HP ProCurve 2910al Access Security Manual
HP ProCurve 2910al Access Security Manual

HP ProCurve 2910al Access Security Manual

Hide thumbs Also See for ProCurve 2910al:
Table of Contents

Advertisement

Access Security Guide
2910al
ProCurve Switches
W.14.03
www.procurve.com

Advertisement

Table of Contents
loading

Summary of Contents for HP ProCurve 2910al

  • Page 1 Access Security Guide 2910al ProCurve Switches W.14.03 www.procurve.com...
  • Page 3 HP ProCurve 2910al Switch February 2009 W.14.03 Access Security Guide...
  • Page 4 This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. For more The only warranties for HP products and services are set information on OpenSSL, visit forth in the express warranty statements accompanying www.openssl.org.
  • Page 5: Table Of Contents

    Contents Product Documentation About Your Switch Manual Set ......xix Printed Publications......... . xix Electronic Publications .
  • Page 6 2 Configuring Username and Password Security Contents ............2-1 Overview .
  • Page 7 Disabling or Re-Enabling the Password Recovery Process ..2-32 Password Recovery Process ....... . . 2-34 3 Web and MAC Authentication Contents .
  • Page 8 4 TACACS+ Authentication Contents ............4-1 Overview .
  • Page 9 RADIUS-Administered CoS and Rate-Limiting ....5-4 SNMP Access to the Switch’s Authentication Configuration MIB . . . 5-4 Terminology ..........5-5 Switch Operating Rules for RADIUS .
  • Page 10 General RADIUS Statistics ........5-43 RADIUS Authentication Statistics ......5-45 RADIUS Accounting Statistics .
  • Page 11 Configuring the Switch To Support RADIUS-Assigned ACLs ........... . . 6-24 Displaying the Current RADIUS-Assigned ACL Activity on the Switch .
  • Page 12 8 Configuring Secure Socket Layer (SSL) Contents ............8-1 Overview .
  • Page 13 ACL Applications ......... . . 9-14 Static Port ACL and Dynamic Port ACL Applications .
  • Page 14 Configuring Standard ACLs ........9-44 Configuring Named, Standard ACLs ..... . . 9-46 Creating Numbered, Standard ACLs .
  • Page 15 10 Configuring Advanced Threat Protection Contents ........... . . 10-1 Introduction .
  • Page 16 Traffic/Security Filters and Monitors Contents ........... . . 11-1 Overview .
  • Page 17 802.1X Port-Based Access Control ......12-5 Alternative To Using a RADIUS Server ..... 12-6 Accounting .
  • Page 18 802.1X Open VLAN Operating Notes ......12-46 Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices ....12-47 Port-Security .
  • Page 19 MAC Lockdown ..........13-22 Differences Between MAC Lockdown and Port Security .
  • Page 20 Using a Web Proxy Server to Access the Web Browser Interface ..........14-9 Web-Based Help .
  • Page 21: Product Documentation

    Note at the top of this page. ■ Read Me First—Provides software update information, product notes, and other information. HP ProCurve Switch Quick Setup—Provides quick start installation ■ instructions. See the Installation and Getting Started Guide for more detailed information.
  • Page 22: Software Feature Index

    Software Feature Index For the software manual set supporting your 2910al switch model, this feature index indicates which manual to consult for information on a given software feature. N o t e This Index does not cover IPv6 capable software features. For information on IPv6 protocol operations and features (such as DHCPv6, DNS for IPv6, Ping6, and MLD Snooping), refer to the IPv6 Configuration Guide.
  • Page 23 Intelligent Edge Software Manual Features Management Advanced Multicast and Access Traffic Routing Security Configuration Management Guide DHCP/Bootp Operation Diagnostic Tools Downloading Software Dynamic ARP Protection Dynamic Configuration Arbiter Eavesdrop Protection Event Log Factory Default Settings Flow Control (802.3x) File Management File Transfers Friendly Port Names Guaranteed Minimum Bandwidth (GMB)
  • Page 24 Intelligent Edge Software Manual Features Management Advanced Multicast and Access Traffic Routing Security Configuration Management Guide MAC Lockdown MAC Lockout MAC-based Authentication Management VLAN Monitoring and Analysis Multicast Filtering Multiple Configuration Files Network Management Applications (SNMP) OpenView Device Management Passwords and Password Clear Protection ProCurve Manager (PCM) Ping Port Configuration...
  • Page 25 Intelligent Edge Software Manual Features Management Advanced Multicast and Access Traffic Routing Security Configuration Management Guide RMON 1,2,3,9 Routing Routing - IP Static Secure Copy sFlow SFTP SNMPv3 Software Downloads (SCP/SFTP, TFPT, Xmodem) Source-Port Filters Spanning Tree (STP, RSTP, MSTP) SSHv2 (Secure Shell) Encryption SSL (Secure Socket Layer) Stack Management (3500yl/6200yl switches only)
  • Page 26 Intelligent Edge Software Manual Features Management Advanced Multicast and Access Traffic Routing Security Configuration Management Guide Voice VLAN Web Authentication RADIUS Support Web-based Authentication Web UI Xmodem xxiv...
  • Page 27: Security Overview

    Security Overview Contents Security Overview Contents Introduction ..........1-2 About This Guide .
  • Page 28: Introduction

    “Software Feature Index” on page xx of this guide. For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features and other software topics, visit the HP ProCurve Networking web site at www.procurve.com/manuals.
  • Page 29: Access Security Features

