ProCurve 2610 Manual

2610 / 2610-pwr series
Access Security Guide
2610
2610-PWR
ProCurve Switches
R.11.XX
www.procurve.com

Summary of Contents for ProCurve 2610

  • Page 1 Access Security Guide 2610 2610-PWR ProCurve Switches R.11.XX www.procurve.com...
  • Page 3 ProCurve Switch 2610 Series Switch 2610-PWR Series December 2007 Access Security Guide...
  • Page 4 OpenSSH Project for use in the OpenSSH Toolkit. For more information on OpenSSH, visit http:// www.openssh.com. SSL on ProCurve Switches is based on the OpenSSL software toolkit. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more information on OpenSSL, visit http://www.openssl.org.
  • Page 5: Table Of Contents

    Contents Product Documentation Software Feature Index ......... . xiv 1 Getting Started Contents .
  • Page 6 Front-Panel Button Functions ....... . . 2-8 Configuring Front-Panel Security ......2-10 Password Recovery .
  • Page 7 Terminology Used in TACACS Applications: ......4-3 General System Requirements ........4-5 General Authentication Setup Procedure .
  • Page 8 Controlling Web Browser Interface Access When Using RADIUS Authentication ..........5-18 Configuring RADIUS Authorization .
  • Page 9 The Packet-filtering Process ....... . . 6-14 Operating Rules for Dynamic Port ACLs ..... . . 6-14 Configuring an ACL in a RADIUS Server .
  • Page 10 8 Configuring Secure Socket Layer (SSL) Contents ............8-1 Overview .
  • Page 11 Managing ACL Resource Consumption ......9-18 Traffic Management and Improved Network Performance ... 9-22 Security .
  • Page 12 Traffic/Security Filters Contents ............10-1 Overview .
  • Page 13 5. Enable 802.1X Authentication on the Switch ....11-26 6. Optional: Reset Authenticator Operation ....11-26 7.
  • Page 14 Configuring and Monitoring Port Security Contents ............12-1 Overview .
  • Page 15 Overview of IP Mask Operation ......13-4 Menu: Viewing and Configuring IP Authorized Managers ..13-5 CLI: Viewing and Configuring Authorized IP Managers .
  • Page 17: Product Documentation

    Electronic Publications The latest version of each of the publications listed below is available in PDF format on the ProCurve Web site, as described in the Note at the top of this page. Management and Configuration Guide—Describes how to configure, ■...
  • Page 18: Software Feature Index

    Product Documentation Software Feature Index For the software manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. (Note that some software features are not supported on all switch models.) Feature Management and...
  • Page 19 Product Documentation Feature Management and Advanced Traffic Access Security Configuration Management Guide File Transfers Friendly Port Names GVRP IGMP Interface Access (Telnet, Console/Serial, Web) Jumbo Packets IP Addressing IP Routing LACP Link LLDP LLDP-MED MAC Address Management MAC Lockdown MAC Lockout MAC-based Authentication Monitoring and Analysis Multicast Filtering...
  • Page 20 Product Documentation Feature Management and Advanced Traffic Access Security Configuration Management Guide Port-Based Access Control Port-Based Priority (802.1Q) Power over Ethernet (PoE) Quality of Service (QoS) RADIUS ACLs RADIUS Authentication and Accounting Routing Secure Copy sFlow SFTP SNMP Software Downloads (SCP/SFTP, TFTP, Xmodem) Source-Port Filters Spanning Tree (STP, RSTP, MSTP) SSH (Secure Shell) Encryption...
  • Page 21 Product Documentation Feature Management and Advanced Traffic Access Security Configuration Management Guide VLANs Web-based Authentication Xmodem xvii...
  • Page 22 Product Documentation xviii...
  • Page 23 Getting Started Contents Introduction ........... 1-2 Overview of Access Security Features .
  • Page 24: Getting Started

    Getting Started Introduction This Access Security Guide describes how to use ProCurve’s switch security features to protect access to your switch. This guide is intended to support the following switches: ■ ProCurve Series 2610 ■ ProCurve Series 2610-PWR For an overview of other product documentation for the above switches, refer to “Product Documentation”...
  • Page 25: Management Access Security Protection

    Table 1-1 on page 1-4 provides an overview of the type of protection offered by each switch security feature. Note ProCurve recommends that you use local passwords together with your switch’s other security features to provide a more comprehensive security fabric than if you use only local passwords.
  • Page 26: General Switch Traffic Security Guidelines

    Getting Started Overview of Access Security Features Table 1-1. Management Access Security Protection Security Feature Offers Protection Against Unauthorized Client Access to Offers Protection Switch Management Features Against Unauthorized Client Connection Telnet SNMP Access to the (Net Mgmt) Browser Client Network Local Manager and Operator PtP:...
  • Page 27: Conventions

    For example (the switch model is highlighted here in bold italics): “Web and MAC Authentication for the Series 2610/2610-PWR Switches”. Command Syntax Statements Syntax: aaa port-access authenticator <...
  • Page 28: Command Prompts

    Port Identity Examples This guide describes software applicable to both chassis-based and stackable ProCurve switches. Where port identities are needed in an example, this guide uses the chassis-based port identity system, such as “A1”, “B3 - B5”, “C7”, etc. However, unless otherwise noted, such examples apply equally to the stackable switches, which for port identities typically use only numbers, such as “1”, “3-5”, “15”, etc.
  • Page 29: Sources For More Information

    ■ software feature, refer to “Product Documentation” on page xiii. Note For the latest version of all ProCurve switch documentation, including release notes covering recently added features, visit the ProCurve Networking website at www.procurve.com. Click on Technical support, and then click on Product manuals.
  • Page 30: Need Only A Quick Start

    If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using multiple VLANs, ProCurve recommends that you use the Switch Setup screen to quickly configure IP addressing.
  • Page 31: To Set Up And Install The Switch In Your Network

    (optionally) configuring other basic features. Interpreting LED behavior. ■ For the latest version of the Installation and Getting Started Guide and other documentation for your switch, visit the ProCurve website. (Refer to “Product Documentation” on page xiii of this guide for further details.)
  • Page 32 Getting Started Need Only a Quick Start? 1-10...
  • Page 33 Configuring Username and Password Security Contents Overview ............2-2 Configuring Local Password Security .
  • Page 34: Configuring Username And Password Security

    Configuring Username and Password Security Overview Overview Feature Default Menu Set Usernames none — — page 2-6 Set a Password none page 2-4 page 2-5 page 2-6 Delete Password Protection page 2-4 page 2-6 page 2-6 Show front-panel-security — page 1-13 —...
  • Page 35 Configuring Username and Password Security Overview To configure password security: 1. Set a Manager password pair (and an Operator password pair, if applicable for your system). 2. Exit from the current console session. A Manager password pair will now be needed for full access to the console. If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password.
  • Page 36: Configuring Local Password Security

    Configuring Username and Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. From the Main Menu select: 3.
  • Page 37: Cli: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter. If you do not have physical access to the switch, you will need Manager-Level access: Enter the console at the Manager level.
  • Page 38: Web: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.) For example, to remove the Operator password (and username, if assigned) from the switch, you would do the following:...
  • Page 39: Front-Panel Security

    Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together).
  • Page 40: Front-Panel Button Functions

    Configuring Username and Password Security Front-Panel Security As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions The front panel of the switch includes the Reset button and the Clear button.
  • Page 41 Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.
  • Page 42: Configuring Front-Panel Security

    Configuring Username and Password Security Front-Panel Security 3. Release the Reset button and wait for about one second for the Self-Test LED to start flashing. When the Self-Test LED begins flashing, release the Clear button...
  • Page 43 Configuring Username and Password Security Front-Panel Security • Configure the Clear button to reboot the switch after clearing any local usernames and passwords. This provides an immediate, visual means (plus an Event Log message) for verifying that any usernames and passwords in the switch have been cleared. •...
  • Page 44 Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to “Password Recovery Process” on page 2-18.) (Default: Enabled.) CAUTION: Disabling this option removes the ability to recover a password on the switch.
  • Page 45 Configuring Username and Password Security Front-Panel Security Indicates the command has disabled the Clear button on the switch’s front panel. In this case the Show command does not include the reset-on-clear status because it is inoperable while the Clear Password functionality is disabled, and must be reconfigured whenever Clear Password is re-enabled.
  • Page 46 Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel.
  • Page 47 Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on-clear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-9. Example of Re-Enabling the Clear Button’s Default Operation Changing the Operation of the Reset+Clear Combination In their default configuration, using the Reset+Clear buttons in the combina-...
  • Page 48: Password Recovery

    (the default) on the switch prior to an attempt to recover from a lost username/password situation ■ Contacting your ProCurve Customer Care Center to acquire a one-time-use password Disabling or Re-Enabling the Password Recovery Process Disabling the password recovery process means that the only method for...
  • Page 49 Configuring Username and Password Security Front-Panel Security Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form of the command) disables the ability to recover a lost password. When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password.
  • Page 50: Password Recovery Process

    2. Contact your ProCurve Customer Care Center for further assistance. Using the switch’s MAC address, the ProCurve Customer Care Center will generate and provide a “one-time use” alternate password you can use with the to gain management access to the switch.
  • Page 51 Configuring Username and Password Security Front-Panel Security Note The alternate password provided by the ProCurve Customer Care Center is valid only for a single login attempt. You cannot use the same “one-time-use” password if you lose the password a second time.
  • Page 52 Configuring Username and Password Security Front-Panel Security 2-20...
  • Page 53: Web And Mac Authentication

    Web and MAC Authentication Contents Overview ............3-2 Client Options .
  • Page 54: Overview

    Web and MAC Authentication Overview Overview Feature Default Menu Configure Web Authentication — 3-18 — Configure MAC Authentication — 3-23 — Display Web Authentication Status and Configuration — 3-28 — Display MAC Authentication Status and Configuration — 3-31 — Web and MAC Authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access.
  • Page 55: Client Options

    Web and MAC Authentication Overview for clients capable of interactive logons. (The process does not use either a client device configuration or a logon session.) MAC authentication is well-suited for clients that are not capable of providing interactive logons, such as telephones, printers, and wireless access points.
  • Page 56: General Features

    Web and MAC Authentication Overview General Features Web and MAC authentication include the following: ■ On a port configured for Web or MAC Authentication, the switch operates as a port-access authenticator using a RADIUS server and the CHAP protocol. Inbound traffic is processed by the switch alone, until authentication occurs.
  • Page 57: How Web And Mac Authentication Operate

    Web and MAC Authentication How Web and MAC Authentication Operate Authenticator Operation Before gaining access to the network, clients first present their authentication credentials to the switch. The switch then verifies the supplied credentials with a RADIUS authentication server.
  • Page 58 Web and MAC Authentication How Web and MAC Authentication Operate Figure 3-2. Progress Message During Authentication If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.
  • Page 59 Web and MAC Authentication How Web and MAC Authentication Operate moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authorized port take effect at the end of the session.
  • Page 60 Web and MAC Authentication How Web and MAC Authentication Operate 4. If none of 1, 2, or 3, above, applies, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate).
  • Page 61: Terminology

    Authentication Server: The entity providing an authentication service to the switch, for example, a RADIUS server. Authenticator: In ProCurve switch applications, a device that requires a client or device to provide the proper credentials (MAC address, or username and password) before being allowed access to the network.
  • Page 62: Operating Rules And Notes

    Web and MAC Authentication Operating Rules and Notes ■ The switch supports concurrent 802.1X and either Web- or MAC-authentication operation on a port (with up to 8 clients allowed). However, concurrent operation of Web- or MAC-authentication with other types of authentication on the same port is not supported.
  • Page 63 Web and MAC Authentication Operating Rules and Notes • During an authenticated client session, the following hierarchy determines a port’s VLAN membership: 1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
  • Page 64: General Setup Procedure For Web/Mac Authentication

    1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, ProCurve recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.)
  • Page 65: Additional Information For Configuring The Radius Server To Support Mac Authentication

    Web and MAC Authentication General Setup Procedure for Web/MAC Authentication c. If there is neither a RADIUS-assigned VLAN nor an “Authorized VLAN” for an authenticated client session on a port, then the port’s VLAN membership remains unchanged during authenticated client sessions.
  • Page 66 Web and MAC Authentication General Setup Procedure for Web/MAC Authentication ■ Configure the client device’s (hexadecimal) MAC address as both username and password. Be careful to configure the switch to use the same format that the RADIUS server uses. Otherwise, the server will deny access.
  • Page 67: Configuring The Switch To Access A Radius Server

    Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Configuring the Switch To Access a RADIUS Server RADIUS Server Configuration Commands radius-server [host <ip-address> [auth-port UDP-PORT | acct-port below UDP- PORT]] [key < global-key-string >] below timeout 3-16 retransmit 3-16...
  • Page 68 Web and MAC Authentication Configuring the Switch To Access a RADIUS Server timeout <1-15> The server response timeout interval in seconds. Default: 5 seconds retransmit <1-5> Specifies the maximum number of retransmission attempts. Default: 3 attempts dead-time <1-1440> (in minutes) If the switch does not receive a response from a specific RADIUS server, the switch does not send any new authen-...
  • Page 69 Web and MAC Authentication Configuring the Switch To Access a RADIUS Server ProCurve(config)# radius-server host 192.168.32.11 key 2Pzo22 ProCurve(config)# show radius Status and Counters - General RADIUS Information Deadtime(min) :0 Timeout(secs) :5 Retransmit Attempts :3 Global Encryption Key : Auth...
  • Page 70: Configuring Web Authentication

    2. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authentication. If a redirect URL is not specified, web browser behavior following authentication may not be acceptable.
  • Page 71: Configure The Switch For Web-Based Authentication

    Web and MAC Authentication Configuring Web Authentication Configure the Switch for Web-Based Authentication Command Page Configuration Level aaa port-access web-based dhcp-addr 3-19 aaa port-access web-based dhcp-lease 3-19 [no] aaa port-access web-based [e] < port-list > 3-20 [auth-vid] 3-20 [client-limit] 3-20 [client-moves] 3-20 [logoff-period]...
  • Page 72 Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based < port-list > Enables web-based authentication on the specified ports. Use the no form of the command to disable web-based authentication on the specified ports. Syntax: aaa port-access web-based < port-list > [auth-vid <vid>] no aaa port-access web-based <...
  • Page 73 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based < port-list > [max-requests <1-10>] Specifies the number of authentication attempts that must time-out before authentication fails. (Default: 2) Syntax: aaa port-access web-based < port-list > [max-retries <1-10>] Specifies the number of times a client can enter their user name and password before authen-...
  • Page 74 Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. ProCurve recommends that you provide a redirect URL when using Web Authentication. Use the no form of the command to remove a specified redirect URL.
  • Page 75: Configuring Mac Authentication On The Switch

    Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made.
  • Page 76: Configure The Switch For Mac-Based Authentication

    Web and MAC Authentication Configuring MAC Authentication on the Switch Configure the Switch for MAC-Based Authentication Command Page Configuration Level aaa port-access mac-based addr-format 3-24 [no] aaa port-access mac-based < port-list > 3-25 [addr-limit] 3-25 [addr-moves] 3-25 [auth-vid] 3-25 [logoff-period] 3-26 [max-requests] 3-26...
  • Page 77 Web and MAC Authentication Configuring MAC Authentication on the Switch multi-dash-uppercase—specifies an AA-BB-CC-DD-EE-FF format multi-colon-uppercase—specifies an AA:BB:CC:DD:EE:FF format Syntax: [no] aaa port-access mac-based < port-list > Enables MAC-based authentication on the specified ports. Use the no form of the command to disable MAC-based authentication on the specified ports.
  • Page 78 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based < port-list > [logoff-period] <60-9999999> Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense.
  • Page 79 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based < port-list > [unauth-vid <vid>] no aaa port-access mac-based < port-list > [unauth-vid] Specifies the VLAN to use for a client that fails authentication. If unauth-vid is 0, no VLAN changes occur. Use the no form of the command to set the unauth-vid to 0.
  • Page 80: Show Commands For Web-Based Authentication

    Web and MAC Authentication Show Commands for Web-Based Authentication Show Commands for Web-Based Authentication Command Page show port-access [port-list] web-based 3-28 [clients] 3-28 [config] 3-28 [config [auth-server]] 3-29 [config [web-server]] 3-29 show port-access port-list web-based config detail 3-29 Syntax: show port-access [port-list] web-based Shows the status of all Web-Authentication enabled ports or the specified ports.
  • Page 81 Web and MAC Authentication Show Commands for Web-Based Authentication Syntax: show port-access [port-list] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.
  • Page 82 Web and MAC Authentication Show Commands for Web-Based Authentication ProCurve(config)# show port-access web-based config Port Access Web-Based Configuration DHCP Base Address : 192.168.0.0 DHCP Subnet Mask : 255.255.255.0 DHCP Lease Length : 10 Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No...
  • Page 83: Show Commands For Mac-Based Authentication

    Web and MAC Authentication Show Commands for MAC-Based Authentication Show Commands for MAC-Based Authentication Command Page show port-access [port-list] mac-based 3-31 [clients] 3-31 [config] 3-31 [config [auth-server]] 3-32 show port-access port-list mac-based config detail 3-32 Syntax: show port-access [port-list] mac-based Shows the status of all MAC-Authentication enabled ports or the specified ports.
  • Page 84 Authorized and unauthorized VLAN IDs ■ Controlled directions setting for transmitting Wake-on-LAN traffic on egress ports ProCurve(config)# show port-access mac-based config Port Access MAC-Based Configuration MAC Address Format : no-delimiter Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Client Client Logoff...
  • Page 85: Show Client Status

    Web and MAC Authentication Show Client Status Show Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Possible Explanations Connection authenticated Authorized VLAN Client authenticated.
  • Page 86 Web and MAC Authentication Show Client Status 3-34...
  • Page 87: Tacacs+ Authentication

    TACACS+ Authentication Contents Overview ............4-2 Terminology Used in TACACS Applications: .
  • Page 88: Overview

    (local access) or Telnet (remote access). [Figure: Terminal “A” accessing the ProCurve switch directly via the switch’s console, or via Telnet; switch ports A2 and A3 shown]...
  • Page 89: Terminology Used In Tacacs Applications

    TACACS+ Authentication Configuring TACACS+ on the Switch tion services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/write) privilege level access.
  • Page 90 TACACS+ Authentication Configuring TACACS+ on the Switch • Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager-level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or web browser interface.
  • Page 91: General System Requirements

    TACACS+ servers. Notes The effectiveness of TACACS+ security depends on correctly using your TACACS+ server application. For this reason, ProCurve recommends that you thoroughly test all TACACS+ configurations used in your network. TACACS-aware ProCurve switches include the capability of configuring multiple backup TACACS+ servers.
  • Page 92 TACACS+ Authentication Configuring TACACS+ on the Switch other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation”...
  • Page 93 15. For more on this topic, refer to the documentation you received with your TACACS+ server application. If you are a first-time user of the TACACS+ service, ProCurve recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment.
  • Page 94: Configuring Tacacs+ On The Switch

    Configuring TACACS+ on the Switch Before You Begin If you are new to TACACS+ authentication, ProCurve recommends that you read the “General Authentication Setup Procedure” on page 4-5 and configure your TACACS+ server(s) before configuring authentication on the switch.
  • Page 95: Cli Commands Described In This Section

    TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs 4-10 aaa authentication pages 4-10 through 4-16 console Telnet num-attempts <1-10 > login <privilege-mode> tacacs-server pages 4-17 host < ip-addr > pages 4-17 4-21 timeout <...
  • Page 96: Viewing The Switch's Current Tacacs+ Server Contact

    TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. Syntax: show tacacs For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a...
  • Page 97 The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into Operator or Manager mode, depending on your privilege level. ProCurve(config)# aaa authentication login privilege-mode The no version of the above command disables TACACS+ single login capability.
  • Page 98 TACACS+ Authentication Configuring TACACS+ on the Switch [< local | none >] If the primary authentication method fails, determines whether to use the local password as a secondary method or to disallow access. aaa authentication num-attempts < 1-10 > Specifies the maximum number of login attempts allowed in the current session.
  • Page 99 TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the TACACS+ Server for Single Login In order for the single login feature to work correctly, you need to check some entries in the User Setup on the TACACS+ server. In the User Setup, scroll to the Advanced TACACS+ Settings section. Make sure the radio button for “Max Privilege for any AAA Client”...
  • Page 100 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-5. The Shell Section of the TACACS+ Server User Setup Primary/Secondary Authentication As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch’s console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.
  • Page 101 TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Authentication Options Effect on Access Attempts Privilege Level Primary Secondary Console — Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Console —...
  • Page 102 Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console enable tacacs local Telnet Login (Operator or Read-Only) Access: Primary using TACACS+ server.
  • Page 103: Configuring The Switch's Tacacs+ Server Access

    Note As described under “General Authentication Setup Procedure” on page 4-5, ProCurve recommends that you configure, test, and troubleshoot authentication via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up authentication in either the switch or your TACACS+ server.
  • Page 104 TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [key < key-string >] Adds a TACACS+ server and optionally assigns a server-specific encryption key [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its server-specific encryption key, if any) tacacs-server key <key-string>...
  • Page 105 TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-3. Details on Configuring TACACS Servers and Keys (columns: Name, Default, Range). tacacs-server host <ip-addr> (Default: none) This command specifies the IP address of a device running a TACACS+ server application. Optionally, it can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key.
  • Page 106 TACACS+ Authentication Configuring TACACS+ on the Switch [ key <key-string> ] (Default: none (null); Range: n/a) Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server”...
  • Page 107 ProCurve(config)# tacacs-server key north01 To configure north01 as a per-server encryption key: ProCurve(config)# tacacs-server host 10.28.227.63 key north01 An encryption key can contain up to 100 characters, without spaces, and is likely to be case-sensitive in most TACACS+ server applications.
  • Page 108: How Authentication Operates

    TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs-server host 10.28.227.104 Note The show tacacs command lists the global encryption key, if configured.
  • Page 109 TACACS+ Authentication Configuring TACACS+ on the Switch Using figure 4-8, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: 1. The switch queries the first-choice TACACS+ server for authentication of the request.
  • Page 110: Local Authentication Process

    TACACS+ Authentication Configuring TACACS+ on the Switch Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists: ■ “Local” is the authentication option for the access method being used. ■...
  • Page 111: Using The Encryption Key

    TACACS+ Authentication Configuring TACACS+ on the Switch Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”) helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.
  • Page 112: Controlling Web Browser Interface Access When Using Tacacs

    ProCurve(config)# tacacs-server host 10.28.227.87 key south10campus With both of the above keys configured in the switch, the...
  • Page 113: Messages Related To Tacacs+ Operation

    TACACS+ Authentication Configuring TACACS+ on the Switch Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application.
  • Page 114: Operating Notes

    TACACS+ Authentication Configuring TACACS+ on the Switch Operating Notes ■ If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized manager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP Manager controls configured on the switch.
  • Page 115: Radius Authentication And Accounting

    RADIUS Authentication and Accounting Contents Overview ............5-2 Terminology .
  • Page 116 RADIUS Authentication and Accounting Contents Changing RADIUS-Server Access Order ......5-37 Messages Related to RADIUS Operation ......5-39...
  • Page 117: Overview

    For accounting, this can help you track network resource usage. Authentication. You can use RADIUS to verify user identity for the following types of primary password access to the ProCurve switch: ■ Serial port (Console) ■...
  • Page 118: Terminology

    EAP type, such as MD5-Challenge, Generic Token Card, and TLS (Transport Level Security). Host: See RADIUS Server. NAS (Network Access Server): In this case, a ProCurve switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): RADIUS Client: The device that passes user information to designated RADIUS servers.
  • Page 119: Switch Operating Rules For Radius

    (Only one primary and one secondary access method is allowed for each access type.) ■ In the ProCurve switch, EAP RADIUS uses MD5 and TLS to encrypt a response to a challenge from a RADIUS server.
  • Page 120: General Radius Setup Procedure

    RADIUS as the primary authentication method. Consider both Operator (login) and Manager (enable) levels, as well as which secondary authentication methods to use (local or none) if the RADIUS authentication fails or does not respond. ProCurve> show authentication Status and Counters - Authentication Information Login Attempts : 3...
  • Page 121: Configuring The Switch For Radius Authentication

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. ProCurve recommends that you begin with the default (five seconds). • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting.
  • Page 122: Outline Of The Steps For Configuring Radius Authentication

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following •...
  • Page 123: Configure Authentication For The Access Methods You Want Radius To Protect

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication out on a server that is unavailable. If you want to use this feature, select a dead-time period of 1 to 1440 minutes. (Default: 0—disabled; range: 1 - 1440 minutes.) If your first-choice server was initially unavailable, but then becomes available before the dead-time expires, you can nullify the dead-time by resetting it to zero and then trying to log on again.
  • Page 124 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa authentication < console | telnet | ssh | web > < enable | login > < local | radius > < web-based | mac-based > < chap-radius > Configures RADIUS as the primary password authentication method for console, Telnet, SSH and/or the Web browser interface.
  • Page 125 RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s local passwords): ProCurve(config)# aaa authentication telnet login radius none ProCurve(config)# aaa authentication telnet enable radius none ProCurve(config)# aaa authentication ssh login radius none...
  • Page 126: Configure The Switch To Access A Radius Server

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 5-26: “Configuring RADIUS Accounting”...
  • Page 127 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in figure 5-3 and you now need to make the following changes: 1. Change the encryption key for the server at 10.33.18.127 to “source0127”. 2. Add a RADIUS server with an IP address of 10.33.18.119 and a server-specific encryption key of “source0119”.
  • Page 128: Configure The Switch's Global Radius Parameters

