
AR Router Maintenance Guide-FAQ(Security)

Latest reply: Aug 30, 2017 06:34:39

2.15  Security

2.15.1  Why Must the Administrator Pass the AAA Authentication?

To ensure device security, the administrator must be authenticated by AAA, in either local or remote authentication mode. However, if the VTY user interface is set to non-authentication mode in the user interface view, the administrator can log in without being authenticated.

2.15.2  Why Does RADIUS Authentication Fail When the RADIUS Server Template and RADIUS Server Are Properly Configured?

This problem has the following possible causes:

  • The IP address of the router (a RADIUS client) is not configured on the RADIUS server, so the RADIUS server cannot send an authentication response packet to the router.
  • Different shared keys are configured on the router and the RADIUS server.

2.15.3  Why Does the Server Checking Error Occur During RADIUS Dynamic Authentication?

This error occurs because the RADIUS authentication server is not configured properly.

2.15.4  Why Does HWTACACS Authentication Fail When the HWTACACS Server Template and HWTACACS Server Are Properly Configured?

This failure has the following possible causes:

  • The IP address of the router (a client) is not configured on the HWTACACS server, so the HWTACACS server cannot send an authentication response packet to the router.
  • Different shared keys are configured on the router and the HWTACACS server.

2.15.5  Why Are Accounting Packets Received When Commands Are Run on Devices?

Accounting packets are sent so that the commands run on the device can be recorded as command history. To disable this function, run the undo cmd recording-scheme command in the AAA view.

2.15.6  When Does the 802.1x Dynamic VLAN Take Effect?

Dynamic VLAN takes effect only with port-based authentication, and only on access interfaces or on hybrid interfaces whose PVID is untagged.

2.15.7  Why Are the 802.1x Users' IP Addresses Not Displayed After I Run the Display Access-User Command?

The device learns the IP address of an authenticated online user from ARP packets that the user sends. If the user does not send any ARP packets, the device cannot learn or display the user's IP address.

2.15.8  Why Do ACLs Sometimes Not Take Effect?

The device delivers access control lists (ACLs) to MAC-based users only after the IP addresses are learned.

2.15.9  Which Domain Is Preferentially Used to Authenticate Users in mac-authen Mode?

The following domains are listed in descending order of priority:
  1. Domain corresponding to the MAC address that is configured by the mac-authen domain mac-address command in the system view
  2. Domain configured by the mac-authen domain command in the interface view
  3. Domain configured by the mac-authen domain command in the system view
  4. Default domain in the system view
NOTE:

Only V200R007 and earlier versions support this FAQ.

2.15.10  Which Domain Is Used Preferentially by 802.1x Users?

The following domains are listed in descending order of priority:
  1. Domain that belongs to the user
  2. Default domain in the system view

2.15.11  What Are the Functions of the Domain Configured on a WLAN-BSS Interface?

By running the dot1x authentication domain command, you can configure a mandatory authentication and accounting domain on a WLAN-BSS interface. The domain is applied to:
  1. mac-authen users for authentication and accounting
  2. Non-authenticated WLAN users for accounting
NOTE:

Only V200R007 and earlier versions support this FAQ.

2.15.12  Which Attributes Are Required by ACLs Dynamically Delivered by the RADIUS Server?

No. | Type | Value | Standard Attribute | Description
31 | string | User MAC address | Yes | -
11 | string | ACL number | Yes | You can select either of the two attributes (11 or 82).
82 | string | ACL description | No. It is a private attribute designed by Huawei. | You can select either of the two attributes (11 or 82).

2.15.13  Which Attributes Are Required by VLANs Dynamically Delivered by the RADIUS Server?

No. | Type | Value | Standard Attribute
31 | string | User MAC address | Yes
64 | integer | 13 | Yes
65 | integer | 6 | Yes
81 | string | VLAN ID | Yes
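The two tables above say which attributes an Access-Accept must carry before the router will apply a dynamically delivered ACL or VLAN. The following Python example, added here and not taken from Huawei or from any RADIUS server, builds such an attribute list, parses it back from the wire format, and checks the two requirement sets. It assumes the RFC 2865 Type/Length/Value attribute layout, the RFC 2865 Vendor-Id/Vendor-Type/Vendor-Length layout for Vendor-Specific (26) with Huawei's vendor ID taken to be 2011, and the RFC 2868 leading tag byte on Tunnel-Type (64) and Tunnel-Medium-Type (65); the MAC address and filter string are constructed sample values. The NAS-Port packing follows the first format listed for attribute 5 in Table 2-40.

```python
"""Build and parse the RADIUS attributes used for dynamic ACL and VLAN delivery.

Example code added for 2.15.12, 2.15.13 and the attribute tables in 2.15.33;
it is not Huawei or RADIUS-server code. Assumptions: attributes are the
RFC 2865 Type/Length/Value form; Vendor-Specific (26) uses the RFC 2865
Vendor-Id/Vendor-Type/Vendor-Length layout with Huawei's vendor ID assumed to be
2011; Tunnel-Type and Tunnel-Medium-Type carry the RFC 2868 leading tag byte.
"""
import struct

HUAWEI_VENDOR_ID = 2011          # assumed IANA enterprise number for Huawei
FILTER_ID, VENDOR_SPECIFIC, CALLING_STATION_ID = 11, 26, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
HW_DATA_FILTER = 82              # Huawei sub-attribute 26-82


def encode_attr(attr_type: int, value) -> bytes:
    """One attribute: Type(1) Length(1) Value. int -> 4-byte big-endian, str -> UTF-8."""
    if isinstance(value, int):
        payload = struct.pack(">I", value)
    elif isinstance(value, str):
        payload = value.encode()
    else:
        payload = bytes(value)
    if len(payload) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack(">BB", attr_type, len(payload) + 2) + payload


def encode_tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer (attributes 64 and 65): 1 tag byte + 3 value bytes."""
    return encode_attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def encode_vsa(vendor_type: int, value) -> bytes:
    """Vendor-Specific (26): Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) value."""
    payload = value.encode() if isinstance(value, str) else bytes(value)
    inner = struct.pack(">BB", vendor_type, len(payload) + 2) + payload
    return encode_attr(VENDOR_SPECIFIC, struct.pack(">I", HUAWEI_VENDOR_ID) + inner)


def decode_attrs(data: bytes) -> list:
    """Parse TLVs into (type, value) pairs. Huawei VSAs become ((26, vendor_type), value).
    Raises ValueError on a truncated or inconsistent length field."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        value = data[pos + 2:pos + length]
        if (attr_type == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack(">I", value[:4])[0] == HUAWEI_VENDOR_ID):
            if value[5] != len(value) - 4:
                raise ValueError("bad vendor length")
            attrs.append(((VENDOR_SPECIFIC, value[4]), value[6:]))
        else:
            attrs.append((attr_type, value))
        pos += length
    return attrs


def is_well_formed(data: bytes) -> bool:
    try:
        decode_attrs(data)
        return True
    except ValueError:
        return False


def _tagged_int(value: bytes) -> int:
    return int.from_bytes(value[1:], "big")     # skip the tag byte


def dynamic_vlan_ok(attrs: list) -> bool:
    """2.15.13: VLAN delivery needs 31, 64 = 13, 65 = 6 and 81."""
    by_type = dict(attrs)
    return (CALLING_STATION_ID in by_type and TUNNEL_PRIVATE_GROUP_ID in by_type
            and TUNNEL_TYPE in by_type and _tagged_int(by_type[TUNNEL_TYPE]) == 13
            and TUNNEL_MEDIUM_TYPE in by_type and _tagged_int(by_type[TUNNEL_MEDIUM_TYPE]) == 6)


def dynamic_acl_ok(attrs: list) -> bool:
    """2.15.12: ACL delivery needs 31 plus either Filter-Id (11) or HW-Data-Filter (26-82)."""
    by_type = dict(attrs)
    return CALLING_STATION_ID in by_type and (
        FILTER_ID in by_type or (VENDOR_SPECIFIC, HW_DATA_FILTER) in by_type)


def nas_port(slot: int, port: int, vlan: int) -> int:
    """NAS-Port (5), first format in Table 2-40: 12-bit slot + 8-bit port + 12-bit VLAN."""
    if not (0 <= slot < 4096 and 0 <= port < 256 and 0 <= vlan < 4096):
        raise ValueError("field out of range")
    return (slot << 20) | (port << 12) | vlan


def sample_access_accept() -> bytes:
    """Constructed sample of what a server would put in Access-Accept for VLAN 100 + ACL 3000."""
    return b"".join([
        encode_attr(CALLING_STATION_ID, "00-11-22-33-44-55"),       # constructed MAC
        encode_attr(FILTER_ID, "3000"),
        encode_tagged_int(TUNNEL_TYPE, 13),                         # 13 = VLAN
        encode_tagged_int(TUNNEL_MEDIUM_TYPE, 6),                   # 6 = Ethernet
        encode_attr(TUNNEL_PRIVATE_GROUP_ID, "100"),                # VLAN ID as string
        encode_vsa(HW_DATA_FILTER, "acl 10001 dest-ip 2.2.2.0 dest-ipmask 255.255.255.0 deny"),
    ])
```

When a dynamic ACL or VLAN is not applied, decoding the server's reply with decode_attrs and running it through dynamic_acl_ok or dynamic_vlan_ok shows which required attribute is missing or carries the wrong value; a length-field error from the decoder points at a malformed attribute rather than a missing one.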

2.15.14  Why Can Layer 2 ACLs Not Take Effect on AR1200 series?

Fixed local area network (LAN) interfaces on the AR1200 series do not support Layer 2 access control lists (ACLs).

2.15.15  How Do I Control Access Through Specific Source or Destination Addresses?

You can configure access control lists (ACLs) to match source or destination addresses. For example, under the following configuration, the host at 10.1.1.1 can only access hosts on the 10.1.1.18/26 network segment.

<Huawei> system-view
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule permit ip source 10.1.1.1 0 destination 10.1.1.18 0.0.0.63
[Huawei-acl-adv-3000] rule deny ip source 10.1.1.1 0

For configurations of other traffic classifiers, behaviors (actions set to permit), and policies, see Traffic Policy Configuration in the AR Configuration Guide - QoS.

2.15.16  How Do I Restrict the Period During Which Users Can Access Specific Networks?

You can define access control lists (ACLs) with time ranges. For example, under the following configuration, users cannot access 2.2.2.0/24 from 00:00 to 08:00 daily.

<Huawei> system-view
[Huawei] time-range wb 00:00 to 08:00 daily
[Huawei] acl number 3000
[Huawei-acl-adv-3000] rule deny ip destination 2.2.2.0 0.0.0.255 time-range wb
[Huawei-acl-adv-3000] rule permit ip

For configurations of other traffic classifiers, behaviors, and policies, see Traffic Policy Configuration in the AR Configuration Guide - QoS.
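To see how the two ACLs above actually classify traffic, here is a small Python evaluator, added here and not Huawei code, that models wildcard-mask matching and time-range rules. It assumes rules are evaluated in configuration order with the first match winning, and that a rule whose time range is not configured or not active is treated as invalid and skipped (the behaviour described in 2.15.18); the "0" wildcard in the CLI is written out as 0.0.0.0. The packet addresses in the usage lines are constructed.

```python
"""Evaluate Huawei-style advanced ACL rules (wildcard masks, time ranges).

Example code added for 2.15.15, 2.15.16 and 2.15.18; it is not Huawei code and
does not model the router itself. Assumptions: rules are evaluated in
configuration order and the first match wins; a rule whose time range is not
configured or not active is treated as invalid and skipped.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    'source 10.1.1.1 0' (wildcard 0.0.0.0) matches the single host;
    'destination 10.1.1.18 0.0.0.63' matches 10.1.1.0 through 10.1.1.63."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class TimeRange:
    start: time
    end: time

    def active(self, now: time) -> bool:
        return self.start <= now < self.end


@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    source: Optional[Tuple[str, str]] = None      # (address, wildcard); None = any
    destination: Optional[Tuple[str, str]] = None
    time_range: Optional[str] = None              # name of a time-range, or None

    def matches(self, src: str, dst: str, now: time,
                time_ranges: Dict[str, TimeRange]) -> bool:
        if self.time_range is not None:
            tr = time_ranges.get(self.time_range)
            if tr is None or not tr.active(now):
                return False      # 2.15.18: missing or inactive time range -> rule invalid
        if self.source and not wildcard_match(src, *self.source):
            return False
        if self.destination and not wildcard_match(dst, *self.destination):
            return False
        return True


def evaluate(rules: List[Rule], src: str, dst: str, now: time = time(12, 0),
             time_ranges: Optional[Dict[str, TimeRange]] = None) -> str:
    """Return 'permit' or 'deny' from the first matching rule, or 'no-match'
    when no rule matches (the referencing service then decides, see 2.15.17)."""
    for rule in rules:
        if rule.matches(src, dst, now, time_ranges or {}):
            return rule.action
    return "no-match"


# ACL 3000 from 2.15.15: 10.1.1.1 may reach 10.1.1.0/26 only.
ACL_3000_HOST = [
    Rule("permit", source=("10.1.1.1", "0.0.0.0"), destination=("10.1.1.18", "0.0.0.63")),
    Rule("deny", source=("10.1.1.1", "0.0.0.0")),
]

# ACL 3000 from 2.15.16: nobody reaches 2.2.2.0/24 between 00:00 and 08:00 daily.
TIME_RANGES = {"wb": TimeRange(time(0, 0), time(8, 0))}
ACL_3000_TIME = [
    Rule("deny", destination=("2.2.2.0", "0.0.0.255"), time_range="wb"),
    Rule("permit"),
]


if __name__ == "__main__":
    # Constructed packets, not values from the page
    print(evaluate(ACL_3000_HOST, "10.1.1.1", "10.1.1.18"))                          # permit
    print(evaluate(ACL_3000_HOST, "10.1.1.1", "10.1.1.64"))                          # deny
    print(evaluate(ACL_3000_TIME, "192.0.2.1", "2.2.2.7", time(3, 0), TIME_RANGES))  # deny
    print(evaluate(ACL_3000_TIME, "192.0.2.1", "2.2.2.7", time(9, 0), TIME_RANGES))  # permit
```

Passing an empty time-range table to the second ACL shows the 2.15.18 effect: with time-range wb not configured, the deny rule is invalid and every packet falls through to the permit rule.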

2.15.17  How Are deny and permit in ACL Rules Used in Different Services?

The deny and permit clauses in ACL rules have different functions in different services.

  • Traffic policy

    If packets do not match any ACL rules, the system processes packets according to the original forwarding mode.

    • When the ACL rule defines permit, the system processes packets according to the action in the traffic behavior.

      • If the traffic behavior defines deny, the system discards matching packets.
      • If the traffic behavior defines permit, the system allows matching packets to pass through.
    • When the ACL rule defines deny, the system directly discards matching packets.

    • When no ACL rule is configured, the system processes packets according to the original forwarding mode.

  • IPSec

    • When permit is used in the ACL rule, the system uses IPSec policies to protect traffic matching the ACL rule, and then forwards the traffic.

    • In V2R3C00 and earlier versions, when deny is used in the ACL rule, the device rejects packets that match the rule. In V2R3C01, when deny is used in the ACL rule, the IPSec policy referencing the ACL does not take effect; that is, the system forwards the packets passing through the interface without performing any operation on them.

    • When packets do not match the permit or deny ACL rule, the IPSec policy referencing the ACL does not take effect, and the device directly forwards packets.

    • When an ACL does not contain rules, the IPSec policy referencing the ACL does not take effect. That is, the system forwards the packets passing the interface without performing any operation.

  • Firewall

    If packets match an ACL rule, the packets are filtered based on the ACL rule; if packets match no ACL rule, the packets are processed based on the default packet filtering mode.

    • When permit is used in the ACL rule:
      • When the ACL is applied to the inbound traffic, the system forwards the packets matching the ACL rule sent from the low-priority zone to the high-priority zone.
      • When the ACL is applied to the outbound traffic, the system forwards the packets matching the ACL rule sent from the high-priority zone to the low-priority zone.
    • When deny is used in the ACL rule:

      • When the ACL is applied to the inbound traffic, the system discards the packets matching the ACL rule sent from the low-priority zone to the high-priority zone.
      • When the ACL is applied to the outbound traffic, the system discards the packets matching the ACL rule sent from the high-priority zone to the low-priority zone.
    • When an ACL does not contain rules:

      • When the ACL is applied to the inbound traffic, the ACL does not take effect, and the system discards all packets sent from the low-priority zone to the high-priority zone.
      • When the ACL is applied to the outbound traffic, the ACL does not take effect, and the system discards all packets sent from the high-priority zone to the low-priority zone.
  • NAT

    • When permit is used in the ACL rule, the system uses the address pool to translate addresses for the packets of which the source IP address is specified in the ACL rule.

    • When permit is not used in the ACL rule, the NAT policy referencing the ACL does not take effect. That is, the system searches routes for packets, but does not translate addresses.

  • Smart policy routing

    • When permit or deny is used in the ACL rule, the system selects routes for the packets matching the ACL rule according to link quality.

    • If packets match no ACL rule, the system searches routes for the packets according to the destination addresses.

    • When the ACL does not contain rules, the smart policy routing referencing the ACL does not take effect, and the system searches routes for the packets according to the destination addresses.

  • Local policy routing

    • When permit is used in the ACL rule, the system executes the behavior specified in the local routing policy for the packets matching the ACL rule. When the behavior is permit, the system enforces the policy on the packets matching the rule. When the behavior is deny, the system searches routes for the packets according to the destination addresses.

    • If packets match no ACL rule, the system searches routes for the packets according to the destination addresses.

    • When deny is used in the ACL rule or the ACL does not contain rules, the local policy routing referencing the ACL does not take effect, and the system searches routes for the packets according to the destination addresses.

  • Telnet

    • When permit is used in the ACL rule:
      • If the ACL is applied in the inbound direction, other devices that match the ACL rule can access the local device.
      • If the ACL is applied in the outbound direction, the local device can access other devices that match the ACL rule.
    • When deny is used in the ACL rule:

      • If the ACL is applied in the inbound direction, other devices that match the ACL rule cannot access the local device.
      • If the ACL is applied in the outbound direction, the local device cannot access other devices that match the ACL rule.
    • When the ACL rule is configured but packets from other devices do not match the rule:

      • If the ACL is applied in the inbound direction, other devices cannot access the local device.
      • If the ACL is applied in the outbound direction, the local device cannot access other devices.
    • When the ACL contains no rule:

      • If the ACL is applied in the inbound direction, any other devices can access the local device.
      • If the ACL is applied in the outbound direction, the local device can access any other devices.
  • FTP

    • Other devices that match the ACL rule can establish an FTP connection with the local device only when permit is used in the ACL rule.

    • When deny is used in the ACL rule, other devices that match the ACL rule cannot establish FTP connections with the local device.

    • When the ACL rule is configured but packets from other devices do not match the rule, other devices cannot establish FTP connections with the local device.

    • When the ACL contains no rule, any other devices can establish FTP connections with the local device.

  • TFTP

    • The local device can establish TFTP connections with other devices that match the ACL rule only when permit is used in the ACL rule.

    • When deny is used in the ACL rule, the local device cannot establish TFTP connections with other devices that match the ACL rule.

    • When the ACL rule is configured but packets from other devices do not match the rule, the local device cannot establish TFTP connections with other devices.

    • When the ACL contains no rule, the local device can establish TFTP connections with any other devices.

  • SNMP

    • When the ACL rule is permit, the NMS with the source IP address specified in this rule can access the local device.

    • When the ACL rule is deny, the NMS with the source IP address specified in this rule cannot access the local device.

    • If a packet matches no ACL rule, the NMS that sends the packet cannot access the local device.

    • When no ACL rule is configured, all NMSs can access the local device.

  • NTP

    By default, the peer device's right to access the NTP service on the local device is peer.

    • When the ACL rule is permit, the peer device with the source IP address specified in this rule can access the NTP service on the local device. The access right of the peer device is configured using the ntp-service access command.

    • When the ACL rule is deny, the peer device with the source IP address specified in this rule cannot access the NTP service on the local device.

    • When a packet matches no ACL rule, the peer device that sends the packet has the default right to access the NTP service on the local device.

    • When no ACL rule is configured, all peer devices have the default right to access the NTP service on the local device.

2.15.18  Can an ACL Rule Match a Time Range That Does Not Exist? Does the ACL Take Effect?

When an ACL rule is configured to match time-range time-name, the configuration succeeds regardless of whether the time-range time-name command has been configured.

If the time range referenced by the ACL rule does not exist, the device considers the ACL rule invalid and treats the time range as inactive.

After the time-range time-name command is configured and becomes active, the ACL rule automatically updates its status and becomes valid.

2.15.19  Why Is the Actual Rate Limit Different from the ICMP Packet Rate Limit Configured on the Interface Board?

AR series routers convert the packet count to a byte count when limiting the rate of Layer 3 unicast packets on the interface board. Each Internet Control Message Protocol (ICMP) packet is counted as 84 bytes. For example, if the ICMP packet rate limit is configured as 10 packets per second, the actual rate limit is 840 (84 x 10) bytes per second. If the actual length of the ICMP packets is not 84 bytes, the actual rate limit differs from the configured value.

  • If the actual length of ICMP packets is greater than 84 bytes, the actual rate limit is less than the configured rate limit. For example, if the ICMP packet rate limit is configured to be 10 packets per second, and the actual packet length is 320 bytes, the actual rate limit is 840/320 (rounded down) packets per second, that is, 2 packets per second.
  • If the actual length of ICMP packets is less than 84 bytes, the actual rate limit is greater than the configured rate limit. For example, if the ICMP packet rate limit is configured to be 10 packets per second, and the actual packet length is 64 bytes, the actual rate limit is 840/64 (rounded down) packets per second, that is, 13 packets per second.

2.15.20  Why Does the CPCAR Rate Limit Configuration Not Take Effect?

The CPU committed access rate (CPCAR) is configured in the attack defense policy view. The CPCAR takes effect only when the attack defense policy is applied on the main control board or interface board on the local area network (LAN) side.

2.15.21  What Can I Do with Excess ACL Rules Used by a Blacklist in Local Attack Defense?

Excess ACL rules used by a blacklist do not take effect.

2.15.22  After I Enable ARP Gateway Anti-Collision, and Send Gateway Collision ARP Packets from a MAC Address, Why Can the MAC Address Not Forward Traffic?

After the Address Resolution Protocol (ARP) anti-collision function detects gateway collision ARP packets, the system prohibits the source media access control (MAC) address from forwarding packets for three minutes.

2.15.23  After I Send ARP Request Packets with the Same Source IP Address, Why Do I Sometimes Receive Response Packets Only at the Rate of 5 Packets Per Second?

By default, AR series routers limit the rate of Address Resolution Protocol (ARP) packets with the same source IP address to prevent ARP attacks. The default rate limit is 5 packets per second.

2.15.24  Why Is the Actual Suppression Value Different from the Configured Traffic Suppression Value?

The traffic suppression supported by AR series routers is granularity-based.

  • The AR1200 series use the committed information rate (CIR) mode.

    • If the traffic suppression value is between 64 kbit/s and 1000 kbit/s, the granularity is 64 kbit/s. For example, if the traffic suppression value is set to 65 kbit/s, the effective traffic suppression value is 64 kbit/s. If the traffic suppression value is set to 200 kbit/s, the effective traffic suppression value is 128 kbit/s, and so on.
    • If the traffic suppression value is between 1000 kbit/s and 100,000 kbit/s, the granularity is 1000 kbit/s. For example, if the traffic suppression value is set to 1001 kbit/s, the effective traffic suppression value is 1000 kbit/s. If the traffic suppression value is set to 2999 kbit/s, the effective traffic suppression value is 2000 kbit/s, and so on.
  • The AR2200, AR3200 and AR3600 series use packet mode. The granularity is 125 packets per second (pps). If the traffic suppression value is set to 10 pps, the effective traffic suppression value is 0 pps. If the traffic suppression value is set to 126 pps, the effective traffic suppression value is 125 pps, and so on.

Therefore, if the traffic suppression value is not a multiple of the granularity, the actual suppression value differs from the value that is set. Values that are multiples of the granularity for their range are applied exactly as configured.

2.15.25  After I Enable DAI or IPSG on an Interface, Why Can the Interface Still Forward Packets That Do Not Match the Binding Table?

If the dhcp snooping trusted command is run on the interface, the interface considers all packets to be valid and forwards all packets regardless of whether Dynamic ARP Inspection (DAI) or IP Source Guard (IPSG) is configured.

2.15.26  What Are the Types of Blacklists? (Firewall)

There are two types of blacklists:
  • Static blacklists that are configured manually.
  • Dynamic blacklists that are generated when the system detects scanning attacks.

2.15.27  Which Protocols Does the AR Firewall ASPF Support?

The following protocols are supported:

  • File Transfer Protocol (FTP)

  • Hypertext Transfer Protocol (HTTP)

  • Internet Control Message Protocol (ICMP)

  • Session Initiation Protocol (SIP)

  • Real-Time Streaming Protocol (RTSP)

  • Transmission Control Protocol (TCP)

  • Trivial File Transfer Protocol (TFTP)

  • User Datagram Protocol (UDP)

2.15.28  How Can I View the ACL Hit Count Configured on the Packet Filtering Firewall?

  1. In the system view, run the traffic classifier classifier-name command to create a traffic classifier and access the traffic classifier view. Run the if-match acl { acl-number | acl-name } command to configure ACL rules for traffic classification.
  2. In the system view, run the traffic behavior behavior-name command to create a traffic behavior and access the traffic behavior view. Run the statistic enable command to enable the traffic statistics function.
  3. In the system view, run the traffic policy policy-name command to create a traffic policy and access the traffic policy view. Run the classifier classifier-name behavior behavior-name command to associate a traffic classifier and a traffic behavior with the traffic policy.
  4. In the interface view, run the traffic-policy policy-name inbound command.
  5. Run the display traffic policy statistics interface interface-type interface-number inbound verbose rule-base command to view the ACL hit count configured on the packet filtering firewall.

2.15.29  What Are the Restrictions on Using HWTACACS?

An HWTACACS server template that is being used by users, is bound to a domain, or is referenced by accounting-stop packets cannot be deleted.

While the HWTACACS server is exchanging packets with the device, the server IP address cannot be changed.

2.15.30  Can a Router Provide DHCP Snooping Function Without Using a LAN Card?

No. The DHCP snooping function can only be provided by a LAN card.

To restrict source MAC addresses without a LAN card installed, the router can use a Layer 2 ACL. However, a Layer 2 ACL is not a replacement for DHCP snooping.

2.15.31  Does the Router Support User Level Settings Using RADIUS? How Can I Configure It?

Yes, the router can set user levels using RADIUS. The configuration effect is the same as the local user level configuration during AAA local authentication.

You can set the user levels on the RADIUS server.

2.15.32  Can MAC Bypass Authentication Be Configured on a Fixed Port on the SRU?

No, MAC bypass authentication must be configured on LPUs.

2.15.33  What Are the RADIUS Attributes Supported by AR Routers?

Table 2-40 describes the standard RADIUS attributes.

Table 2-40  Standard RADIUS attributes

Attribute No. | Name | Attribute Type | Usage
1 | User-Name | String | Depending on the command line configuration, the user name either contains the domain name (such as user0001@isp) or does not (such as user0001). The value is a string of 1 to 129 characters, that is, user name (64 characters) + domain name (64 characters).
2 | User-Password | String | In PAP authentication, the user password is transmitted to the server after being encrypted by the NAS. The PAP authentication password supported by the AR routers consists of 0 to 128 characters. The length of the password encapsulated in RADIUS packets is a multiple of 16 and ranges from 16 to 128.
3 | CHAP-Password | String | This attribute is only valid for CHAP authentication. The value is a string of 17 characters, in which the CHAP ID occupies 1 character and the CHAP challenge occupies 16 characters.
4 | NAS-IP-Address | Address | This attribute indicates the identifying IP address of the NAS that is requesting authentication of the user.
  • The value is an interface address if the NAS is bound to an interface.
  • The value is the IP address of the interface sending packets if the NAS is not bound to an interface.
  The value contains 4 bytes.
5 | NAS-Port | Integer | This attribute indicates the physical port number of the NAS that is authenticating the user. The formats are as follows:
  • 12-bit slot ID + 8-bit port number + 12-bit VLAN ID. Zeros are added when the bits are not occupied.
  • 8-bit slot ID + 4-bit subcard number + 8-bit port number + 12-bit VLAN ID. Zeros are added when the bits are not occupied.
  The value contains 4 bytes.
6 | Service-Type | Integer | When a user is authenticated, this attribute has a fixed value of 2, indicating the Framed type. When an administrator is authenticated, this attribute has a fixed value of 6, indicating the Administrator type. The value contains 4 bytes.
7 | Framed-Protocol | Integer | On the switch, the value of Framed-Protocol is set to 1 for non-administrator users, indicating the PPP type, and to 6 for administrators. The value contains 4 bytes.
8 | Framed-IP-Address | Address | This attribute indicates the address to be configured for the user. The following addresses are invalid:
  • 0
  • 0xFFFFFFFE and 0xFFFFFFFF
  • Addresses on network segment 127.0.0.0/8
  • Addresses on network segments 224-255/8
  If the user IP address is invalid, the NAS allocates a valid address to the user. For example, after allocating IP address 8.0.0.7 (0x08000007) to a user, the server sets the value of Framed-IP-Address to 0x08000007.
  The value contains 4 bytes.
11 | Filter-Id | String | Generally, the attribute contains the ACL number for the user. The value contains 1 to 32 bytes.
14 | Login-IP-Host | Address | This attribute indicates the IP address of an administrator. When the value in the Access-Accept packet is 0, 0xFFFFFFFF, or 0xFFFFFFFE, the NAS does not check the administrator's IP address. Otherwise, the NAS checks whether the administrator's IP address is the same as the delivered address.
15 | Login-Service | Integer | The attribute indicates the type of service used by the login user: 0: Telnet; 5: X25-PAD; 50: SSH; 51: FTP; 52: Terminal. The attribute can contain multiple service types.
18 | Reply-Message | String | When the attribute is in the Access-Accept packet, it indicates that the message is sent successfully. When the attribute is in the Access-Reject packet, it indicates that the message is rejected. This attribute is valid only for web authentication users (the web server must support this attribute). The value contains 1 to 253 bytes.
19 | Callback-Number | String | The attribute indicates information from the authentication server to be displayed to users, such as mobile phone numbers.
24 | State | String | The attribute can be sent by the server to the client in an Access-Challenge packet and must be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.
26 | Vendor-Specific | String | This attribute is defined by the vendor.
27 | Session-Timeout | Integer |
  • In an Access-Accept packet, this attribute indicates the maximum number of seconds of service to be provided to the user.
  • In an Access-Challenge packet, this attribute indicates the re-authentication duration of EAP users.
  The value contains 4 bytes.
28 | Idle-Timeout | Integer | This attribute indicates the idle-cut time, in seconds. The value contains 4 bytes.
29 | Termination-Action | Integer | This attribute indicates what action the NAS should take when the specified service is completed for the user: re-authentication or forcible disconnection. The value 0 indicates forcible disconnection and the value 1 indicates re-authentication. The attribute is only valid for 802.1X authentication.
31 | Calling-Station-Id | String | This attribute allows the NAS to send the phone number the call came from in the Access-Request packet. The value is usually a MAC address.
32 | NAS-Identifier | String | This attribute indicates the name of the NAS, namely the sysname. The value contains 1 to 30 bytes.
40 | Acct-Status-Type | Integer | This attribute indicates the type of the Accounting-Request packet. There are five types:
  • Start (Value=1)
  • Stop (Value=2)
  • Interim-Update (Value=3)
  • Accounting-On (Value=7)
  • Accounting-Off (Value=8)
  The value contains 4 bytes.
41 | Acct-Delay-Time | Integer | This attribute indicates how many seconds the client has been trying to send an accounting record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. On a switch, Acct-Delay-Time consists of two parts: the difference between the time when RADIUS obtains data from the AAA and the latest update time, and the delay in sending the Accounting-Request packet, including retransmission time. The value contains 4 bytes.
44 | Acct-Session-Id | String | The format of this attribute is: host name (7 digits) + slot ID (2 digits) + card number (1 digit) + port number (2 digits) + outer VLAN ID (4 digits) + inner VLAN ID (5 digits) + CPUTICK (6 digits) + connection index of the user (6 digits).
45 | Acct-Authentic | Integer | The attribute indicates the authentication type:
  • RADIUS authentication (Value=1)
  • Local authentication (Value=2)
  • Other remote authentication (Value=3)
  The value contains 4 bytes.
46 | Acct-Session-Time | Integer | This attribute indicates how many seconds the user has received service for. The value contains 4 bytes.
49 | Acct-Terminate-Cause | Integer | This attribute indicates how the session was terminated. The value contains 4 bytes.
55 | Event-Timestamp | Integer | This attribute is included in an Accounting-Request packet to record the time that the event occurred on the NAS, in seconds since January 1, 1970 00:00 UTC. The value contains 4 bytes.
60 | CHAP-Challenge | String | This attribute is only valid for CHAP authentication. The value is a string of 16 bytes.
61 | NAS-Port-Type | Integer | The attribute indicates the NAS port type, which can be configured on the switch interface. By default, the type is Ethernet (15). The value contains 4 bytes.
64 | Tunnel-Type | Integer | This attribute indicates the tunnel protocol type. If the Tunnel-Type value is 13, a VLAN ID is delivered.
65 | Tunnel-Medium-Type | Integer | This attribute indicates which transport medium to use when creating a tunnel. It has a fixed value of 6, indicating Ethernet. The value contains 4 bytes.
79 | EAP-Message | String | This attribute encapsulates EAP packets. When the length of an EAP packet exceeds 253 bytes, multiple attributes can be encapsulated.
80 | Message-Authenticator | String | This attribute contains encryption information about EAP packets in EAPoR authentication.
81 | Tunnel-Private-Group-ID | String | This attribute indicates the group ID for a particular tunneled session. The value is a string of 32 bytes. Currently, the attribute is used to deliver user VLAN IDs.
85 | Acct-Interim-Interval | Integer | The attribute indicates the interim accounting interval, in seconds. It is recommended that you set the value to be larger than 60. The value ranges from 0 to 3932100. The value 0 indicates that interim accounting is disabled. A value larger than 3932100 indicates that the user cannot log in to the NAS. The value contains 4 bytes.
87 | NAS-Port-Id | String | This attribute identifies the port of the NAS that is authenticating the user. The formats are as follows:
  • 2-bit slot ID + 2-bit subcard number + 3-bit port number + 9-bit VLAN ID
  • Slot=Slot ID;Subslot=Subcard number;Port=Port Number;VLAN ID=VLAN

Table 2-41 describes the Huawei private RADIUS attributes.

Table 2-41  Huawei private RADIUS attributes
No. Name Attribute Type Usage Remarks
26-1 HW-Input-Peak-Information-Rate Integer Indicates the upstream peak rate, in bit/s.

-

26-2 HW-Input-Committed-Information-Rate Integer Indicates the upstream average rate, in bit/s.

-

26-3 HW-Input-Committed-Burst-Size Integer Indicates the upstream committed burst size, in bit/s.

-

26-4 HW-Output-Peak-Information-Rate Integer Indicates the downstream peak rate, in bit/s.

-

26-5 HW-Output-Committed-Information-Rate Integer Indicates the downstream average rate, in bit/s.

-

26-6 HW-Output-Committed-Burst-Size Integer Indicates the downstream committed burst size, in bit/s.

-

26-22 HW-Priority Integer Indicates the priority. After this attribute is delivered, HW-Up-Priority and HW-Down-Priority are invalid.
26-28 HW-FTP-Directory String This attribute indicates the initial directory of the FTP user. The maximum length of this field is 64 bytes.
26-29 HW-Exec-Privilege Integer The attribute indicates the administrator priority, such as a Telnet user. The value ranges from 0 to 16, and the value 16 indicates that the user does not have the administrator's authority.

-

26-59 HW-NAS-Startup-Time-Stamp Integer The attribute indicates the time when the device starts. The value is the number of seconds since 1970.
26-60 HW-IP-Host-Address String This attribute indicates the user IP address and MAC address contained in the authentication request packet or accounting request packet, in the format A.B.C.D hh:hh:hh:hh:hh:hh. The IP address and MAC address must be separated by a space. If the user's IP address is detected invalid during authentication, A.B.C.D is set to 255.255.255.255. The value is a string of up to 33 characters in the format "IP address MAC address."
26-61 HW-Up-Priority Integer Indicates the upstream priority.

-

26-62 HW-Down-Priority Integer Indicates the downstream priority.

-

26-77 HW-Input-Peak-Burst-Size Integer Indicates the upstream peak rate, in bit/s.

-

26-78 HW-Output-Peak-Burst-Size Integer Indicates the downstream peak rate, in bit/s.

-

26-82 HW-Data-Filter String Indicates the delivered ACL in the format

acl acl-num key1 key-value1... keyN key-valueN permit/deny.

  • permit: allows users matching the rules to access the network.
  • deny: prevents users matching the rules from accessing the network.
  • acl: delivers ACL rules.
  • acl-num: specifies the ACL number, ranging from 10000 to 10999.
  • keyM(1≤M≤N): indicates the keywords in an ACL rule. The values are as follows:
    • src-ip: source IP address
    • src-ipmask: source IP address mask
    • dest-ip: destination IP address
    • dest-ipmask: destination IP address mask
    • src-mac: source MAC address
    • dest-mac: destination MAC address
    • tcp-srport: source TCP port
    • tcp-dstport: destination TCP port
    • udp-srcport: source UDP port
    • udp-dstport: destination UDP port
  • key-valueM(1<M<N): value corresponding to ACL keyword, including IP address, IP address mask, MAC address, and port number.
NOTE:
  • All the keywords are case-insensitive.
  • All the keywords and/or key values are separated by spaces.
  • Key values cannot be placed behind permit and deny.
  • The keywords are arranged in any sequence.

-

26-254 HW-Version String Indicates the switch version.

-

26-255 HW-Product-ID String Indicates the switch name.

-
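As an added example that is not part of the FAQ, the following Python parser applies the HW-Data-Filter format and the NOTE rules above to an attribute value received from the server, so that a malformed or truncated ACL string is rejected before it is acted on; the MAC notation is not specified on this page, so MAC values are accepted without validation.

```python
import ipaddress

# Keywords listed for HW-Data-Filter on this page (compared case-insensitively).
KEYWORDS = {
    "src-ip", "src-ipmask", "dest-ip", "dest-ipmask", "src-mac", "dest-mac",
    "tcp-srport", "tcp-dstport", "udp-srcport", "udp-dstport",
}

def _check_value(key, value):
    """Validate one key value; MAC notation is not given above, so MACs pass as-is."""
    if key.endswith(("-ip", "-ipmask")):
        ipaddress.IPv4Address(value)            # raises ValueError when malformed
    elif key.endswith("port") and not 0 <= int(value) <= 65535:
        raise ValueError(f"port out of range: {value}")

def parse_data_filter(attr):
    """Parse one HW-Data-Filter string into {'acl', 'action', 'rules'}.
    Enforces: leading 'acl acl-num', acl-num in 10000-10999, case-insensitive
    keywords in any order, and permit/deny as the final token (nothing after it).
    """
    tokens = attr.split()                       # keywords and values are space-separated
    if len(tokens) < 3 or tokens[0].lower() != "acl":
        raise ValueError("attribute must start with 'acl acl-num'")
    acl_num = int(tokens[1])
    if not 10000 <= acl_num <= 10999:
        raise ValueError(f"acl-num {acl_num} outside 10000-10999")
    action = tokens[-1].lower()
    if action not in ("permit", "deny"):
        raise ValueError("attribute must end with permit or deny")
    pairs = tokens[2:-1]
    if len(pairs) % 2:
        raise ValueError("every keyword needs exactly one value")
    rules = {}
    for key, value in zip(pairs[::2], pairs[1::2]):
        key = key.lower()
        if key not in KEYWORDS or key in rules:
            raise ValueError(f"unknown or repeated keyword {key!r}")
        _check_value(key, value)
        rules[key] = value
    return {"acl": acl_num, "action": action, "rules": rules}

def is_valid_data_filter(attr):
    """True if `attr` parses cleanly, False otherwise (handy for log triage)."""
    try:
        parse_data_filter(attr)
        return True
    except ValueError:
        return False
```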

  • Table 2-42 lists the attributes in RADIUS authentication packets.

  • Table 2-43 lists the attributes in RADIUS accounting packets.

  • Table 2-44 lists the attributes in RADIUS authorization packets (COA&DM).

  • Table 2-45 describes the Acct-Terminate-Cause attribute.

NOTE:
In the following tables, the value 1 indicates that the attribute must be included in the packet; the value 0 indicates that the attribute is not included in the packet (the attribute is invalid even if it is included in the packet); the value 0-1 indicates that the attribute may be included once in the packet or not included in the packet; the value 0+ indicates that the attribute is not included or included multiple times in the packet.
Table 2-42  RADIUS authentication packet
Attribute Access-Request Access-Accept Access-Reject Access-Challenge
User-Name (1) 1 0 0 0
User-Password (2) 0-1 0 0 0
Chap-Password (3) 0-1 0 0 0
NAS-IP-Address (4) 1 0 0 0
NAS-Port (5) 1 0 0 0
Service-Type (6) 1 0-1 0 0
Framed-Protocol (7) 1 0-1 0 0
Framed-IP-Address (8) 0-1 0-1 0 0
Filter-Id (11) 0 0-1 0 0
Login-IP-Host (14) 0-1 0-1 0 0
Login-Service (15) 0 0-1 0 0
Reply-Message (18) 0 0-1 0-1 0
Callback-Number (19) 0 0-1 0 0
State (24) 0-1 0-1 0 0-1
Session-Timeout (27) 0 0-1 0 0-1
Idle-Timeout (28) 0 0-1 0 0
Termination-Action (29) 0 0-1 0 0-1
Calling-Station-Id (31) 1 0 0 0
NAS-Identifier (32) 1 0 0 0
Acct-Session-Id (44) 1 0 0 0
CHAP-Challenge (60) 0-1 0 0 0
NAS-Port-Type (61) 1 0 0 0
Tunnel-Type (64) 0 0-1 0 0
Tunnel-Medium-Type (65) 0 0-1 0 0
EAP-Message (79) 0 0-1 0-1 1
Message-Authenticator (80) 0 0-1 0-1 1
Tunnel-Private-Group-ID (81) 0 0-1 0 0
Acct-Interim-Interval (85) 0 0-1 0 0
NAS-Port-Id (87) 1 0 0 0
HW-FTP-Directory (284) 0 0-1 0 0
HW-Exec-Privilege (285) 0 0-1 0 0
HW-NAS-Startup-Time-Stamp (315) 1 0 0 0
HW-IP-Host-Address (316) 1 0 0 0
HW-Data-Filter (338) 0 0-1 0 0
HW-Version (510) 1 0 0 0
HW-Product-ID (511) 1 0 0 0
Table 2-43  RADIUS accounting packet
Attribute Accounting-Request (Start) Accounting-Request (Interim-Update) Accounting-Request (Stop) Accounting-Response (Start) Accounting-Response (Interim-Update) Accounting-Response (Stop)
User-Name (1) 1 1 1 0 0 0
NAS-IP-Address (4) 1 1 1 0 0 0
NAS-Port (5) 1 1 1 0 0 0
Service-Type (6) 1 1 1 0 0 0
Framed-Protocol (7) 1 1 1 0 0 0
Framed-IP-Address (8) 1 1 1 0 0 0
Filter-Id (11) 1 1 1 0 0 0
Session-Timeout (27) 0 0 0 0-1 0-1 0
Calling-Station-Id (31) 1 1 1 0 0 0
NAS-Identifier (32) 1 1 1 0 0 0
Acct-Status-Type (40) 1 1 1 0 0 0
Acct-Delay-Time (41) 0 1 1 0 0 0
Acct-Session-Id (44) 1 1 1 0 0 0
Acct-Authentic (45) 1 1 1 0 0 0
Acct-Session-Time (46) 0 1 1 0 0 0
Acct-Terminate-Cause (49) 0 0 1 0 0 0
Event-Timestamp (55) 1 1 1 0 0 0
NAS-Port-Type (61) 1 1 1 0 0 0
Tunnel-Type (64) 0-1 0-1 0-1 0 0 0
Tunnel-Medium-Type (65) 0-1 0-1 0-1 0 0 0
Tunnel-Private-Group-ID (81) 0 0 0 0 0 0
NAS-Port-Id (87) 1 1 1 0 0 0
HW-IP-Host-Address (316) 1 1 1 0 0 0
Agent-Circuit-Id (26-1) 0-1 0 0 0 0 0
Agent-Remote-Id (26-2) 0-1 0 0 0 0 0
Table 2-44  RADIUS authorization packet (COA&DM)
Attribute COA REQUEST COA ACK COA NAK DM REQUEST DM ACK DM NAK
User-Name (1) 0-1 0-1 0-1 0-1 0-1 0-1
NAS-IP-Address (4) 0-1 0-1 0-1 0-1 0-1 0-1
NAS-Port (5) 0-1 0-1 0-1 0-1 0-1 0-1
Framed-IP-Address (8) 0-1 0-1 0-1 0-1 0-1 0-1
Filter-Id (11) 0-1 0 0 0 0 0
Session-Timeout (27) 0-1 0 0 0 0 0
Idle-Timeout (28) 0-1 0 0 0 0 0
Calling-Station-Id (31) 0-1 0-1 0-1 0-1 0-1 0-1
NAS-Identifier (32) 0-1 0-1 0-1 0-1 0-1 0-1
Acct-Session-Id (44) 1 1 1 1 1 1
Acct-Interim-Interval (85) 0-1 0 0 0 0 0
Error-Cause (101) 0 0 1 0 0 1
HW-Data-Filter (26-82) 0-1 0 0 0 0 0
HW-Input-Peak-Information-Rate (26-1) 0-1 0 0 0 0 0
HW-Input-Committed-Information-Rate (26-2) 0-1 0 0 0 0 0
HW-Input-Committed-Burst-Size (26-3) 0-1 0 0 0 0 0
HW-Output-Peak-Information-Rate (26-4) 0-1 0 0 0 0 0
HW-Output-Committed-Information-Rate (26-5) 0-1 0 0 0 0 0
HW-Output-Committed-Burst-Size (26-6) 0-1 0 0 0 0 0
HW-Priority (26-22) 0-1 0 0 0 0 0
HW-Up-Priority (26-61) 0-1 0 0 0 0 0
HW-Down-Priority (26-62) 0-1 0 0 0 0 0
HW-Input-Peak-Burst-Size (26-77) 0-1 0 0 0 0 0
HW-Output-Peak-Burst-Size (26-78) 0-1 0 0 0 0 0
Table 2-45   Acct-Terminate-Cause attribute
Type No. Description
User Request 1 The user requests to go offline.
Lost Carrier 2 Handshake fails or heartbeat expires.
Lost Service 3 The connection initiated by the peer device is torn down.
Idle Timeout 4 The user is disconnected because the idle timer expires.
Session Timeout 5 The user is disconnected because the session times out.
Admin Reset 6 The administrator forces the user to go offline.
Admin Reboot 7 The administrator restarts the device.
Port Error 8 The port is faulty.
NAS Error 9 An internal error occurs in the NAS.
NAS Request 10 The NAS requests to go offline.
NAS Reboot 11 The NAS is restarted.
Port Unneeded 12 The port is unavailable.
Port Preempted 13 The port is occupied.
Port Suspended 14 The port is suspended.
Service Unavailable 15 The service is not supported.
Callback 16 A callback is performed.
User Error 17 A user-side fault occurs, for example, user session timeout.
Host Request 18 A host sends a logout request to the server, and receives a DECLINE packet.
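As an added example, not part of the FAQ, this Python checker encodes the Access-Request and Access-Accept columns of Table 2-42 with the 1/0/0-1/0+ codes from the NOTE and reports which attributes of a captured packet violate them, which helps when troubleshooting authentication failures or auditing what a server delivers in Access-Accept.

```python
from collections import Counter

# Rule codes from the NOTE above Table 2-42: "1" exactly once, "0" must not
# appear, "0-1" at most once, "0+" any number of times.
# Access-Request and Access-Accept columns of Table 2-42, keyed by attribute type.
ACCESS_REQUEST = {
    1: "1", 2: "0-1", 3: "0-1", 4: "1", 5: "1", 6: "1", 7: "1", 8: "0-1",
    11: "0", 14: "0-1", 15: "0", 18: "0", 19: "0", 24: "0-1", 27: "0", 28: "0",
    29: "0", 31: "1", 32: "1", 44: "1", 60: "0-1", 61: "1", 64: "0", 65: "0",
    79: "0", 80: "0", 81: "0", 85: "0", 87: "1",
}
ACCESS_ACCEPT = {
    1: "0", 2: "0", 3: "0", 4: "0", 5: "0", 6: "0-1", 7: "0-1", 8: "0-1",
    11: "0-1", 14: "0-1", 15: "0-1", 18: "0-1", 19: "0-1", 24: "0-1", 27: "0-1",
    28: "0-1", 29: "0-1", 31: "0", 32: "0", 44: "0", 60: "0", 61: "0", 64: "0-1",
    65: "0-1", 79: "0-1", 80: "0-1", 81: "0-1", 85: "0-1", 87: "0",
}

def rule_allows(rule, count):
    """Return True if `count` occurrences satisfy the table rule code."""
    if rule == "1":
        return count == 1
    if rule == "0":
        return count == 0
    if rule == "0-1":
        return count <= 1
    if rule == "0+":
        return True
    raise ValueError(f"unknown rule code {rule!r}")

def check_packet(rules, attr_types):
    """Compare the attribute types seen in one packet against a table column.

    `attr_types` lists the type number of every attribute in the packet, one
    entry per occurrence. Returns a sorted list of (type, rule, count) for each
    attribute whose count violates its rule; an empty list means the packet
    matches the table. Types the table does not mention are ignored.
    """
    counts = Counter(attr_types)
    return sorted((t, rule, counts.get(t, 0))
                  for t, rule in rules.items()
                  if not rule_allows(rule, counts.get(t, 0)))

# Constructed sample: an Access-Request carrying User-Name twice and no NAS-Identifier.
SAMPLE_REQUEST = [1, 1, 2, 4, 5, 6, 7, 31, 44, 61, 87]
```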

2.15.34  Level 1 Is Configured for a User on the RADIUS Server, But the User Has More Rights Than Rights Defined in Level 1 After Login. Why?

Run the display current-configuration command to check the device configuration and check whether the command-privilege level command is used to change the level.

2.15.35  How Do I Delete and View the Firewall and NAT Flow Table?

Run the reset session all command in the system view to clear the firewall and NAT flow table.

Run the display session command in any view to check the firewall and NAT flow table.

2.15.36  How Do I Convert RADIUS Attributes After Replacing an ME60 Gateway with an AR Router?

After an AR router replaces an ME60 gateway, some RADIUS attributes of the AR router need to be converted into corresponding RADIUS attributes of the ME60 gateway so that the AR router can properly connect to the RADIUS server.

For example, the mapping of Huawei proprietary attributes of the AR router and ME60 gateway is as follows:

  • Proprietary RADIUS attribute 1 (HW-Input-Peak-Information-Rate) of the AR router corresponds to proprietary RADIUS attribute 3 of the ME60 gateway.
  • Proprietary RADIUS attribute 3 (HW-Input-Committed-Burst-Size) of the AR router corresponds to proprietary RADIUS attribute 1 of the ME60 gateway.

According to the preceding mapping, convert proprietary RADIUS attribute 1 to proprietary RADIUS attribute 3, and proprietary RADIUS attribute 3 to proprietary RADIUS attribute 1 on the AR router.

  • Run the radius-server attribute translate command in the RADIUS server template view to enable RADIUS attribute translation.
  • Run the radius-attribute translate HW-Input-Peak-Information-Rate HW-Input-Committed-Burst-Size receive command in the RADIUS server template view to convert proprietary RADIUS attribute 1 in received packets to proprietary RADIUS attribute 3.
  • Run the radius-attribute translate HW-Input-Committed-Burst-Size HW-Input-Peak-Information-Rate receive command in the RADIUS server template view to convert proprietary RADIUS attribute 3 in received packets to proprietary RADIUS attribute 1.

When receiving packets containing proprietary RADIUS attribute 1 or 3 from the RADIUS server, the AR router can properly obtain attribute information.

For the mapping between other attributes, for example, between proprietary RADIUS attribute 4 (HW-Output-Peak-Information-Rate) of the AR router and proprietary RADIUS attribute 6 of the ME60 gateway, you can configure attribute translation similarly. For details about the mapping between attributes, see the RADIUS attribute table for the AR router and that for the ME60 gateway in the corresponding product documentation.
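The receive-side renumbering that the two radius-attribute translate commands above perform, written out in Python as an added example (not the AR router's code); it assumes the RFC 2865 Vendor-Specific attribute layout and Huawei's IANA enterprise number 2011, neither of which is stated on this page.

```python
import struct

HUAWEI_VENDOR_ID = 2011     # assumption: Huawei's IANA enterprise number, not stated above
# Mapping from the FAQ text: AR sub-attribute 1 <-> ME60 sub-attribute 3.
ME60_RECEIVE_MAP = {1: 3, 3: 1}

def parse_vsa(raw):
    """Decode one Vendor-Specific attribute (type 26) into (vendor_id, [(sub_type, value), ...])."""
    if len(raw) < 8 or raw[0] != 26 or raw[1] != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", raw[2:6])[0]
    subs, pos = [], 6
    while pos < len(raw):
        # Reject truncated or overlong sub-attribute lengths before trusting them.
        if pos + 2 > len(raw) or raw[pos + 1] < 2 or pos + raw[pos + 1] > len(raw):
            raise ValueError("bad sub-attribute length")
        sub_type, sub_len = raw[pos], raw[pos + 1]
        subs.append((sub_type, raw[pos + 2:pos + sub_len]))
        pos += sub_len
    return vendor_id, subs

def build_vsa(vendor_id, subs):
    """Encode (vendor_id, [(sub_type, value), ...]) back into attribute-26 bytes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in subs)
    return bytes([26, len(body) + 6]) + struct.pack("!I", vendor_id) + body

def translate_received(raw, mapping=ME60_RECEIVE_MAP):
    """Renumber Huawei sub-attributes of a received VSA according to `mapping`.

    Sub-types absent from the mapping, and VSAs of other vendors, pass through unchanged.
    """
    vendor_id, subs = parse_vsa(raw)
    if vendor_id != HUAWEI_VENDOR_ID:
        return raw
    return build_vsa(vendor_id, [(mapping.get(t, t), v) for t, v in subs])
```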

2.15.37  Why Is a Service (Such as Voice) Interrupted After NAT or the Firewall Is Configured?

The aging time of the session table is shorter than the aging time of the service. The session entry is aged out while the service is still in progress, so service packets sent after the entry ages out are discarded and the service is interrupted. Run the firewall-nat session aging-time command to increase the TCP/UDP timeout interval.

2.15.38  How Do I Change the Aging Time of the Firewall Session Table?

Procedure

<Huawei> system-view
[Huawei] firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media |  rtsp | rtsp-media | pptp | pptp-data } aging-time time-value

More information

The Router creates a session table for data flows of each protocol, such as TCP, UDP, and ICMP, to record the connection status of the protocol. An aging time is set for the session table. If a record in the session table does not match any packet within the aging time, the system deletes the record.

By default, the aging time of each protocol is as follows:
  • DNS: 120 seconds
  • FTP: 120 seconds
  • FTP-data: 120 seconds
  • HTTP: 120 seconds
  • ICMP: 20 seconds
  • TCP: 600 seconds
  • TCP-proxy: 10 seconds
  • UDP: 120 seconds
  • SIP: 1800 seconds
  • SIP-media: 120 seconds
  • RTSP: 60 seconds
  • RTSP-media: 120 seconds
  • PPTP: 600 seconds
  • PPTP-data: 600 seconds

The default aging time is recommended.

AR510 series do not support the sip and sip-media keywords.

2.15.39  Top Questions Collected from Customer Service Hotline and Solutions

No. Question Solution
1 How to configure the ACL-based packet filtering firewall Example for Configuring the ACL-based Packet Filtering Firewall
2 How to change the aging time of the firewall session table How Do I Change the Aging Time of the Firewall Session Table?

2.15.40  How Do I Take Measures to Prevent Internal Network Attacks?

Internal network attacks are attacks carried by Layer 2 protocol packets, and ARP is the protocol most often used to attack network devices. The following ARP attack defense measures are commonly used:
  • Strict ARP learning: The device learns only the ARP Reply packets in response to the ARP Request packets sent by itself. Run the arp learning strict command to enable strict ARP learning.
  • ARP gateway anti-collision: If an attacker sends an ARP packet with the source IP address as the gateway address, ARP entries are modified incorrectly. ARP gateway anti-collision can solve this problem. Run the arp anti-attack gateway-duplicate enable command to enable the ARP gateway anti-collision function.
  • Sending gratuitous ARP packets: To ensure that packets sent by hosts on the internal network are forwarded to the gateway or prevent malicious users from intercepting these packets, the device sends gratuitous ARP packets at intervals to update the gateway address in ARP entries of the hosts. Run the arp gratuitous-arp send enable command to enable the device to send gratuitous ARP packets. By default, the device sends gratuitous ARP packets every 90s.
NOTE:

If too many security measures are used, device performance may deteriorate.

2.15.41  How Do I Check Binding Between IP Addresses and MAC Addresses on a Layer 3 Interface?

IP source guard can be configured only on a Layer 2 interface, so the following solution is used:

  1. Create static ARP entries.
  2. Configure ACLs to allow only IP packets matching the static ARP entries to pass through.

2.15.42  Which models support IPSG?

  • In versions earlier than V200R003, only the 8FE1GE and 24GE cards of the AR2200 and AR3200 support IPSG.
  • In V200R005C10 and later versions, all series support IPSG, except that the 4GE-2S, 4ES2G-S, 4ES2GP-S and 9ES2 cards do not. IPSG supports both Layer 2 and Layer 3 traffic monitoring, but the AR100, AR120, AR150, AR160, AR200 and AR1200 series support only Layer 3 traffic monitoring.
WoodWood
Created Aug 30, 2017 06:34:39

AR Router Maintenance Guide-FAQ(Security)-2430981-1