19-H3C EIA ARP Spoofing Gateway Attack Prevention Configuration Examples


H3C EIA ARP Spoofing Gateway Attack Prevention

Configuration Examples


Product Version: EIA (E6602)

Document version: 5W103-20240226

 

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example of binding gateway information of users that pass 802.1X authentication to protect the users from ARP spoofing gateway attacks.

Feature usage guide

Application scenarios

The following information applies to enterprise and campus networks that are vulnerable to ARP spoofing gateway attacks.

Prerequisites

·     The access device must support 802.1X.

·     The user PC runs the Windows operating system and has an iNode client installed.

Example: Configuring ARP spoofing gateway attack prevention

Network configuration

As shown in Figure 1, a company uses 802.1X authentication to authenticate users when they access the network. The gateway binding feature on the EIA protects the PC from ARP spoofing gateway attacks.

·     Configure the IP address of the EIA server as 192.168.40.238. In a cluster deployment environment, specify the northbound service virtual IP as the IP address of the EIA server.

To identify the northbound service virtual IP of the EIA server in a cluster deployment:

a.     Enter https://ip_address:8443/matrix/ui in the address bar of the browser to open the Matrix page. ip_address represents the northbound service virtual IP or node IP address.

b.     On the top navigation bar, click DEPLOY. From the left navigation pane, select Clusters.

c.     Click the Cluster Parameters tab. Use the IP address in the Northbound Service Virtual IP field as the IP address of the EIA server.

·     Configure the IP address of the access device as 192.168.30.111 and the interface that connects to the PC as GE1/0/9.

·     Configure the IP address of the PC as 192.168.30.235.

·     Configure the IP address of the remote host used for testing as 192.168.40.239.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on the following platforms:

·     EIA (E6602)

·     H3C S3600-28TP-EI Comware Software, Version 5.20, Release 2103

·     iNode PC 7.3 (E0617)

Procedures

Procedures and information in the examples might be slightly different depending on the software or hardware version.

Configuring the EIA server

Adding an access device

1.     On the top navigation bar, click Automation. From the left navigation pane, select User > Access Service > Access Device Management > Access Device.

Figure 2 Access device list

 

2.     Click Add.

Figure 3 Adding an access device

 

3.     In the Device List area, click Add IPv4 Device. In the dialog box that opens, enter the IP address of the access device in the Device IP field, and then click Confirm. Make sure the IP address of the access device meets the following requirements:

¡     If the RADIUS scheme contains a NAS IP specified by using the nas ip command for the access device, specify that IP address on the EIA server.

¡     If the RADIUS scheme does not contain a NAS IP, specify the IP address of the Layer 3 Ethernet interface or VLAN interface that connects the access device to the EIA server.

Figure 4 Adding an access device

 

4.     Configure access configuration parameters.

¡     Authentication Port: Specify the RADIUS authentication service port on the EIA server. It must be the same as that specified on the access device. Typically, use default service port 1812.

¡     Accounting Port: Specify the RADIUS accounting service port on the EIA server. It must be the same as that specified on the access device. Typically, use default service port 1813.

¡     Shared Key/Confirm Shared Key: Enter a shared key for communication between the EIA server and the access device. The shared key specified on the EIA server must be the same as that specified on the access device. In this example, enter movie.

¡     Use the default settings for the other parameters.

 

 

NOTE:

You must use the EIA server to provide both authentication and accounting services. You cannot use the EIA server as the authentication server and another server as the accounting server.

 

Figure 5 Access configuration parameters

 

5.     Click Confirm. Verify that the access device has been added to the access device list.

Figure 6 Verifying that the access device has been added to the access device list

 

Configuring a user gateway

On the EIA, configure a user gateway for the access device to define the gateway that its users must use. When a user passes authentication, the server selects the user gateway based on the IP address of the access device the user authenticated through, and deploys that gateway's IP-MAC binding to the client. The client then installs a static ARP entry for the gateway and sends its traffic only to that gateway, so spoofed ARP replies cannot redirect it. This prevents ARP spoofing gateway attacks.

 

IMPORTANT:

·     Make sure the IP-MAC mapping of a user gateway is unique on an access device.

·     The user gateway description cannot exceed 128 characters.

·     You can add a maximum of 300 user gateways on an access device.

 

To configure a user gateway:

1.     On the top navigation bar, click Automation. From the left navigation pane, select User > Access Service > Access Device Management > Access Device.

Figure 7 Access device tab

 

2.     Click the  button and then select User Gateway in the Operation column for the access device to be configured.

Figure 8 User gateway list

 

3.     Click Add. In the dialog box that opens, enter the IP address and the MAC address of the user gateway.

Figure 9 Adding a user gateway

 

4.     Click Confirm. Verify that the user gateway has been added to the user gateway list.

Figure 10 Verifying that the user gateway has been added to the user gateway list

 

Adding an access policy

This example adds an access policy that does not perform any access control.

To add an access policy:

1.     On the top navigation bar, click Automation. From the navigation pane, select User > Access Service > Access Policy > Access Policy.

Figure 11 Access policy tab

 

2.     Click Add. On the page that opens, enter the access policy name, which is Access Policy-802.1X in this example. Use the default settings for the other parameters.

Figure 12 Adding an access policy (1)

 

Figure 13 Adding an access policy (2)

 

 

NOTE:

To deploy authorization information, make sure the attributes are supported on the device. For the authentication binding information to take effect, you must configure the corresponding information in the RADIUS attributes on the device. In this example, you do not need to deploy authorization information. The default settings apply.

 

3.     Click Confirm. Verify that the access policy has been added to the access policy list.

Figure 14 Verifying that the access policy has been added to the access policy list

 

Adding an access service

An access service is a collection of policies for user authentication and authorization.

To add an access service:

1.     On the top navigation bar, click Automation. From the navigation pane, select User > Access Service > Access Service.

Figure 15 Access services

 

2.     Click Add. On the page that opens, perform the following tasks:

¡     Enter Access Service-802.1X in the Service Name field.

¡     Enter arp in the Service Suffix field.

¡     Select Access Policy-802.1X from the Default Access Policy list.

¡     Use the default settings for the other parameters.

Table 1 Access service parameter description

·     Service Name: Enter a service name, which must be unique.

·     Service Suffix: Enter a service suffix, which identifies the name of the domain to be used for user authentication. The service suffix, authentication username, authentication domain, and the device's RADIUS scheme command are closely related to each other. For the matrix of these elements, see Table 2.

·     Default Access Policy: Specify an access policy as the default access policy for access scenarios that are not included in the service.

·     Default Proprietary Attribute Assignment Policy: Specify the default proprietary attribute assignment policy. If a user of the service does not match any access device group when accessing the network, the system deploys proprietary attributes to the access device according to this policy.

·     Default Max. Devices for Single Account: Specify the maximum number of endpoints that can be bound to the same user account in access scenarios that are not included in the service. This field is available only when the EIP component is deployed. The value range is 0 to 999, where 0 means that the number of endpoints bound to the same user account is not limited.

·     Default Max. Number of Online Endpoints: Specify the maximum number of endpoints that can be online with the same user account in access scenarios that are not included in the service. The value range is 0 to 999, where 0 means that the number of online endpoints using the same user account is not limited.

·     Description: Enter a description for the access service.

·     Transparent Authentication: Select this option to enable transparent authentication for the access service. After an endpoint user first passes authentication by entering the correct username and password, the RADIUS server subsequently authenticates the user by matching the MAC address to the bound account, without user intervention. Transparent authentication includes transparent portal authentication and transparent MAC authentication. In transparent portal authentication, the access service is also bound to the MAC address and user account, and must match for subsequent user authentication.

 

Table 2 Configuration matrix

Authentication username | Authentication domain                               | Device's RADIUS scheme command  | Service suffix on EIA
X@Y                     | Y                                                   | user-name-format with-domain    | Y
X@Y                     | Y                                                   | user-name-format without-domain | No suffix
X                       | [Default Domain] (the default domain on the device) | user-name-format with-domain    | [Default Domain]
X                       | [Default Domain] (the default domain on the device) | user-name-format without-domain | No suffix

 

Figure 16 Adding an access service

 

3.     Click Confirm. Verify that the access service has been added to the access service list.

Figure 17 Verifying that the access service has been added to the access service list

 

Adding an access user

An access user is the identity credential used by a user for network access, which includes information about the account name, password, and access service.

To add an access user:

1.     On the top navigation bar, click Automation. From the navigation pane, select User > Access User > All Access Users.

2.     Click Add. On the page that opens, configure the access user parameters.

Table 3 Access user parameter description

·     User Name/Identity Number: Enter the username and identity number of the user.

·     Account Name: Uniquely identifies an account user. The user uses the account name to apply for and use services. The account name is a string of up to 200 characters that cannot contain tab characters or the special characters #+/?%&=*'@"[]()<>`

·     Password/Password Confirm: Enter the same password in both fields for identity verification. The password is a string of up to 32 characters. Neither field can be empty.

·     Access Service: Select Access Service-802.1X.

 

Figure 18 Adding an access user

 

Figure 19 Selecting an access service

 

3.     Click Confirm. Verify that the access user has been added to the access user list.

Figure 20 Verifying that the access user has been added to the access user list

 

Configuring the access device

An access device is used for controlling user access. Only users that pass authentication can access the network.

To configure the access device:

1.     Telnet to the access device from the Windows CLI.

2.     Enter system view.

<AccDevice>system-view

System View: return to User View with Ctrl+Z.

3.     Create a RADIUS scheme named arpPolicy. Specify the EIA as the primary authentication server and primary accounting server, and configure the keys for communication with the servers. Make sure the keys are the same as the shared key configured when you added the access device. For more information, see "Adding an access device."

[AccDevice]radius scheme arpPolicy

New Radius scheme

[AccDevice -radius-arpPolicy]primary authentication 192.168.40.238 1812

[AccDevice -radius-arpPolicy]primary accounting 192.168.40.238 1813

//Specify the extended service type for the H3C device.

[AccDevice -radius-arpPolicy]server-type extended

[AccDevice -radius-arpPolicy]key authentication movie

[AccDevice -radius-arpPolicy]key accounting movie

//Include domain names in the usernames sent to the RADIUS server. For information about the configuration matrix, see Table 2.

[AccDevice -radius-arpPolicy]user-name-format with-domain

[AccDevice -radius-arpPolicy]quit

4.     Create an ISP domain named arp and configure authentication, authorization, and accounting methods for LAN access users. The ISP domain name must be the same as the service suffix configured when you added the access service. For more information, see "Adding an access service."

[AccDevice]domain arp

New Domain added.

[AccDevice -isp-arp]authentication lan-access radius-scheme arpPolicy

[AccDevice -isp-arp]authorization lan-access radius-scheme arpPolicy

[AccDevice -isp-arp]accounting lan-access radius-scheme arpPolicy

[AccDevice -isp-arp]quit

5.     Configure the authentication method.

//802.1X authentication supports PAP, CHAP, and EAP authentication. To perform certificate-based authentication, specify the EAP authentication. To use the Windows client for authentication, do not specify the PAP authentication. In this example, specify the EAP authentication.

[AccDevice]dot1x authentication-method eap

EAP authentication enabled already.

//To have 802.1X authentication take effect, you must enable 802.1X authentication globally and on an interface.

[AccDevice]dot1x

802.1X is enabled globally.

[AccDevice]dot1x interface GigabitEthernet1/0/9

802.1X is enabled on port GigabitEthernet1/0/9.
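Steps 3 and 4 state several values that must agree between the device and the EIA: the server address, the authentication and accounting ports, the shared key, the ISP domain name versus the service suffix, and the user-name-format versus Table 2. The following Python script is an added example, not H3C or EIA code. It parses the Comware commands above as they would appear in the running configuration, compares them with the EIA values from this document, and derives the EIA service suffix the device configuration implies. The function names, the constructed configuration text, and the assumption that Comware's default user-name-format is with-domain are mine.

```python
"""Consistency check: access device RADIUS/ISP-domain config vs. EIA settings.
Added example (not H3C code); config text and EIA values are constructed
from this document's example."""
import re

# Constructed: the device-side commands from steps 3 and 4, prompts removed.
DEVICE_CONFIG = """\
radius scheme arpPolicy
 primary authentication 192.168.40.238 1812
 primary accounting 192.168.40.238 1813
 server-type extended
 key authentication movie
 key accounting movie
 user-name-format with-domain
domain arp
 authentication lan-access radius-scheme arpPolicy
 authorization lan-access radius-scheme arpPolicy
 accounting lan-access radius-scheme arpPolicy
"""

# Constructed: what was entered on the EIA server in this example.
EIA_SETTINGS = {"server_ip": "192.168.40.238", "auth_port": 1812,
                "acct_port": 1813, "shared_key": "movie", "service_suffix": "arp"}


def parse_device_config(text):
    """Return {'schemes': {name: fields}, 'domains': {name: {aaa: scheme}}}."""
    schemes, domains, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"radius scheme (\S+)", line):
            current = ("scheme", m.group(1))
            # Assumption: Comware default user-name-format is with-domain.
            schemes[m.group(1)] = {"user_name_format": "with-domain"}
        elif m := re.match(r"domain (\S+)", line):
            current = ("domain", m.group(1))
            domains[m.group(1)] = {}
        elif current and current[0] == "scheme":
            s = schemes[current[1]]
            if m := re.match(r"primary (authentication|accounting) (\S+)(?: (\d+))?", line):
                default = 1812 if m.group(1) == "authentication" else 1813
                s[m.group(1)] = (m.group(2), int(m.group(3)) if m.group(3) else default)
            elif m := re.match(r"key (authentication|accounting) (\S+)", line):
                s["key_" + m.group(1)] = m.group(2)
            elif m := re.match(r"user-name-format (with-domain|without-domain)", line):
                s["user_name_format"] = m.group(1)
        elif current and current[0] == "domain":
            if m := re.match(r"(authentication|authorization|accounting) lan-access radius-scheme (\S+)", line):
                domains[current[1]][m.group(1)] = m.group(2)
    return {"schemes": schemes, "domains": domains}


def expected_eia_suffix(domain_name, user_name_format):
    """Table 2: with-domain sends 'X@domain', so the EIA suffix must equal the
    domain; without-domain sends bare 'X', so the EIA service needs no suffix."""
    return domain_name if user_name_format == "with-domain" else ""


def check_consistency(device_cfg, eia):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    problems = []
    for dom_name, dom in device_cfg["domains"].items():
        for aaa in ("authentication", "authorization", "accounting"):
            if aaa not in dom:
                problems.append(f"domain {dom_name}: no lan-access {aaa} method")
        for sname in set(dom.values()):
            s = device_cfg["schemes"].get(sname)
            if s is None:
                problems.append(f"domain {dom_name}: scheme {sname} undefined")
                continue
            for svc, port_key in (("authentication", "auth_port"), ("accounting", "acct_port")):
                if svc not in s:
                    problems.append(f"scheme {sname}: no primary {svc} server")
                    continue
                ip, port = s[svc]
                if ip != eia["server_ip"] or port != eia[port_key]:
                    problems.append(f"scheme {sname}: primary {svc} {ip}:{port} differs from EIA "
                                    f"{eia['server_ip']}:{eia[port_key]}")
                if s.get("key_" + svc) != eia["shared_key"]:
                    problems.append(f"scheme {sname}: {svc} key differs from EIA shared key")
            suffix = expected_eia_suffix(dom_name, s["user_name_format"])
            if suffix != eia["service_suffix"]:
                problems.append(f"domain {dom_name}: EIA service suffix should be "
                                f"'{suffix}', is '{eia['service_suffix']}'")
    return problems


if __name__ == "__main__":
    for p in check_consistency(parse_device_config(DEVICE_CONFIG), EIA_SETTINGS) or ["consistent"]:
        print(p)
```

A key or port mismatch produces RADIUS authentication failures that the EIA logs as an unknown device or bad authenticator, while a suffix mismatch causes the user to land in no matching access service; running the check before the first login separates the two causes.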

Verifying the configuration

Verifying configuration before gateway binding

1.     Before the user logs in through the iNode client, test the connectivity to the remote host from the PC and view the gateway information. The test result shows that the connectivity to the remote host is normal, and the ARP entry for the gateway is learned dynamically.

2.     Use ARP spoofing gateway attack software to simulate an attack. After the PC is attacked, check the gateway information on the PC. The MAC address of the gateway has been changed, and the remote host cannot be pinged.

Verifying configuration after gateway binding

1.     Open the iNode client and use the 802.1X connection. Enter the username and password and then click the connect button.

Figure 21 Authentication window

 

2.     After you pass the authentication, the EIA deploys gateway configuration to the access device.

3.     View gateway configuration on the PC and test the connectivity between the PC and the remote host. The ARP entry for the gateway is statically configured and the communication between the PC and remote host is normal. Simulate an ARP spoofing gateway attack. The communication between the PC and remote host is still normal and the MAC address of the gateway remains unchanged.
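The three checks above (entry learned dynamically, entry changed by the attack, entry static after binding) can be made repeatable by parsing the PC's ARP cache rather than reading it by eye. The following Python script is an added example, not H3C or iNode code. It parses Windows `arp -a` output and classifies the gateway entry as missing, carrying a MAC other than the one bound on the EIA, correct but still dynamic, or correct and static. The gateway IP 192.168.30.1, the MAC addresses, the three sample outputs, and the function names are constructed for illustration; the document does not give them.

```python
"""Classify the PC's ARP entry for the user gateway at each verification step.
Added example (not H3C/iNode code); gateway IP, MACs and samples are constructed."""
import re
import subprocess
import sys

# Constructed samples of Windows `arp -a` output on the PC (192.168.30.235).
BEFORE_BINDING = """\
Interface: 192.168.30.235 --- 0xb
  Internet Address      Physical Address      Type
  192.168.30.1          00-0f-e2-aa-bb-01     dynamic
  192.168.30.255        ff-ff-ff-ff-ff-ff     static
"""
UNDER_ATTACK = """\
Interface: 192.168.30.235 --- 0xb
  Internet Address      Physical Address      Type
  192.168.30.1          00-0f-e2-de-ad-99     dynamic
  192.168.30.255        ff-ff-ff-ff-ff-ff     static
"""
AFTER_BINDING = """\
Interface: 192.168.30.235 --- 0xb
  Internet Address      Physical Address      Type
  192.168.30.1          00-0f-e2-aa-bb-01     static
  192.168.30.255        ff-ff-ff-ff-ff-ff     static
"""

GATEWAY_IP = "192.168.30.1"        # constructed gateway address
BOUND_MAC = "00:0f:e2:aa:bb:01"    # constructed; the MAC entered for the EIA user gateway

# One `arp -a` row: IP, MAC in Windows dash notation, entry type.
ARP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+(static|dynamic)\s*$")


def normalize_mac(mac):
    """Accept 00-0f-e2-.., 00:0f:e2:.. or 000f.e2aa.. and return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_table(text):
    """Return {ip: (mac, type)} for every entry in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(1)] = (normalize_mac(m.group(2)), m.group(3))
    return table


def assess_gateway(text, gateway_ip=GATEWAY_IP, bound_mac=BOUND_MAC):
    """Classify the gateway entry:
    'missing'      - no ARP entry for the gateway
    'mac-mismatch' - entry MAC differs from the bound MAC (spoofed or misbound)
    'dynamic'      - bound MAC, but the entry is still dynamic (binding not in effect)
    'bound'        - static entry with the bound MAC
    """
    entry = parse_arp_table(text).get(gateway_ip)
    if entry is None:
        return "missing"
    mac, kind = entry
    if mac != normalize_mac(bound_mac):
        return "mac-mismatch"
    return "bound" if kind == "static" else "dynamic"


def assess_live(gateway_ip, bound_mac):
    """Run the same check against this Windows host's real ARP cache."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    return assess_gateway(out, gateway_ip, bound_mac)


if __name__ == "__main__":
    for label, sample in (("before binding", BEFORE_BINDING),
                          ("under attack", UNDER_ATTACK),
                          ("after binding", AFTER_BINDING)):
        print(f"{label:15}: {assess_gateway(sample)}")
    if sys.platform == "win32" and len(sys.argv) == 3:
        print("live:", assess_live(sys.argv[1], sys.argv[2]))
```

Run on the PC as `python check_gw.py <gateway-ip> <bound-mac>` after the iNode login; anything other than `bound` means the deployed binding is not protecting the host, and `mac-mismatch` on a static entry would indicate the wrong MAC was entered for the user gateway on the EIA.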