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch’s Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: ■ Number of login attempts: In a given session, specifies how many tries at entering the correct username and password pair are allowed before access is denied and the session terminated.
  • Page 129 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa authentication num-attempts < 1 - 10 > Specifies how many tries for entering the correct username and password before shutting down the session due to input errors. (Default: 3; Range: 1 - 10). [no] radius-server key <...
  • Page 130 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key. In this case your plan is to configure the switch with the following global authentication parameters: Allow only two tries to correctly enter username and password.
  • Page 131 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication ProCurve# show authentication Status and Counters - Authentication Information Login Attempts : 2 Respect Privilege : Disabled (Figure callout: After two attempts failing due to username or password entry errors, the switch will terminate the session.)
  • Page 132: Local Authentication Process

    RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: ■ “Local” is the authentication option for the access method being used. ■...
  • Page 133: Controlling Web Browser Interface Access When Using Radius Authentication

    RADIUS Authentication and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication Controlling Web Browser Interface Access When Using RADIUS Authentication To prevent unauthorized access through the web browser interface, do one or more of the following: ■ Configure RADIUS authentication access. ■...
  • Page 134: Commands Authorization Type

    The NAS does not request authorization information. For example, to enable the RADIUS protocol as the authorization method: ProCurve(config)# aaa authorization commands radius When the NAS sends the RADIUS server a valid username and password, the RADIUS server sends an Access-Accept packet that contains two attributes —the command list and the command exception flag.
  • Page 135: Showing Authorization Information

    Figure 5-7. Example of Show Authorization Command Configuring the RADIUS Server Using Vendor Specific Attributes (VSAs) Some RADIUS-based features implemented on ProCurve switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access-Accept packets sent to the switch may contain the vendor-specific informa-...
  • Page 136 RADIUS Authentication and Accounting Configuring RADIUS Authorization ■ HP-Command-Exception: A flag that specifies whether the commands indicated by the HP-Command-String attribute are permitted or denied to the user. A zero (0) means permit all listed commands and deny all others; a one (1) means deny all listed commands and permit all others.
  • Page 137: Example Configuration On Cisco Secure Acs For Ms Windows

    RADIUS Authentication and Accounting Configuring RADIUS Authorization You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.
  • Page 138 RADIUS Authentication and Accounting Configuring RADIUS Authorization Type=STRING Profile=IN OUT [Hp-Command-Exception] Type=INTEGER Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList 2. Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). 3. From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils>...
  • Page 139 RADIUS Authentication and Accounting Configuring RADIUS Authorization Cisco adds the entry into this tree for each custom vendor. The id is 100 + the slot number used in the previous command (100 + 0, as it was added in slot 0). Look in the key to verify the vendor name and id. 5. Go to: HKEY_LOCAL_MACHINE\software\cisco\CiscoAAAv3.2\ CSRadius\ExtensionPoints\002\AssociatedWithVendors...
  • Page 140: Example Configuration Using Freeradius

    RADIUS Authentication and Accounting Configuring RADIUS Authorization Example Configuration Using FreeRADIUS 1. Create a dictionary file (for example, dictionary.hp) containing HP VSA definitions. An example file is: dictionary.hp As posted to the list by User <user_email> Version: $Id: dictionary.hp, v 1.0 2006/02/23 17:07:07 VENDOR # HP Extensions ATTRIBUTE...
  • Page 141: Configuring Radius Accounting

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Commands Page [no] radius-server host < ip-address > 5-28 [acct-port < port-number >] 5-28 [key < key-string >] 5-28 [no] aaa accounting < exec | network | system > 5-31 <...
  • Page 142: Operating Rules For Radius Accounting

    RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Exec accounting: Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch: • Acct-Session-Id • Acct-Delay-Time • NAS-IP-Address • Acct-Status-Type • Acct-Session-Time • NAS-Identifier • Acct-Terminate-Cause •...
  • Page 143: Steps For Configuring Radius Accounting

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Steps for Configuring RADIUS Accounting 1. Configure the switch for accessing a RADIUS server. You can configure a list of up to three RADIUS servers (one primary, two backup). The switch operates on the assumption that a server can operate in both accounting and authentication mode.
  • Page 144 RADIUS Authentication and Accounting Configuring RADIUS Accounting changed, or you need to specify a non-default UDP destination port for accounting requests. Note that switch operation expects a RADIUS server to accommodate both authentication and accounting. Syntax: [no] radius-server host < ip-address > Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration.
  • Page 145: Reports To The Radius Server

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Because the radius-server command includes an acct-port element with a non-default value of 1750, the switch assigns this value to the accounting UDP port number. Because auth-port was not included in the command, the authentication UDP port is set to the default 1812.
  • Page 146 RADIUS Authentication and Accounting Configuring RADIUS Accounting • Send a start record accounting notice at the beginning of the accounting session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (Network, Exec, or System).
  • Page 147: Updating Options

    RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additional control over accounting data. ■ Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server.
  • Page 148: Viewing Radius Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which.
  • Page 149 RADIUS Authentication and Accounting Viewing RADIUS Statistics Table 5-2. Values for Show Radius Host Output (Figure 5-12) (columns: Term, Definition). Round Trip Time: The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server. Pending Requests: The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
  • Page 150: Radius Authentication Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Syntax: show authentication Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session. show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.
  • Page 151: Radius Accounting Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppression status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) configured in the switch (using the radius-server host command). show accounting sessions Lists the accounting sessions currently active on the switch.
  • Page 152: Changing Radius-Server Access Order

    RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-17. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.
  • Page 153 RADIUS Authentication and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: 1. Delete 10.10.10.003 from the list.
  • Page 154: Messages Related To Radius Operation

    RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message: Can’t reach RADIUS server < x.x.x.x >. Meaning: A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is accessible, then verify that the switch is using the correct encryption key and that the server is correctly configured to receive an authentication request from the...
  • Page 155: Configuring Radius Server Support For Switch Services

    Configuring RADIUS Server Support for Switch Services Contents Overview ............6-2 Configuring the RADIUS Server for CoS Services .
  • Page 156: Overview

    ■ Optional Network Management Applications. CoS assignments through a RADIUS server are also supported in the ProCurve Manager (PCM) application. ACLs through a RADIUS server can also be augmented using the Identity-Driven Management (IDM) application available for use with PCM. However, the features described in this chapter can be used without PCM or IDM support, if desired.
  • Page 157: Configuring The Radius Server For Cos Services

    Refer to the Note on page 6-5.) Service: 802.1p (CoS) Priority Assignments on Inbound Traffic. Control Method and Operating Notes: Vendor-Specific Attribute configured in the RADIUS server. ProCurve (HP) vendor-specific ID: 11; VSA: 40 (string = HP); Setting: HP-COS = xxxxxxxx where x = desired 802.1p priority. This feature assigns a RADIUS-specified...
  • Page 158 (802.1X, Web-Auth, and MAC-Auth), the status of RADIUS-imposed overrides of the switch’s per-port CoS (802.1p) priority for inbound packets. ProCurve(config)# show port-access authenticator Port Access Authenticator Status (Figure callouts: Open indicates that there is an authenticated client session running on port B7. No-override indicates that there are no RADIUS-imposed settings for CoS (802.1p priority) on...)
  • Page 159 Configuring RADIUS Server Support for Switch Services Configuring the RADIUS Server for CoS Services ProCurve(config)# show qos port-priority Port priorities Port Apply rule | DSCP... (Figure callout: Priority in the Apply Rule column indicates a non-default CoS (802.1p) priority configured in the...)
  • Page 160: Configuring And Using Radius-Assigned Access Control Lists

    Note that client authentication can be enhanced by using ProCurve Manager with the optional IDM application. (Refer to “Optional PCM and IDM Applications” on page 6-2.)
  • Page 161 Inbound Traffic: For the purpose of defining where the switch applies ACLs to filter traffic, inbound traffic is any IP packet that enters the switch from a given client on a given port. NAS (Network Attached Server): In this context, refers to a ProCurve switch configured for RADIUS operation.
  • Page 162 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Outbound Traffic: For defining the points where the switch applies an ACL to filter traffic, outbound traffic is routed traffic leaving the switch through a VLAN interface (or a subnet in a multinetted VLAN). “Outbound traffic”...
  • Page 163: Overview Of Radius-Assigned, Dynamic Port Acls

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Overview of RADIUS-Assigned, Dynamic Port ACLs Dynamic port ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources and to the switch management interface.
  • Page 164 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists ACLs enhance network security by blocking selected IP traffic, and can serve as one aspect of network security. However, because ACLs do not protect from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete edge security solution.
  • Page 165: Contrasting Dynamic And Static Acls

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Contrasting Dynamic and Static ACLs Table 6-1, below, highlights several key differences between the static ACLs configurable on switch ports, and the dynamic port ACLs that can be assigned to individual ports by a RADIUS server.
  • Page 166: How A Radius Server Applies A Dynamic Port Acl

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Dynamic Port ACLs: Requires client authentication by a RADIUS server configured to dynamically assign an ACL to the client port, based on client credentials. Static Port ACLs: No client authentication requirement.
  • Page 167: General Acl Features, Planning, And Configuration

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Notes Included in any dynamic port ACL, there is an implicit deny in ip from any to any (“deny any any”) command that results in a default action to deny any inbound IP traffic that is not specifically permitted by the ACL.
  • Page 168: The Packet-Filtering Process

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 5. Test client access on the network to ensure that your RADIUS-based ACL application is properly enforcing your policies. For further information common to all ACL applications, refer to the following sections in chapter 9, “Access Control Lists (ACLs)”: “Features Common to All ACLs”...
  • Page 169: Configuring An Acl In A Radius Server

    Elements in a Dynamic Port ACL Configuration. A dynamic port ACL configuration in a RADIUS server has the following elements: ■ vendor and ACL identifiers: • ProCurve (HP) Vendor-Specific ID: 11 • Vendor-Specific Attribute for ACLs: 61 (string = HP-IP-FILTER-RAW) 6-15...
  • Page 170 MAC address). For information on how to configure this functionality on other RADIUS server types, refer to the documentation provided with the server. 1. Enter the ProCurve vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file: VENDOR...
  • Page 171 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists vation of system resources, and remember that every ACL you create automatically includes an implicit deny in ip from any to any ACE. For example, suppose that you wanted to create identical ACL support for the following: •...
  • Page 172: Configuring Ace Syntax In Radius Servers

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Any instance of a dynamic port ACL is structured to filter authenticated client traffic as follows: ■ Applies only to inbound client traffic on the switch port the authenti-...
  • Page 173 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists from any: Required keywords specifying the (authenticated) client source. (Note that a dynamic port ACL assigned to a port filters only the inbound traffic having a source MAC address that matches the MAC address of the client whose authentication invoked the ACL assignment.) to: Required destination keyword.
  • Page 174: Configuring The Switch To Support Dynamic Port

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists are not explicitly denied, you must configure permit in ip from any to any as the last explicit ACE in the ACL. This pre-empts the implicit deny in ip from any to any ACE and permits packets not explicitly permitted or denied by earlier ACEs in the list.
  • Page 175: Displaying The Current Dynamic Port Acl Activity

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Syntax: aaa port-access authenticator < port-list > aaa authentication port-access chap-radius aaa port-access authenticator active These commands configure 802.1X port-based access control on the switch and activate this feature on the specified ports. For more on 802.1X configuration and operation, refer to chapter 11, “Configuring Port-Based and User-Based Access Control (802.1X)”...
  • Page 176 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists For example, the following output shows that a RADIUS server has assigned an ACL to port B1 to filter inbound traffic from an authenticated client identified by a MAC address of 00-11-85-C6-54-7D. Indicates MAC address identity of the authenticated client on the specified port.
  • Page 177 This assignment remains active until the session ends. No: There is no dynamic port ACL currently active on the indicated port. ProCurve (config)# show port-access authenticator 1-10 Port Access Authenticator Status Port-access authenticator activated [No] : No...
  • Page 178: Event Log Messages

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Event Log Messages Message: ACE parsing error, permit/deny keyword < ace-# > client < mac-address > port <... Meaning: Notifies of a problem with the permit/deny keyword in the indicated ACE included in the access list for the port...
  • Page 179: Causes Of Client Deauthentication Immediately After Authenticating

    The TCP/UDP port-range quantity of 14 per slot or port group has been exceeded. Monitoring Shared Resources Currently active, RADIUS-based authentication sessions (including ProCurve IDM client sessions) using dynamic port ACLs share internal routing switch resources with several other features. The routing switch provides ample resources for all features.
  • Page 181: Configuring Secure Shell (Ssh)

    Configuring Secure Shell (SSH) Contents Overview ............7-2 Terminology .
  • Page 182: Overview

    Enabling user authentication Disabled page 7-18 The ProCurve switches covered in this guide use Secure Shell version 1 or 2 (SSHv1 or SSHv2) to provide remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSH operation.
  • Page 183 Configuring Secure Shell (SSH) Overview Note SSH in the ProCurve switch is based on the OpenSSH software toolkit. For more information on OpenSSH, visit www.openssh.com. Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication shown in figure 7-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.
  • Page 184: Terminology