    Security Overview Access Security Features Access Security Features This section provides an overview of the switch’s access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter and page references are to this Access Security Guide unless a different manual name is indicated).
  • Page 30 Security Overview Access Security Features Feature Default Security Guidelines More Information and Setting Configuration Details Telnet and enabled The default remote management protocols enabled on “Quick Start: Using the Web-browser the switch are plain text protocols, which transfer Management Interface access passwords in open or plain text that is easily captured.
  • Page 31 Security Overview Access Security Features Feature Default Security Guidelines More Information and Setting Configuration Details disabled Secure Socket Layer (SSL) and Transport Layer Security “Quick Start: Using the (TLS) provide remote Web browser access to the switch Management Interface via authenticated transactions and encrypted paths Wizard”...
  • Page 32 Security Overview Access Security Features Feature Default Security Guidelines More Information and Setting Configuration Details RADIUS disabled For each authorized client, RADIUS can be used to Chapter 6, “RADIUS Authentication authenticate operator or manager access privileges on Authentication and the switch via the serial port (CLI and Menu interface), Accounting” Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods.
  • Page 33: Network Security Features

    Security Overview Network Security Features Network Security Features This section outlines features and defence mechanisms for protecting access through the switch to the network. For more detailed information, see the indicated chapters. Table 1-2. Network Security—Default Settings and Security Guidelines Feature Default Security Guidelines...
  • Page 34 Security Overview Network Security Features Feature Default Security Guidelines More Information and Setting Configuration Details Access Control none ACLs can filter traffic to or from a host, a group of hosts, Chapter 10, “IPv4 Access Lists (ACLs) or entire subnets. Layer 3 IP filtering with Access Control Control Lists (ACLs)” Lists (ACLs) enables you to improve network performance and restrict network use by creating policies for:...
  • Page 35 Security Overview Network Security Features Feature Default Security Guidelines More Information and Setting Configuration Details none KMS is available in several ProCurve switch models and Chapter 16, “Key Management is designed to configure and maintain key chains for use Management System” System (KMS) with KMS-capable routing protocols that use time- dependent or time-independent keys.
  • Page 36: Getting Started With Access Security

    Security Overview Getting Started with Access Security Getting Started with Access Security ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operation, therefore, ProCurve strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible...
  • Page 37: Quick Start: Using The Management Interface Wizard

    Security Overview Getting Started with Access Security Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following: Disable or re-enable the password-clearing function of the Clear button. ■...
  • Page 38: Cli: Management Interface Wizard

    Security Overview Getting Started with Access Security CLI: Management Interface Wizard To configure security settings using the CLI wizard, follow the steps below: At the command prompt, type setup mgmt-interfaces. The welcome banner appears and the first setup option is displayed (Operator password).
  • Page 39: Web: Management Interface Wizard

    Security Overview Getting Started with Access Security 2. When you enter the wizard, you have the following options: • To update a setting, type in a new value, or press [Enter] to keep the current value. • To quit the wizard without saving any changes, press [CTRL-C] at any time.
  • Page 40 Security Overview Getting Started with Access Security The Welcome window appears. Figure 1-2. Management Interface Wizard: Welcome Window This page allows you to choose between two setup types: Typical—provides a multiple page, step-by-step method to configure • security settings, with on-screen instructions for each option. •...
  • Page 41 Security Overview Getting Started with Access Security 4. The summary setup screen displays the current configuration settings for all setup options (see Figure 1-3). Figure 1-3. Management Interface Wizard: Summary Setup From this screen, you have the following options: • To change any setting that is shown, type in a new value or make a different selection.
  • Page 42: Snmp Security Guidelines

    SNMP Access to the Authentication Configuration MIB. A management station running an SNMP networked device management application, such as ProCurve Manager Plus (PCM+) or HP OpenView, can access the switch’s management information base (MIB) for read access to the switch’s status and read/write access to the switch’s authentication configuration (hpSwitchAuth).
  • Page 43 Security Overview Getting Started with Access Security If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions: ■ If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is not desirable for your network, use the following command to disable this feature: snmp-server mib hpswitchauthmib excluded...
  • Page 44: Precedence Of Security Options

    Security Overview Precedence of Security Options Precedence of Security Options This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch. Precedence of Port-Based Security Options Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest.
  • Page 45: Network Immunity Manager

    Security Overview Precedence of Security Options DCA allows client-specific parameters configured in any of the following ways to be applied and removed as needed in a specified hierarchy of precedence. When multiple values for an individual configuration parameter exist, the value applied to a client session is determined in the following order (from highest to lowest priority) in which a value configured with a higher priority overrides a value configured with a lower priority:...
  • Page 46: Arbitrating Client-Specific Attributes

    Precedence is always given to the temporarily applied NIM-configured parameters over RADIUS-assigned and locally configured parameters. For information on Network Immunity Manager, go to the HP ProCurve Networking Web site at www.procurve.com/solutions, click on Security, and then click on Security Products.
  • Page 47 Security Overview Precedence of Security Options Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
  • Page 48: Procurve Identity-Driven Manager (Idm)

    Security Overview ProCurve Identity-Driven Manager (IDM) ProCurve Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.
  • Page 49: Configuring Username And Password Security

    Configuring Username and Password Security Contents Overview ........... . . 2-3 Configuring Local Password Security .
  • Page 50 Configuring Username and Password Security Contents Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel ......2-29 Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear”...
  • Page 51: Overview

    Configuring Username and Password Security Overview Overview Feature Default Menu Set Usernames none — — page 2-9 Set a Password none page 2-6 page 2-8 page 2-9 Delete Password Protection page 2-7 page 2-8 page 2-9 show front-panel-security — page 1-13 —...
  • Page 52 Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
  • Page 53 Configuring Username and Password Security Overview N o t e s The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
  • Page 54: Configuring Local Password Security

    Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a user- name requires either the CLI or the web browser interface. From the Main Menu select: 3.
  • Page 55 Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and pass­ words (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
  • Page 56: Cli: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below. Configuring Manager and Operator Passwords. N o t e The password command has changed. You can now configure manager and operator passwords in one step.
  • Page 57: Web: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security If you want to remove both operator and manager password protection, use the no password all command. Web: Setting Passwords and Usernames In the web browser interface you can enter passwords and (optional) user- names.
  • Page 58: Saving Security Credentials In A

    Configuring Username and Password Security Saving Security Credentials in a Config File Saving Security Credentials in a Config File You can store and view the following security settings in the running-config file associated with the current software image by entering the include- credentials command (formerly this information was stored only in internal flash memory): ■...
  • Page 59: Enabling The Storage And Display Of Security Credentials

    Configuring Username and Password Security Saving Security Credentials in a Config File By storing different security settings in different files, you can test ■ different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot the switch.
  • Page 60: Local Manager And Operator Passwords

    Configuring Username and Password Security Saving Security Credentials in a Config File SNMP security credentials, including SNMPv1 community names and ■ SNMPv3 usernames, authentication, and privacy settings ■ 802.1X port-access passwords and usernames TACACS+ encryption keys ■ RADIUS shared secret (encryption) keys ■...
  • Page 61: Password Command Options

    Configuring Username and Password Security Saving Security Credentials in a Config File Password Command Options The password command has the following options: Syntax: [no] password <manager | operator | port-access| all [user-name <name>] <hash-type> <password>> Set or clear a local username/password for a given access level. manager: configures access to the switch with manager-level privileges.
  • Page 62: Snmp Security Credentials

    Configuring Username and Password Security Saving Security Credentials in a Config File SNMP Security Credentials SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-credentials command. In addition, the following SNMPv3 security parameters are also saved: snmpv3 user “<name>"...
  • Page 63: 802.1X Port-Access Credentials

    Configuring Username and Password Security Saving Security Credentials in a Config File 802.1X Port-Access Credentials 802.1X authenticator (port-access) credentials can be stored in a configuration file. 802.1X authenticator credentials are used by a port to authenticate supplicants requesting a point-to-point connection to the switch. 802.1X supplicant credentials are used by the switch to establish a point-to­...
  • Page 64: Radius Shared-Secret Key Authentication

    Configuring Username and Password Security Saving Security Credentials in a Config File TACACS+ server application. (The encryption key is sometimes referred to as “shared secret” or “secret” key.) For more information, see “TACACS+ Authentication” on page 4-1 in this guide. TACACS+ shared secret (encryption) keys can be saved in a configuration file by entering this command: ProCurve(config)# tacacs-server key <keystring>...
  • Page 65 Configuring Username and Password Security Saving Security Credentials in a Config File The SSH security credential that is stored in the running configuration file is configured with the ip ssh public-key command used to authenticate SSH clients for manager or operator access, along with the hashed content of each SSH client public-key.
  • Page 66 “ssh-rsa \ AAAAB3NzaC1yc2EAAABIwAAAIEA1Kk9sVQ9LJOR6XO/hCMPxbiMNOK8C/ay \ +SQ10qGw+K9m3w3TmCfjh0ud9hivgbFT4F99AgnQkvm2eVsgoTtLRnfF7uw \ NmpzqOqpHjD9YzItUgSK1uPuFwXMCHKUGKa+G46A+EWxDAIypwVIZ697QmM \ qPFj1zdI4sIo5bDett2d0= joe@hp.com” ... Figure 2-5. Example of SSH Public Keys If a switch configuration contains multiple SSH client public keys, each public key is saved as a separate entry in the configuration file. You can configure up to ten SSH client public-keys on a switch.
  • Page 67: Operating Notes

    Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes C a u t i o n When you first enter the include-credentials command to save the ■ additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file.
  • Page 68 Configuring Username and Password Security Saving Security Credentials in a Config File • copy config <source-filename> config <target-filename>: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot.
  • Page 69: Restrictions

    Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command: ■ The private keys of an SSH host cannot be stored in the running configuration.
  • Page 70 Configuring Username and Password Security Saving Security Credentials in a Config File the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command. Note that the password port-access values are configured separately from local operator username and passwords configured with the password operator command and used for management access to the switch.
  • Page 71: Front-Panel Security

    Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together).
  • Page 72: Front-Panel Button Functions

    Configuring Username and Password Security Front-Panel Security As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions The System Support Module (SSM) of the switch includes the System Reset button and the Clear button.
  • Page 73: Reset Button

    Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-8. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.
  • Page 74: Configuring Front-Panel Security

    Configuring Username and Password Security Front-Panel Security Reset Clear Test 4. When the Test LED to the right of the Clear button begins flashing, release the Clear button. Reset Clear Test It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings.
  • Page 75 Configuring Username and Password Security Front-Panel Security • Modify the operation of the Reset+Clear combination (page 2-25) so that the switch still reboots, but does not restore the switch’s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.) •...
  • Page 76 Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to “Password Recovery Process” on page 2-34.) (Default: Enabled.) CAUTION: Disabling this option removes the ability to recover a password on the switch.
  • Page 77: Disabling The Clear Password Function Of The Clear Button On The Switch's Front Panel

    Configuring Username and Password Security Front-Panel Security Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel Syntax: no front-panel-security password-clear In the factory-default configuration, pressing the Clear button on the switch’s front panel erases any local usernames and passwords configured on the switch.
  • Page 78: Re-Enabling The Clear Button On The Switch's Front Panel And Setting Or Changing The "Reset-On-Clear" Operation

    Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel.
  • Page 79: Changing The Operation Of The Reset+Clear Combination

    Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on­ clear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-11. Example of Re-Enabling the Clear Button’s Default Operation Changing the Operation of the Reset+Clear Combination In their default configuration, using the Reset+Clear buttons in the combina­...
  • Page 80: Password Recovery

