Service type of local users
3. (Optional) Name of the FTP directory for local users
4. (Optional) Status of local users
5. (Optional) Priority of local users
6. (Optional) Maximum number of local access users
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Through this configuration procedure, user management based on the service type is implemented.
----End
5.6.4 (Optional) Configuring the Authority of Accessing the FTP Directory for Local Users
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
The authority of accessing the FTP directory is configured for local users. ----End
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
CAUTION
HWTACACS statistics cannot be restored after they are cleared. Confirm the action before you run these commands.

Action: Clear statistics about the HWTACACS server.
Command: reset hwtacacs-server statistics { all | accounting | authentication | authorization }

Action: Clear statistics about Accounting Stop packets on the HWTACACS server.
Command: reset hwtacacs-server accounting-stop-packet { all | ip ip-address }
CAUTION
Debugging affects the performance of the system. After debugging, run the undo debugging all command to disable it at once.

When an AAA fault occurs, run the following debugging commands in the user view to locate the fault. For details about debugging, see Chapter 6 "Debugging and Diagnosis."

Action: Debug RADIUS packets.
Command: debugging radius packet

Action: Debug the HWTACACS server.
Command: debugging hwtacacs { all | error | event | message | receive-packet | send-packet }
Networking Requirements
Telnet users must be authenticated through RADIUS. A maximum of five Telnet users can log in to the S-switch at the same time. Telnet users are first authenticated by the RADIUS authentication server; if the RADIUS authentication server does not respond, the non-authentication mode is adopted, so an unreachable server lets Telnet users in without any check. The IP address of the RADIUS authentication server is 1.1.1.1 and there is no secondary authentication server. The default authentication port, 1812, is used. Note that Telnet carries the user name and password in clear text, so Telnet access to the S-switch should be limited to a protected management network.
Networking diagram
See Figure 5-3.
Figure 5-3 Networking diagram of AAA
Configuration Procedure
# Configure the mode in which users access the S-switch to only Telnet and set the AAA authentication for users.
[S-switch-A] user-interface vty 0 4
[S-switch-A-ui-vty0-4] protocol inbound telnet
[S-switch-A-ui-vty0-4] authentication-mode aaa
[S-switch-A-ui-vty0-4] quit
# Set the shared key and retransmission times for the RADIUS server.
[S-switch-A-radius-shiva] radius-server shared-key it-is-my-secret
[S-switch-A-radius-shiva] radius-server retransmit 2
[S-switch-A-radius-shiva] quit
# Configure the authentication scheme r-n and set the authentication modes to radius and none, in that order: if the RADIUS authentication server does not respond, non-authentication is adopted.

[S-switch-A-aaa] authentication-scheme r-n
[S-switch-A-aaa-authen-r-n] authentication-mode radius none
[S-switch-A-aaa-authen-r-n] quit
# Configure the default domain. In the domain view, apply the authentication scheme r-n, the default accounting scheme (non-accounting), and the RADIUS server template shiva.

[S-switch-A-aaa] domain default
[S-switch-A-aaa-domain-default] authentication-scheme r-n
[S-switch-A-aaa-domain-default] radius-server shiva
Configuration Files
#
 sysname S-switch-A
#
radius-server template shiva
 radius-server shared-key it-is-my-secret
 radius-server authentication 1.1.1.1 1812
 radius-server retransmit 2
#
aaa
 authentication-scheme default
 authentication-scheme r-n
  authentication-mode radius none
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
  authentication-scheme r-n
  radius-server shiva

The RADIUS shared key appears in clear text in the saved configuration, so configuration files must be protected like any other credential.
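As an added illustration of the mode order described in 5.2 (the next mode takes effect only when the preceding one does not respond) and of what the scheme r-n above therefore does when the RADIUS server is down, the following Python model is not Huawei code and not from this guide. The user names and passwords are constructed, and the rule that an explicit reject from a server is final (not followed by the next mode) is an assumption made for the example.

```python
from enum import Enum

# Added example, not from the Huawei guide: models how an authentication scheme
# such as "authentication-mode radius none" (scheme r-n above) or
# "authentication-mode radius local" walks its mode list. The guide states that
# the next mode is used only when the preceding one does not respond; that a
# server's explicit reject is final is assumed here. The RADIUS stub and user
# databases are constructed sample data.

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"   # server unreachable, or no reply after all retransmissions

def authenticate(modes, backends, username, password):
    """Try the scheme's modes in configured order.

    Returns (result, mode_that_decided). A mode that answers (ACCEPT or REJECT)
    ends the walk; only NO_RESPONSE moves on to the next mode. The 'none' mode
    never asks anybody and always accepts, which is exactly the risk of putting
    it at the end of a scheme.
    """
    for mode in modes:
        if mode == "none":
            return Result.ACCEPT, "none"
        result = backends[mode](username, password)
        if result is not Result.NO_RESPONSE:
            return result, mode
    # Every configured mode was unreachable and there is no 'none' fallback: deny.
    return Result.REJECT, None

def make_radius_backend(users, is_reachable):
    """RADIUS server stub; is_reachable() lets the caller simulate an outage."""
    def radius(username, password):
        if not is_reachable():
            return Result.NO_RESPONSE
        return Result.ACCEPT if users.get(username) == password else Result.REJECT
    return radius

def make_local_backend(users):
    """Local user database on the S-switch: it can always answer."""
    def local(username, password):
        return Result.ACCEPT if users.get(username) == password else Result.REJECT
    return local

def evaluate_schemes(server_up):
    """Run three schemes against the same logins with the RADIUS server up or down."""
    radius_users = {"operator": "correct-horse"}     # constructed account on the RADIUS server
    local_users = {"operator": "local-fallback-pw"}  # constructed local account on the switch
    backends = {
        "radius": make_radius_backend(radius_users, lambda: server_up),
        "local": make_local_backend(local_users),
    }
    schemes = {
        "r-n": ["radius", "none"],          # the scheme from the configuration example
        "radius-local": ["radius", "local"],
        "radius-only": ["radius"],
    }
    logins = {
        "good": ("operator", "correct-horse"),
        "bad": ("operator", "wrong"),
        "local-pw": ("operator", "local-fallback-pw"),
    }
    return {
        (scheme, login): authenticate(modes, backends, *cred)
        for scheme, modes in schemes.items()
        for login, cred in logins.items()
    }
```

With the server up, r-n behaves like plain RADIUS; with the server down, r-n admits any user name and password, radius-local falls back to the local account, and a scheme with radius alone locks everyone out. That trade-off is the whole decision behind the last mode in a scheme.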
MAC address authentication supports the following authentication modes:
- Remote Authentication Dial-In User Service (RADIUS) server authentication
- Local authentication
After confirming the authentication mode, you can select one of the following types of authentication usernames:
- MAC-address user name: the MAC address of a user is used as the user name for authentication.
- Fixed user name: all users, whatever their MAC address, use the user name and password pre-configured on the S-switch; whether a user passes the authentication therefore depends on the correctness of the user name and password and on the maximum number of users allowed to use the user name.

When the MAC-address user name type is adopted, the S-switch takes the MAC address of a detected user as both the user name and the password of the user and sends them to the RADIUS server. When the fixed user name type is adopted, the S-switch takes the locally configured user name and password as those of the user to be authenticated and sends them to the RADIUS server.
Users that pass the authentication on the RADIUS server can access the network. Because a MAC address is visible on the wire and easily changed on a host, MAC address authentication identifies a device rather than proving who is using it; treat it as a weaker control than 802.1x and limit what an authenticated MAC is allowed to reach.

When the MAC-address user name type is adopted with local authentication, the MAC address of each access user must be configured as a local user name and password. Whether the local user name contains the hyphen delimiter must match the format configured with the mac-authen username macaddress command; otherwise MAC address authentication fails.
When the fixed username type is adopted, the MAC addresses of all the users match the configured local username and password automatically.
MAC address authentication uses the following timers:
- Offline-detect timer: specifies the interval at which the S-switch checks whether a user has gone offline. When a user goes offline, the S-switch immediately notifies the RADIUS server to stop accounting for the user.
- Quiet timer: specifies how long the S-switch waits before re-authenticating a user that failed the authentication. During this period, the S-switch does not process authentication requests from the user.
- Server-timeout timer: specifies the timeout period of the connection between the S-switch and the RADIUS server. If the connection times out during the authentication process, the authentication fails.
Guest VLAN
When a user connected to an interface fails the authentication, the interface is added to a guest VLAN if the conditions for a guest VLAN are met. The user connected to the interface can then access the network resources of the guest VLAN. This authorizes users that fail the authentication to access limited resources in specific VLANs; keep the guest VLAN isolated from the production network, since unauthenticated devices land there.
6.2.5 Configuring a Fixed Username for a MAC Address Authentication User
6.2.6 (Optional) Configuring a Domain Name for a MAC Address Authentication User
6.2.7 (Optional) Configuring Timers for MAC Address Authentication
6.2.8 Checking the Configuration

- If MAC address authentication is enabled on an interface, 802.1x cannot be enabled on the interface, and vice versa.
- If MAC address authentication is enabled on an interface, VLAN mapping cannot be enabled on the interface, and vice versa.
Pre-configuration Tasks
Before configuring MAC address authentication, complete the following tasks:
- Connecting interfaces and configuring physical parameters for the interfaces to ensure that the physical layer status of the interfaces is Up
- Configuring parameters of the link layer protocol for the interfaces and ensuring that the status of the link layer protocol on the interfaces is Up
Data Preparation
To configure MAC address authentication, you need the following data:
1. Number of the interface on which MAC address authentication is to be enabled
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the mac-authen command to enable global MAC address authentication. ----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the mac-authen interface { interface-type interface-number1 [ to interface-number2 ] } command to enable MAC address authentication on the specified interfaces.
NOTE
In addition, you can run the mac-authen command in the interface view to enable MAC address authentication on the interface.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the mac-authen username macaddress command to use the MAC address as the user name for MAC address authentication. By default, the MAC address without the hyphen delimiter is used as the user name.
Step 3 (Optional) Run the mac-authen username macaddress format with-hyphen command to use the MAC address with the hyphen delimiter as the user name. The local user names, or the accounts on the RADIUS server, must be created in the same format.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the mac-authen username fixed command to configure a fixed username for a MAC address authentication user.
Step 3 Run the mac-authen username username command to configure a username for MAC address authentication.
Step 4 Run the mac-authen password password command to configure a password for MAC address authentication.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the mac-authen domain isp-name command to configure a domain name for a MAC address authentication user.
NOTE
Configure an authentication domain for a MAC address authentication user. Check whether there is an available domain before configuring the domain; otherwise, the system prompts that an error occurs.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the mac-authen timer offline-detect offline-detect-value command to configure the value of the offline-detect timer. The default value is 300 seconds.
Step 3 Run the mac-authen timer quiet-period quiet-value command to configure the value of the quiet timer. The default value is 60 seconds.
Step 4 Run the mac-authen timer server-timeout server-timeout-value command to configure the value of the server timeout timer. The default value is 30 seconds.
----End
Procedure
Step 1 Run the display mac-authen command to view the status of MAC address authentication.
----End
Example
Run the display mac-authen command to check the configuration results of MAC address authentication. For example:
<Quidway> display mac-authen
 Mac address authentication is Enabled.
 Fixed username: test
 Fixed Password: test123
 Offline detect period is 60s
 Quiet period is 65s
 Server response timeout value is 66s
 Guest VLAN reauthenticate period is 30s
 Max online user is 1024
 Current online user is 0
 Current domain: not configured
Applicable Environment
After the authentication of a user connected to an interface fails, the interface is added to a guest VLAN. The MAC address of the user is added to the MAC address table of the guest VLAN. Thus, the user can access network resources of the guest VLAN. By configuring the maximum number of MAC address authentication users, you can control the users accessing an interface. When the number of users accessing an interface of an S-switch reaches the limit value, the S-switch does not trigger MAC address authentication for subsequent users accessing the interface. Therefore, these users cannot access the network normally.
Pre-configuration Tasks
Before configuring enhanced MAC address authentication, complete the following tasks:
- Enabling MAC address authentication
- Creating a VLAN to be configured as a guest VLAN
- Configuring the maximum number of MAC address authentication users to one
Data Preparation
To configure enhanced MAC address authentication, you need the following data.
No. 1: Number of an interface on an S-switch that performs MAC address authentication
No. 2: ID of a guest VLAN
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the GigabitEthernet interface view.
Step 3 Run the mac-authen guest-vlan vlan-id command to configure a guest VLAN on the interface.
Step 4 (Optional) Run the mac-authen timer guest-vlan reauthenticate-period interval command to configure the interval for the S-switch to re-authenticate users of the guest VLAN.
Step 5 Run the quit command to return to the system view.
----End
6.3.3 Configuring the Maximum Number of MAC Address Authentication Users on an Interface
Context
To set the maximum number of online users on an interface of an S-switch, do as follows on the S-switch.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the GigabitEthernet interface view.
Step 3 Run the mac-authen max-user user-number command to set the maximum number of MAC address authentication users on the interface.
Step 4 Run the quit command to return to the system view.
----End
Procedure
Step 1 Run the display mac-authen command to check the configuration of enhanced MAC address authentication.
----End
Example
Run the display mac-authen command to check the configuration results of enhanced MAC address authentication. For example:
<Quidway> display mac-authen
 Mac address authentication is Enabled.
 Fixed username:
 Fixed Password: test123
 Offline detect period is 60s
 Quiet period is 65s
 Server response timeout value is 66s
 Guest VLAN reauthenticate period is 30s
 Max online user is 1024
 Current online user is 0
 Current domain: not configured
CAUTION
Statistics of MAC address authentication cannot be restored after you clear them. So, confirm the action before you use the command.
Procedure
Step 1 After confirming the action of resetting the statistics of MAC address authentication, run the reset mac-authentication statistics [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command in the user view to clear them.
----End
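The following Python model is added here as an illustration and is not part of the Quidway documentation or the S-switch software. It puts the MAC address authentication settings described above together in one place: derivation of the username from the MAC address (the default form without delimiter as stated above; the byte grouping of the with-hyphen form is an assumption of this example), the max-user limit beyond which authentication is not triggered, the quiet timer after a failed authentication, the offline-detect timer, and the guest VLAN with its re-authentication period. The authenticate callback stands in for the AAA domain (local or RADIUS); timer defaults follow the values stated in the procedures above, and time is passed in as plain seconds so the timers can be exercised without waiting.

```python
"""Simplified model of the MAC address authentication behaviour described in
this chapter (username derivation, max-user gating, quiet timer, offline-detect
timer, guest VLAN).  Added example, not S-switch code."""


def mac_username(mac, with_hyphen=False):
    """Derive the MAC-authentication username from a MAC address.

    Accepts 'aabb-ccdd-eeff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'.  The
    default form has no delimiter, as the chapter states; the exact hyphen
    positions of the with-hyphen form are an assumption of this example.
    """
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if not with_hyphen:
        return digits
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacAuthInterface:
    """One interface with MAC address authentication enabled.

    `authenticate(username, password)` stands in for the AAA domain (local
    or RADIUS).  Times are plain seconds so the timers can be exercised
    without sleeping.  Defaults are the ones the procedures above state.
    """

    def __init__(self, authenticate, max_user=1, guest_vlan=None,
                 quiet_period=60, offline_detect=300, guest_reauth_period=30):
        self.authenticate = authenticate
        self.max_user = max_user
        self.guest_vlan = guest_vlan
        self.quiet_period = quiet_period
        self.offline_detect = offline_detect
        self.guest_reauth_period = guest_reauth_period
        self.online = {}        # username -> time of the last frame seen
        self.quiet_until = {}   # username -> time the quiet period ends
        self.guest_since = {}   # username -> time the user was put in the guest VLAN

    def frame_received(self, mac, now):
        """Return what the switch does with a frame from `mac` at time `now`."""
        user = mac_username(mac)
        if user in self.online:
            self.online[user] = now           # refreshes the offline-detect timer
            return "forwarded"
        if user in self.guest_since:
            if now - self.guest_since[user] < self.guest_reauth_period:
                return f"forwarded in guest VLAN {self.guest_vlan}"
            del self.guest_since[user]        # re-authenticate after the period
        if now < self.quiet_until.get(user, 0):
            return "dropped (quiet period)"
        if len(self.online) >= self.max_user:
            # Beyond max-user the switch does not even trigger authentication.
            return "authentication not triggered (max-user reached)"
        # In macaddress mode the MAC address serves as both username and password.
        if self.authenticate(user, user):
            self.online[user] = now
            return "authenticated"
        if self.guest_vlan is not None:
            self.guest_since[user] = now
            return f"authentication failed, interface joined guest VLAN {self.guest_vlan}"
        self.quiet_until[user] = now + self.quiet_period
        return "authentication failed"

    def expire(self, now):
        """Offline-detect timer: drop users silent for longer than the period."""
        gone = [u for u, seen in self.online.items() if now - seen > self.offline_detect]
        for u in gone:
            del self.online[u]
        return gone
```

With max-user set to 1 and a guest VLAN configured, the model shows the ordering the chapter implies: a second MAC address is ignored until the first user is aged out by the offline-detect timer, and a failed user is forwarded in the guest VLAN until the re-authentication period elapses rather than being dropped for the quiet period.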
The administrator of the S-switch wants to perform MAC address authentication on users accessing GigabitEthernet 0/0/1 to control users' access to the Internet. Local authentication with a fixed username is adopted; the fixed username is set to huawei@default; the fixed password is set to huawei. Only users that pass the authentication can access the Internet.
Figure 6-1 Networking diagram for configuring local authentication with a fixed username
Configuration Roadmap
The configuration roadmap is as follows:
- Add a local access user and configure the username and password for the user.
- Configure MAC address authentication on GigabitEthernet 0/0/1 and configure the default VLAN.
- Adopt a fixed username for MAC address authentication.
- Enable global MAC address authentication.
NOTE
- Configure global MAC address authentication after setting all related parameters. Otherwise, authorized users may fail to access the Internet.
Data Preparation
To complete this configuration, you need the following data:
- Interface for authentication
- Username for authentication
- Password for authentication
- Authentication type
Procedure
Step 1 Add a local access user to an S-switch, and configure the username and password for the user.
<Quidway> system-view
[Quidway] aaa
[Quidway-aaa] local-user huawei@default password simple huawei
[Quidway-aaa] local-user huawei@default service-type ppp
[Quidway-aaa] authorization-scheme default
[Quidway-aaa-author-default] authorization-mode none
[Quidway-aaa-author-default] quit
[Quidway-aaa] quit
Step 2 Configure MAC address authentication on GigabitEthernet 0/0/1 and configure the default VLAN.
[Quidway] vlan batch 10
[Quidway-aaa] interface gigabitethernet 0/0/1
[QuidwayGigabitEthernet0/0/1] port default vlan 10
[QuidwayGigabitEthernet0/0/1] mac-authen
[QuidwayGigabitEthernet0/0/1] quit
----End
Configuration Files
Configuration file of the S-switch
#
 sysname Quidway
#
vlan batch 10
#
mac-authen
mac-authen username fixed
mac-authen username huawei@default
mac-authen password huawei
#
interface GigabitEthernet0/0/1
 port default vlan 10
 mac-authen
#
aaa
 local-user huawei@default password simple huawei
 local-user huawei@default service-type ppp
 authentication-scheme default
 #
 authorization-scheme default
  authorization-mode none
 #
 accounting-scheme default
 #
 domain default
#
return
7 802.1X Configuration

About This Chapter

This chapter describes the basics, methods, and configuration example of 802.1X.
7.1 Overview of 802.1X
This section describes the basic concepts of 802.1X and the 802.1X functions supported by the S-switch.
7.2 Configuring 802.1X
This section describes the scenario, procedures, and precautions for configuring 802.1X.
7.3 Configuration Examples
This section describes a configuration example of 802.1X.
The supplicant is usually a user terminal installed with the 802.1X client software provided by Huawei or the Windows XP operating system. The supplicant initiates the 802.1X authentication by running the 802.1X client software. The supplicant must support the Extensible Authentication Protocol over LAN (EAPoL). The authenticator is usually a network device supporting the 802.1X protocol. The authenticator provides the interface, either physical or logical, for LAN access of the supplicant. The authentication server is usually a Remote Authentication Dial-In User Service (RADIUS) server for implementing authentication, authorization, and accounting (AAA). The authentication server stores information such as the user name, password, user VLAN, committed access rate (CAR) parameters, priority, and user access control list (ACL).
The authenticator and the authentication server exchange information through the Extensible Authentication Protocol (EAP). The supplicant and the authenticator exchange information through EAPoL defined in the IEEE 802.1X standard.
The authenticator encapsulates authentication data in an EAP packet and then encapsulates the EAP packet in an upper-layer AAA protocol packet such as the RADIUS protocol packet. In this manner, the authentication data can travel through the complex network to reach the authentication server.
Figure 7-1 802.1X authentication system
The three authentication entities involve the following basic concepts:
1. PAE
   The Port Access Entity (PAE) performs the algorithm and implements the protocol.
2. Controlled or uncontrolled interface
   - In authorized mode, a controlled interface can transmit packets in both directions; in unauthorized mode, a controlled interface cannot receive packets from the supplicant.
   - An uncontrolled interface can bidirectionally transmit EAPoL protocol packets in either mode to ensure that the supplicant sends and receives packets at any time.
3. Controlled direction
   In unauthorized mode, you can set an interface to be unidirectionally controlled or bidirectionally controlled. If an interface is unidirectionally controlled, it can send packets to the supplicant but cannot receive packets from the supplicant.
NOTE
- 802.1X authentication initiated by the supplicant: The supplicant sends an EAPoL-Start packet to the authenticator through the client software and initiates the authentication.
- 802.1X authentication initiated by the authenticator: On detecting an unauthenticated user accessing the network, the authenticator sends an EAP-Request/Identity packet to the user and initiates the authentication.
The 802.1X authentication system supports the EAP relay mode and the EAP termination mode to exchange information for user authentication. Take the 802.1X authentication initiated by the supplicant as an example. The authentication processes in the preceding modes are as follows:
The authentication process is as follows:
1. The user runs the 802.1X client program, enters the assigned and registered user name and password, and sends an EAPoL-Start packet to the authenticator.
2. After receiving the EAPoL-Start packet, the authenticator returns an EAP-Request/Identity packet, requiring the supplicant to send the entered user name.
3. The supplicant responds with an EAP-Response/Identity packet, carrying the user name to the authenticator. The authenticator receives the EAP-Response/Identity packet, encapsulates the packet into a RADIUS Access-Request packet, and sends it to the authentication server.
4. After receiving the user name from the authenticator, the authentication server searches for the password corresponding to the user name, encrypts the password through a randomly generated encryption word, and at the same time, sends the encryption word in a RADIUS Access-Challenge packet to the authenticator.
5. After receiving the encryption word in the EAP-Request/MD5 Challenge packet from the authenticator, the supplicant encrypts the password with the encryption word and then sends it in an EAP-Response/MD5 Challenge packet to the authentication server through the authenticator.
6. The authentication server compares the password in the RADIUS Access-Request packet from the authenticator with the local password generated through the MD5 algorithm. If the two passwords are the same, the authentication server responds with RADIUS Access-Accept and EAP-Success packets. After the authenticator receives the packets, the interface becomes authorized and the user can access the network through this interface.
7. After the interface becomes authorized, the authenticator periodically sends handshake packets to the supplicant to monitor the online user. By default, the authenticator disconnects a user after sending two handshake packets but receiving no response. In this manner, network resource waste caused by the authenticator's unawareness of abnormal user disconnection is prevented.
The difference between the EAP termination mode and the EAP relay mode is as follows: In EAP termination mode, the authenticator randomly generates an encryption word for user password encryption, and then sends the user name, random encryption word, and password encrypted on the supplicant to the RADIUS server for authentication.
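The exchange in steps 1 to 6 above, worked through in Python as an added example that is not part of the Quidway documentation or software: both sides' EAP messages are encoded as real EAP packets (Code, Identifier, Length, Type, Type-Data as in RFC 3748), and what the text calls encrypting the password with the encryption word is the EAP-MD5-Challenge computation MD5(Identifier || password || challenge) as in CHAP (RFC 1994). The authenticator is modelled as a pure relay (EAP relay mode); in termination mode the same computation is carried out with a challenge generated by the authenticator instead. The user database and the RADIUS transport are stand-ins; the usernames and passwords are constructed for the example.

```python
"""EAP-MD5-Challenge exchange of the 802.1X flow above, with both sides'
messages encoded as EAP packets (RFC 3748 section 5.4; the response value is
computed as in CHAP, RFC 1994).  Added example, not switch code; the
authenticator is modelled as a pure relay (EAP relay mode)."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eap_packet(code, identifier, eap_type=None, type_data=b""):
    """Encode Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    if length == 4:                      # Success/Failure carry no Type
        return code, identifier, None, b""
    return code, identifier, packet[4], packet[5:]


def md5_challenge_value(identifier, password, challenge):
    """The text's 'encrypted password': MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


# --- supplicant side -------------------------------------------------------
def supplicant_identity(identifier, username):
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, username)


def supplicant_answer(request, password, username):
    code, identifier, eap_type, data = parse_eap(request)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("expected EAP-Request/MD5-Challenge")
    size = data[0]                       # Value-Size, then Value, then Name
    challenge = data[1:1 + size]
    value = md5_challenge_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5_CHALLENGE,
                      bytes([len(value)]) + value + username)


# --- authentication server side --------------------------------------------
def server_challenge(identifier, challenge, server_name=b"radius"):
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5_CHALLENGE,
                      bytes([len(challenge)]) + challenge + server_name)


def server_verify(response, identifier, password, challenge):
    code, rid, eap_type, data = parse_eap(response)
    if code != EAP_RESPONSE or rid != identifier or eap_type != EAP_TYPE_MD5_CHALLENGE:
        return False
    expected = md5_challenge_value(identifier, password, challenge)
    return hmac.compare_digest(data[1:1 + data[0]], expected)


def run_exchange(user_db, username, client_password, challenge=None):
    """Drive steps 1-6 of the flow; returns (success, transcript)."""
    challenge = os.urandom(16) if challenge is None else challenge
    transcript = ["supplicant -> authenticator: EAPoL-Start"]
    ident = 1
    req_identity = eap_packet(EAP_REQUEST, ident, EAP_TYPE_IDENTITY)
    transcript.append(f"authenticator -> supplicant: EAP-Request/Identity ({len(req_identity)} bytes)")
    resp_identity = supplicant_identity(ident, username)
    transcript.append("supplicant -> authenticator -> server (RADIUS Access-Request): EAP-Response/Identity")
    _, _, _, claimed = parse_eap(resp_identity)
    ident = 2
    req_md5 = server_challenge(ident, challenge)
    transcript.append("server (RADIUS Access-Challenge) -> authenticator -> supplicant: EAP-Request/MD5-Challenge")
    resp_md5 = supplicant_answer(req_md5, client_password, username)
    transcript.append("supplicant -> authenticator -> server (RADIUS Access-Request): EAP-Response/MD5-Challenge")
    stored = user_db.get(claimed)        # server looks up the password for the claimed name
    ok = stored is not None and server_verify(resp_md5, ident, stored, challenge)
    final = eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident)
    transcript.append("server (RADIUS Access-%s) -> authenticator -> supplicant: EAP-%s"
                      % (("Accept", "Success") if ok else ("Reject", "Failure")))
    return parse_eap(final)[0] == EAP_SUCCESS, transcript
```

The server's comparison uses a constant-time check, and the challenge is fresh per exchange: a response computed for one challenge verifies only against that challenge, which is why step 4 generates the encryption word randomly each time. Note that EAP-MD5 gives the authenticator and RADIUS server only a hash to compare; anyone who can observe the LAN sees challenge and response in the clear, so the password strength and the choice of authentication method (the dot1x authentication-method command below) are what limit the exposure.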
- Supporting a physical interface connected to multiple users
- Supporting MAC-based and port-based access control methods
Pre-configuration Tasks
The 802.1X protocol provides only an implementation scheme for user identity authentication. To complete the user identity authentication, you need to select the RADIUS or local authentication method. Before configuring 802.1X, complete the following tasks:
- Configuring the Internet Service Provider (ISP) authentication domain and AAA scheme, that is, RADIUS or local authentication scheme, for the 802.1X user
- Configuring the user name and password on the RADIUS server if RADIUS authentication is selected
- Adding the user name and password manually on the S-switch if local authentication is selected
Data Preparation
None.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x command to enable 802.1X globally. By default, 802.1X is disabled globally and on an interface.
NOTE
To add the interface to the dynamic VLAN delivered by the server, you also need to run the port hybrid untagged vlan command in the interface view. In this manner, frames from the VLAN can pass through the interface in untagged mode.
Step 3 Run the dot1x interface interface-type interface-number1 [ to interface-number2 ] command to enable 802.1X on the specified interface. Or run the interface interface-type interface-number command to enter the interface view and then run the dot1x command to enable 802.1X on the interface.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-type interface-number1 [ to interface-number2 ] ] command to set the port access control mode. By default, the port access control mode is auto.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x port-method { mac | port } [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to set the port access control method. By default, the port access control method is mac.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x max-user user-number [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to set the maximum number of concurrent access users on the interface. By default, an interface allows up to eight concurrent access users. By default, an interface allows up to 256 concurrent access users.
----End
Procedure
Step 1 Run:
system-view
Dynamic Host Configuration Protocol (DHCP) trigger is enabled for user authentication.
7.2.7 (Optional) Setting the Authentication Method for the 802.1X User
Context
Do as follows on the S-switch.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x authentication-method { chap | eap | pap } command to set the authentication method for the 802.1X user. By default, the authentication method of an 802.1X user is chap.
----End
- Enabling 802.1X
- Setting the maximum number of concurrent access users to 1 on the interface
- Setting the port access control mode to auto on the interface
- Creating a VLAN to be configured as the guest VLAN
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x guest-vlan vlan-id [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to configure the guest VLAN on the interface. Or run the interface interface-type interface-number command to enter the interface view and then run the dot1x guest-vlan vlan-id command to configure the guest VLAN on the interface. By default, no guest VLAN is configured on an interface.
NOTE
The configured guest VLAN takes effect only when the maximum number of concurrent access users on the interface is 1. If the maximum number of concurrent access users on the interface is not 1, you can still configure the guest VLAN, but the configured guest VLAN does not take effect. Assign different VLAN IDs to the voice VLAN, default VLAN, and 802.1X guest VLAN on the interface to ensure normal services.
----End
7.2.9 (Optional) Setting the Maximum Number of Times for Sending an Authentication Request
Context
Do as follows on the S-switch.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x retry max-retry-value command to set the maximum number of times for sending an authentication request to the access user. By default, the S-switch can send an authentication request to an access user twice.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value } command to set the timer parameters. By default, the settings of the timers are as follows:
- The timeout period of the response from the client is 30s.
- The interval for sending handshake packets is 15s.
- The quiet period of a user failing the authentication is 60s.
- The authentication interval is 3600s.
- The timeout period of the response from the server is 30s.
- The interval for sending authentication requests is 30s.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x quiet-period command to enable the quiet-period timer. By default, the quiet-period timer is disabled.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x handshake command to enable the handshake-period timer. By default, the handshake-period timer is enabled.
----End
Example
Run the display dot1x command to check that 802.1X is enabled globally and on the interface.
[Quidway] display dot1x
 Global 802.1x is Enabled
 CHAP authentication is Enabled
 DHCP-trigger is Disabled
 Handshake is Enabled
 Quiet function is disabled
 Configuration: Handshake Period Client Timeout Quiet Period 3600s 30s
 Total maximum 802.1x user resource number is 1024
 Total current used 802.1x resource number is 3
 GigabitEthernet0/0/1 current state : UP
  802.1x protocol is Enabled
  Port control type is Auto
  Authentication method is MAC-based
  Reauthentication is enabled
  Max online user is 256
  Current online user is 1
  Guest VLAN is disabled
  Failure: 0 RX : 0
7.3.1 Example for Configuring 802.1X
Context
The user must be authenticated on an interface of the S-switch before accessing the Internet; the MAC-based access control method is adopted. RADIUS authentication is performed for the user. If the RADIUS server does not respond, local authentication is performed for the user. The user name of the local 802.1X access user is localuser@test and the password is localpass. Configure the S-switch to remove the domain name from the user name before sending it to the RADIUS server.
Configuration Roadmap
The configuration roadmap is as follows:
- Create a VLANIF interface, assign an IP address to it, and add all the interfaces to the corresponding VLANs.
- Create a local access user and configure the user name and password for the user.
- Configure the domain for local authentication.
- Configure the domain for RADIUS authentication.
- Create a RADIUS scheme.
- Enable 802.1X authentication on the specified interface, and set the maximum number of users on the interface to 1.
- Enable 802.1X authentication globally.
NOTE
Perform this step after setting all related parameters. Otherwise, authorized users may fail to access the Internet.
Data Preparation
To configure 802.1X, you need the following data.
- IP address of the VLANIF interface
- IP address of the RADIUS server
- Interface for authentication
- User name for authentication
- Domain for authentication
- Password for authentication
- Service type
Procedure
Step 1 Create a VLANIF interface and assign an IP address to it on the S-switch.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] port gigabitethernet 0/0/1
[Quidway-vlan10] quit
[Quidway-vlan10] interface vlanif 10
[Quidway-Vlanif10] ip address 10.10.1.1 255.255.255.0
[Quidway-Vlanif10] quit
[Quidway] vlan 100
[Quidway-vlan100] port gigabitethernet 0/0/2
[Quidway-vlan100] port gigabitethernet 0/0/3
[Quidway-vlan100] interface vlanif 100
[Quidway-Vlanif100] ip address 192.168.0.1 255.255.255.0
[Quidway-Vlanif100] quit
Step 2 Create a local access user, and configure the user name and password for the user.
<Quidway> system-view
[Quidway] aaa
[Quidway-aaa] local-user localuser@test password simple localpass
[Quidway-aaa] local-user localuser@test service-type ppp
----End
Configuration Files
Configuration files of the S-switch
#
 sysname Quidway
#
vlan batch 10 100
#
dot1x
#
radius-server template account
 radius-server shared-key 3300
 radius-server authentication 192.168.0.10 1000
 radius-server accounting 192.168.0.10 1001
#
interface Vlanif10
 ip address 10.10.1.1 255.255.255.0
#
interface Vlanif100
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port default vlan 10
 dot1x
 dot1x max-user 1
#
interface GigabitEthernet0/0/2
 port default vlan 100
#
interface GigabitEthernet0/0/3
 port default vlan 100
#
aaa
 local-user localuser@test password simple localpass
 local-user localuser@test service-type ppp
 authentication-scheme default
 authentication-scheme test
 authentication-scheme server
  authentication-mode radius
 #
 authorization-scheme default
 authorization-scheme test
  authorization-mode none
 #
 accounting-scheme default
 accounting-scheme account
  accounting-mode radius
 #
 domain default
 domain test
  authentication-scheme test
  authorization-scheme test
 domain remote
  authentication-scheme server
  accounting-scheme account
  radius-server account
#
#
return
8 NAC Configuration

About This Chapter

This chapter describes the basics, configuration methods, and configuration examples of NAC.
8.1 Access Mode of NAC
This section describes access modes of NAC.
8.2 Configuring the NAC Access Based on Web Authentication
This section describes how to configure the NAC access based on Web authentication.
8.3 Configuring the NAC Access Based on 802.1X Authentication
The procedure for configuring the NAC access based on 802.1X authentication is the same as that for configuring 802.1X authentication. For more details, see 802.1X authentication.
8.4 Configuring the NAC Access Based on MAC Address Authentication
For the procedure of configuring the NAC access based on MAC address authentication, see MAC address authentication.
8.5 Configuring the NAC Access Based on MAC Bypass Authentication
This section describes how to configure the NAC access based on MAC bypass authentication.
8.6 Configuration Examples
This section provides an example for configuring the NAC access based on Web authentication.
Basics
Network Admission Control (NAC) refers to a technology that is used to control the access and isolation of users on the network.
The PC does not need to be installed with terminal software. The S-switch forcibly redirects the user to the Web authentication page. After the user enters the user name and password, the S-switch forwards them to the RADIUS server for authentication. In this case, the user can access the isolation area only.
- The Access Control Server (ACS), functioning as the RADIUS server, replies that the user passes the authentication. An HTTP link is established between the PC and ACS. The ACS checks whether the PC passes the authentication. If the PC has passed the authentication, the user can access the common information area or the core information area according to the authority of the user.
- The mode based on interfaces: once one device connected to an interface passes the 802.1x authentication, other devices connected to the interface are allowed to access the S-switch.
- The mode based on MAC addresses: each device needs to be authenticated before accessing the S-switch.
The typical networking of access based on 802.1x authentication is shown in Figure 8-2. Figure 8-2 Typical networking of 802.1x authentication
Detecting that a user goes online, the S-switch sends an EAP authentication request. If the user does not respond after several requests, the S-switch detects that the user is not installed with terminal software, and then expands the authority of the user to access the isolation area. The S-switch can also redirect the user to the URL to instruct the user to download terminal software.
- After a specified period of time, the S-switch implements 802.1X authentication on the user if detecting that the user is installed with terminal software. After the user passes 802.1X authentication, an HTTP link is established between the PC and the ACS, and the ACS checks whether the PC passes the authentication. If yes, the ACL is updated, and the PC can access the working area.
- If the user is not installed with terminal software but is configured with MAC bypass authentication, the MAC address of the user is used as the user name and password to pass the MAC address authentication. If failing to pass MAC address authentication, the user goes offline, and the S-switch does not implement MAC address authentication or detection for a period of time. After the timeout period, the S-switch implements detection again and determines that the user fails to pass the authentication if the user is not configured with MAC address authentication.
- After the ACS detects that the PC is infected with a virus, the S-switch delivers an ACL to allow the user to access the isolation area only, and redirects the user to the URL to update its virus library or install a corresponding patch. After the user updates its virus library, the ACS detects that the user is secured, and the S-switch updates the ACL through the COA interface on the RADIUS server. In this case, the user is allowed to access the working area.
8.2.1 Establishing the Configuration Task
8.2.2 Configuring the Web Authentication Server
8.2.3 Configuring the Portal Protocol
8.2.4 Configuring Mandatory Web Authentication
8.2.5 Configuring a Non-authentication Rule
8.2.6 Checking the Configuration
Pre-configuration Tasks
None.
Data Preparation
To configure Web authentication, you need the following data.
No. 1: Name, IP address, port number, shared key, and Uniform Resource Locator (URL) of the Web authentication server
No. 2: Version of the Portal protocol, listening port number of the S-switch, and source interface
No. 3: Whether to transparently transmit the RADIUS authentication result to the Web authentication server
No. 4: (Optional) Whether to use mandatory Web authentication

- IP address and name of the Web authentication server
- Port number of the Web authentication server
- Shared key of the Web authentication server
- URL of the Web authentication server
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
If all is specified during the configuration of the port number of the Web authentication server, the configured port number is used as the destination port number of all the packets sent from the S-switch to the Web authentication server, and the destination port number of the packets received from the Web authentication server is used as the source port number of the packets.
----End
- Version of the Portal protocol. The Portal protocol has two versions, that is, V1 and V2. The S-switch supports both versions.
- Listening port number. The listening port number refers to the port number of the interface through which the S-switch monitors the messages of the Web authentication server. By default, the S-switch monitors the messages of the Web authentication server through port 2000.
- Whether to transparently transmit RADIUS messages. The transparent transmission of RADIUS messages indicates that after receiving the authentication result from the RADIUS server, the S-switch forwards the authentication result directly to the Web authentication server without any processing.
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
The S-switch is configured to transparently transmit RADIUS messages. By default, the S-switch transparently transmits RADIUS messages to the Web authentication server.
----End
Procedure
Step 1 Run:
system-view
The mandatory Web authentication server is configured. The URL to which the Web authentication server redirects a user is in the format of "http://www.isp.com/index.htm".
----End
Procedure
Step 1 Run:
system-view
----End
Example
Run the display this command to check that Web authentication is correctly configured on the S-switch.
[S-switch-Vlanif2] display this
#
interface Vlanif2
 ip address 10.1.1.1 255.255.255.0
 web-auth-server webserver
#
Run the display this command to check that the current configuration of the S-switch is correct.
[Quidway-aaa] display this
#
aaa
 authentication-scheme nac
  authentication-mode none
 domain nac
  authentication-scheme nac
 local-user huawei@nac password simple 888
 local-user huawei@nac service-type web
#
return
Pre-configuration Tasks
The 802.1X protocol provides only an implementation scheme for user identity authentication. To complete user identity authentication, you need to select the RADIUS or local authentication method. Before configuring 802.1X, complete the following tasks:
- Configuring the Internet Service Provider (ISP) authentication domain and AAA scheme, that is, the RADIUS or local authentication scheme, for the 802.1X user
- Configuring the user name and password on the RADIUS server if RADIUS authentication is selected
- Adding the user name and password manually on the S-switch if local authentication is selected
Data Preparation
None.
Procedure
Step 1 Run:
system-view
Procedure
Step 1 Run:
system-view
MAC bypass authentication is enabled on an interface. After MAC bypass authentication is enabled on an interface, MAC address authentication is automatically performed if 802.1X authentication fails for a long period of time. The MAC address of the user is sent to the RADIUS server as the user name and password for authentication. By default, MAC bypass authentication is disabled on an interface.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x port-control { auto | authorized-force | unauthorized-force } [ interface interface-type interface-number1 [ to interface-number2 ] ] command to set the port access control mode.
By default, the port access control mode is auto.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x port-method { mac | port } [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to set the port access control method.
By default, the port access control method is mac.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x max-user user-number [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to set the maximum number of concurrent access users on the interface.
By default, an interface allows up to eight concurrent access users. By default, an interface allows up to 256 concurrent access users.
----End
8.5.7 (Optional) Setting the Authentication Method for the 802.1X User
Context
Do as follows on the S-switch.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x authentication-method { chap | eap | pap } command to set the authentication method for the 802.1X user.
By default, the authentication method of an 802.1X user is chap.
----End
- Enabling 802.1X
- Setting the maximum number of concurrent access users to 1 on the interface
- Setting the port access control mode to auto on the interface
- Creating a VLAN to be configured as the guest VLAN
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x guest-vlan vlan-id [ interface { interface-type interface-number1 [ to interface-number2 ] } ] command to configure the guest VLAN on the interface. Alternatively, run the interface interface-type interface-number command to enter the interface view and then run the dot1x guest-vlan vlan-id command to configure the guest VLAN on the interface.
By default, no guest VLAN is configured on an interface.
NOTE
The configured guest VLAN takes effect only when the maximum number of concurrent access users on the interface is 1. If the maximum number of concurrent access users on the interface is not 1, you can still configure the guest VLAN, but the configured guest VLAN does not take effect. Assign different VLAN IDs to the voice VLAN, default VLAN, and 802.1X guest VLAN on the interface to ensure normal services.
----End
8.5.9 (Optional) Setting the Maximum Number of Times for Sending an Authentication Request
Context
Do as follows on the S-switch.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x retry max-retry-value command to set the maximum number of times for sending an authentication request to the access user.
By default, the S-switch can send an authentication request to an access user twice.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x timer { client-timeout client-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauthenticate-period reauthenticate-period-value | server-timeout server-timeout-value | tx-period tx-period-value } command to set the timer parameters.
By default, the settings of the timers are as follows:
- The timeout period of the response from the client is 30s.
- The interval for sending handshake packets is 15s.
- The quiet period of a user failing the authentication is 60s.
- The authentication interval is 3600s.
- The timeout period of the response from the server is 30s.
- The interval for sending authentication requests is 30s.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x quiet-period command to enable the quiet-period timer.
By default, the quiet-period timer is disabled.
----End
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dot1x handshake command to enable the handshake-period timer.
By default, the handshake-period timer is enabled.
----End
Example
Run the display dot1x command, and you can detect that 802.1X authentication is enabled globally and on GigabitEthernet 0/0/1.
3600s 30s
Total maximum 802.1x user resource number is 1024
Total current used 802.1x resource number is 3
GigabitEthernet0/0/1 current state : UP
  802.1x protocol is Enabled
  Port control type is Auto
  Authentication method is MAC-based
  Reauthentication is enabled
  Max online user is 256
  Current online user is 1
  Guest VLAN is disabled
  Authentication Success: 0    Failure: 0
  EAPOL Packets: TX : 0        RX : 0
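The guide's rule that a guest VLAN takes effect only when the maximum number of concurrent access users on the interface is 1, the requirement that voice, default and guest VLAN IDs differ, and the timer defaults listed in the procedures above can all be checked mechanically against what display dot1x reports. The following Python script is an added example, not code from the Huawei guide: it parses an interface block of the shape shown above (the sample text is constructed from that output), merges dot1x timer overrides with the stated defaults, and reports an ineffective guest VLAN. The wording the S-switch would print for a non-default port-control mode ("Authorized-force") is an assumption.

```python
"""Added example (not from the Huawei guide): check 'display dot1x' output
against the guest-VLAN rule and timer defaults stated in section 8.5."""
import re

# Timer defaults stated in the guide (dot1x timer procedure), in seconds.
DEFAULT_TIMERS = {
    "client-timeout": 30,        # timeout of the response from the client
    "handshake-period": 15,      # interval for sending handshake packets
    "quiet-period": 60,          # quiet period of a user failing authentication
    "reauthenticate-period": 3600,
    "server-timeout": 30,        # timeout of the response from the server
    "tx-period": 30,             # interval for sending authentication requests
}

# Constructed sample, modelled on the interface block printed in the guide.
SAMPLE_OUTPUT = """\
GigabitEthernet0/0/1 current state : UP
  802.1x protocol is Enabled
  Port control type is Auto
  Authentication method is MAC-based
  Reauthentication is enabled
  Max online user is 256
  Current online user is 1
  Guest VLAN is disabled
"""

_PATTERNS = {
    "interface": r"^(\S+) current state",
    "state": r"current state : (\S+)",
    "dot1x_enabled": r"802\.1x protocol is (\w+)",
    "port_control": r"Port control type is (\S+)",
    "port_method": r"Authentication method is (\S+)",
    "reauth": r"Reauthentication is (\w+)",
    "max_online_user": r"Max online user is (\d+)",
    "current_online_user": r"Current online user is (\d+)",
    "guest_vlan": r"Guest VLAN is (\S+)",
}


def parse_dot1x_interface(text):
    """Pull the per-interface fields out of one 'display dot1x' interface block."""
    fields = {}
    for name, pattern in _PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m:
            value = m.group(1)
            fields[name] = int(value) if value.isdigit() else value
    return fields


def guest_vlan_effective(max_user, guest_vlan_id):
    """Guide rule: a configured guest VLAN takes effect only when max-user is 1."""
    return guest_vlan_id is not None and max_user == 1


def vlans_separated(voice_vlan, default_vlan, guest_vlan):
    """Guide rule: voice, default and guest VLAN IDs on one interface must differ."""
    ids = [voice_vlan, default_vlan, guest_vlan]
    return len(set(ids)) == len(ids)


def timer_settings(overrides):
    """Merge 'dot1x timer' overrides (a dict keyed by timer name) with the defaults."""
    unknown = set(overrides) - set(DEFAULT_TIMERS)
    if unknown:
        raise ValueError(f"unknown dot1x timer(s): {sorted(unknown)}")
    return {**DEFAULT_TIMERS, **overrides}


def review_interface(fields, configured_guest_vlan=None):
    """Return human-readable findings for one parsed interface block."""
    findings = []
    if fields.get("dot1x_enabled") != "Enabled":
        findings.append("802.1X is not enabled on the interface")
    # Assumed display wording for the authorized-force mode of dot1x port-control.
    if fields.get("port_control", "").lower() == "authorized-force":
        findings.append("port-control authorized-force admits users without authentication")
    if configured_guest_vlan is not None and not guest_vlan_effective(
            fields.get("max_online_user"), configured_guest_vlan):
        findings.append(f"guest VLAN {configured_guest_vlan} is configured but ineffective: "
                        f"max-user is {fields.get('max_online_user')}, not 1")
    return findings


if __name__ == "__main__":
    parsed = parse_dot1x_interface(SAMPLE_OUTPUT)
    print(parsed)
    for finding in review_interface(parsed, configured_guest_vlan=10):
        print("finding:", finding)
```

Run against the sample, the script reports that a guest VLAN configured on GigabitEthernet0/0/1 would be ineffective because the interface allows 256 concurrent users; lowering dot1x max-user to 1 on that interface is the change the guide's note calls for.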
8.6.1 Example for Configuring the NAC Access Based on Web Authentication
Networking Requirements
As shown in Figure 8-3, the user accesses the Web authentication server through the S-switch for identity authentication. After the user enters the user name and password, the S-switch forwards them to the RADIUS server for authentication. The user can access the Internet only after passing the authentication.
- The IP address of the Web authentication server is 10.1.1.1; the port number of the Web authentication server is 50100; the listening port number is 2000; and the key is HuaweiTech.
- The user name and password of the Web authentication user are huawei and 888 respectively; the IP address of the Web authentication user is 10.1.1.2.
- The access type of the Web authentication user is Web.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the user name and password of the Web authentication user.
2. Set the access type of the Web authentication user to Web.
3. Configure the Web authentication server.
4. Configure a non-authentication rule for the Web authentication user.
5. Create and enter the VLANIF interface view.
6. Bind the Web authentication server in the VLANIF interface view to redirect all HTTP request packets to the Web authentication server.
Data Preparation
To complete the configuration, you need the following data:
- User name and password of the Web authentication user
- Access type of the Web authentication user
- IP address, name, port number, and shared key of the Web authentication server
- URL of the Web authentication server, http://www.isp.com/index.htm
- VLAN ID and IP address of the VLANIF interface, 2 and 10.1.1.1 respectively
Configuration Procedure
1. Configure the user name and password of the Web authentication user as huawei and 888 respectively.
<S-switch> system-view
[S-switch] aaa
[S-switch-aaa] authentication-scheme nac
[S-switch-aaa-authen-nac] authentication-mode none
[S-switch-aaa-authen-nac] quit
[S-switch-aaa] domain nac
[S-switch-aaa-domain-nac] authentication-scheme nac
[S-switch-aaa-domain-nac] quit
[S-switch-aaa] local-user huawei@nac password simple 888
2. Set the access type of the Web authentication user to Web.
[S-switch-aaa] local-user huawei@nac service-type web
[S-switch-aaa] quit
3. Configure the IP address of the Web authentication server as 10.1.1.1, the port number of the Web authentication server as 50100, the listening port number as 2000, and the key as HuaweiTech.
[S-switch] web-auth-server webserver 10.1.1.1 port 50100 key HuaweiTech url http://www.isp.com/index.htm
4. Configure a non-authentication rule for the IP address of the Web authentication server, 10.1.1.1.
[S-switch] portal free-rule 1 destination ip 10.1.1.1 mask 255.255.255.0
5. Create VLAN 2 and enter the VLANIF interface view.
[S-switch] vlan batch 2
[S-switch] interface vlanif 2
[S-switch-Vlanif2] ip address 10.1.1.1 255.255.255.0
6. Bind the Web authentication server in the VLANIF interface view to redirect all HTTP request packets to the Web authentication server.
[S-switch-Vlanif2] web-auth-server webserver
7. Verify the configuration.
Run the display this command in the VLANIF interface view to check whether the S-switch is correctly configured.
[S-switch-Vlanif2] display this
#
interface Vlanif2
 ip address 10.1.1.1 255.255.255.0
 web-auth-server webserver
#
Run the display this command in the AAA view to check whether the S-switch is correctly configured.
[S-switch-aaa] display this
#
aaa
 authentication-scheme nac
  authentication-mode none
 domain nac
  authentication-scheme nac
 local-user huawei@nac password simple 888
 local-user huawei@nac service-type web
#
return
8. Check whether the PC functioning as the client is correctly configured.
On the PC, open the IE browser and enter the address of the Web authentication server, http://10.1.1.1/, or any other address. The authentication page of the Web authentication server is displayed. After the user enters the correct user name and password, the user can access the Internet.
Configuration Files
#
 sysname S-switch
#
vlan batch 2
#
web-auth-server webserver 10.1.1.1 port 50100 key HuaweiTech
portal free-rule 1 destination ip 10.1.1.1 mask 255.255.255.0
#
interface Vlanif2
 ip address 10.1.1.1 255.255.255.0
 web-auth-server webserver
#
aaa
 authentication-scheme nac
  authentication-mode none
 domain nac
  authentication-scheme nac
 local-user huawei@nac password simple 888
 local-user huawei@nac service-type web
#
return
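The configuration file above is the artefact a reviewer actually gets to inspect, and several things the procedure depends on can be checked from it: that every VLANIF binding names a defined web-auth-server, that a portal free-rule lets unauthenticated users reach that server at all, how many destination addresses the free rule admits, and how local-user credentials are stored. The following Python script is an added example, not code from the Huawei guide or from Huawei: it parses a configuration of this shape (a constructed copy of the file above, plus a variant with a host mask and a cipher-stored password whose ciphertext is a placeholder) and lists the findings. That `password simple` keeps the password in plaintext in the configuration, while `password cipher` stores it encrypted, is VRP behaviour known outside this page.

```python
"""Added example (not from the Huawei guide): review a Web-authentication
configuration file of the shape shown in the example above."""
import ipaddress
import re

# Constructed copy of the configuration file printed in the guide's example.
SAMPLE_CONFIG = """\
#
 sysname S-switch
#
vlan batch 2
#
web-auth-server webserver 10.1.1.1 port 50100 key HuaweiTech
portal free-rule 1 destination ip 10.1.1.1 mask 255.255.255.0
#
interface Vlanif2
 ip address 10.1.1.1 255.255.255.0
 web-auth-server webserver
#
aaa
 authentication-scheme nac
  authentication-mode none
 domain nac
  authentication-scheme nac
 local-user huawei@nac password simple 888
 local-user huawei@nac service-type web
#
return
"""

# Same file with a host mask on the free rule and a cipher-stored password
# (the ciphertext is a placeholder, not a real value).
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("mask 255.255.255.0", "mask 255.255.255.255")
                   .replace("password simple 888",
                            "password cipher %CIPHERTEXT-PLACEHOLDER%"))

_SERVER = re.compile(r"web-auth-server (\S+) (\d+\.\d+\.\d+\.\d+) port (\d+) key (\S+)")
_FREE_RULE = re.compile(r"portal free-rule (\d+) destination ip (\S+) mask (\S+)")
_BINDING = re.compile(r"web-auth-server (\S+)$")
_PLAIN_PW = re.compile(r"local-user (\S+) password simple ")


def parse_config(text):
    """Collect servers, free rules, interface bindings, plaintext passwords and
    'authentication-mode none' schemes from a VRP-style configuration."""
    cfg = {"servers": {}, "free_rules": [], "bindings": {},
           "plain_passwords": [], "none_schemes": []}
    current_if = current_scheme = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                      # section separator ends an interface view
            current_if = None
            continue
        if m := _SERVER.match(line):
            cfg["servers"][m.group(1)] = {"ip": m.group(2), "port": int(m.group(3)),
                                          "key": m.group(4)}
        elif m := _FREE_RULE.match(line):
            cfg["free_rules"].append({"id": int(m.group(1)), "ip": m.group(2),
                                      "mask": m.group(3)})
        elif m := re.match(r"interface (\S+)", line):
            current_if = m.group(1)
        elif (m := _BINDING.match(line)) and current_if:
            cfg["bindings"][current_if] = m.group(1)
        elif m := _PLAIN_PW.match(line):
            cfg["plain_passwords"].append(m.group(1))
        elif line.startswith("authentication-scheme "):
            current_scheme = line.split()[1]
        elif line == "authentication-mode none" and current_scheme:
            cfg["none_schemes"].append(current_scheme)
    return cfg


def _network(rule):
    return ipaddress.IPv4Network((rule["ip"], rule["mask"]), strict=False)


def free_rule_covers(rule, ip):
    """Does this free rule let unauthenticated users reach the address?"""
    return ipaddress.IPv4Address(ip) in _network(rule)


def free_rule_address_count(rule):
    """How many destination addresses the rule admits without authentication."""
    return _network(rule).num_addresses


def review_config(text):
    """Return the findings a reviewer would raise about the configuration."""
    cfg = parse_config(text)
    findings = []
    for intf, name in cfg["bindings"].items():
        server = cfg["servers"].get(name)
        if server is None:
            findings.append(f"{intf} binds undefined web-auth-server {name}")
            continue
        covering = [r for r in cfg["free_rules"] if free_rule_covers(r, server["ip"])]
        if not covering:
            findings.append(f"no portal free-rule covers web-auth-server {name} "
                            f"({server['ip']}); unauthenticated users could not reach the portal")
        for r in covering:
            n = free_rule_address_count(r)
            if n > 1:
                findings.append(f"free-rule {r['id']} admits {n} destination addresses, "
                                f"not only the portal at {server['ip']}")
    for user in cfg["plain_passwords"]:
        findings.append(f"local-user {user}: 'password simple' stores the password "
                        f"in plaintext in the configuration")
    for scheme in cfg["none_schemes"]:
        findings.append(f"authentication-scheme {scheme} uses authentication-mode none; "
                        f"confirm that is intended")
    return findings


if __name__ == "__main__":
    for finding in review_config(SAMPLE_CONFIG):
        print("finding:", finding)
```

On the file above the script raises three findings: the free rule with mask 255.255.255.0 admits the whole 10.1.1.0/24 rather than only the portal address, the local user's password is stored with `simple`, and the nac scheme uses `authentication-mode none`. The hardened variant clears the first two and leaves only the scheme finding for the reviewer to confirm.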
9 PPPoE+ Configuration
About This Chapter
This chapter describes the basics, configuration procedures, and configuration examples of PPPoE+.
9.1 PPPoE+ Overview
9.2 PPPoE+ Supported by the S-switch
9.3 Configuring PPPoE+
This section describes how to configure PPPoE+.
9.4 Configuration Examples
This section provides a configuration example of PPPoE+.
Pre-configuration Tasks
None.
Data Preparation
To configure PPPoE+, you need the following data:
No.  Data
1    Numbers of interfaces related to PPPoE authentication
2    Format and contents of the fields to be inserted into PPPoE packets
Procedure
Step 1 Run:
system-view
9.3.3 Configuring Actions for an Interface to Process the Original Fields in PPPoE Packets
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
Actions are configured for an interface to process the original fields in PPPoE packets.
Step 3 (Optional) Run:
interface interface-type interface-number
Actions are configured for an interface to process the original fields in PPPoE packets.
----End
9.3.4 Configuring the Format and Contents of the Fields to be Inserted into PPPoE Packets
Context
Do as follows on the S-switch.
Procedure
Step 1 Run:
system-view
The format and contents of the fields to be added to PPPoE packets are configured.
----End
Procedure
Step 1 Run:
system-view
Action: Check information about the globally configured circuit-id and remote-id parameters.
Command: display pppoe intermediate-agent information format
Action: Check the actions configured on the device to process the original fields in PPPoE packets.
Command: display pppoe intermediate-agent information policy
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable PPPoE+ globally or on specified interfaces of the S-switch.
NOTE
2. Configure actions for the S-switch to process PPPoE packets.
3. Configure the format and contents of the fields to be inserted by the S-switch into PPPoE packets.
4. Configure the interfaces connecting the PPPoE server on the S-switch to be trusted.
Data Preparation
None.
Configuration Procedure
1. Enable PPPoE+ on the S-switch.
<Quidway> system-view
[Quidway] pppoe intermediate-agent information enable
2.
Configure all interfaces to replace the original fields in PPPoE packets with the circuit-id fields configured on the local S-switches.
[Quidway] pppoe intermediate-agent information policy replace
3.
Configure the S-switch to add the circuit-id fields in the extended format to PPPoE packets. That is, the circuit-id fields are filled in the hexadecimal format.
[Quidway] pppoe intermediate-agent information format circuit-id extend
4. Configure the interface connecting the PPPoE server, GigabitEthernet 0/0/3, as a trusted interface.
[Quidway] interface gigabitethernet 0/0/3
[Quidway-GigabitEthernet0/0/3] pppoe uplink-port trusted
Configuration Files
Configuration file of the S-switch
#
 sysname Quidway
#
pppoe intermediate-agent information enable
pppoe intermediate-agent information format circuit-id extend
#
interface GigabitEthernet0/0/3
 pppoe uplink-port trusted
#
return
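The configuration above enables PPPoE+, sets the action for fields already present in client packets to replace, selects the extended circuit-id format, and marks the server-facing uplink as trusted. To make concrete what is being inserted and replaced, the following Python script is an added example, not code from the guide or from Huawei: it encodes and decodes the PPPoE Vendor-Specific tag in which PPPoE+ (the PPPoE Intermediate Agent) carries the circuit-id and remote-id, and models the relay decision for a trusted versus an untrusted port. The tag layout (tag type 0x0105, vendor ID 0x00000DE9, sub-options 1 and 2) comes from RFC 2516 and Broadband Forum TR-101, not from this page; the circuit-id strings are constructed, the S-switch's own extended format is not reproduced, and "keep" is a policy name of this model only, not a CLI keyword from the page.

```python
"""Added example (not from the Huawei guide): the PPPoE vendor-specific tag
that PPPoE+ inserts, and a model of the relay decision for trusted and
untrusted ports with the 'replace' action used in the guide's example."""
import struct

TAG_SERVICE_NAME = 0x0101      # RFC 2516 Service-Name tag (used only as filler here)
TAG_VENDOR_SPECIFIC = 0x0105   # RFC 2516 Vendor-Specific tag; carries the PPPoE+ fields
BBF_VENDOR_ID = 0x00000DE9     # IANA enterprise number 3561 (Broadband Forum, TR-101)
SUB_CIRCUIT_ID = 0x01          # TR-101 Agent-Circuit-Id sub-option
SUB_REMOTE_ID = 0x02           # TR-101 Agent-Remote-Id sub-option


def encode_tags(tags):
    """Serialize [(tag_type, value), ...] as PPPoE TLVs (16-bit type, 16-bit length)."""
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def decode_tags(payload):
    """Parse PPPoE TLVs back into [(tag_type, value), ...]; reject truncation."""
    tags, off = [], 0
    while off + 4 <= len(payload):
        t, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated PPPoE tag")
        tags.append((t, payload[off:off + length]))
        off += length
    if off != len(payload):
        raise ValueError("trailing bytes after last PPPoE tag")
    return tags


def build_agent_tag(circuit_id, remote_id=None):
    """Vendor-Specific tag value: 4-byte vendor ID, then 1-byte type / 1-byte length sub-options."""
    body = struct.pack("!I", BBF_VENDOR_ID)
    for sub, val in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        if val is not None:
            if len(val) > 255:
                raise ValueError("sub-option value exceeds one-byte length")
            body += bytes((sub, len(val))) + val
    return body


def parse_agent_tag(value):
    """Return the sub-options of a Broadband Forum agent tag, or None if the vendor ID differs."""
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != BBF_VENDOR_ID:
        return None
    names = {SUB_CIRCUIT_ID: "circuit_id", SUB_REMOTE_ID: "remote_id"}
    out, off = {}, 4
    while off + 2 <= len(value):
        sub, length = value[off], value[off + 1]
        off += 2
        if off + length > len(value):
            raise ValueError("truncated agent sub-option")
        out[names.get(sub, sub)] = value[off:off + length]
        off += length
    return out


def intermediate_agent(tags, port_trusted, local_circuit_id, policy="replace"):
    """Relay decision for one upstream discovery packet (PADI/PADR).
    Trusted (server-facing) port: forward the tags unchanged.
    Untrusted (client-facing) port: add this node's circuit-id; if the client
    already supplied an agent tag, 'replace' (the guide's example) overwrites it
    and 'keep' (a name of this model, not a CLI keyword) leaves it in place."""
    if port_trusted:
        return list(tags)
    if policy not in ("replace", "keep"):
        raise ValueError(f"unknown policy {policy!r}")
    ours = (TAG_VENDOR_SPECIFIC, build_agent_tag(local_circuit_id))
    client_agent = [t for t in tags
                    if t[0] == TAG_VENDOR_SPECIFIC and parse_agent_tag(t[1]) is not None]
    if client_agent and policy == "keep":
        return list(tags)
    return [t for t in tags if t not in client_agent] + [ours]


if __name__ == "__main__":
    # Constructed PADI: a Service-Name tag plus a client-supplied agent tag.
    padi = encode_tags([(TAG_SERVICE_NAME, b""),
                        (TAG_VENDOR_SPECIFIC, build_agent_tag(b"client-supplied"))])
    relayed = intermediate_agent(decode_tags(padi), False, b"S-switch eth 0/0/3:2")
    print([(hex(t), parse_agent_tag(v) if t == TAG_VENDOR_SPECIFIC else v)
           for t, v in relayed])
```

The point of marking only the uplink as trusted is visible in the model: an agent tag arriving on a client port is never taken at face value under the replace action, so the server sees the circuit-id the access node itself wrote, while tags on the trusted server-facing port pass through untouched.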