    Configuring Secure Shell (SSH) Terminology Terminology ■ SSH Server: A ProCurve switch with SSH enabled. ■ Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key, which can be read by anyone, and a private key, which is held internally in the switch or by a client.
  • Page 185: Prerequisite For Using Ssh

    Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 7-2), then the client program must have the capability to generate or import keys.
  • Page 186: Steps For Configuring And Using Ssh For Switch And Client Authentication

    Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 7-1.
  • Page 187 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 7-9). 2. Generate a public/private key pair on the switch (page 7-10). You need to do this only once.
  • Page 188: General Operating Rules And Notes

    (clients) you previously set up for SSH access to the switch. In some situations this can temporarily allow security breaches. ■ On ProCurve switches that support stacking, when stacking is enabled, SSH provides security only between an SSH client and the stack manager.
  • Page 189: Configuring The Switch For Ssh Operation

    1. Assign Local Login (Operator) and Enable (Manager) Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
  • Page 190: Generate The Switch's Public And Private Key Pair

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 7-5. Example of Configuring Local Passwords 2. Generate the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair, to negotiate an encryption method and session with an SSH client trying to connect to the switch.
  • Page 191 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be "permanent";...
  • Page 192: Provide The Switch's Public Key To Clients

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: [Figure 7-6. Example of Generating a Public/Private Host Key Pair for the Switch: the host public key for the switch, with version 1 and version 2 views of the same host public key.] The 'show crypto host-public-key' command displays data in two different formats because your client may store it in either of these formats after learning the key.
  • Page 193 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one blank space each: Bit Size Exponent <e>...
  • Page 194 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add any data required by your SSH client application. For example, before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Modulus <n>...
  • Page 195: Enable Ssh On The Switch And Anticipate Ssh Client

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [Figure 7-10. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key: phonetic "hash" of the switch’s public key, and hexadecimal "fingerprints" of the same switch.] The two commands shown in figure 7-10 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host”...
  • Page 196 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client, your client’s first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing.
  • Page 197 TCP port for SSH connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http). Some other reserved TCP ports on the ProCurve switches are 49, 80, 1506, and 1513.
  • Page 198: Configure The Switch For Ssh Authentication

    Client Public-Key Authentication” on page 7-22 Note ProCurve recommends that you always assign a Manager-Level (enable) password to the switch. Without this level of protection, any user with Telnet, web, or serial port access to the switch can change the switch’s configuration.
  • Page 199 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< local | none >] Configures a password method for the primary and secondary login (Operator) access. If you do not specify an optional secondary method, it defaults to none.
  • Page 200 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution To allow SSH access only to clients having the correct public key, you must configure the secondary (password) method for login public-key to none. Otherwise a client without the correct public key can still gain entry by submitting a correct local login password.
  • Page 201: Use An Ssh Client To Access The Switch

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 7-13 shows how to check the results of the above commands. Lists the current SSH authentication configuration. Shows the contents of the public key file downloaded with the copy tftp command in figure 7-12.
  • Page 202: Further Information On Ssh Client Public-Key Authentication

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Configure the Switch for SSH Authentication” on page 7-18 lists the steps for configuring SSH authentication on the switch. However, if you are new to SSH or need more details on client public-key authentication, this section may be helpful.
  • Page 203 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 3. If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. 4. If there is a match, the switch: a. Generates a random sequence of bytes.
  • Page 204 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Notes Comments in public key files, such as smith@support.cairns.com in figure 7-14, may appear in an SSH client application’s generated public key. While such comments may help to distinguish one key from another, they do not pose any restriction on the use of a key by multiple clients and/or users.
  • Page 205 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 3. Copy the client-public-key file into a TFTP server accessible to the switch. Copying a client-public-key into the switch requires the following: ■ One or more client-generated public keys. Refer to the documentation provided with your SSH client application.
  • Page 206 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication For example, if you wanted to copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents: [Figure 7-15. Example of Copying and Displaying a Client Public-Key File Containing Two Client Public Keys; callout: Key Index Number] Replacing or Clearing the Public Key File.
  • Page 207 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: aaa authentication ssh login public-key none Allows SSH client access only if the switch detects a match between the client’s public key and an entry in the client- public-key file most recently copied into the switch.
  • Page 208: Messages Related To Ssh Operation

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message: 00000K Peer unreachable. Meaning: Indicates an error in communicating with the TFTP server or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • Incorrect IP address in the command • Case (upper/lower) error in the filename used in the command...
  • Page 209 Configuring Secure Shell (SSH) Messages Related to SSH Operation Message: Generating new RSA host key. If the cache is depleted, this could take ... Meaning: After you execute the crypto key generate ssh [rsa] command, the switch displays this message while it is generating the key.
  • Page 211: Configuring Secure Socket Layer (Ssl)

    Configuring Secure Socket Layer (SSL) Contents Overview ............8-2 Terminology .
  • Page 212: Overview

    SSL/TLS operation. Note ProCurve switches use SSL and TLS for all secure web transactions, and all references to SSL mean using one of these algorithms unless otherwise noted. SSL provides all the web functions but, unlike standard web access, SSL provides encrypted, authenticated transactions.
  • Page 213: Terminology

    [Figure 8-1. Switch/User Authentication; callout: SSL enable password authentication. Server options: – Local – TACACS+ – RADIUS] SSL on the ProCurve switches supports these data encryption methods: ■ 3DES (168-bit, 112 effective) ■ DES (56-bit) ■ RC4 (40-bit, 128-bit) Note ProCurve switches use RSA public key algorithms and Diffie-Hellman. All...
  • Page 214 Configuring Secure Socket Layer (SSL) Terminology ■ Self-Signed Certificate: A certificate not verified by a third-party certificate authority (CA). Self-signed certificates provide a reduced level of security compared to a CA-signed certificate. ■ CA-Signed Certificate: A certificate verified by a third party certif...
  • Page 215: Prerequisite For Using Ssl

    Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL-enabled web browser application on the computer(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include:...
  • Page 216: General Operating Rules And Notes

    The certificate key pair and the SSH key pair are independent of each other, which means a switch can have two key pairs stored in flash. ■ On ProCurve switches that support stacking, when stacking is enabled, SSL provides security only between an SSL client and the stack manager.
  • Page 217: Configuring The Switch For Ssl Operation

    1. Assign Local Login (Operator) and Enable (Manager) Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s...
  • Page 218 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface refer to the chapter titled “Using the Web Browser Interface”...
  • Page 219: Generate The Switch's Server Host Certificate

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generate the Switch’s Server Host Certificate You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair, to negotiate an encryption method and session with a browser trying to connect via SSL to the switch.
  • Page 220 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate automatically disables SSL.
  • Page 221: Comments On Certificate Fields

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on Certificate Fields. There are a number of arguments used in the generation of a server certificate. Table 8-1, “Certificate Field Descriptions”, describes these arguments. Table 8-1. Certificate Field Descriptions Field Name Description Valid Start Date...
  • Page 222 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note “Zeroizing” the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation.
  • Page 223 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a Self-Signed Host Certificate with the Web browser interface You can configure SSL from the web browser interface. For more information on how to access the web browser interface, refer to the chapter titled “Using the Web Browser Interface”...
  • Page 224 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browser interface: [Figure 8-5; callouts: Security Tab, SSL button, Create Certificate Button, Certificate Type Box, Key Size Selection, Certificate Arguments]
  • Page 225 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 8-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web Browser Interface This section describes how to install a CA-Signed server host certificate from the web browser interface.
  • Page 226 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.
  • Page 227: Enable Ssl On The Switch And Anticipate Ssl Browser Contact

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----- MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMBIGA1UEChMLT3Bwb3J0dW5pdGkxGDAW BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0+aMcXgVruVixw/xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B Figure 8-7. Example of a Certificate Request and Reply 3. Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior The web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients.
  • Page 228 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generate the Switch’s Server Host Certificate” on page 8-9. When configured for SSL, the switch uses its host certificate to authenticate itself to SSL clients; however, unless you disable the standard web browser interface with the no web-management command, it will still be available for...
  • Page 229 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443).
  • Page 230 Figure 8-8. Using the web browser interface to enable SSL and select TCP port number Note on Port Number ProCurve recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to specify any TCP port for SSL connec...
  • Page 231: Behavior

    Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup Common Errors in SSL Setup Error During / Possible Cause: Generating host certificate on CLI / You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 8-10.) Enabling SSL on the CLI or Web browser interface / You have not generated a host...
  • Page 233: Access Control Lists (Acls)

    Access Control Lists (ACLs) Contents Introduction ........... 9-3 ACL Applications .
  • Page 234 Access Control Lists (ACLs) Contents Configuring and Assigning a Numbered, Standard ACL ..9-39 Configuring and Assigning a Numbered, Extended ACL ..9-44 Configuring a Named ACL .
  • Page 235: Introduction

    Access Control Lists (ACLs) Introduction Introduction Feature / Default / Menu / CLI page: Numbered ACLs – Standard ACLs / None / — / 9-39; Numbered ACLs – Extended ACLs / None / — / 9-44; Named ACLs / — / — / 9-50; Enable or Disable an ACL / — / — / 9-52; Display ACL Data / — / — / 9-54; ...
  • Page 236: Optional Pcm And Idm Applications

    ProCurve networks. ProCurve Identity Driven Manager (IDM) is an add-on module to the ProCurve Manager plus (PCM+) application. IDM extends the functionality of PCM+ to include authorization control features for edge devices in networks using RADIUS servers and Web-Authentication, MAC-Authentication, or 802.1X...
  • Page 237 ... an ACL < name-str | 1-99 | 100-199 > (9-52). Deleting an ACL from the Switch (9-53): ProCurve(config)# no ip access-list < standard < name-str | 1-99 >> ProCurve(config)# no ip access-list < extended < name-str | 100-199 >>...
  • Page 238: Terminology

    Displaying ACL Data (9-54): ProCurve(config)# show access-list ; ProCurve(config)# show access-list [ acl-name-string ] ; ProCurve(config)# show access-list config ; ProCurve(config)# show access-list ports < port-list > ; ProCurve(config)# show access-list resources ; ProCurve(config)# access-list resources help ; ProCurve(config)# show config ; ProCurve(config)# show running The mask can be in either dotted-decimal notation (such as 0.0.15.255) or CIDR notation (such as /20).
  • Page 239 Access Control Lists (ACLs) Terminology ACL Mask: Follows an IP address (source or destination) listed in an ACE to specify either a subnet or a group of devices. Defines which bits in a packet’s corresponding IP addressing must exactly match the IP addressing in the ACE, and which bits need not match (wildcards).
  • Page 240 Access Control Lists (ACLs) Terminology Inbound Traffic: For the purpose of defining where the switch applies ACLs to filter traffic, inbound traffic is any IP packet that: • Enters the switch through a physical port. • Has a destination IP address (DA) that meets either of these criteria: –...
  • Page 241: Overview

    Access Control Lists (ACLs) Overview Overview Types of IP ACLs Standard ACL: Use a standard ACL when you need to permit or deny traffic based on source IP address. Standard ACLs are also useful when you need to quickly control a performance problem by limiting traffic from a subnet, group of devices, or a single device.
  • Page 242: Features Common To All Acls

    Access Control Lists (ACLs) Overview [Figure: 2610 Switch with IP Routing Enabled. The subnet mask for this example is 255.255.255.0. VLAN A (one subnet): 10.28.10.5, 10.28.10.1, Port 1. VLAN B (one subnet): 10.28.20.1, Port 2. VLAN C: 18.28.40.17.] Because of multinetting, traffic routed from 10.28.40.17 to 10.28.30.33 remains in VLAN C.
  • Page 243: General Steps For Planning And Configuring Acls

    Access Control Lists (ACLs) Overview General Steps for Planning and Configuring ACLs 1. Identify the traffic type to filter. Options include: • Any inbound IP traffic • Inbound TCP traffic only • Inbound UDP traffic only 2. The SA and/or the DA of inbound traffic you want to permit or deny. 3. Determine the best points at which to apply specific ACL controls.
  • Page 244: Acl Operation

    Access Control Lists (ACLs) ACL Operation ACL Operation Introduction An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of matching criteria and an action (permit or deny). An ACL applies only to the switch in which it is configured. ACLs operate on assigned ports and static trunks, and filter these traffic types: ■...
  • Page 245: The Packet-Filtering Process

    Access Control Lists (ACLs) ACL Operation The Packet-Filtering Process Sequential Comparison and Action. When the switch uses an ACL to filter a packet, it sequentially compares each ACE’s filtering criteria to the corresponding data in the packet until it finds a match. For a packet with a source IP address of 10.28.156.3, the switch: 1.
  • Page 246 Access Control Lists (ACLs) ACL Operation Note on Implicit Deny For ACLs configured to filter inbound packets, note that Implicit Deny filters any packets, including those with a DA specifying the switch itself. This operation helps to prevent management access from unauthorized IP sources.
  • Page 247 Access Control Lists (ACLs) ACL Operation Deny only the inbound Telnet traffic sent from IP address 11.11.11.101. Permit only inbound Telnet traffic sent from IP address 11.11.11.33. Deny all other inbound traffic on port 12. The following ACL model, when assigned to inbound filtering on port 12, supports the above case: 1. Permits IP traffic inbound from source address 11.11.11.42.
  • Page 248: Planning An Acl Application