    Configuring Username and Password Security Front-Panel Security The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. Completes the command to disable the factory reset option. Displays the current front- panel-security configuration, with Factory Reset disabled.
  • Page 81 Configuring Username and Password Security Front-Panel Security C a u t i o n Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and pass­ word on the switch. In this event, there is no way to recover from a lost manager username/password situation without resetting the switch to its factory-default configuration.
  • Page 82: Password Recovery Process

    Configuring Username and Password Security Front-Panel Security • If you want to abort the command, press (for “No”) Figure 2-13 shows an example of disabling the password-recovery parameter. Figure 2-13. Example of the Steps for Disabling Password-Recovery Password Recovery Process If you have lost the switch’s manager username/password, but password- recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by...
  • Page 83 Configuring Username and Password Security Front-Panel Security N o t e The alternate password provided by the ProCurve Customer Care Center is valid only for a single login attempt. You cannot use the same “one-time-use” password if you lose the password a second time. Because the password algorithm is randomized based upon your switch's MAC address, the pass­...
  • Page 84 Configuring Username and Password Security Front-Panel Security 2-36...
  • Page 85: Web And Mac Authentication

    Web and MAC Authentication Contents Overview ........... . . 3-2 Web Authentication .
  • Page 86: Overview

    Web and MAC Authentication Overview Overview Feature Default Menu Configure Web Authentication — 3-18 — Configure MAC Authentication — 3-32 — Display Web Authentication Status and Configuration — 3-26 — Display MAC Authentication Status and Configuration — 3-36 — Web and MAC authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and a switch from unauthorized access.
  • Page 87: Mac Authentication

    Web and MAC Authentication Overview N o t e A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web authentication. ■ In the login page, a client enters a username and password, which the switch forwards to a RADIUS server for authentication.
  • Page 88: Authorized And Unauthorized Client Vlans

    Web and MAC Authentication Overview Each new Web/MAC Auth client always initiates a MAC authentication ■ attempt. This same client can also initiate Web authentication at any time before the MAC authentication succeeds. If either authentication suc­ ceeds then the other authentication (if in progress) is ended. No further Web/MAC authentication attempts are allowed until the client is deau­...
  • Page 89: Radius-Based Authentication

    Web and MAC Authentication How Web and MAC Authentication Operate You configure access to an optional, unauthorized VLAN when you configure Web and MAC authentication on a port. RADIUS-Based Authentication In Web and MAC authentication, you use a RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client.
  • Page 90: Web-Based Authentication

    Web and MAC Authentication How Web and MAC Authentication Operate Web-based Authentication When a client connects to a Web-Auth enabled port, communication is redi­ rected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username and password. The default User Login screen is shown in Figure 3-1.
  • Page 91 Web and MAC Authentication How Web and MAC Authentication Operate If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. After a successful login, a client may be redirected to a URL if you specify a URL value (redirect-url) when you configure web authentication.
  • Page 92: Mac-Based Authentication

    Web and MAC Authentication How Web and MAC Authentication Operate A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The max-retries parameter specifies how many times a client may enter their credentials before authentication fails. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out.
  • Page 93 Web and MAC Authentication How Web and MAC Authentication Operate The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period).
  • Page 94: Terminology

    Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN.
  • Page 95: Operating Rules And Notes

    Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ The switch supports concurrent 802.1X, Web and MAC authentication operation on a port (with up to 2 clients allowed). However, concurrent operation of Web and MAC authentication with other types of authentica­ tion on the same port is not supported.
  • Page 96 Web and MAC Authentication Operating Rules and Notes 1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships. 2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships.
  • Page 97: Setup Procedure For Web/Mac Authentication

    Web and MAC Authentication Setup Procedure for Web/MAC Authentication W e b / M A C Web or MAC authentication and LACP are not supported at the same time on A u t h e n t i c a t i o n a port.
  • Page 98 Web and MAC Authentication Setup Procedure for Web/MAC Authentication ProCurve(config)# show port-access config Port Access Status Summary Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes Supplicant Authenticator Web Auth Mac Auth Port Enabled Enabled Enabled Enabled ---- ---------- ------------- -------- --------...
  • Page 99: Configuring The Radius Server To Support Mac Authentication

    Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100”...
  • Page 100: Configuring The Switch To Access A Radius Server

    Web and MAC Authentication Configuring the Switch To Access a RADIUS Server aa-bb-cc-dd-ee-ff aa:bb:cc:dd:ee:ff AABBCCDDEEFF AABBCC-DDEEFF AA-BB-CC-DD-EE-FF AA:BB:CC:DD:EE:FF If the device is a switch or other VLAN-capable device, use the base MAC ■ address assigned to the device, and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch.
  • Page 101 Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Syntax: [no] radius-server [host < ip-address >] Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can config­ ure up to three RADIUS server addresses. The switch uses the first server it successfully accesses.
  • Page 102: Configuring Web Authentication

    Web and MAC Authentication Configuring Web Authentication Configuring Web Authentication Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL for use by authenticated clients. Pro- Curve recommends that you provide a redirect URL when using Web Authentication.
  • Page 103: Configuration Commands For Web Authentication

