Agenda Comware 5 and Comware 7 device based AAA:

Presentation transcript:

Agenda

Comware 5 and Comware 7 device based AAA:
- RADIUS
- TACACS+ (with RBAC)

Comware 5 and Comware 7 endpoint device AAA:
- MAC Authentication
- 802.1X Authentication
- Captive Portal

Device based AAA

Device based AAA support matrix (ClearPass with Comware 5 and Comware 7):
- RADIUS based AAA
- TACACS+ based AAA
- TACACS+ based AAA with RBAC

Comware 5 and RADIUS with ClearPass: Switch configuration

ssh server enable
public-key local create rsa
radius scheme clearpass
 server-type extended
 primary authentication 10.1.254.21 key simple secretpassword
 primary accounting 10.1.254.21 key simple secretpassword
 user-name-format without-domain
 nas-ip 10.1.254.201
domain radius
 authentication login radius-scheme clearpass local
 authorization login radius-scheme clearpass local
 accounting login radius-scheme clearpass local
user-interface vty 0 2
 authentication-mode scheme
 protocol inbound ssh
domain default enable radius

Comware 5 and RADIUS with ClearPass: ClearPass Configuration
- Import the new H3C dictionary (download from arubanetworks.com)
- Configure a NAD
- Create users/roles/role mappings
- Create profiles (different access levels): Value = 0, 1, 2 or 3 (0=Access, 1=Monitor, 2=Manager and 3=Administrator)
- Create a policy (map the profiles)
- Create a service
- Test and check out the Access Tracker

H3C dictionary (ClearPass export):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Thu Apr 20 11:26:16 CEST 2017" version="6.6"/>
  <Dictionaries>
    <Vendor vendorEnabled="true" prefix="H3C" name="RADIUS:H3C" id="25506">
      <RADIUSAttributes>
        <Attribute profile="in out" type="Unsigned32" name="H3C-Connect_Id" id="26"/>
        <Attribute profile="in out" type="Unsigned32" name="H3C-Exec_Privilege" id="29"/>
        <Attribute profile="in out" type="String" name="H3C-Ip-Host-Addr" id="60"/>
        <Attribute profile="in out" type="Unsigned32" name="H3C-NAS-Startup-Timestamp" id="59"/>
        <Attribute profile="in out" type="String" name="H3C_AV_PAIR" id="210"/>
        <Attribute profile="in out" type="String" name="H3C_WEB_URL" id="250"/>
      </RADIUSAttributes>
    </Vendor>
  </Dictionaries>
</TipsContents>
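The dictionary above only tells ClearPass how to name the H3C vendor attributes; on the wire they travel inside the standard RADIUS Vendor-Specific attribute (type 26) with vendor id 25506. The following Python is an added example (not code from the deck, ClearPass or Comware) that reads the dictionary export, encodes the H3C-Exec_Privilege value a management-login profile would send, and decodes it back while checking the length fields. The dictionary text is a constructed copy of the slide's export; the AV-pair string in the usage call is a constructed placeholder.

```python
import struct
import xml.etree.ElementTree as ET

# Constructed copy of the H3C dictionary export shown on the slide.
H3C_DICTIONARY_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Thu Apr 20 11:26:16 CEST 2017" version="6.6"/>
  <Dictionaries>
    <Vendor vendorEnabled="true" prefix="H3C" name="RADIUS:H3C" id="25506">
      <RADIUSAttributes>
        <Attribute profile="in out" type="Unsigned32" name="H3C-Connect_Id" id="26"/>
        <Attribute profile="in out" type="Unsigned32" name="H3C-Exec_Privilege" id="29"/>
        <Attribute profile="in out" type="String" name="H3C-Ip-Host-Addr" id="60"/>
        <Attribute profile="in out" type="Unsigned32" name="H3C-NAS-Startup-Timestamp" id="59"/>
        <Attribute profile="in out" type="String" name="H3C_AV_PAIR" id="210"/>
        <Attribute profile="in out" type="String" name="H3C_WEB_URL" id="250"/>
      </RADIUSAttributes>
    </Vendor>
  </Dictionaries>
</TipsContents>"""

TIPS_NS = {"t": "http://www.avendasys.com/tipsapiDefs/1.0"}
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type 26: Vendor-Specific

# Meaning of the H3C-Exec_Privilege values as the slide lists them.
EXEC_PRIVILEGE_NAMES = {0: "Access", 1: "Monitor", 2: "Manager", 3: "Administrator"}


def load_h3c_dictionary(xml_text):
    """Return (vendor_id, {attr_name: (vendor_type, data_type)}) from a TipsContents export."""
    root = ET.fromstring(xml_text)
    vendor = root.find(".//t:Vendor", TIPS_NS)
    attrs = {a.get("name"): (int(a.get("id")), a.get("type"))
             for a in vendor.findall("t:RADIUSAttributes/t:Attribute", TIPS_NS)}
    return int(vendor.get("id")), attrs


def encode_vsa(dictionary, name, value):
    """Encode one dictionary attribute as a RADIUS Vendor-Specific attribute (RFC 2865, section 5.26)."""
    vendor_id, attrs = dictionary
    vendor_type, data_type = attrs[name]
    if data_type == "Unsigned32":
        payload = struct.pack("!I", int(value))
    elif data_type == "String":
        payload = str(value).encode("utf-8")
    else:
        raise ValueError(f"unsupported dictionary type {data_type}")
    # Vendor-Type, Vendor-Length (covers itself), then the value.
    inner = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    if 6 + len(inner) > 255:
        raise ValueError("VSA exceeds the 255-byte RADIUS attribute limit")
    # Type 26, Length (covers the whole attribute), Vendor-Id, then the vendor part.
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def decode_vsa(dictionary, data):
    """Parse one Vendor-Specific attribute to (name, value), rejecting other vendors and bad lengths."""
    vendor_id, attrs = dictionary
    if len(data) < 8:
        raise ValueError("attribute too short to hold a vendor header")
    attr_type, length, vid = struct.unpack("!BBI", data[:6])
    if attr_type != VENDOR_SPECIFIC or length != len(data) or vid != vendor_id:
        raise ValueError("not a Vendor-Specific attribute for this vendor")
    vendor_type, vlen = struct.unpack("!BB", data[6:8])
    if vlen != len(data) - 6:
        raise ValueError("Vendor-Length disagrees with attribute length")
    by_id = {vt: (name, dt) for name, (vt, dt) in attrs.items()}
    if vendor_type not in by_id:
        raise ValueError(f"vendor type {vendor_type} not in dictionary")
    name, data_type = by_id[vendor_type]
    payload = data[8:]
    if data_type == "Unsigned32":
        return name, struct.unpack("!I", payload)[0]
    return name, payload.decode("utf-8")


def exec_privilege_reply(dictionary, level):
    """Build the H3C-Exec_Privilege VSA for a device-login profile; only levels 0..3 are meaningful."""
    if level not in EXEC_PRIVILEGE_NAMES:
        raise ValueError("privilege level must be 0, 1, 2 or 3")
    return encode_vsa(dictionary, "H3C-Exec_Privilege", level)


if __name__ == "__main__":
    d = load_h3c_dictionary(H3C_DICTIONARY_XML)
    raw = exec_privilege_reply(d, 3)
    print(raw.hex(), decode_vsa(d, raw))
    # Constructed placeholder value; the real AV-pair syntax depends on the use case.
    print(decode_vsa(d, encode_vsa(d, "H3C_AV_PAIR", "example=constructed-value")))
```

The decoder checks both the outer RADIUS length and the inner Vendor-Length before trusting the payload, which is the check a RADIUS parser needs when it receives attributes from a server it does not fully control.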

Comware 7 and RADIUS with ClearPass: Switch configuration

ssh server enable
public-key local create rsa
radius scheme clearpass
 server-type extended
 primary authentication 10.1.254.21 key simple secretpassword
 primary accounting 10.1.254.21 key simple secretpassword
 user-name-format without-domain
 nas-ip 10.1.254.201
domain radius
 authentication login radius-scheme clearpass local
 authorization login radius-scheme clearpass local
 accounting login radius-scheme clearpass local
user-interface vty 0 2
 authentication-mode scheme
 protocol inbound ssh
domain default enable radius

Comware 7 and RADIUS with ClearPass: ClearPass Configuration
- Configure a NAD
- Create users/roles/role mappings
- Create profiles (different access levels); we are using the Cisco AV pair VSA: shell:roles= *
- Create a policy (map the profiles)
- Create a service
- Test and check out the Access Tracker

Comware 5 and TACACS+ with ClearPass and RBAC: Switch configuration

ssh server enable
public-key local create rsa
hwtacacs scheme ClearPass
 primary authentication 10.1.254.21 key simple secretpassword
 primary authorization 10.1.254.21 key simple secretpassword
 primary accounting 10.1.254.21 key simple secretpassword
domain tacacs
 authentication login hwtacacs-scheme ClearPass local
 authorization login hwtacacs-scheme ClearPass local
 accounting login hwtacacs-scheme ClearPass local
 authorization command hwtacacs-scheme ClearPass local
 accounting command hwtacacs-scheme ClearPass
domain default enable tacacs
user-interface vty 0 2
 authentication-mode scheme
 command authorization
 command accounting
 protocol inbound ssh

Comware 5 and TACACS+ with ClearPass and RBAC: ClearPass Configuration
- Configure a NAD
- Create users/roles/role mappings
- Create profiles: assign the Shell service with priv-lvl; for RBAC, deny unmatched commands
- Create a policy (map the profiles)
- Create a service
- Test and check out the Access Tracker
- Check out RBAC

Comware 7 and TACACS+ with ClearPass and RBAC: Switch configuration

ssh server enable
public-key local create rsa
hwtacacs scheme ClearPass
 primary authentication 10.1.254.21 key simple secretpassword
 primary authorization 10.1.254.21 key simple secretpassword
 primary accounting 10.1.254.21 key simple secretpassword
domain tacacs
 authentication login hwtacacs-scheme ClearPass local
 authorization login hwtacacs-scheme ClearPass local
 accounting login hwtacacs-scheme ClearPass local
 authorization command hwtacacs-scheme ClearPass local
 accounting command hwtacacs-scheme ClearPass
domain default enable tacacs
user-interface vty 0 2
 authentication-mode scheme
 command authorization
 command accounting
 protocol inbound ssh

Comware 7 and TACACS+ with ClearPass and RBAC: ClearPass Configuration
- Configure a NAD
- Create users/roles/role mappings
- Create profiles: assign the Shell service with priv-lvl (0-15); for RBAC, deny unmatched commands
- Create a policy (map the profiles)
- Create a service
- Test and check out the Access Tracker
- Check out RBAC

Endpoint based AAA

Device based AAA support matrix (ClearPass with Comware 5 and Comware 7):
- Captive Portal
- MAC Authentication
- 802.1X

Comware 5 & 7 and MAC Authentication/802.1X: RADIUS based enforcements
- The ACL is configured locally on the switch
- VLAN assignment can be based on VLAN name or VLAN ID
- Comware does not accept an ACL name via the RADIUS Filter-Id or url-redirect attributes; the ACL number must be sent
- If you do not send an ACL in the RADIUS response and there is no ACL statically configured on the port, all traffic is permitted for that session
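The three constraints above are easy to get wrong in an enforcement profile, and the last one fails open. As an added example (not ClearPass's own validation, and using a plain dict of attribute name to value rather than ClearPass's profile model), the following Python checks a reply attribute set against those constraints before it is deployed: a named ACL in Filter-Id is an error, a VLAN given by name or by ID is accepted, the standard RFC 3580 tunnel attributes must accompany the VLAN, and a reply with no ACL on a port without a static ACL is flagged as permitting all traffic. The sample profiles are constructed.

```python
import re

# RFC 2868 / RFC 3580 values that must accompany a VLAN assignment.
TUNNEL_TYPE_VLAN = "VLAN"        # Tunnel-Type = 13
TUNNEL_MEDIUM_802 = "IEEE-802"   # Tunnel-Medium-Type = 6


def check_comware_enforcement(reply, port_has_static_acl=False):
    """Check a RADIUS reply attribute set against the Comware constraints on the slide.

    reply: dict of RADIUS attribute name -> value as the profile would send it
    (a constructed representation, not ClearPass's data model).
    port_has_static_acl: whether the access port already carries a static ACL.
    Returns a list of (severity, message); ERROR means the switch will not apply it as intended.
    """
    findings = []

    acl = reply.get("Filter-Id")
    if acl is None:
        if not port_has_static_acl:
            findings.append(("WARN", "no ACL in the reply and none static on the port: "
                                     "all traffic is permitted for this session"))
    elif not re.fullmatch(r"\d+", str(acl)):
        # Comware needs the ACL number; a name is silently useless.
        findings.append(("ERROR", f"Filter-Id {acl!r} is an ACL name; Comware only accepts an ACL number"))

    vlan = reply.get("Tunnel-Private-Group-ID")
    if vlan is not None:
        # Either a VLAN ID or a VLAN name is accepted here, so both forms pass.
        if (reply.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
                or reply.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802):
            findings.append(("ERROR", "VLAN assignment needs Tunnel-Type=VLAN and "
                                      "Tunnel-Medium-Type=IEEE-802 next to Tunnel-Private-Group-ID"))
    return findings


def is_deployable(reply, port_has_static_acl=False):
    """True when the reply has no ERROR findings (warnings still deserve a look)."""
    return not any(sev == "ERROR" for sev, _ in check_comware_enforcement(reply, port_has_static_acl))


# Constructed sample profiles in the shape a ClearPass enforcement profile would send.
PROFILES = {
    "mac-auth-redirect": {"Filter-Id": "3001", "Tunnel-Type": "VLAN",
                          "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": "10"},
    "dot1x-vlan-by-name": {"Filter-Id": "3002", "Tunnel-Type": "VLAN",
                           "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": "Employees"},
    "guest-acl-by-name": {"Filter-Id": "guestAccess"},
    "vlan-only-no-acl": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                         "Tunnel-Private-Group-ID": "11"},
}

if __name__ == "__main__":
    for name, profile in PROFILES.items():
        print(name, check_comware_enforcement(profile) or "ok")
```

Run it as part of a change review: a profile that only carries a VLAN is a common way to end up with an unfiltered guest session on a port nobody remembered to give a static ACL.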

Comware 5 & 7 and MAC Authentication/802.1X: Switch Configuration
- Configure the RADIUS scheme and domain
- Enable port-security globally
- Configure security parameters per port
- Other configurations include VLANs and ACLs

radius scheme accesssecurity
 primary authentication 10.1.254.21 key simple secretpassword
 primary accounting 10.1.254.21 key simple secretpassword
 accounting-on enable
 user-name-format without-domain
domain accesssecurity
 authentication lan-access radius-scheme accesssecurity local
 authorization lan-access radius-scheme accesssecurity local
 accounting lan-access radius-scheme accesssecurity local
dot1x authentication-method eap
mac-authentication domain accesssecurity
port-security enable
port-security mac-move permit   (only on Comware 7)
interface GigabitEthernet1/0/1
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 untagged
 mac-vlan enable
 stp edged-port
 undo dot1x multicast-trigger
 undo dot1x handshake
 mac-authentication max-user 10
 mac-authentication host-mode multi-vlan
 port-security port-mode userlogin-secure-or-mac-ext

mac-authentication host-mode multi-vlan: when the port receives a packet sourced from an authenticated user in a VLAN that does not match the existing MAC-VLAN mapping, the device logs off and reauthenticates the user.

Comware 5 & 7 and MAC Authentication/802.1X: ClearPass Configuration
- Configure the Network Access Device
- Configure users/roles/role mappings
- Create profiles that contain the VLAN/ACL assignments (different ones for MAC Auth and 802.1X)
- Create policies with rule mappings for MAC Auth and 802.1X
- Create a service for MAC authentication and one for 802.1X authentication

Comware 5 & 7 and MAC Authentication/802.1X: Test and check out the Access Tracker (MAC Authentication)

Comware 5 & 7 and MAC Authentication/802.1X: Test and check out the Access Tracker (802.1X Authentication)

Comware 5 & 7 and MAC Authentication/802.1X: Check out the switch

802.1X Authentication, Comware 5:
display dot1x session interface gigabitethernet 1/0/1
display dot1x interface gigabitethernet 1/0/1

802.1X Authentication, Comware 7:
display dot1x connection interface gigabitethernet 1/0/1

MAC Authentication, Comware 5 & 7:
display mac-authentication interface gigabitethernet 1/0/1

Comware 5 and ClearPass Captive Portal
- Comware 5 only supports the local web portal
- The local web portal can use ClearPass as AAA service (including VLAN and ACL push)

Configuration steps on the switch:
- Configure the portal parameters: HTTP or HTTPS; add a portal-free rule (for example to allow DHCP or DNS); optionally set a banner
- Configure AAA
- Enable portal on the physical interface: set the interface to hybrid mode and enable MAC VLAN (required for MAC address to VLAN mapping)

radius scheme webportal
 server-type extended
 primary authentication 10.1.254.21 key simple secretpassword
 primary accounting 10.1.254.21 key simple secretpassword
 user-name-format without-domain
domain webportal
 authentication portal radius-scheme webportal local
 authorization portal radius-scheme webportal local
 accounting portal radius-scheme webportal local
domain default enable webportal
portal local-server http(s)
portal local-server ip 10.1.254.201
portal free-rule 0 source any destination ip 10.1.254.24 mask 255.255.255.255
portal server banner Comware 5 Captive Portal with ClearPass
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid vlan 1 untagged
 mac-vlan enable
 portal local-server enable
 portal auth-fail vlan 10

Comware 7 and ClearPass Captive Portal

Selected Comware 7 devices support Change of Authorization (CoA):
- HPE 5130EI (R3115P07)
- HPE 5130HI (R1308)
- HPE 5510HI (D1308)

Supported CoA commands:
- Terminate Session: traditional disconnect message; reinitializes the authenticator state
- Bounce Host Port: bounces the port by disabling and re-enabling it (ClearPass uses this one for the Captive Portal)
- Disable Host Port: administratively disables the port

Important: the NAD has to be configured as a Cisco device (for now). URL redirection and ACL assignment are achieved through the H3C AV-Pair VSA.

Comware 7 and ClearPass Captive Portal process (diagram: Client, Switch, ClearPass, WAN)
1. Client connects to the switch
2. Switch performs authentication with ClearPass (MAC Auth)
3. ClearPass returns the redirection VSAs (ACL to allow DHCP/DNS/Web portal)
4. Client is redirected to the Web Portal, authenticates (Web Auth) and logs in
5. Upon successful authentication the Web Auth service issues a port bounce
6. Switch performs authentication with ClearPass again (MAC Auth), which is now a successful guest authentication
7. ClearPass returns the "authenticated guest" VSAs (guest VLAN and ACL) and the client gains access

Comware 7 and ClearPass Captive Portal: Switch Configuration
- Configure the RADIUS scheme and domain
- Enable port-security globally and create a RADIUS dynamic-author server (required for CoA)
- Configure security parameters per port
- Other configurations include VLANs and ACLs

radius scheme ClearPass
 primary authentication 10.1.254.21 key simple secretpassword
 primary accounting 10.1.254.21 key simple secretpassword
 accounting-on enable
 user-name-format without-domain
domain ClearPass
 authentication lan-access radius-scheme ClearPass local
 authorization lan-access radius-scheme ClearPass local
 accounting lan-access radius-scheme ClearPass local
port-security enable
radius dynamic-author server
 client ip 10.1.254.21 key simple secretpassword
acl advanced 3001
 description WebPortalRedirect
 rule 0 permit ip destination 10.1.254.21 0
 rule 5 permit ip destination 10.1.254.24 0
 rule 10 permit udp destination-port eq bootps
 rule 15 permit udp destination-port eq dns
acl advanced 3002
 description guestAccess
 rule 0 deny ip destination 10.1.254.0 255.255.255.0
 rule 5 permit ip
vlan 10
vlan 11
interface gigabitethernet 1/0/24
 description uplink
 port link-type trunk
 port trunk permit vlan 10 to 11

Access port configuration:
 port link-mode bridge
 port link-type hybrid
 port hybrid vlan 1 untagged
 stp edged-port
 mac-authentication domain ClearPass
 port-security port-mode mac-else-userlogin-secure-ext

Comware 7 and ClearPass Captive Portal (I): ClearPass Configuration
- Ensure you have the latest H3C RADIUS dictionary, containing:
  <Attribute profile="in out" type="String" name="H3C_AV_PAIR" id="210"/>
- Configure the NAD device (set Vendor name to Cisco)
- Create a profile for web redirection (with H3C AV-Pair VSAs for redirect and ACL)
- Create a profile for guest access

H3C dictionary (ClearPass export):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Thu Apr 20 11:26:16 CEST 2017" version="6.6"/>
  <Dictionaries>
    <Vendor vendorEnabled="true" prefix="H3C" name="RADIUS:H3C" id="25506">
      <RADIUSAttributes>
        <Attribute profile="in out" type="Unsigned32" name="H3C-Connect_Id" id="26"/>
        <Attribute profile="in out" type="Unsigned32" name="H3C-Exec_Privilege" id="29"/>
        <Attribute profile="in out" type="String" name="H3C-Ip-Host-Addr" id="60"/>
        <Attribute profile="in out" type="Unsigned32" name="H3C-NAS-Startup-Timestamp" id="59"/>
        <Attribute profile="in out" type="String" name="H3C_AV_PAIR" id="210"/>
        <Attribute profile="in out" type="String" name="H3C_WEB_URL" id="250"/>
      </RADIUSAttributes>
    </Vendor>
  </Dictionaries>
</TipsContents>

Comware 7 and ClearPass Captive Portal (II): ClearPass Configuration
- Create a policy for MAC Authentication:
  - Assign the guest role to an authenticated guest user (authenticated through the web portal)
  - Assign the redirect role to an authenticated MAC user
- Create a policy for the port bounce: assign the "Cisco - Bounce-Host-Port" profile and update the endpoint information to a known endpoint

Comware 7 and ClearPass Captive Portal (III): ClearPass Configuration
- Create a service for MAC Authentication:
  - Automatically authenticates all MAC Auth requests
  - Depending on the "User Authenticated" or "[Guest]" TIPS role, either redirect or allow access (enforced through the policy)
  - Cache results to allow automatic MAC re-authentication (MAC information cached in ClearPass)
- Create a WebAuth service that bounces the access port upon successful web authentication

Comware 7 and ClearPass Captive Portal (IV): ClearPass Configuration
- Create a web portal page:
  - Vendor: Aruba Networks
  - Login method: server initiated, to support CoA (the MAC address is provided through the H3C-AVPair VSA)
  - Set the login delay long enough for the port to re-authenticate after the port bounce
- Create guest user accounts (assign to the appropriate role mapping)

Comware 7 and ClearPass Captive Portal (V): ClearPass Configuration. Put it to the test...

Comware 7 and ClearPass Captive Portal (VI): ClearPass Configuration. Put it to the test...

Comware 7 and ClearPass Captive Portal (VII): ClearPass Configuration. Put it to the test...