    Access Control Lists (ACLs) Planning an ACL Application Overriding the Implicit “Deny Any”. If you want an ACL to permit any inbound packets that are not explicitly denied by other entries in the ACL, you can do so by configuring a permit any entry as the last entry in the ACL. Doing so permits any packet not explicitly denied by earlier entries.
  • Page 249 Access Control Lists (ACLs) Planning an ACL Application Rule Usage ■ There is only one implicit “deny any” entry per device for CLI ACLs, and one implicit “deny any” entry per device for IDM ACLs. ■ The implicit “deny any” entry is created only the first time an ACL is applied to a port.
  • Page 250: Managing Acl Resource Consumption

    Access Control Lists (ACLs) Planning an ACL Application The following two CLI commands are useful for planning and monitoring rule and mask usage in an ACL configuration. Syntax: access-list resources help Provides a quick reference on how ACLs use rule resources. Includes most of the information in table 9-2, plus an ACL usage summary.
  • Page 251 (For more detailed information on configuring and applying ACLs, refer to the later sections of this chapter.) Viewing the Current Rule Usage The show access-list resources command displays current information about rules and resources. ProCurve(config)# show access-list resources [Output: ACL Resource Usage, with columns Feature / Rules / Rules / Resources / Resources ...]
  • Page 252 Access Control Lists (ACLs) Planning an ACL Application The system administrator wants to: ■ Permit inbound VLAN 1 traffic on all ports ■ Permit inbound VLAN 2 traffic on ports 1 - 4 from hosts 10.10.10.1-30 ■ Deny inbound VLAN 2 traffic on ports 1 - 4 from hosts 10.10.10.31-255 ■ Permit inbound VLAN 3 traffic on all ports.
  • Page 253 10.10.10.32 - 255. ProCurve(config)# access-list 1 permit 10.10.10.1/24 ; ProCurve(config)# access-list 1 permit 10.10.12.1/24 ; ProCurve(config)# access-list 1 deny host 10.10.11.31 ; ProCurve(config)# access-list 1 permit 10.10.11.1/27 ; ProCurve(config)# show access-list 1 Every standard ACL has at least two ACEs;...
  • Page 254: Traffic Management And Improved Network Performance

    Access Control Lists (ACLs) Traffic Management and Improved Network Performance Traffic Management and Improved Network Performance You can use ACLs to block unnecessary traffic caused by individual hosts, workgroups, or subnets, and to block user access to subnets, devices, and services.
  • Page 255: Guidelines For Planning The Structure Of An Acl

    Access Control Lists (ACLs) Traffic Management and Improved Network Performance ■ Preventing the use of specific TCP or UDP functions (such as Telnet, SSH, web browser) for unauthorized access You can also enhance switch management security by using ACLs to block inbound IP traffic that has the switch itself as the destination address (DA).
  • Page 256: Acl Configuration And Operating Rules

    Access Control Lists (ACLs) Traffic Management and Improved Network Performance ACL Configuration and Operating Rules ■ Per-Interface ACL Limits. At a minimum an ACL will have one explicit “deny” Access Control Entry. You can assign one ACL per interface, as follows: •...
  • Page 257: How An Ace Uses A Mask To Screen Packets For Matches

    Access Control Lists (ACLs) Traffic Management and Improved Network Performance ■ ACLs Operate On Ports and Static Trunk Interfaces: You can assign an ACL to any port and/or any statically configured trunk on the switch. ACLs do not operate with dynamic (LACP) trunks. ■ ACLs Screen Only the Traffic Entering the Switch on a Port or...
  • Page 258 Access Control Lists (ACLs) Traffic Management and Improved Network Performance What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs? In common IP addressing, a network (or subnet) mask defines which part of the IP address to use for the network number and which part to use for the hosts on the network.
  • Page 259 Access Control Lists (ACLs) Traffic Management and Improved Network Performance Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) ■ For a given ACE, when the switch compares an IP address and corresponding mask in the ACE to an IP address carried in a packet: •...
  • Page 260 Access Control Lists (ACLs) Traffic Management and Improved Network Performance ■ Every IP address and mask pair (source or destination) used in an ACE creates one of the following policies: • Any IP address fits the matching criteria. In this case, the switch automatically enters the IP address and mask in the ACE.
  • Page 261 Access Control Lists (ACLs) Traffic Management and Improved Network Performance Example of How the Mask Bit Settings Define a Match . Assume an ACE where the second octet of the mask for an SA is 7 (the rightmost three bits are “on”, or “1”) and the second octet of the corresponding SA in the ACE is 31 (the rightmost five bits).
  • Page 262 Access Control Lists (ACLs) Traffic Management and Improved Network Performance This ACL (a standard ACL named “Fileserver”) includes an ACE (Access Control Entry) that permits matches only with the packets received from IP address 10.28.252.117 (the SA). Packets from any other source do not match and are denied. ip access-list standard Fileserver ; permit 10.28.252.117 (callout: Source IP Address (SA))...
  • Page 263 Access Control Lists (ACLs) Traffic Management and Improved Network Performance Table 9-5. Mask Effect on Selected Octets of the IP Addresses in Table 9-4 Octet Mask Octet Addr Range all bits 248-255 0 or 1 0 or 1 0 or 1 last 3 bits all bits 32-47...
  • Page 264: Configuring And Assigning An Acl

    Access Control Lists (ACLs) Configuring and Assigning an ACL Configuring and Assigning an ACL ACL Feature / Page: Configuring and Assigning a Numbered, Standard ACL / 9-39; Configuring and Assigning a Numbered, Extended ACL / 9-44; Configuring a Named ACL / 9-50; Enabling or Disabling ACL Filtering / 9-52. Overview General Steps for Implementing ACLs...
  • Page 265: Acl Configuration Structure

    Access Control Lists (ACLs) Configuring and Assigning an ACL You should carefully plan your ACL application before configuring specific ACLs. For more on this topic, refer to “Planning an ACL Application” on page 9-16. ACL Configuration Structure After you enter an ACL command, you may want to inspect the resulting configuration.
  • Page 266 Access Control Lists (ACLs) Configuring and Assigning an ACL Standard ACL Structure Individual ACEs in a standard ACL include only a permit/deny “type” statement, the source IP addressing, and an optional log command (available with “deny” statements). ip access-list < type > "< id-string >" permit host <...
  • Page 267 Access Control Lists (ACLs) Configuring and Assigning an ACL ip access-list < type > “< id-string >” < permit | deny > ip < source-ip-address > < source-acl-mask > < destination-ip-address > < destination-acl-mask > [log] <... Note: The optional log function appears only with “deny” ACEs.
  • Page 268: Acl Configuration Factors

    Access Control Lists (ACLs) Configuring and Assigning an ACL ACL Configuration Factors ACL Resource Consumption Consumption of resources can be a significant factor in switches using extensive ACL applications. In this case, resource usage takes precedence over other factors when planning and configuring ACLs. For more information on this topic, refer to “Planning an ACL Application”...
  • Page 269 Access Control Lists (ACLs) Configuring and Assigning an ACL Table 9-6. Effect of the ACL in Figure 9-12 on Inbound Traffic on the Assigned Port Line # Action Shows list type (extended) and ID (101). A packet from IP source address 10.28.235.10 will be denied (dropped). This line filters out all packets received from 10.28.235.10.
  • Page 270: Using The Cli To Create An Acl

    Access Control Lists (ACLs) Configuring and Assigning an ACL Using the CLI To Create an ACL Command Page access-list (standard ACLs) 9-39 access-list (extended ACLs) 9-44 ip access-list (named ACLs) 9-50 You can use either the switch CLI or an offline text editor to create an ACL. This section describes the CLI method, which is recommended for creating short ACLs.
  • Page 271: Configuring And Assigning A Numbered, Standard Acl

    Access Control Lists (ACLs) Configuring and Assigning an ACL Table 9-7. Examples of CIDR Notation for Masks IP Address Used In an ACL with CIDR Notation / Resulting ACL Mask / Meaning: 18.38.240.125/15 / 0.1.255.255 / The leftmost 15 bits must match; the remaining bits are wildcards. 18.38.240.125/20 / 0.0.15.255 / The leftmost 20 bits must match;...
  • Page 272 Access Control Lists (ACLs) Configuring and Assigning an ACL Note For a summary of ACL commands, refer to table 9-1, “Comprehensive Command Summary”, on page 9-5. Syntax: [no] access-list Creates an ACE in the specified (1-99) access list and indicates the action (deny or permit) to take on a packet if there is a match between the packet and the criterion in the entry.
  • Page 273 Access Control Lists (ACLs) Configuring and Assigning an ACL • IP-addr / mask-length — Performs the specified action on any IP packet having a source address within the range defined by either < src-ip-addr / cidr-mask-bits > < src-ip-addr < mask >> Use this criterion to filter packets received from either a subnet or a group of contiguous IP addresses.
  • Page 274 • 10.128.100.27 • 10.128.100.14 ProCurve(config)# access-list 50 permit host 10.128.100.10 ; ProCurve(config)# access-list 50 permit host 10.128.100.27 ; ProCurve(config)# access-list 50 permit host 10.128.80.14 (callout: Permits IP traffic from the indicated IP address. Since, for this example, ACL 50 is a new list, this...)
  • Page 275 IP traffic received on port 20 from 10.128.93.17 and 10.130.93.25, but permit all other IP traffic on this VLAN. The next ACL achieves this: ProCurve Switch 2610-24(config)# access-list 60 deny host 10.128.93.17 ; ProCurve Switch 2610-24(config)# access-list 60 deny host 10.28.93.25...
  • Page 276: Configuring And Assigning A Numbered, Extended Acl

    Access Control Lists (ACLs) Configuring and Assigning an ACL Configuring and Assigning a Numbered, Extended ACL This section describes how to configure numbered, extended ACLs. To configure other ACL types, refer to the following table. To Configure: / Refer To: Standard, numbered ACLs / “Configuring and Assigning a Numbered, Standard ACL”...
  • Page 277 Syntax: [no] access-list Creates an ACE in the specified (100-199) access list and: • Indicates the action (deny or permit) to take on a packet if there is a match between the packet and the criteria in the complete ACE.
  • Page 278 < any | host < src-ip-addr > | ip-addr/mask-length > In an extended ACL, this parameter defines the source IP address (SA) that a packet must carry in order to have a match with the ACE.
  • Page 279 Comparison Operator: • eq < tcp/udp-port-nbr > — “Equal To”; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to < tcp/udp-port-nbr >. Port Number or Well-Known Port Name: Use the TCP or UDP port number required by your application.
  • Page 280 (See “A” in figure 9-15, below.) B. Permit FTP traffic from IP address 10.10.20.100 on port 2 to 10.10.30.55. Deny FTP traffic from other hosts on network 10.10.20.0 to any destination, but permit all other traffic. [Figure 9-15 diagram labels: 2610 Switch; 10.10.10.0; VLAN 10; 10.10.10.1; 10.10.20.0...]
  • Page 281 ProCurve(config)# access-list 110 permit tcp host 10.10.10.44 host 10.10.20.78 eq telnet ProCurve(config)# access-list 110 deny ip 10.10.10.1/24 10.10.20.1/24 ProCurve(config)# access-list 110 permit ip any any (Refer to figure 9-15, above.) ProCurve(config)# interface 1 access-group 110 in ProCurve(config)# access-list 120 permit tcp host 10.10.20.100 host 10.10.30.55...
  • Page 282: Configuring A Named Acl

    Configuring a Named ACL You can use the “Named ACL” context to configure a standard or extended ACL with an alphanumeric name instead of a number. Note that the command structure for configuring a named ACL differs from that for a numbered ACL. Syntax: ip access-list standard <...
  • Page 283 < name-str | 1-99 | 100-199 > Consists of an alphanumeric string of up to 64 case-sensitive characters. If you include a space in the string, you must also enclose the string with quotes. For example, “ACL # 1”...
  • Page 284: Enabling Or Disabling Acl Filtering On An Interface

    ProCurve (config)# ip access-list extended 150 ProCurve (config-ext-nacl)# permit tcp host 10.10.20.200 10.10.10.1/24 eq telnet ProCurve (config-ext-nacl)# exit ProCurve (config)# write mem ProCurve (config)# interface 12 access-group 150 in... (Figure callout: Command Entry for Source IP Address)
  • Page 285: Deleting An Acl From The Switch

    Access Control Lists (ACLs) Deleting an ACL from the Switch Enabling an ACL from the Global Configuration Level. Enabling an ACL from an Interface Context. Disabling an ACL from the Global Configuration Level. Disabling an ACL from an Interface Context. Figure 9-18.
  • Page 286: Displaying Acl Data