    Web and MAC Authentication Configuring Web Authentication Configuration Commands for Web Authentication Command Page Configuration Level aaa port-access <port-list > controlled-directions <both | in> 3-20 [no] aaa port-access web-based <port-list > 3-22 [auth-vid] 3-22 [clear-statistics] 3-22 [client-limit] 3-22 [client-moves] 3-23 [dhcp-addr] 3-23 [dhcp-lease]...
  • Page 104 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-direc­ tions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.
  • Page 105 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> — Continued — Notes: For information on how to configure the prerequisites for using the ■ aaa port-access controlled-directions in command, see Chapter 4, “Multi­ ple Instance Spanning-Tree Operation”...
  • Page 106 Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based <port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable web- based authentication on the specified ports. Syntax: aaa port-access web-based <port-list> [auth-vid <vid>]] no aaa port-access web-based <port-list>...
  • Page 107 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based <port-list > [client-moves] Configures whether the client can move between ports. Default: Disabled Syntax: aaa port-access web-based [dhcp-addr <ip-address/mask>] Specifies the base address/mask for the temporary IP pool used by DHCP. The base address can be any valid ip address (not a multicast address).
  • Page 108 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based <port-list> [max-retries <1-10>] Specifies the number of the number of times a client can enter their user name and password before authen­ tication fails. This allows the reentry of the user name and password if necessary.
  • Page 109 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based <port-list> [redirect-url <url>] no aaa port-access web-based <port-list> [redirect-url] Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5.
  • Page 110: Show Commands For Web Authentication

    Web and MAC Authentication Configuring Web Authentication Show Commands for Web Authentication Command Page show port-access web-based [port-list] 3-26 show port-access web-based clients [port-list] 3-27 show port-access web-based clients <port-list> detailed 3-28 show port-access web-based config [port-list] 3-29 show port-access web-based config <port-list> detailed 3-30 show port-access web-based config [port-list] auth-server 3-31...
  • Page 111 Web and MAC Authentication Configuring Web Authentication ProCurve(config)# show port-access web-based Port Access Web-Based Status Auth Unauth Untagged Tagged Port % In RADIUS Port Clients Clients VLAN VLANs Limit ----- -------- -------- -------- ------ -------- ------ ------ 4006 70000000 MACbased No Figure 3-6.
  • Page 112 Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based clients <port-list> detailed Displays detailed information on the status of web- authenticated client sessions on specified switch ports. ProCurve(config)# show port-access web-based clients 1 detailed Port Access Web-Based Client Status Detailed Client Base Details : Port Session Status : authenticated...
  • Page 113 Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config [port-list] Displays the currently configured Web Authentication settings for all switch ports or specified ports, including: • Temporary DHCP base address and mask • Support for RADIUS-assigned dynamic VLANs (Yes or • Controlled directions setting for transmitting Wake-on- LAN traffic on egress ports •...
  • Page 114 Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config <port-list> detailed Displays more detailed information on the currently config­ ured Web Authentication settings for specified ports. ProCurve(config)# show port-access web-based config 1 detailed Port Access Web-Based Detailed Configuration Port Web-based enabled : Yes Client Limit...
  • Page 115 Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config [port-list] auth-server Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts...
  • Page 116: Configuring Mac Authentication On The Switch

    Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made.
  • Page 117: Configuration Commands For Mac Authentication

    Web and MAC Authentication Configuring MAC Authentication on the Switch Configuration Commands for MAC Authentication Command Page Configuration Level aaa port-access mac-based addr-format 3-33 [no] aaa port-access mac-based [e] < port-list > 3-34 [addr-limit] 3-34 [addr-moves] 3-34 [auth-vid] 3-34 [logoff-period] 3-35 [max-requests] 3-35...
  • Page 118 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: [no] aaa port-access mac-based < port-list > Enables MAC-based authentication on the specified ports. Use the no form of the command to disable MAC- based authentication on the specified ports. Syntax: aaa port-access mac-based [e] <...
  • Page 119 Web and MAC Authentication Configuring MAC Authentication on the Switch aaa port-access mac-based [e] < port-list > Syntax: [logoff-period] <60-9999999> Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense.
  • Page 120: Show Commands For Mac-Based Authentication

    Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [unauth-vid <vid>] no aaa port-access mac-based [e] < port-list > [unauth-vid] Specifies the VLAN to use for a client that fails authen­ tication.
  • Page 121 Web and MAC Authentication Configuring MAC Authentication on the Switch ProCurve(config)# show port-access mac-based Port Access MAC-Based Status Auth Unauth Untagged Tagged Port % In RADIUS Port Clients Clients VLAN VLANs Limit ---- ------- ------- -------- ------ -------- ------ ------ 2003 70000000 MACbased No...
  • Page 122 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based clients <port-list> detailed Displays detailed information on the status of MAC- authenticated client sessions on specified ports. ProCurve(config)# show port-access mac-based clients 1 detailed Port Access MAC-Based Client Status Detailed Client Base Details : Port Session Status : authenticated...
  • Page 123 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config [port-list] Displays the currently configured MAC Authentication settings for all switch ports or specified ports, including: • MAC address format • Support for RADIUS-assigned dynamic VLANs (Yes or • Controlled directions setting for transmitting Wake-on- LAN traffic on egress ports •...
  • Page 124 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config <port-list> detailed Displays more detailed information on the currently config­ ured MAC Authentication settings for specified ports. ProCurve(config)# show port-access mac-based config 1 detailed Port Access MAC-Based Detailed Configuration Port Web-based enabled : Yes Client Limit...
  • Page 125 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config [port-list] auth-server Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between...
  • Page 126: Client Status

    Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Possible Explanations Connection authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires.
  • Page 127 TACACS+ Authentication Contents Overview ........... . . 4-2 Terminology Used in TACACS Applications: .
  • Page 128: Tacacs+ Authentication

    TACACS+ Authentication Overview Overview Feature Default Menu view the switch’s authentication configuration — page 4-9 — view the switch’s TACACS+ server contact — page 4- — configuration configure the switch’s authentication methods disabled — page 4- — configure the switch to contact TACACS+ server(s) disabled —...
  • Page 129: Terminology Used In Tacacs Applications

    TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/ write) privilege level access.
  • Page 130 TACACS+ Authentication Terminology Used in TACACS Applications: everyone who needs to access the switch, and you must configure and manage password protection on a per-switch basis. (For more on local authentication, refer to chapter 2, “Configuring Username and Password Security”.) •...
  • Page 131: General System Requirements

