HP procurve switch 2650 Access Security Manual

Access Security Guide
HP Procurve Switch 2650 and Switch 6108
www.hp.com/go/hpprocurve

Summary of Contents for HP procurve switch 2650

  • Page 1 Access Security Guide, HP Procurve Switch 2650 and Switch 6108, www.hp.com/go/hpprocurve
  • Page 3: Access Security Guide

    HP Procurve Switches 2650 and 6108 Software Release H.07.01 or Greater Access Security Guide...
  • Page 4 Microsoft, Windows, Windows 95, and Microsoft Windows NT are registered trademarks of Microsoft Corporation. Internet Explorer is a trademark of Microsoft Corporation. Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
  • Page 5: Table Of Contents

    Getting Started: Contents (page ix); Introduction.
  • Page 6 Chapter 2, TACACS+ Authentication: Contents (page 2-1); Overview.
  • Page 7 Configuring the Switch for RADIUS Authentication (page 3-6); Outline of the Steps for Configuring RADIUS Authentication (page 3-6); 1. Configure Authentication for the Access Methods You Want RADIUS To Protect.
  • Page 8 1. Assigning Local Operator and Manager Passwords (page 4-9); 2. Generating the Switch’s Public and Private Key Pair (page 4-10); 3.
  • Page 9 Displaying 802.1x Configuration, Statistics, and Counters (page 5-21); Show Commands for Port-Access Authenticator (page 5-21); Show Commands for Port-Access Supplicant (page 5-23); How 802.1x Authentication Affects VLAN Operation.
  • Page 10 Chapter 7, Using Authorized IP Managers: Contents (page 7-1); Overview.
  • Page 11 Getting Started: Contents; Introduction (page x); Overview of Access Security Features.
  • Page 12: Getting Started

    This Access Security Guide is intended for use with the following switches: HP Procurve Switch 2650 and HP Procurve Switch 6108. Overview of Access Security Features: Local Manager and Operator Passwords (page 1-1) control access and privileges for the CLI, menu, and web browser interface.
  • Page 13 The Product Documentation CD-ROM shipped with the switch includes a copy of this guide. You can also download the latest copy from the HP Procurve website. (Refer to “Getting Documentation From the Web”, below.)
  • Page 14: Command Syntax Conventions

    In the default configuration, your Switch 2650 or 6108 displays one of the following CLI prompts: HP Procurve Switch 2650# or HP Procurve Switch 6108#. To simplify recognition, this guide uses HPswitch to represent command prompts for all models. That is: HPswitch# (You can use the hostname command to change the text in the CLI prompt.)
  • Page 15: Related Publications

    A PDF version of this guide is also provided on the Product Documentation CD-ROM shipped with the switch. And you can download a copy from the HP Procurve website. (See “Getting Documentation From the Web” on page xv.) Management and Configuration Guide.
  • Page 16 Related Publications: Command Line Interface Reference Guide. This guide, available in a PDF file on the HP Procurve website, provides a summary of the CLI commands generally available for HP Procurve switches. For the latest version, see “Getting Documentation From the Web” on page xv.
  • Page 17: Getting Documentation From The Web

    Go to the HP Procurve website at http://www.hp.com/go/hpprocurve. Click on technical support. Click on manuals. Click on the product for which you want to view or download a manual.
  • Page 18: Sources For More Information

    If you need information on a specific command in the CLI, type the command name followed by “help”. For example: If you need information on specific features in the HP Web Browser Interface (hereafter referred to as the “web browser interface”), use the online help available for the web browser interface.
  • Page 19: Need Only A Quick Start

    IP Addressing. If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using VLANs, HP recommends that you use the Switch Setup screen to quickly configure IP addressing.
  • Page 21: Contents

    Configuring Username and Password Security: Contents; Overview (page 1-2); Configuring Local Password Security.
  • Page 22: Configuring Username And Password Security

    Feature summary (columns: Feature, Default, Menu, CLI, Web): Set Usernames: no user names set; —; —; page 1-6. Set a Password: no passwords set; page 1-4; page 1-5; page 1-6. Delete Password: page 1-4; page 1-6; page 1-6. Password protection: console access includes both the menu interface and the CLI.
  • Page 23 Configuring Username and Password Security Overview If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password. Assuming you have protected both the Manager and Operator levels, the level of access to the console interface will be determined by which password is entered in response to the prompt.
  • Page 24: Configuring Local Password Security

    Menu: Setting Passwords. As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. From the Main Menu select: 3.
  • Page 25: CLI: Setting Passwords And Usernames

    If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter. If you do not have physical access to the switch, you will need Manager-level access: Enter the console at the Manager level.
  • Page 26: Web: Setting Passwords And Usernames

    To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.) For example, to remove the Operator password (and username, if assigned) from the switch, you would do the following:...
  • Page 27: TACACS+ Authentication

    TACACS+ Authentication: Contents; Overview (page 2-2); Terminology Used in TACACS Applications.
  • Page 28: Overview

    Feature summary (columns: Feature, Default, Menu, CLI, Web): view the switch’s authentication configuration: —; —; page 2-10; —. View the switch’s TACACS+ server contact configuration: —; —; page 2-10; —. Configure the switch’s authentication methods: disabled; —; page 2-11; —. Configure the switch to contact TACACS+ server(s): disabled; —...
  • Page 29 ...server and (2) local passwords configured on the switch. That is, with TACACS+ configured, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so.
  • Page 30: Terminology Used In Tacacs Applications

    NAS (Network Access Server): This is an industry term for a TACACS-aware device that communicates with a TACACS server for authentication services. Some other terms you may see in literature describing TACACS operation are communication server, remote access server, or terminal server.
  • Page 31: General System Requirements

    • TACACS+ Authentication: This method enables you to use a TACACS+ server in your network to assign a unique password, user name, and privilege level to each individual or group who needs access to one or more switches or other TACACS-aware devices.
  • Page 32: General Authentication Setup Procedure

    TACACS+ configurations used in your network. TACACS-aware HP switches include the capability of configuring multiple backup TACACS+ servers. HP recommends that you use a TACACS+ server application that supports a redundant backup installation. This allows you to configure the switch to use a backup TACACS+ server if it loses access to the first-choice TACACS+ server.
  • Page 33 15. For more on this topic, refer to the documentation you received with your TACACS+ server application. If you are a first-time user of the TACACS+ service, HP recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment.
  • Page 34 Caution: You should ensure that the switch has a local Manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, then unauthorized access will be available through the console port or Telnet.
  • Page 35: Configuring TACACS+ On The Switch

    Before You Begin: If you are new to TACACS+ authentication, HP recommends that you read the “General Authentication Setup Procedure” on page 2-6 and configure your TACACS+ server(s) before configuring authentication on the switch.
  • Page 36: Viewing The Switch's Current Authentication Configuration

    Viewing the Switch’s Current Authentication Configuration: This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access. Syntax: show authentication. This example shows the default authentication configuration.
  • Page 37: Configuring The Switch's Authentication Methods

    Configuring the Switch’s Authentication Methods: The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied).
  • Page 38 Table 2-1. AAA Authentication Parameters (columns: Name, Default, Range, Function). console | telnet: specifies whether the command is configuring authentication for the console port or the Telnet access method for the switch. enable: specifies the privilege level for the access method being configured.
  • Page 39 Table 2-2. Primary/Secondary Authentication Table (columns: Access Method and Privilege Level; Authentication Options, Primary / Secondary; Effect on Access Attempts). Console Login: local / none*: local username/password access only. tacacs / local: if the TACACS+ server is unavailable, uses local username/password access. Console...
  • Page 40 For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. HPswitch(config)# aaa authentication console login tacacs local. Console Login (Oper- Primary Secondary...
  • Page 41: Configuring The Switch's TACACS+ Server Access

    Note: As described under “General Authentication Setup Procedure” on page 2-6, HP recommends that you configure, test, and troubleshoot authentication via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up authentication in either the switch or your TACACS+ server.
  • Page 42 Syntax: tacacs-server host <ip-addr> [key <key-string>] (adds a TACACS+ server and optionally assigns a server-specific encryption key); [no] tacacs-server host <ip-addr> (removes a TACACS+ server assignment, including its server-specific encryption key, if any); tacacs-server key <key-string>...
  • Page 43 Parameters (Name, Default, Range): host <ip-addr> [key <key-string>]: default none. Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key”...
  • Page 44 Parameters (Name, Default, Range): key <key-string>: default none (null); range n/a. Specifies the optional, global "encryption key" that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any "per-server" encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a "per-server"...
  • Page 45 TACACS+ Authentication Configuring TACACS+ on the Switch The "10" server is now the "first-choice" TACACS+ authentication device. Figure 2-5. Example of the Switch After Assigning a Different "First-Choice" Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: HPswitch(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.
  • Page 46: How Authentication Operates

    Figure 2-6. Using a TACACS+ Server for Authentication (figure labels: a terminal accessing the switch via the switch’s console port; terminal "B" remotely accessing the switch via Telnet; HP switches configured for TACACS+ operation; TACACS+ server, second-choice TACACS+ server (optional), third-choice TACACS+ server (optional)).
  • Page 47 TACACS+ Authentication How Authentication Operates Using figure 2-6, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: The switch queries the first-choice TACACS+ server for authentication of the request. •...
  • Page 48: Local Authentication Process

    Local Authentication Process: When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists: "Local" is the authentication option for the access method being used. TACACS+ is the primary authentication mode for the access method being used.
  • Page 49: Using The Encryption Key

    Using the Encryption Key. General Operation: When used, the encryption key (sometimes termed "key", "secret key", or "secret") helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.
  • Page 50: Controlling Web Browser Interface Access When Using TACACS+ Authentication

    For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch: HPswitch(config)# tacacs-server key north40campus...
  • Page 51: Messages Related To TACACS+ Operation

    Messages Related to TACACS+ Operation: The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application.
  • Page 52 Operating Notes: When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not accessible—setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthorized persons.)
  • Page 53: RADIUS Authentication And Accounting

    RADIUS Authentication and Accounting: Contents; Overview (page 3-2); Terminology.
  • Page 54: Overview

    For accounting, this can help you track network resource usage. Authentication. You can use RADIUS to verify user identity for the following types of primary password access to the HP switch: Serial port (Console), Telnet...
  • Page 55: Terminology

    EAP type, such as MD5-Challenge, Generic Token Card, and TLS (Transport Level Security). Host: See RADIUS Server. NAS (Network Access Server): In this case, an HP switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): RADIUS Client: The device that passes user information to designated RADIUS servers.
  • Page 56: Switch Operating Rules For RADIUS

    You can select RADIUS as the primary authentication method for each type of access. (Only one primary and one secondary access method is allowed for each access type.) In the HP switch, EAP RADIUS uses MD5 and TLS to encrypt a response to a challenge from a RADIUS server.
  • Page 57: General RADIUS Setup Procedure

    IP address to the switch. • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. HP recommends that you begin with the default (five seconds).
  • Page 58: Configuring The Switch For RADIUS Authentication

    RADIUS Authentication Commands (with page references): aaa authentication <console | telnet | ssh> <enable | login> radius <local | none>; [no] radius-server host <...
  • Page 59 Note: This step assumes you have already configured the RADIUS server(s) to support the switch. (Refer to the documentation provided with the RADIUS server.) • Server IP address •...
  • Page 60: To Protect

    1. Configure Authentication for the Access Methods You Want RADIUS To Protect. This section describes how to configure the switch for RADIUS authentication through the following access methods: Console: Either direct serial-port connection or modem connection. Telnet: Inbound Telnet must be enabled (the default).
  • Page 61 For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s local passwords): The switch now allows Telnet and...
  • Page 62: Configure The Switch To Access A RADIUS Server

    2. Configure the Switch To Access a RADIUS Server. This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note: If you want to configure RADIUS accounting on the switch, go to page 3-16: “Configuring RADIUS Accounting”...
  • Page 63 For example, suppose you have configured the switch as shown in figure 3-3 and you now need to make the following changes: Change the encryption key for the server at 10.33.18.127 to "source0127". Add a RADIUS server with an IP address of 10.33.18.119 and a server-specific encryption key of "source0119".
  • Page 64: Configure The Switch's Global RADIUS Parameters

    3. Configure the Switch’s Global RADIUS Parameters. You can configure the switch for the following global RADIUS parameters: Number of login attempts: In a given session, specifies how many tries at entering the correct username and password pair are allowed before access is denied and the session terminated.
  • Page 65 radius-server timeout <1 .. 15>: Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure. (Default: 3 seconds; Range: 1 - 15 seconds) radius-server retransmit <...
  • Page 66: Local Authentication Process

    After two attempts failing due to username or password entry errors, the switch will terminate the session. Global RADIUS parameters from figure 3-5. Server-specific encryption key for the RADIUS server that will not use the global encryption key.
  • Page 67: Controlling Web Browser Interface Access When Using RADIUS

    For local authentication, the switch uses the Operator-level and Manager-level username/password set(s) previously configured locally on the switch. (These are the usernames and passwords you can configure using the CLI password command, the web browser interface, or the menu interface—which enables only local password configuration).
  • Page 68: Configuring RADIUS Accounting

    RADIUS Accounting Commands (with page references): [no] radius-server host <ip-address> (3-19) [acct-port <port-number>] (3-19) [key <key-string>] (3-19); [no] aaa accounting <exec | network | system> (3-21) <...
  • Page 69: Operating Rules For RADIUS Accounting

    (For 802.1x information for the switch, refer to “Configuring Port-Based Access Control (802.1x)” on page 5-1.) Exec accounting: Provides records containing the information listed below about login sessions (console, Telnet, and SSH) on the switch: •...
  • Page 70: Steps For Configuring RADIUS Accounting

    If access to a RADIUS server fails during a session, but after the client has been authenticated, the switch continues to assume the server is available to receive accounting data. Thus, if server access fails during a session, it will not receive accounting data transmitted from the switch.
  • Page 71: Configure The Switch To Access A RADIUS Server

    1. Configure the Switch To Access a RADIUS Server. Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 3-10.
  • Page 72: Configure Accounting Types And The Controls For Sending Reports To The RADIUS Server

    Because the radius-server command includes an acct-port element with a non-default 1750, the switch assigns this value to the accounting UDP port number. Because auth-port was not included in the command, the authentication UDP port is set to the default 1812.
  • Page 73 Start-Stop: • Send a start record accounting notice at the beginning of the accounting session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (Network, Exec, or System).
  • Page 74: (Optional) Configure Session Blocking And Interim Updating Options

    3. (Optional) Configure Session Blocking and Interim Updating Options. These optional parameters give you additional control over accounting data. Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server.
  • Page 75: Viewing RADIUS Statistics

    General RADIUS Statistics. Syntax: show radius [host <ip-addr>]. Shows general RADIUS configuration, including the server IP addresses. The optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which...
  • Page 76 Term / Definition: Round Trip Time: The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server. PendingRequests: The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
  • Page 77: RADIUS Authentication Statistics

    RADIUS Authentication Statistics. Syntax: show authentication. Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1x), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session.
  • Page 78: RADIUS Accounting Statistics

    RADIUS Accounting Statistics. Syntax: show accounting. Lists configured accounting interval, "Empty User" suppression status, accounting types, methods, and modes. show radius accounting: Lists accounting statistics for the RADIUS server(s) configured in the switch (using the radius-server host command).
  • Page 79: Changing RADIUS-Server Access Order

    Figure 3-16. Example Listing of Active RADIUS Accounting Sessions on the Switch. Changing RADIUS-Server Access Order: The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.
  • Page 80 To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: Delete 10.10.10.003 from the list.
  • Page 81: Messages Related To RADIUS Operation

    Messages Related to RADIUS Operation (Message / Meaning): Can’t reach RADIUS server <x.x.x.x>: A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch.
  • Page 83: Configuring Secure Shell (SSH)

    Configuring Secure Shell (SSH): Contents; Overview (page 4-2); Terminology.
  • Page 84: Overview

    Feature summary (Feature: Default; page): Generating a public/private key pair on the switch: page 4-10. Using the switch’s public key: page 4-12. Enabling SSH: Disabled; page 4-15. Enabling client public-key authentication: Disabled; pages 4-18, 4-21. Enabling user authentication: Disabled; page 4-18. The Switch 2650 and 6108 use Secure Shell version 1 (SSHv1) to provide...
  • Page 85 Note: SSH in the HP Procurve Switch 2650 and 6108 is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com. Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication shown in figure 4-1.
  • Page 86: Terminology

    Terminology. SSH Server: An HP switch with SSH enabled. Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key (that can be read by anyone) and a private key that is held internally in the switch or by a client.
  • Page 87: Prerequisite For Using SSH

    Prerequisite for Using SSH: Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 4-2), then the client program must have the capability to generate public and private key pairs.
  • Page 88: Steps For Configuring And Using SSH For Switch And Client

    Steps for Configuring and Using SSH for Switch and Client Authentication: For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 4-5.
  • Page 89 B. Switch Preparation: Assign a login (Operator) and enable (Manager) password on the switch (page 4-9). Generate a public/private key pair on the switch (page 4-10). You need to do this only once.
  • Page 90: General Operating Rules And Notes

    General Operating Rules and Notes: Any SSH client application you use must offer backwards-compatibility to SSHv1 keys and operation. Public keys generated on an SSH client computer must be in ASCII format (used in SSHv1) if you want to be able to authenticate a client to the switch.
  • Page 91: Configuring The Switch For SSH Operation

    1. Assigning Local Operator and Manager Passwords: At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
  • Page 92: Generating The Switch's Public And Private Key Pair

    Figure 4-6. Example of Configuring Local Passwords. 2. Generating the Switch’s Public and Private Key Pair: You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair, to negotiate an encryption method and session with an SSH client trying to connect to the switch.
  • Page 93 Notes: When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles.
  • Page 94: Providing The Switch's Public Key To Clients

    For example, to generate and display a new key: (Figure 4-7. Example of Generating a Public/Private Host Key Pair for the Switch; figure label: Host Public Key for the Switch.) Notes: "Zeroizing"...
  • Page 95 The public key generated by the switch consists of three parts, separated by one blank space each (in SSHv1 public-key format these are the key length in bits, the public exponent, and the modulus): 896 35 4271994707660774263666250605799242148515279332487520218551264932934075407047828604329304580321402733049991670046707698543529734853020017677705535554455688099223158023805605624544422438995550031020033619136104697860200924362326493742940606277775066017471465633375254464 01. Figure 4-8. Example of a Public Key Generated by the Switch. (The generated public key on the switch is always 896 bits.) With a direct serial connection from a management station to the switch: Use a terminal application such as HyperTerminal to display the switch’s...
  • Page 96 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For more on this topic, refer to the documentation provided with your SSH client application. Displaying the Public Key. The switch provides three options for displaying its public key. This is helpful if you need to visually verify that the public key the switch is using for authenticating itself to a client matches the copy of this key in the client’s "known hosts"...
  • Page 97: Enabling Ssh On The Switch And Anticipating Ssh Client Contact Behavior

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior The ip ssh command enables or disables SSH on the switch and modifies parameters the switch uses for transactions with clients. After you enable SSH, the switch can authenticate itself to SSH clients.
  • Page 98 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When an SSH client connects to the switch for the first time, it is possible for a "man-in-the-middle" attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords controlling access to the switch.
  • Page 99 The switch’s public (host) key is a separate, accessible key that is always 896 bits. HP recommends using the default IP port number (22). However, you can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes.
  • Page 100: Configuring The Switch For Ssh Authentication

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 5. Configuring the Switch for SSH Authentication Note that all methods in this section result in authentication of the switch’s public key by an SSH client. However, only Option B, below, results in the switch also authenticating the client’s public key.
  • Page 101 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Copy the public-key file into a TFTP server accessible to the switch and download the file to the switch. (For more on these topics, refer to “More Information on SSH Client Public-Key Authentication”...
  • Page 102 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure callouts: Configures the Manager username and password. Configures the switch to allow SSH access only to a client whose public key matches one of the keys in the public key file. Configures the primary and secondary password methods for... Copies a public key file named "Client-Keys.pub"...
  • Page 103: Use An Ssh Client To Access The Switch

    Configuring Secure Shell (SSH) More Information on SSH Client Public-Key Authentication 6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems"...
  • Page 104: Authentication

    Configuring Secure Shell (SSH) More Information on SSH Client Public-Key Authentication The client sends its public key to the switch with a request for authentication. The switch compares the client’s public key to those stored in the switch’s client-public-key file. (As a prerequisite, you must use the switch’s copy tftp command to download this file to flash.) If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies...
  • Page 105 Configuring Secure Shell (SSH) More Information on SSH Client Public-Key Authentication To Create a Client-Public-Key Text File. These steps describe how to copy client-public-keys into the switch for RSA challenge-response authentication, and require an understanding of how to use your SSH client application.
  • Page 106 Configuring Secure Shell (SSH) More Information on SSH Client Public-Key Authentication Copy the client’s public key (in ASCII, non-encoded format) into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft® Windows® software.) If you want several clients to use client public-key authentication, copy a public key for each of these clients (up to ten) into the file.
  • Page 107 Configuring Secure Shell (SSH) More Information on SSH Client Public-Key Authentication For example, if you wanted to copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents: Figure 4-16. Example of Copying and Displaying a Client Public-Key File Containing Two Client Public Keys Replacing or Clearing the Public Key File.
  • Page 108: Messages Related To Ssh Operation

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Syntax: aaa authentication ssh login rsa none Allows SSH client access only if the switch detects a match between the client’s public key and an entry in the client-public-key file most recently copied into the switch.
  • Page 109 Configuring Secure Shell (SSH) Messages Related to SSH Operation Message: 00000K Transport error. Meaning: Indicates the switch experienced a problem when trying to copy tftp the requested file. The file may not be in the expected directory, the filename may be misspelled in the command, or the file permissions may be wrong.
  • Page 111: Configuring Port-Based Access Control (802.1X)

    Configuring Port-Based Access Control (802.1x) Contents Overview ........... . . 5-2 How 802.1x Operates .
  • Page 112: Overview

    Configuring Port-Based Access Control (802.1x) Overview Overview Feature (Default, page): Configuring Switch Ports as 802.1x Authenticators (Disabled, page 5-10); Configuring Switch Ports to Operate as 802.1x Supplicants (Disabled, page 5-17); Displaying 802.1x Configuration, Statistics, and Counters (page 5-21); How 802.1x Affects VLAN Operation (page 5-24); RADIUS Authentication and Accounting: Refer to “RADIUS Authentication and Accounting”...
  • Page 113 Configuring Port-Based Access Control (802.1x) Overview Temporary on-demand change of a port’s VLAN membership status to support a current client’s session. (This does not include ports that are members of a trunk.) Session accounting with a RADIUS server, including the accounting update interval.
  • Page 114: How 802.1X Operates

    Configuring Port-Based Access Control (802.1x) How 802.1x Operates How 802.1x Operates Authenticator Operation This operation provides security on a direct link between a single client and the switch, where both devices are 802.1x-aware. For example, suppose that you have configured a port on the switch for 802.1x authentication operation. If you then connect an 802.1x-aware client (supplicant) to the port and attempt to log on: When the switch detects the client on the port, it blocks access to the LAN...
  • Page 115: Switch-Port Supplicant Operation

    Configuring Port-Based Access Control (802.1x) How 802.1x Operates Switch-Port Supplicant Operation This operation provides security on links between 802.1x-aware switches. For example, suppose that you want to connect two switches, where: Switch "A" has port A1 configured for 802.1x supplicant operation You want to connect port A1 on switch "A"...
  • Page 116: Terminology

    Authenticator: In HP Procurve switch applications, a device such as a Switch 2650 or 6108 that requires a supplicant to provide the proper credentials (username and password) before being allowed access to the network.
  • Page 117: General Operating Rules And Notes

    Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes General Operating Rules and Notes When a port on the switch is configured as either an authenticator or supplicant and is connected to another device, rebooting the switch causes a re-authentication of the link. When a port on the switch is configured as an authenticator, it will block access to a client that either does not provide the proper authentication credentials or is not 802.1x-aware.
  • Page 118: Setup Procedure For Port-Based Access Control (802.1X)

    Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1x configuration, HP recommends that you use a local username and password pair at least until your other security measures are in place.)
  • Page 119: Overview: Configuring 802.1X Authentication On The Switch

    Configuring Port-Based Access Control (802.1x) Setup Procedure for Port-Based Access Control (802.1x) Overview: Configuring 802.1x Authentication on the Switch This section outlines the steps for configuring 802.1x on the switch. For detailed information on each step, refer to “Configuring the Switch for RADIUS Authentication”...
  • Page 120: Configuring Switch Ports As 802.1X Authenticators

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators If you are using Port Security on the switch, configure the switch to allow only 802.1x access on ports configured for 802.1x operation, and (if desired) the action to take if an unauthorized device attempts access through an 802.1x port.
  • Page 121: Enable 802.1X Authentication On Selected Ports

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 2. Enable 802.1x Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1x authenticators for point-to-point links to 802.1x-aware clients or switches. (Actual 802.1x operation does not commence until you perform step 5 on page 5-16 to activate 802.1x authentication on the switch.) Syntax: aaa port-access authenticator <...
  • Page 122 Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [quiet-period < 0 .. 65535 > ] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).
  • Page 123: Configure The 802.1X Authentication Method

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [ reauth-period < 1 - 9999999 > ] Sets the period of time after which connected clients must be re-authenticated. When the timeout is set to 0, reauthentication is disabled (Default: 0 second). [ initialize ] On the specified ports, blocks inbound and outbound...
  • Page 124: Enter The Radius Host Ip Address(Es)

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators For example, to enable the switch to perform 802.1x authentication using one or more EAP-capable RADIUS servers: Configuration command for EAP-RADIUS authentication. 802.1x (Port-Access) configured for EAP- RADIUS authentication. Figure 5-3.
  • Page 125: Optional: For Authenticator Ports, Configure Port-Security To Allow Only 802.1X Devices

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 5. Optional: For Authenticator Ports, Configure Port-Security To Allow Only 802.1x Devices If you are using port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.1x-aware device detected on the port.
  • Page 126: Enable 802.1X Authentication On The Switch

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Note on Blocking a Non-802.1x Device: If the port’s 802.1x authenticator control mode is configured to authorized (as shown below, instead of auto), then the first source MAC address from any 802...
  • Page 127: Configuring Switch Ports To Operate As Supplicants For 802.1X Connections To Other Switches

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 802.1x Authentication Commands: page 5-10. 802.1x Supplicant Commands: [no] aaa port-access supplicant [ethernet] < port-list > (page 5-18); [ auth-timeout | held-period | start-period | max-start | initialize | ... (page 5-19)...
  • Page 128 Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches When port A1 on switch "A" is first connected to a port on switch "B", or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch "B".
  • Page 129 Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring a Supplicant Switch Port. Note that you must enable supplicant operation on a port before you can change the supplicant configuration. This means you must execute the supplicant command once without any other parameters, then execute it again with a supplicant parameter you want to configure.
  • Page 130 Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches aaa port-access supplicant [ ethernet ] < port-list > (Syntax Continued) [ auth-timeout < 1 - 300 > ] Sets the period of time the port waits to receive a challenge from the authenticator.
  • Page 131: Displaying 802.1X Configuration, Statistics, And Counters

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Displaying 802.1x Configuration, Statistics, and Counters 802.1x Authentication Commands: page 5-10. 802.1x Supplicant Commands: page 5-17. 802.1x-Related Show Commands: show port-access authenticator (below); show port-access supplicant (page 5-23). RADIUS server configuration: page 5-14. Show Commands for Port-Access Authenticator Syntax: show port-access authenticator...
  • Page 132 Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) [ e ] < port-list > statistics Shows whether port-access authenticator is active and the statistics of the specified port. Includes the supplicant’s MAC address, as determined by the content of the last EAPOL frame received on the port.
  • Page 133: Show Commands For Port-Access Supplicant

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant Shows the port-access supplicant configuration (excluding the secret parameter) for the ports configured on the switch as supplicants. The Supplicant State can include the following: Connecting - Starting authentication.
  • Page 134: How 802.1X Authentication Affects Vlan Operation

    Configuring Port-Based Access Control (802.1x) How 802.1x Authentication Affects VLAN Operation Note on Supplicant Statistics. show port-access supplicant statistics [e] < port-list > For each port configured as a supplicant, displays the source MAC address and statistics for transactions with the authenticator device most recently detected on the port.
  • Page 135 Configuring Port-Based Access Control (802.1x) How 802.1x Authentication Affects VLAN Operation an untagged member of another VLAN, port "N" loses access to that other VLAN for the duration of the session. (This is because a port can be an untagged member of only one VLAN at a time.) For example, suppose that a RADIUS-authenticated, 802.1x-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2:...
  • Page 136 Configuring Port-Based Access Control (802.1x) How 802.1x Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1x session. This is to accommodate an 802.1x client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22.
  • Page 137 Configuring Port-Based Access Control (802.1x) How 802.1x Authentication Affects VLAN Operation When the 802.1x client’s session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS-authenticated 802.1x session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored.
  • Page 138: Messages Related To 802.1X Operation

    Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation Messages Related to 802.1x Operation Table 5-1. 802.1x Operating Messages Message: Port < port-list > is not an authenticator. Meaning: The ports in the port list have not been enabled as 802.1x...
  • Page 139: Configuring And Monitoring Port Security

    Configuring and Monitoring Port Security Contents Overview ........... . . 6-2 Basic Operation .
  • Page 140: Overview

    Configuring and Monitoring Port Security Overview Overview Feature (Default; Menu / CLI / Web pages): Displaying Current Port Security (n/a; — / page 6-9 / page 6-15); Configuring Port Security (disabled; — / page 6-10 / page 6-15); Intrusion Alerts and Alert Flags (page 6-21 / page 6-19 / page 6-22). Using Port Security, you can configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port.
  • Page 141: Blocking Unauthorized Traffic

    Alert flags that are captured by network management tools such as HP TopTools for Hubs & Switches Alert Log entries in the switch’s web browser interface Event Log entries in the console interface...
  • Page 142: Trunk Group Exclusion

    Configuring and Monitoring Port Security Basic Operation [Figure: Physical Topology and Logical Topology for Access to Switch A. Switch A has Port Security configured; PC 1’s MAC address is authorized by Switch A; Switch B and PC 2...]
  • Page 143: Planning Port Security

    Configuring and Monitoring Port Security Planning Port Security Planning Port Security Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port (up to 8 per port)? c. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmit-...
  • Page 144: Port Security Command Options And Operation

    Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Command Options and Operation Port Security Commands Used in This Section: show port-security; port-security (page 6-10) < [ethernet] port-list > (6-10) [learn-mode] (6-10) [address-limit] (6-10) [mac-address] (6-10) [action] (6-10) [clear-intrusion-flag] (6-10)...
  • Page 145 Configuring and Monitoring Port Security Port Security Command Options and Operation Table 6-2. Port Security Parameters Parameter: Port List <[ethernet] port-list>. Description: Identifies the port or ports on which to apply a port security command. Parameter: Learn Mode learn-mode < static | continuous | port-access >. Description: Specifies how the port acquires authorized addresses: Continuous (Default): Appears in the factory-default setting or when you execute no port-security.
  • Page 146: Retention Of Static Addresses

    Configuring and Monitoring Port Security Port Security Command Options and Operation Parameter: Action action <none | send-alarm | send-disable>. Description: Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port.
  • Page 147: Displaying Current Port Security Settings

    Configuring and Monitoring Port Security Port Security Command Options and Operation Assigned/Authorized Addresses: If you manually assign a MAC address (using port-security <port-number> address-list <mac-addr>) and then execute write memory, the assigned MAC address remains in memory until you do one of the following: Delete it by using no port-security <...
  • Page 148: Configuring Port Security

    Configuring and Monitoring Port Security Port Security Command Options and Operation With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the specified ports on a switch. The following example lists the full port security configuration for a single port: Figure 6-4.
  • Page 149 Configuring and Monitoring Port Security Port Security Command Options and Operation For information on the individual control parameters, see the Port Security Parameter table on page 6-7. Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port.
  • Page 150 Configuring and Monitoring Port Security Port Security Command Options and Operation Although the Address Limit is set to 2, only one device has been authorized for this port. In this case you can add another without having to also increase the Address Limit.
  • Page 151 Configuring and Monitoring Port Security Port Security Command Options and Operation If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port’s current Address Limit setting), then you must increase the Address Limit in order to add the device, even if you want to replace one device with another.
  • Page 152 Configuring and Monitoring Port Security Port Security Command Options and Operation Note You can reduce the address limit below the number of currently authorized addresses on a port. This enables you to subsequently remove a device from the “Authorized”...
  • Page 153: Web: Displaying And Configuring Port Security Features

    Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features Click on the Security tab. Click on [button]. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field.
  • Page 154: How The Intrusion Log Operates

    The Intrusion Log in the Security | Intrusion Log window lists per-port security violation entries. In HP TopTools for Hubs & Switches, via an SNMP trap sent to a network management station. How the Intrusion Log Operates When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log.
  • Page 155: Keeping The Intrusion Log Current By Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.
  • Page 156 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The Intrusion Alert column shows “Yes” for any port on which a security violation has been detected. Figure 6-11. Example of Port Status Screen with Intrusion Alert on Port A3 Type [key] to display the Intrusion Log.
  • Page 157: Cli: Checking For Intrusions, Listing Intrusion Alerts, And Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags (The intrusion log holds up to 20 intrusion records and deletes an intrusion record only when the log becomes full and a new intrusion is subsequently detected.) Note also that the “prior to” text in the record for the earliest intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.
  • Page 158 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Intrusion Alert on port A1. Figure 6-13. Example of an Unacknowledged Intrusion Alert in a Port Status Display If you wanted to see the details of the intrusion, you would then enter the show port-security intrusion-log command.
  • Page 159: Using The Event Log To Find Intrusion Alerts

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Intrusion Alert on port A1 is now cleared. Figure 6-15. Example of Port Status Screen After Alert Flags Reset For more on clearing intrusions, see “Note on Send-Disable Operation” on page 6-17. Using the Event Log To Find Intrusion Alerts The Event Log lists port security intrusions as:...
  • Page 160: Web: Checking For Intrusions, Listing Intrusion Alerts, And Resetting Alert Flags

    Operating Notes for Port Security Identifying the IP Address of an Intruder. The Intrusion Log lists detected intruders by MAC address. If you are using HP TopTools for Hubs & Switches to manage your network, you can use the TopTools inventory reports to link MAC addresses to their corresponding IP addresses.
  • Page 161 Configuring and Monitoring Port Security Operating Notes for Port Security Without both of the above configured, the switch detects only the proxy server’s MAC address, and not your PC or workstation MAC address, and interprets your connection as unauthorized. “Prior To” Entries in the Intrusion Log. If you reset the switch (using the Reset button, Device Reset, or Reboot Switch), the Intrusion Log will list the time of all currently logged intrusions as “prior to”...
  • Page 163: Using Authorized Ip Managers

    Using Authorized IP Managers Contents Overview ........... . . 7-2 Options .
  • Page 164: Overview

    Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature (Default; Menu / CLI / Web pages): Listing (Showing) Authorized Managers (page 7-5 / page 7-6 / page 7-8); Configuring Authorized IP Managers (None; page 7-5 / page 7-6 / page 7-8); Building IP Masks (page 7-9 / page 7-9 / page 7-9); Operating and Troubleshooting (page 7-12)...
  • Page 165: Options

    Using Authorized IP Managers Options Options You can configure: Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations; Manager or Operator access privileges. Caution Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port.
  • Page 166: Defining Authorized Management Stations

    Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authorized Manager IP column, and leave the IP Mask set to 255.255.255.255.
  • Page 167: Menu: Viewing And Configuring Ip Authorized Managers

    Using Authorized IP Managers Defining Authorized Management Stations ...rized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 7-9. Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch.
  • Page 168: Cli: Viewing And Configuring Authorized Ip Managers

    Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See “Building IP Masks” on page 7-9.
  • Page 169: Configuring Ip Authorized Managers For The Switch

    Using Authorized IP Managers Defining Authorized Management Stations The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below (IP Mask / Authorized Station IP Address / Access Mode): 255.255.255.252 / 10.28.227.100 through 103 / Manager; 255.255.255.254 / 10.28.227.104 through 105 / Manager...
  • Page 170: Web: Configuring Ip Authorized Managers

    Using Authorized IP Managers Web: Configuring IP Authorized Managers The result of entering the preceding example is: • Authorized Station IP Address: 10.28.227.105 • IP Mask: 255.255.255.255, which authorizes only the specified station (10.28.227.105 in this case). (See “Configuring Multiple Stations Per Authorized Manager IP Entry”...
  • Page 171: Building Ip Masks

    Using Authorized IP Managers Building IP Masks For web-based help on how to use the web browser interface screen, click on the [button] provided on the web browser screen. Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network.
  • Page 172: Configuring Multiple Stations Per Authorized Manager Ip Entry

    Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access.
  • Page 173 Using Authorized IP Managers Building IP Masks [Figure 7-5. Analysis of IP Mask for Multiple-Station Entries: Manager-Level or Operator-Level Device Access; the four octets of the IP Mask] The “255” in the first three octets of the mask specify that only the exact value in the octet of the corresponding IP address is allowed.
  • Page 174: Additional Examples For Authorizing Multiple Stations

    Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Manager List (IP Mask / Authorized Manager IP) and Results: IP Mask 255 255 0 [...] / Authorized Manager IP [...] 248 1: This combination specifies an authorized IP address of 10.33.xxx.1. It could be applied, for example, to a subnetted network where each subnet is defined by the third octet and includes a management station defined by the value of “1”...
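The mask arithmetic these pages describe, as an added Python model (not HP code and not the switch's implementation): an entry's mask bits set to 1 must match between the Authorized Manager IP and a station's address, and 0 bits are wildcards, so partial masks authorize a block of stations. The list reproduces the example table in this chapter; the 10.33.248.1 / 255.255.0.255 entry, its access level and the per-entry access levels where the pages do not state them are constructed assumptions, and the behaviour when no entries are configured at all is not modelled.

```python
"""Authorized IP Managers mask check (added example, not HP's code).

An entry is an Authorized Manager IP plus an IP Mask.  Where a mask bit is
1 the station's address must agree with the entry's address in that bit;
where it is 0 the bit is a wildcard.  The default mask 255.255.255.255
authorizes exactly one station.  The switch applies the mask to the entry's
own address too, so 10.28.227.101/255.255.255.252 means the same block as
10.28.227.100/255.255.255.252.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_ENTRIES = 10  # the switch accepts up to 10 authorized manager addresses


@dataclass(frozen=True)
class AuthorizedManager:
    ip: str                           # Authorized Manager IP column
    mask: str = "255.255.255.255"     # IP Mask column (default: one station)
    access: str = "Manager"           # "Manager" or "Operator"


def _to_int(dotted: str) -> int:
    """Parse a dotted-quad address or mask into a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def entry_matches(entry: AuthorizedManager, station_ip: str) -> bool:
    """True when station_ip agrees with entry.ip in every bit the mask sets."""
    mask = _to_int(entry.mask)
    return (_to_int(entry.ip) & mask) == (_to_int(station_ip) & mask)


def authorized_count(entry: AuthorizedManager) -> int:
    """Number of distinct stations the entry authorizes: 2 ** (zero mask bits)."""
    zero_bits = (~_to_int(entry.mask)) & 0xFFFFFFFF
    return 1 << bin(zero_bits).count("1")


def authorized_stations(entry: AuthorizedManager, limit: int = 1024) -> List[str]:
    """Expand an entry into the concrete addresses it authorizes, ascending.

    Refuses to expand an entry that authorizes more than `limit` stations, so
    an over-broad mask (e.g. 0.0.0.0) is reported rather than enumerated."""
    count = authorized_count(entry)
    if count > limit:
        raise ValueError(f"entry authorizes {count} stations, more than {limit}")
    mask = _to_int(entry.mask)
    base = _to_int(entry.ip) & mask
    wildcard_bits = [b for b in range(32) if not (mask >> b) & 1]
    stations = []
    for n in range(count):
        addr = base
        for i, bit in enumerate(wildcard_bits):   # spread n over the wildcard bits
            if (n >> i) & 1:
                addr |= 1 << bit
        stations.append(str(ipaddress.IPv4Address(addr)))
    return sorted(stations, key=_to_int)


def access_level(entries: List[AuthorizedManager], station_ip: str) -> Optional[str]:
    """Access granted to a station: the level of the first matching entry, or
    None when no entry matches (the station gets no IP-based management access).
    Remember that this list never governs the serial console or a modem."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} authorized manager entries")
    for entry in entries:
        if entry_matches(entry, station_ip):
            return entry.access
    return None


# Constructed list reproducing the example table in this chapter, plus one
# assumed entry matching the "10.33.xxx.1" result described above.
EXAMPLE_LIST = [
    AuthorizedManager("10.28.227.100", "255.255.255.252", "Manager"),  # .100 - .103
    AuthorizedManager("10.28.227.104", "255.255.255.254", "Manager"),  # .104 - .105
    AuthorizedManager("10.33.248.1", "255.255.0.255", "Operator"),     # 10.33.x.1 (assumed)
]

if __name__ == "__main__":
    for entry in EXAMPLE_LIST:
        print(entry.ip, entry.mask, "->", authorized_count(entry), "station(s)")
    for station in ("10.28.227.102", "10.28.227.106", "10.33.7.1"):
        print(station, "->", access_level(EXAMPLE_LIST, station))
```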
  • Page 175 Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions”...
  • Page 177: Index

    Index Numerics authorized IP managers … 7-5 3DES … 4-3 802.1x See port-based access control. … 5-1 DES … 4-3 duplicate IP address effect on authorized IP managers … 7-12 aaa authentication … 2-9 access levels, authorized IP managers … 7-3 accounting event log See RADIUS.
  • Page 178 configuring method … 5-13 counters … 5-21 OpenSSH … 4-3 EAP … 5-2 operating notes EAPOL … 5-6 authorized IP managers … 7-12 eap-radius … 5-13 port security … 6-22 enabling on ports … 5-11 operator password … 1-2, 1-4 enabling on switch …...
  • Page 179 RADIUS security accounting … 3-2, 3-16 authorized IP managers … 7-1 accounting, configuration outline … 3-18 per port … 6-2 accounting, configure server access … 3-19 security violations accounting, configure types on switch … 3-20 notices of … 6-15 accounting, exec … 3-17, 3-20 security, password accounting, interim updating …...
  • Page 180 reserved IP port numbers … 4-17 timeout … 2-15 security … 4-12, 4-17 troubleshooting … 2-6 SSHv1 … 4-2, 4-3 unauthorized access, preventing … 2-8 SSHv1 compatibility … 4-12 web access, controlling … 2-24 SSHv2 … 4-2 web access, no effect on … 2-6 steps for configuring …...
  • Page 184 Technical information in this document is subject to change without notice. ©Copyright Hewlett-Packard Company 2002. All rights reserved. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws. October 2002 Manual Part Number 5990-3063 *5990-3063*...

This manual is also suitable for:

Procurve 6108