    Access Control Lists (ACLs) Displaying ACL Data Displaying ACL Data ACL Commands (Function, Page): show access-list (page 9-54): View a brief listing of all ACLs on the switch. show access-list config (page 9-55): Display the ACL lists configured in the switch. show access-list ports <... (page 9-56): List the name and type of ACLs assigned
  • Page 287: Display The Content Of All Acls On The Switch

    Access Control Lists (ACLs) Displaying ACL Data ProCurve(config)# show access-list Access Control Lists Type Appl Name ---- ---- ----------------------------- Figure 9-19. Example of a Summary Table of Access Lists Term Meaning Type Shows whether the listed ACL is (Standard; source-address only) or (Extended;...
  • Page 288: Display The Acl Assignments For An Interface

    ACL, it appears in the show config display. For example, with two ACLs configured in the switch, you will see results similar to the following: ProCurve (config)# show access-list config ip access-list standard "50" permit 10.128.100.10 0.0.0.0 permit 10.128.100.27 0.0.0.0...
  • Page 289: Displaying The Content Of A Specific Acl

    Access Control Lists (ACLs) Displaying ACL Data Note This information also appears in the show running display. If you executed write memory after configuring an ACL, it appears in the show config display. For example, if you assigned a standard ACL with an ACL-ID of “1” to filter inbound traffic on port 10, you could quickly verify this assignment as follows: Indicates that a standard ACL with the ID of “2”...
  • Page 290 For example, suppose you configured the following two ACLs in the switch: ACL ID ACL Type Desired Action Standard • Deny IP traffic from 18.28.236.77 and 18.29.140.107. • Permit IP traffic from all other sources. Extended •...
  • Page 291: Displaying The Current Acl Resources

    Access Control Lists (ACLs) Displaying ACL Data Table 9-8. Descriptions of Data Types Included in Show Access-List < interface > Output Field Description Name The ACL identifier. Can be a number from 1 to 199, or a name. Type Standard or Extended. The former uses only source IP addressing. The latter uses both source and destination IP addressing and also allows TCP or UDP port specifiers.
  • Page 292: Display All Acls And Their Assignments In The Switch Startup-Config File And Running-Config File

    Access Control Lists (ACLs) Editing ACLs and Creating an ACL Offline ProCurve(config)# show access-list resources ACL Resource Usage Feature | Rules Used | Rules Maximum | Resources Used | Resources Required -----------------|-----|-------|---------|-------- cli-acl 15 | idm-acl Figure 9-23. Example of a Show Access-List Resources Command Output...
  • Page 293 Note Before editing an assigned ACL, you must use the no interface < interface > access-group < acl-# > in command to remove the ACL from all interfaces to which it is assigned.
  • Page 294 no access-list < name-str | 100-199 > < permit | deny > < ip | tcp | udp > < src-addr: any | host | ip-addr/mask-length > [operator < src-port-num >] <...
  • Page 295: Working Offline To Create Or Edit An Acl

    ACL configuration to a file in your TFTP server. For example, to copy the ACL configuration to a file named acl02.txt in the TFTP directory on a server at 10.28.227.2: ProCurve# copy command-output 'show access-list config' tftp 10.28.227.2 acl02.txt pc...
  • Page 296 • To create a new ACL, just open a text file in the appropriate directory on a TFTP server accessible to the switch. 2. Use the text editor to create or edit the ACL(s). 3. Use copy tftp command-file to download the file as a list of commands to the switch.
  • Page 297 ■ Permit internet access to the following two IP addresses through port 24, but deny access to all other addresses through this port (without ACL logging). • 10.10.20.98 • 10.10.20.21 ■...
  • Page 298 ACL is not configured. 3. Next, assign the new ACL to the intended interface which, in this example, is for port 2. ProCurve(config)# interface 2 access-group 160 in 4. Inspect the effect of the ACL on the switch’s resources. ProCurve(config)# show access-list resources...
  • Page 299: Enable Acl "Deny" Logging

    Access Control Lists (ACLs) Enable ACL “Deny” Logging Enable ACL “Deny” Logging ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” action. You can use ACL logging to help: ■ Test your network to ensure that your ACL configuration is detecting...
  • Page 300: Enabling Acl Logging On The Switch

    Access Control Lists (ACLs) Enable ACL “Deny” Logging summary of any additional “deny” matches for that ACE (and any other “deny” ACEs for which the switch detected a match). If no further log messages are generated in the wait-period, the switch suspends the timer and resets itself to send a message as soon as a new “deny”...
  • Page 301 [Figure labels: Syslog Server; Console; 2610 Switch; Console RS-232 Port] Configure extended ACL 143 here to deny inbound Telnet traffic from IP address 10.38.100.127. Telnet access to 10.38.100.127. Block Telnet access to the network from this host.
  • Page 302: Operating Notes For Acl Logging

    ■ However, excessive logging can affect switch performance. For this reason, ProCurve recommends that you remove the logging option from ACEs for which you do not have a present need. Also, avoid configuring logging where it does not serve an immediate purpose.
  • Page 303: General Acl Operating Notes

    Access Control Lists (ACLs) General ACL Operating Notes General ACL Operating Notes ACLs do not provide DNS hostname support. Protocol Support: ACL criteria include IP, TCP, and UDP. ACLs do not use these protocols: ■ TOS (Type-of-Service) ■ Precedence ■ MAC information ■...
  • Page 304 < acl-list-# >: Unable to apply access control list. The indicated ACL cannot be applied to an interface because an ACL is already assigned to the interface. The command fails for all included interfaces, including any that do not already have an ACL assigned.
  • Page 305 Traffic/Security Filters Contents Overview ........... . . 10-2 General Operation .
  • Page 306: Traffic/Security Filters

    Traffic/Security Filters Overview Overview General Operation You can enhance in-band security and improve control over access to network resources by configuring static per-port filters to forward (the default action) or drop unwanted traffic. That is, you can configure a traffic filter to either forward or drop all network traffic moving between an inbound (source) port or trunk and any outbound (destination) ports and trunks (if any) on the switch.
  • Page 307: Applying A Source Port Filter In A Multinetted Vlan

    port 5 to port 7, but would forward all other traffic from any source port to any destination port (refer to figures 10-1 and 10-2). [Figure labels: Port 7 Server "A"; Workstation "X" Port 5; Port 8 Server "B"; Port 9 Server "C"...]
  • Page 308: Using Source-Port Filters

    Traffic/Security Filters Using Source-Port Filters Using Source-Port Filters Operating Rules for Source-Port Filters ■ You can configure one source-port filter for each physical port or port trunk on the switch. ■ Each source-port filter you configure is composed of: • One source port or port trunk (trk1, trk2, ...trk6) •...
  • Page 309: Configuring A Source-Port Filter

    1 (Trk1) and any port in the range of port 10 to port 15. To create this filter you would execute this command: ProCurve(config)# filter source-port 5 drop trk1,10-15 Later, suppose you wanted to shift the destination port range for this filter up by two ports;...
  • Page 310 10 and 11 while adding ports 16 and 17 to the "drop" list: ProCurve(config)# filter source-port 5 forward 10-11 drop 16-17 Configuring a Filter on a Port Trunk. This operation uses the same com­...
  • Page 311: Viewing A Source-Port Filter

    Traffic/Security Filters Using Source-Port Filters The *5* shows that port 5 is configured for filtering, but the filtering action has been suspended while the port is a member of a trunk. If you want the trunk to which port 5 belongs to filter traffic, then you must explicitly configure filtering on the trunk.
  • Page 312 index Displays detailed data on the filter designated by the index number. For source-port filters, the display includes the source-port number, a listing of all ports and/or trunks on the switch (with their port types), and the filter action configured on each port or trunk (Forward—the default—or Drop).
  • Page 313: Filter Indexing

    Filter Indexing The switch automatically assigns each new source-port filter to the lowest-available index (IDX) number. If there are no filters currently configured, and you create three filters in succession, they will have index numbers 1 - 3. However, if you then delete the filter using index number "2"...
  • Page 314: Using Named Source-Port Filters

    Using Named Source-Port Filters Named source-port filters are filters that may be used on multiple ports and port trunks. As with regular source-port filters, a port or port trunk can only have one source-port filter, but this new capability enables you to define a source-port filter once and apply it to multiple ports and port trunks.
  • Page 315 > drop <destination-port-list> A named source-port filter must first be defined and configured before it can be applied. In the following example two named source-port filters are defined, web-only and accounting. ProCurve(config)# filter source-port named-filter web-only ProCurve(config)# filter source-port named-filter accounting By default, these two named source-port filters forward traffic to all ports and port trunks.
  • Page 316 A named source-port filter can be defined and configured in a single command by adding the drop option, followed by the required destination-port-list. Viewing a Named Source-Port Filter You can list all source-port filters configured in the switch, both named and unnamed, and their action using the show command below.
  • Page 317 Network Design 1. Accounting Workstations may only send traffic to the Accounting Server. 2. No Internet traffic may be sent to the Accounting Server or Workstations. 3. All other switch ports may only send traffic to Port 1. [Figure labels: Router to the Internet; Port 1...]
  • Page 318 ProCurve(config)# filter source-port named-filter web-only drop 2-26 ProCurve(config)# filter source-port named-filter accounting drop 1-6,8,9,12- ProCurve(config)# filter source-port named-filter no-incoming-web drop 7,10,11 ProCurve(config)# show filter source-port Traffic/Security Filters Filter Name | Port List | Action -------------------- + -------------------- + --------------------------...
  • Page 319 The show filter command shows what ports have filters applied. ProCurve(config)# show filter Traffic/Security Filters IDX Filter Type | Value --- ------------ + ------------------- (Callout on Value: indicates the port number or port-trunk name of the source port or trunk assigned to the filter.)
  • Page 320 Using the IDX value in the show filter command, we can see how traffic is filtered on a specific port (Value). The two outputs below show a non-accounting and an accounting switch port. ProCurve(config)# show filter 24 ProCurve(config)# show filter 4 Traffic/Security Filters...
  • Page 321 ProCurve(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port Type | Action --------- --------- + ------- 10/100TX | Forward 10/100TX | Forward 10/100TX | Forward 10/100TX | Forward...
  • Page 322 The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command. ProCurve(config)# filter source-port named-filter accounting forward 8,12,13 ProCurve(config)# filter source-port named-filter no-incoming-web drop 8,12,13 ProCurve(config)#...
  • Page 323 The named source-port filters now manage traffic on the switch ports as shown below, using the show filter source-port command. ProCurve(config)# show filter source-port Traffic/Security Filters Filter Name | Port List | Action -------------------- + -------------------- + --------------------------...
  • Page 325: Configuring Port-Based And User-Based Access Control (802.1X)

    Configuring Port-Based and User-Based Access Control (802.1X) Contents Overview ........... . . 11-3 Why Use Port-Based or User-Based Access Control? .
  • Page 326 Operating Rules for Authorized-Client and Unauthorized-Client VLANs ....... . . 11-36 Setting Up and Configuring 802.1X Open VLAN Mode .
  • Page 327: Overview

    Configuring Port-Based and User-Based Access Control (802.1X) Overview Overview Feature Default Menu Configuring Switch Ports as 802.1X Authenticators Disabled page 11-17 Configuring 802.1X Open VLAN Mode Disabled page 11-29 Configuring Switch Ports to Operate as 802.1X Supplicants Disabled page 11-47 Displaying 802.1X Configuration, Statistics, and Counters page 11-51 How 802.1X Affects VLAN Operation...
  • Page 328: User Authentication Methods

    Configuring Port-Based and User-Based Access Control (802.1X) Overview • Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication.
  • Page 329 This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated. All sessions must use the same untagged VLAN.
  • Page 330: Terminology

    Configuring Port-Based and User-Based Access Control (802.1X) Terminology This operation unblocks the port while an authenticated client session is in progress. In topologies where simultaneous, multiple client access is possible this can allow unauthorized and unauthenticated access by another client while an authenticated client is using the port.
  • Page 331 Authenticator: In ProCurve applications, a switch that requires a supplicant to provide the proper credentials before being allowed access to the network.
  • Page 332 Supplicant: The entity that must provide the proper credentials to the switch before receiving access to the network. This is usually an end-user workstation, but it can be a switch, router, or another device seeking network services.
  • Page 333: General 802.1X Authenticator Operation

    Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode”...
  • Page 334: Vlan Membership Priority

    Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation N o t e The switches covered in this guide can use either 802.1X port-based authen­ tication or 802.1X user-based authentication. For more information, refer to “User Authentication Methods” on page 11-4. VLAN Membership Priority Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration.
  • Page 335 [Flowchart labels: New Client Authenticated; Another (Old) Client Already Using Port?; RADIUS-Assigned VLAN?; Assign New Client to RADIUS-Specified VLAN; Authorized Client VLAN Configured?; Assign New Client to Authorized VLAN; VLAN Same As Old?; Accept New Client]
  • Page 336: General Operating Rules And Notes

    Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed: • Multicast and broadcast traffic is allowed on the port. •...
  • Page 337 ■ If a port on switch “A” is configured as an 802.1X supplicant and is connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection. ■...
  • Page 338: General Setup Procedure For 802.1X Access Control

    1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, ProCurve recommends that you use a local username and password pair at least until your other security measures are in place.)
  • Page 339 ProCurve(config)# password port-access user-name Jim secret3 Figure 11-2. Example of the Password Port-Access Command 2. Determine which ports on the switch you want to operate as authentica­...
  • Page 340: Overview: Configuring 802.1X Authentication On The Switch

    Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to the following: “802.1X User-Based Access Control”...
  • Page 341: Configuring Switch Ports As 802.1X Authenticators

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Note If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected.
  • Page 342: Enable 802.1X Authentication On Selected Ports

    1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps: A.
  • Page 343 B. Specify User-Based Authentication or Return to Port-Based Authentication User-Based 802.1X Authentication. Syntax: aaa port-access authenticator client-limit < port-list > < 1 - 8> Used after executing aaa port-access authenticator < port-list > (above) to convert authentication from port-based to user-based.
  • Page 344: Reconfigure Settings For Port-Access

    This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication. ProCurve(config)# aaa port-access authenticator a10-A12 ProCurve(config)# aaa port-access authenticator a10-A12 client-limit 4 Figure 11-3. Example of Configuring User-Based 802.1X Authentication Example: Configuring Port-Based 802.1X Authentication This example enables ports A13-A15 to operate as authenticators, and then configures the ports for port-based authentication.
  • Page 345 [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).
  • Page 347 [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid <...
  • Page 348: Configure The 802.1X Authentication Method

    3. Configure the 802.1X Authentication Method This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator. Syntax: aaa authentication port-access <...
  • Page 349: Enter The Radius Host Ip Address(Es)

    For example, to enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers: Configuration command for EAP-RADIUS authentication. 802.1X (Port-Access) configured for EAP-RADIUS authentication.
  • Page 350: Enable 802.1X Authentication On The Switch

    5. Enable 802.1X Authentication on the Switch After configuring 802.1X authentication as described in the preceding four sections, activate it with this command: Syntax: aaa port-access authenticator active Activates 802.1X port-access on ports you have configured as authenticators.
  • Page 351 Prerequisite. As documented in the IEEE 802.1X standard, the disabling of incoming traffic and transmission of outgoing traffic on an 802.1X-aware egress port in an unauthenticated state (using the aaa port-access controlled-directions in command) is supported only if: ■ The port is configured as an edge port in the network using the spanning-...
  • Page 352 802.1X authenticated state and successfully authenticates a client device. ProCurve(config)# aaa port-access authenticator a10 ProCurve(config)# aaa authentication port-access eap-radius ProCurve(config)# aaa port-access authenticator active ProCurve(config)# aaa port-access a10 controlled-directions in Figure 11-6. Example of Configuring 802.1X Controlled Directions 11-28...
  • Page 353: 802.1X Open Vlan Mode

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 11-17 802.1X Supplicant Commands page 11-48 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator < port-list > page 11-43 [auth-vid < vlan-id >] [unauth-vid <...
  • Page 354: Vlan Membership Priorities

    Note On ports configured to allow multiple sessions using 802.1X user-based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, authenticated clients, the first authenticated client determines the untagged VLAN in which the port will operate for all subsequent, overlapping client sessions.
  • Page 355: Use Models For 802.1X Open Vlan Modes

    Note After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port is a tagged member of a VLAN used for 1 or 2 listed above, then it also operates as an untagged member of that VLAN while the client is connected.
  • Page 356 Table 11-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN • When the port detects a client without 802.1X supplicant capability, it automatically becomes an untagged member of this...
  • Page 357 802.1X Per-Port Configuration Port Response Authorized-Client VLAN • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN. Notes: If the client is running an 802.1X supplicant application when the authentication session begins, and is able to authenticate itself before the switch assigns the port to the Unauthorized-Client VLAN, then the port does not become a...
  • Page 358 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
  • Page 359 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.
  • Page 360: Operating Rules For Authorized-Client And Unauthorized-Client Vlans

    Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition / Rule: Static VLANs used as Authorized-Client or Unauthorized-Client VLANs: These must be configured on the switch before you configure an 802.1X authenticator port to use them.
  • Page 361 Condition / Rule: Effect of Unauthorized-Client VLAN session on untagged port VLAN: • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged).
  • Page 362 Condition / Rule: Effect of RADIUS-assigned VLAN: The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN.
  • Page 363 Condition / Rule: Note: Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to Allow Multiple-Client Access: You can optionally enable switches to allow up to 8 clients per-port. The Unauthorized-Client VLAN feature can operate on an 802.1X-configured port regardless of how many clients the port is configured...
  • Page 364: Setting Up And Configuring 802.1X Open Vlan Mode

    Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 11-1 on page 11-32 for other options. Before you configure the 802.1X Open VLAN mode on a port: ■...
  • Page 365 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges.
  • Page 366 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > Adds a server to the RADIUS configuration.
  • Page 367 Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101 and an encryption key of rad4all. ProCurve(config)# aaa port-access authenticator e a10-a20 unauth-vid 80 Configures ports A10 - A20 to use VLAN 80 as the Unauthorized-Client VLAN.
  • Page 368: 802.1X Open Vlan Operating Notes

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 11-54. 802.1X Open VLAN Operating Notes ■...
  • Page 369: Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices

    Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices reauthenticate itself. If there are multiple clients authenticated on the port, if one client loses access and attempts to re-authenticate, that client will be handled as a new client on the port.
  • Page 370: Port-Security

    Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices Port-Security Note: If 802.1X port-access is configured on a given port, then port-security learn-mode for that port must be set to either continuous (the default) or port-access. In addition to the above, to use port-security on an authenticator port (chapter 12), use the per-port client-limit option to control how many MAC addresses of 802.1X-authenticated devices the port is allowed to learn.
  • Page 371: Configuring Switch Ports To Operate As Supplicants For 802.1X Connections To Other Switches

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands page 11-17 802.1X Supplicant Commands [no] aaa port-access <...
  • Page 372: Supplicant Port Configuration

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches • If, after the supplicant port sends the configured number of start packets, it does not receive a response, it assumes that switch “B” is not 802.1X-aware, and transitions to the authenticated state.
  • Page 373 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches identity and secret options to configure the RADIUS-expected credentials on the supplicant port. If the intended authenticator port uses Local 802.1X authentication, then use the identity and secret options to configure the authenticator switch’s local username and password on the supplicant port.
  • Page 374 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches [max-start < 1 - 10 >] Defines the maximum number of times the supplicant port requests authentication. See step 1 on page 11-47 for a description of how the port reacts to the authenticator response.
  • Page 375: Displaying 802.1X Configuration, Statistics, And Counters

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 11-17 802.1X Supplicant Commands page 11-47 802.1X Open VLAN Mode Commands page 11-29 802.1X-Related Show Commands show port-access authenticator below show port-access supplicant page 11-57...
  • Page 376 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [< port-list >] Shows: • Whether port-access authenticator is active • The 802.1X configuration settings of ports configured as 802.1X authenticators (For a description of each setting, refer to the syntax descriptions in “2.
  • Page 377 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters ProCurve(config)# show port-access authenticator config Port Access Authenticator Configuration Port-access authenticator activated [No] : No | Re-auth Access Quiet Supplicant Server Cntrl Port | Period Control Reqs...
  • Page 378: Viewing 802.1X Open Vlan Mode Status

    Figure 11-10. Example Showing Ports Configured for Open VLAN Mode (figure residue: per-port VLAN and control-mode columns omitted) ProCurve(config)# show port-access authenticator 1-3 Port Access Authenticator Status Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Current Current...
  • Page 379 This state is controlled by the following port-access command syntax: ProCurve(config)# aaa port-access authenticator < port-list > control < authorized | auto | unauthorized > Auto: Configures the port to allow network access to any connected device that supports 802.1X authentication and provides valid 802.1X credentials.
  • Page 380 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Note that ports B1 and B3 are not in the upper listing, but are included under “Overridden Port VLAN configuration”. This shows that static, untagged VLAN memberships on ports B1 and B3 have been overridden by temporary assignment to the authorized or unauthorized...
  • Page 381: Show Commands For Port-Access Supplicant

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [< port-list >] [statistics] show port-access supplicant [< port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port- list >...
  • Page 382: How Radius/802.1X Authentication Affects Vlan Operation

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement.
  • Page 383: Vlan Assignment On A Port

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Note: You can use 802.1X (port-based or client-based) authentication and either Web or MAC authentication at the same time on a port, with a maximum of 8 clients allowed on the port.
  • Page 384 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN for authentication sessions on the switch, the authentication fails. ■...
  • Page 385: Example Of Untagged Vlan Assignment In A Radius-Based Authentication Session

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation • Removes the temporary untagged VLAN assignment and stops advertising it. • Re-activates and resumes advertising the temporarily disabled, untagged VLAN assignment. ■ If you modify a VLAN ID configuration on a port during an 802.1X, MAC, ...
  • Page 386 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1X client requires access...
  • Page 387 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1X session. This is to accommodate an 802.1X client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22.
  • Page 388: Enabling The Use Of Gvrp-Learned Dynamic Vlans In Authentication Sessions

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the port becomes available again.
  • Page 389 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Syntax: aaa port-access gvrp-vlans —Continued— 2. After you enable dynamic VLAN assignment in an authentication session, it is recommended that you use the interface unknown-vlans command on a per-port basis to prevent denial-of-service attacks.
  • Page 390: Operating Note

    Configuring Port-Based and User-Based Access Control (802.1X) Operating Note Operating Note Applying Web Authentication or MAC Authentication Concurrently with Port-Based 802.1X Authentication: While 802.1X port-based access control can operate concurrently with Web Authentication or MAC Authentication, port-based access control is subordinate to Web-Auth and MAC-Auth operation.
  • Page 391: Messages Related To 802.1X Operation

    The ports in the port list have not been enabled as 802.1X Port authenticators. Use this command to enable the ports as authenticators: ProCurve(config)# aaa port-access authenticator e 10 < port-list > Occurs when there is an attempt to change the supplicant Port is not a supplicant.
  • Page 392 Configuring Port-Based and User-Based Access Control (802.1X) Messages Related to 802.1X Operation 11-68...
  • Page 393: Configuring And Monitoring Port Security

    Configuring and Monitoring Port Security Contents Overview ........... . . 12-2 Basic Operation .
  • Page 394: Overview

    Configuring and Monitoring Port Security Overview Overview Feature Default Menu Displaying Current Port Security n/a — page 12-10 page 12-27 Configuring Port Security disabled — page 12-12 page 12-27 Intrusion Alerts and Alert Flags page 12-34 page 12-32 page 12-35 Using Port Security, you can configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port.
  • Page 395: Eavesdrop Protection

    Configuring and Monitoring Port Security Overview General Operation for Port Security. On a per-port basis, you can configure security measures to block unauthorized devices, and to send notice of security violations. Once you have configured port security, you can then monitor the network for security violations through one or more of the following: ■...
  • Page 396: Trunk Group Exclusion

    Configuring and Monitoring Port Security Overview configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users. For example: Physical Topology Logical Topology for Access to Switch A Switch A Switch A Port Security...
  • Page 397: Planning Port Security

    Configuring and Monitoring Port Security Planning Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port and how many devices do you want to allow per port (up to 32) c. Within the devices-per-port limit, do you want to let the switch automatically accept devices it detects on a port, or do you want it...
  • Page 398: Port Security Command Options And Operation

    Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 12-11 port-security 12-12 < [ethernet] port-list > 12-12 [learn-mode] 12-12 [address-limit] 12-12 [mac-address] 12-12 [action] 12-12 [clear-intrusion-flag]...
  • Page 399 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > learn-mode < continuous | static | configured | port-access > Continuous (Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from inbound traffic from any device(s) to which it is connected.
  • Page 400 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) learn-mode < continuous | static | configured | port-access > (- Continued -) Configured: The static-configured option operates the same as the static-learn option on the preceding page, except that it does not allow the switch to accept non-specified addresses to reach the address limit.
  • Page 401 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) action < none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a network management station. Operates when: • Learn mode is set to learn-mode static (static-learn) or learn-mode configured (static-configured) and the port detects an unauthorized device.
  • Page 402: Retention Of Static Mac Addresses

    Configuring and Monitoring Port Security Port Security Command Options and Operation Retention of Static MAC Addresses Learned MAC Addresses In the following two cases, a port in Static learn mode (learn-mode static) retains a learned MAC address even if you later reboot the switch or disable port security for that port: ■...
  • Page 403 Configuring and Monitoring Port Security Port Security Command Options and Operation Using the CLI To Display Port Security Settings. Syntax: show port-security show port-security [e] <port number> show port-security [e] [<port number>-<port number>]. . .[,<port number>] Without port parameters, show port-security displays operating control settings for all ports on a switch.
  • Page 404: Configuring Port Security