    TACACS+ Authentication General System Requirements General System Requirements To use TACACS+ authentication, you need the following: ■ A TACACS+ server application installed and configured on one or more servers or management stations in your network. (There are several TACACS+ software packages available.) A switch configured for TACACS+ authentication, with access to one or ■...
  • Page 132 TACACS+ Authentication General Authentication Setup Procedure Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Trouble­ shooting chapter of the Management and Configuration Guide for your switch.
  • Page 133 TACACS+ Authentication General Authentication Setup Procedure If you are a first-time user of the TACACS+ service, ProCurve recom­ mends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment. After you have success with the minimum feature set, you may then want to try additional features that the application offers.
  • Page 134: Configuring Tacacs+ On The Switch

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring TACACS+ on the Switch Before You Begin If you are new to TACACS+ authentication, ProCurve recommends that you read the “General Authentication Setup Procedure” on page 4-5 and configure your TACACS+ server(s) before configuring authentication on the switch. The switch offers three command areas for TACACS+ operation: show authentication and show tacacs: Displays the switch’s TACACS+ ■...
  • Page 135: Cli Commands Described In This Section

    TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs 4-10 aaa authentication 4-11 through 4-17 console Telnet num-attempts <1-10 > tacacs-server 4-18 host < ip-addr > 4-18 4-22 timeout < 1-255 > 4-23 Viewing the Switch’s Current Authentication Configuration...
  • Page 136: Viewing The Switch's Current Tacacs+ Server Contact Configuration

    TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. Syntax: show tacacs For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a (global) encryption key, show tacacs would produce a listing similar to the...
  • Page 137: Configuring The Switch's Authentication Methods

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures access control for the following access methods: ■ Console Telnet ■ ■ ■ ■ Port-access (802.1X) However, TACACS+ authentication is only used with the console, Telnet, or SSH access methods.
  • Page 138 TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: aaa authentication < console | telnet | ssh | web | port-access > Selects the access method for configuration. < enable> The server grants privileges at the Manager privilege level. <login [privilege-mode] > The server grants privileges at the Operator privilege level.
  • Page 139: Authentication Parameters

    TACACS+ Authentication Configuring TACACS+ on the Switch Authentication Parameters Table 4-1. AAA Authentication Parameters Parameters Name Default Range Function console, Telnet, Specifies the access method used when authenticating. TACACS+ SSH, web or port- authentication only uses the console, Telnet or SSH access methods. access enable Specifies the Manager (read/write) privilege level for the access...
  • Page 140 TACACS+ Authentication Configuring TACACS+ on the Switch numbers 0 through 15, with zero allowing only Operator privileges (and requiring two logins) and 15 representing root privileges. The root privilege level is the only level that will allow Manager level access on the switch. Figure 4-4.
  • Page 141 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-5. The Shell Section of the TACACS+ Server User Setup As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch’s console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.
  • Page 142 TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Authentication Options Effect on Access Attempts Privilege Level Primary Secondary Console — Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Console —...
  • Page 143 TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server.
  • Page 144: Configuring The Switch's Tacacs+ Server Access

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these parameters: ■ The host IP address(es) for up to three TACACS+ servers; one first- choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.
  • Page 145 TACACS+ Authentication Configuring TACACS+ on the Switch tacacs-server key <key-string> Enters the optional global encryption key. [no] tacacs-server key Removes the optional global encryption key. (Does not affect any server-specific encryption key assignments.) tacacs-server timeout < 1-255 > Changes the wait period for a TACACS server response. (Default: 5 seconds.) Note Encryption keys configured in the switch must exactly match the encryption...
  • Page 146 TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host <ip-addr> [key <key-string> none Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per- server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key”...
  • Page 147 TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range key <key-string> none (null) n/a Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server”...
  • Page 148 TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-7. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.
  • Page 149 TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs-server host 10.28.227.104 Note...
  • Page 150: How Authentication Operates

    TACACS+ Authentication How Authentication Operates How Authentication Operates General Authentication Process Using a TACACS+ Server Authentication through a TACACS+ server operates generally as described below. For specific operating details, refer to the documentation you received with your TACACS+ server application. Terminal “A”...
  • Page 151: Local Authentication Process

    TACACS+ Authentication How Authentication Operates 4. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs: • If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.
  • Page 152: Using The Encryption Key

    TACACS+ Authentication How Authentication Operates attempt limit without a successful authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again. Note The switch’s menu allows you to configure only the local Operator and Manager passwords, and not any usernames.
  • Page 153: Controlling Web Browser Interface Access When Using Tacacs+ Authentication

    TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication in the switch must be identical to the encryption key configured in the corresponding TACACS+ server. If the key is the same for all TACACS+ servers the switch will use for authentication, then configure a global key in the switch.
  • Page 154: Messages Related To Tacacs+ Operation

    TACACS+ Authentication Messages Related to TACACS+ Operation Configure the switch’s Authorized IP Manager feature to allow web ■ browser access only from authorized management stations. (The Autho­ rized IP Manager feature does not interfere with TACACS+ operation.) ■ Disable web browser access to the switch by going to the System Infor­ mation screen in the Menu interface and configuring the Web Agent Enabled parameter to No.
  • Page 155: Operating Notes

    TACACS+ Authentication Operating Notes Operating Notes ■ If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized man­ ager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP Manager controls configured on the switch.
  • Page 156 TACACS+ Authentication Operating Notes 4-30...
  • Page 157: Radius Authentication And Accounting

    RADIUS Authentication and Accounting Contents Overview ........... . . 5-3 Authentication Services .
  • Page 158: Contents

    RADIUS Authentication and Accounting Contents Additional RADIUS Attributes ....... . 5-34 Configuring RADIUS Accounting .
  • Page 159: Overview