    (The default device limit is 1.) It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port. ProCurve(config)# port-security a1 learn-mode static action send-disable The next example does the same as the preceding example, except that it...
  • Page 405 Send an alarm to a management station if an intruder is detected on the ■ port. ProCurve(config)# port-security a5 learn-mode static address-limit 2 mac-address 00c100-7fec00 0060b0-889e00 action send-alarm If you manually configure authorized devices (MAC addresses) and/or an alarm action on a port, those settings remain unless you either manually change them or reset the switch to its factory-default configuration.
  • Page 406 Figure 12-4. Example of Adding an Authorized Device to a Port With the above configuration for port A1, the following command adds the 0c0090-456456 MAC address as the second authorized address. ProCurve(config)# port-security a1 mac-address 0c0090-456456 After executing the above command, the security configuration for port A1...
  • Page 407 A1 that raises the address limit to 2 and specifies the additional device’s MAC address. For example: ProCurve(config)# port-security a1 mac-address 0c0090- 456456 address-limit 2 Removing a Device From the “Authorized” List for a Port Configured for Learn-Mode Static. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list.
  • Page 408 Figure 12-7. Example of Two Authorized Addresses on Port A1 The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090- 123456 12-16...
  • Page 409: Mac Lockdown

    Configuring and Monitoring Port Security MAC Lockdown The above command sequence results in the following configuration for port A1: Figure 12-8. Example of Port A1 After Removing One MAC Address MAC Lockdown MAC Lockdown, also known as “static addressing,” is the permanent assignment of a given MAC address (and VLAN, or Virtual Local Area Network) to a specific port on the switch.
  • Page 410 Configuring and Monitoring Port Security MAC Lockdown How It Works. When a device’s MAC address is locked down to a port (typically in a pair with a VLAN) all information sent to that MAC address must go through the locked-down port. If the device is moved to another port it cannot receive data.
  • Page 411: Differences Between Mac Lockdown And Port Security

    Configuring and Monitoring Port Security MAC Lockdown You cannot perform MAC Lockdown and 802.1x authentication on the same port or on the same MAC address. MAC Lockdown and 802.1x authentication are mutually exclusive. Lockdown is permitted on static trunks (manually configured link aggregations).
  • Page 412 Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
  • Page 413: Deploying Mac Lockdown

    Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.
  • Page 414 Configuring and Monitoring Port Security MAC Lockdown (figure residue: model topology showing Internal Server “A” in the Core Network behind 2610 or 5300xl switches) There is no need to lock MAC addresses on switches in the internal core network. ...
  • Page 415 Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
  • Page 416 Configuring and Monitoring Port Security MAC Lockdown (figure residue: Internal Network with Switches 1-4 and Server A; Server A is locked down to Switch 1, Uplink 2. PROBLEM: If this link fails, traffic to Server A will not use the backup path via Switch 3.) External...
  • Page 417: Mac Lockout

    Displaying status. Locked down ports are listed in the output of the show running-config command in the CLI. The show static-mac command also lists the locked down MAC addresses, as shown below. ProCurve# show static-mac VLAN MAC Address Port 1 001083-34f8fa 9 Number of locked down MAC addresses = 1 Figure 12-11. Listing Locked Down Ports...
  • Page 418 Displaying status. Locked out ports are listed in the output of the show running-config command in the CLI. The show lockout-mac command also lists the locked out MAC addresses, as shown below. ProCurve# show lockout-mac Locked Out Addresses 007347-a8fd30 Number of locked out MAC addresses = 1 Figure 12-12. Listing Locked Out Ports...
  • Page 419: Port Security And Mac Lockout

    Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command.
  • Page 420: Reading Intrusion Alerts And Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Reading Intrusion Alerts and Resetting Alert Flags Notice of Security Violations When the switch detects an intrusion on a port, it sets an “alert flag” for that port and makes the intrusion information available as described below. While the switch can detect additional intrusions for the same port, it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset.
  • Page 421: How The Intrusion Log Operates

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags How the Intrusion Log Operates When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log. No further intrusion attempts on that port will appear in the Log until you acknowledge the earlier intrusion event by reset-...
  • Page 422 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The port comes up and will block traffic from unauthorized devices it ■ detects. ■ If the port detects another intruder, it will send another SNMP trap, but will not become disabled again unless you first reset the port’s intrusion flag.
  • Page 423 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags MAC Address of System Time of Intrusion on Port A3 Intruding Device on Port A3 Indicates this intrusion on port A3 occurred prior to a reset (reboot) at the indicated time and date.
  • Page 424 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags provides a history of the last 20 intrusions detected by the switch, resetting the alert flags does not change its content. Thus, displaying the Intrusion Log again will result in the same display as in figure 12-15, above.) CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The following commands display port status, including whether there are...
  • Page 425 Intrusion Alert entry for port A1 has changed to “No”. (Executing show port-security intrusion-log again will result in the same display as above, and does not include the Intrusion Alert status.) ProCurve(config)# port-security a1 clear-intrusion-flag ProCurve(config)# show interfaces brief Intrusion Alert on port A1 is now cleared.
  • Page 426: Using The Event Log To Find Intrusion Alerts

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Using the Event Log To Find Intrusion Alerts The Event Log lists port security intrusions as: W MM/DD/YY HH:MM:SS FFI: port A3 - Security Violation where “W” is the severity level of the log entry and “FFI” is the system module that generated the entry.
  • Page 427: Web: Checking For Intrusions, Listing Intrusion Alerts, And Resetting Alert Flags

    Configuring and Monitoring Port Security Operating Notes for Port Security Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags 1. Check the Alert Log by clicking on the Status tab and the [Overview] button. If there is a “Security Violation” entry, do the following: Click on the Security tab.
  • Page 428 LACP configuration, displays a notice that LACP is disabled on the port(s), and enables port security on that port. For example: ProCurve(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s).
  • Page 429: Using Authorized Ip Managers

    Using Authorized IP Managers Contents Overview ........... . . 13-2 Configuration Options .
  • Page 430: Overview

    Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu Listing (Showing) Authorized page 13-5 page 13-6 page 13-9 Managers Configuring Authorized IP None page 13-5 page 13-6 page 13-9 Managers Building IP Masks page 13-10 page 13-10 page 13-10 Operating and Troubleshooting page 13-13 page 13-13 page 13-13 Notes...
  • Page 431: Configuration Options

    Using Authorized IP Managers Access Levels Configuration Options You can configure: ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations ■ Manager or Operator access privileges (for Telnet, SNMPv1, and SNMPv2c access only) Caution: Configuring Authorized IP Managers does not protect access to the switch...
  • Page 432: Defining Authorized Management Stations

    Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations Authorizing Single Stations: The table entry authorizes a single ■ management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authorized Manager IP column, and leave the IP Mask set to 255.255.255.255.
  • Page 433: Menu: Viewing And Configuring Ip Authorized Managers

    Using Authorized IP Managers Defining Authorized Management Stations 255.255.255.252 uses the 4th octet of a given Authorized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 13-10. Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch.
  • Page 434: Cli: Viewing And Configuring Authorized Ip Managers

    Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See “Building IP Masks”...
  • Page 435: Configuring Ip Authorized Managers For The Switch

    Applies only to access through Telnet, SNMPv1, and SNMPv2c. Refer to the Note on page 11-3. To Authorize Manager Access. This command authorizes manager-level access for any station having an IP address of 10.28.227.0 through 10.28.227.255: ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.0 access manager 13-7...
  • Page 436 Defining Authorized Management Stations Similarly, the next command authorizes manager-level access for any station having an IP address of 10.28.227.101 through 103: ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager If you omit the <mask bits> when adding a new authorized manager, the switch automatically uses 255.255.255.255 for the mask.
  • Page 437: Web: Configuring Ip Authorized Managers

    Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: 1. Click on the Security tab. 2. Click on [Authorized Addresses].
  • Page 438: Web-Based Help

    Using Authorized IP Managers Building IP Masks Using a Web Proxy Server to Access the Web Browser Interface Caution: This is NOT recommended. Using a web proxy server between the stations and the switch poses a security risk. If the station uses a web proxy server to connect to the switch, any proxy user can access the switch.
  • Page 439: Configuring Multiple Stations Per Authorized Manager Ip Entry

    Using Authorized IP Managers Building IP Masks Table 13-1. Analysis of IP Mask for Single-Station Entries Manager-Level or Operator-Level Device Access Octet Octet Octet Octet IP Mask 255 The “255” in each octet of the mask specifies that only the exact value in that octet of the corresponding IP address is allowed.
  • Page 440 Using Authorized IP Managers Building IP Masks Manager-Level or Operator-Level Device Access Octet Octet Octet Octet IP Mask In this example (figure 13-5, below), the IP mask allows a group of up to 4 management stations to access the switch. This is useful if the only Authorized devices in the IP address group allowed by the mask are management IP Address...
  • Page 441: Additional Examples For Authorizing Multiple Stations

    Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Results Manager List IP Mask 255 255 0 This combination specifies an authorized IP address of 10.33.xxx.1. It could be applied, for example, to a subnetted network where each subnet is defined by the Authorized 248 1 third octet and includes a management station defined by the value of “1”...
  • Page 442 Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions”...
  • Page 443 Index Numerics features … 11-3 force authorized … 11-20, 11-55 3DES … 7-3, 8-3 force unauthorized … 11-20, 11-55 802.1X access control general setup … 11-14 authenticate users … 11-5 guest VLAN … 11-7, 11-8, 11-29, 11-36 authentication methods … 11-4 GVRP …...
  • Page 444 port-based terminology … 11-6 access … 11-4 traffic flow on unauthenticated ports … 11-27 client without authentication … 11-5 troubleshooting, gvrp … 11-58, 11-59, 11-60 effect of Web/MAC Auth client … 11-66 trunked port blocked … 11-13 enable … 11-18, 11-46 tx-period …...
  • Page 445 VLAN operation … 11-58 configured but not used … 9-37 VLAN use, multiple clients … 11-6 configured, not used … 9-37 VLAN, assignment conflict … 11-12 configuring offline … 9-10 VLAN, membership priority … 11-10, 11-30 copy operation appends … 9-64 VLAN, priority, RADIUS …...
  • Page 446 name string, maximum characters … 9-32, 9-39 VLANs … 9-24 number of entries … 9-10 where applied to traffic … 9-12, 9-25 offline creation … 9-63 wildcard … 9-28, 9-29 operator, comparison … 9-46 wildcard, defined … 9-8 outbound traffic, defined … 9-8 ACL, standard numeric I.D.
  • Page 447 connection inactivity time … 2-3 console, for configuring IANA … 9-47 authorized IP managers … 13-5 Identity Driven Manager CoS … 6-3, 6-4, 6-5 See IDM. RADIUS override … 6-4 IDM … 6-2, 6-6, 6-25, 9-4 CoS override … 11-54 See also RADIUS-assigned ACLs RADIUS-assigned ACLs.
  • Page 448 … 12-31, 12-33, 12-35 port security … 12-35 Privacy Enhanced Mode (PEM) operator password … 2-2, 2-4 See SSH. privilege-mode … 4-11 ProCurve Manager … 6-2 proxy password web server … 12-35 authorized IP managers, precedence … 13-2 browser/console access … 2-3 case-sensitive …...
  • Page 449 accounting, interim updating … 5-32 terminology … 5-3 accounting, network … 5-30 TLS … 5-4 accounting, operating rules … 5-27 vendor specific attributes … 5-20 accounting, server failure … 5-27 vendor-specific attributes … 6-3 accounting, session-blocking … 5-32 VSAs … 5-22 accounting, start-stop method …...
  • Page 450 rate-limiting … 6-3 key, fingerprint … 7-11 Rate-Limiting, RADIUS override … 6-4 keys, zeroing … 7-11 reserved port numbers … 7-17, 8-20 key-size … 7-17 routing known-host file … 7-13, 7-15 source-routing, caution … 6-12, 9-11, 9-32 man-in-the-middle spoofing … 7-16 messages, operating …...
  • Page 451 man-in-the-middle spoofing … 8-18 configuration, viewing … 4-10 OpenSSL … 8-2 encryption key … 4-6, 4-17, 4-18, 4-21 operating notes … 8-6 encryption key, general operation … 4-25 operating rules … 8-6 encryption key, global … 4-22 passwords, assigning … 8-7 general operation …...
  • Page 452 vendor specific attributes … 5-22 Vendor-Specific Attribute … 6-8 vendor-specific attribute configuring … 6-3 vendor-specific attributes … 6-3 VLAN 802.1X … 11-58 802.1X, ID changes … 11-61, 11-65 802.1X, suspend untagged VLAN … 11-54 filter, source-port … 10-3 not advertised for GVRP … 11-60, 11-65 VSA …...
  • Page 454 © Copyright 2007 Hewlett-Packard Development Company, L.P. December 2007 Manual Part Number 5991-8642...