    RADIUS Authentication and Accounting Overview Overview Feature Default Menu Configuring RADIUS Authentication None Configuring RADIUS Accounting None 5-35 Configuring RADIUS Authorization None 5-26 Viewing RADIUS Statistics 5-43 RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server employed.
  • Page 160: Accounting Services

    MIB (Management Information Base). A management station running an SNMP networked device management application such as ProCurve Manager Plus (PCM+) or HP OpenView can access the switch’s MIB for read access to the switch’s status and read/write access to the switch’s configuration. For more information, including the CLI command to use for disabling this feature, refer to “Using SNMP To View and Configure Switch Authentication Features”...
  • Page 161: Terminology

    RADIUS Authentication and Accounting Terminology Terminology AAA: Authentication, Authorization, and Accounting groups of services pro­ vided by the carrying protocol. CHAP (Challenge-Handshake Authentication Protocol): A challenge- response authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a challenge from a RADIUS server. CoS (Class of Service): Support for priority handling of packets traversing the switch, based on the IEEE 802.1p priority carried by each packet.
  • Page 162: Switch Operating Rules For Radius

    RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Shared Secret Key: A text value used for encrypting data in RADIUS packets. Both the RADIUS client and the RADIUS server have a copy of the key, and the key is never transmitted across the network. Vendor-Specific Attribute: A vendor-defined value configured in a RADIUS server to specific an optional switch feature assigned by the server during an authenticated client session.
  • Page 163: General Radius Setup Procedure

    RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring the switch, collect the information outlined below.
  • Page 164: Configuring The Switch For Radius Authentication

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.) • Determine whether you want to bypass a RADIUS server that fails to respond to requests for service.
  • Page 165: Outline Of The Steps For Configuring Radius Authentication

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following •...
  • Page 166: Configure Authentication For The Access Methods You Want Radius To Protect

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Timeout Period: The timeout period the switch waits for a RADIUS server to reply. (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS authentication request.
  • Page 167 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication ure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail. Syntax: aaa authentication < console | telnet | ssh | web | < enable | login <local | radius>>...
  • Page 168 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-2 shows an example of the show authentication command displaying authorized as the secondary authentication method for port-access, Web-auth access, and MAC-auth access. Since the configuration of authorized means no authentication will be performed and the client has unconditional access to the network, the “Enable Primary”...
  • Page 169: Enable The (Optional) Access Privilege Option

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in this guide. The switch now allows Telnet and SSH authentication only through RADIUS. Figure 5-3.
  • Page 170 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication this default behavior for clients with Enable (manager) access. That is, with privilege-mode enabled, the switch immediately allows Enable (Manager) access to a client for whom the RADIUS server specifies this access level. Syntax: [no] aaa authentication login privilege-mode When enabled, the switch reads the Service-Type field in the client authentication received from a RADIUS server.
  • Page 171: Configure The Switch To Access A Radius Server

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 5-35: “Configuring RADIUS Accounting”...
  • Page 172 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication [key < key-string >] Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key.
  • Page 173: Configure The Switch's Global Radius Parameters

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-4. Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 5-4, you would do the following: Changes the key for the existing server to “source0127”...
  • Page 174 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Global server key: The server key the switch will use for contacts ■ with all RADIUS servers for which there is not a server-specific key configured by radius-server host < ip-address > key < key-string >. This key is optional if you configure a server-specific key for each RADIUS server entered in the switch.
  • Page 175 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server timeout < 1 - 15 > Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure. (Default: 3 seconds; Range: 1 - 15 seconds) radius-server retransmit <...
  • Page 176 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in this guide. After two attempts failing due to username or password entry errors, the switch will terminate the session.
  • Page 177: Using Snmp To View And Configure Switch Authentication Features

    RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features Using SNMP To View and Configure Switch Authentication Features SNMP MIB object access is available for switch authentication configuration (hpSwitchAuth) features. This means that the switches covered by this Guide allow, by default, manager-only SNMP read/write access to a subset of the authentication MIB objects for the following features: ■...
  • Page 178: Changing And Viewing The Snmp Access Configuration

    RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features Changing and Viewing the SNMP Access Configuration Syntax: snmp-server mib hpswitchauthmib < excluded | included > included: Enables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB. excluded: Disables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB.
  • Page 179 RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features An alternate method of determining the current Authentication MIB access state is to use the show run command. ProCurve(config)# show run Running configuration: ; J8715A Configuration Editor; Created on release #W.14.XX hostname "ProCurve"...
  • Page 180: Local Authentication Process

    RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: Local is the authentication option for the access method being used. ■...
  • Page 181: Controlling Web Browser Interface Access

    RADIUS Authentication and Accounting Controlling Web Browser Interface Access Controlling Web Browser Interface Access To help prevent unauthorized access through the web browser interface, do one or more of the following: ■ Configure the switch to support RADIUS authentication for web browser interface access (See chapter 3, “Web and MAC Authentica­...
  • Page 182: Commands Authorization

    RADIUS Authentication and Accounting Commands Authorization Commands Authorization The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information (from the user’s profile) to the Network Access Server (NAS). After user authentication has occurred, the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user’s session.
  • Page 183: Enabling Authorization

    RADIUS Authentication and Accounting Commands Authorization Enabling Authorization To configure authorization for controlling access to the CLI commands, enter this command at the CLI. Syntax: [no] aaa authorization <commands> <radius | none> Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed.
  • Page 184: Displaying Authorization Information

    Configuring Commands Authorization on a RADIUS Server Using Vendor Specific Attributes (VSAs) Some RADIUS-based features implemented on ProCurve switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access- Accept packets sent to the switch may contain the vendor-specific informa­...
  • Page 185 (those that are available by default to any user). You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.
  • Page 186: Example Configuration On Cisco Secure Acs For Ms Windows

    The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps. 1. Create a dictionary file (for example, hp.ini) containing the HP VSA definitions, as shown in the example below. ;[User Defined Vendor] ;...
  • Page 187 Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList 2. Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). 3. From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils> csutil -addudv 0 hp.ini The zero (0) is the slot number.
  • Page 188: Example Configuration Using Freeradius

    4 (100 in the example). 7. Restart all Cisco services. 8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry. In the Authenticate Using field choose RADIUS(HP) as an option for the type of security control protocol.
  • Page 189 2. Find the location of the dictionary files used by FreeRADIUS (try /usr/ local/share/freeradius). 3. Copy dictionary.hp to that location. Open the existing dictionary file and add this entry: $ INCLUDE dictionary.hp 4. You can now use HP VSAs with other attributes when configuring user entries. 5-33...
  • Page 190: Additional Radius Attributes

    RADIUS server for port-based (MAC, Web, or 802.1X) authentication; for example, HP VSAs for port QoS, ingress rate-limiting, IDM filter rules, RFC 4675 QoS and VLAN attributes, and RFC 3580 VLAN-related attributes.
  • Page 191: Configuring Radius Accounting

    Port-Based Access Control (802.1X): • Acct-Authentic • Acct-Session-Id • MS-RAS-Vendor • Acct-Delay-Time • Acct-Session-Time • NAS-Identifier • Acct-Input-Octets • Acct-Status-Type • NAS-IP-Address • Acct-Input-Packets • Acct-Terminate-Cause • NAS-Port • Acct-Output-Octets • Called-Station-Id • Service-Type • Acct-Output-Packets • HP-acct-terminate- • Username cause 5-35...
  • Page 192 RADIUS Authentication and Accounting Configuring RADIUS Accounting Exec accounting: Provides records holding the information listed ■ below about login sessions (console, Telnet, and SSH) on the switch: • Acct-Authentic • Acct-Status-Type • NAS-Identifier • Acct-Delay-Time • Acct-Terminate-Cause • NAS-IP-Address • Acct-Session-Id •...
  • Page 193: Operating Rules For Radius Accounting

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Operating Rules for RADIUS Accounting You can configure up to four types of accounting to run simulta­ ■ neously: exec, system, network, and commands. RADIUS servers used for accounting are also used for authentication. ■...
  • Page 194: Configure The Switch To Access A Radius Server

    RADIUS Authentication and Accounting Configuring RADIUS Accounting must match the encryption key used on the specified RADIUS server. For more information, refer to the “[key < key-string >]” parameter on page 5-15. (Default: null) 2. Configure accounting types and the controls for sending reports to the RADIUS server.
  • Page 195 RADIUS Authentication and Accounting Configuring RADIUS Accounting [key < key-string >] Optional. Specifies an encryption key for use during accounting or authentication sessions with the speci­ fied server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key.
  • Page 196: Configure Accounting Types And The Controls For Sending Reports To The Radius Server

    RADIUS Authentication and Accounting Configuring RADIUS Accounting The radius-server command as shown in figure 5-11, above, configures the switch to use a RADIUS server at IP address 10.33.18.151, with a (non-default) UDP accounting port of 1750, and a server-specific key of “source0151”. 2.
  • Page 197 RADIUS Authentication and Accounting Configuring RADIUS Accounting Stop-Only: ■ • Send a stop record accounting notice at the end of the accounting session. The notice includes the latest data the switch has collected for the requested accounting type (Network, Exec, Commands, or System).
  • Page 198: Optional) Configure Session Blocking And Interim Updating Options

    RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additional control over accounting data. Updates: In addition to using a Start-Stop or Stop-Only trigger, you ■ can optionally configure the switch to send periodic accounting record updates to a RADIUS server.
  • Page 199: Viewing Radius Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which.
  • Page 200 RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-15. RADIUS Server Information From the Show Radius Host Command Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting- Request that matched it from this RADIUS accounting server. PendingRequests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
  • Page 201: Radius Authentication Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Term Definition Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions. AccessChallenges The number of RADIUS Access-Challenge packets (valid or invalid) received from this server. AccessAccepts The number of RADIUS Access-Accept packets (valid or invalid) received from this server. AccessRejects The number of RADIUS Access-Reject packets (valid or invalid) received from this server.
  • Page 202: Radius Accounting Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-17. Example of RADIUS Authentication Information from a Specific Server RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppres­ sion status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) config­...
  • Page 203: Changing Radius-Server Access Order

    RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-19. Example of RADIUS Accounting Information for a Specific Server Figure 5-20. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command.
  • Page 204 RADIUS Authentication and Accounting Changing RADIUS-Server Access Order RADIUS server IP addresses listed in the order in which the switch will try to access them. In this case, the server at IP address 1.1.1.1 is first. Note: If the switch successfully accesses the first server, it does not try to access any other servers in the list, even if the client is denied access by the first server.
  • Page 205 RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Removes the “003” and “001” addresses from the RADIUS server list. Inserts the “003” address in the first position in the RADIUS server list, and inserts the “001” address in the last position in the list. Shows the new order in which the switch searches for a RADIUS server.
  • Page 206: Messages Related To Radius Operation

    RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch.
  • Page 207: Configuring Radius Server Support

    Configuring RADIUS Server Support for Switch Services Contents Overview ........... . . 6-2 RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting .
  • Page 208 Configuring RADIUS Server Support for Switch Services Contents Configuring the Switch To Support RADIUS-Assigned ACLs ........... . . 6-23 Displaying the Current RADIUS-Assigned ACL Activity on the Switch .
  • Page 209: Overview

    Configuring RADIUS Server Support for Switch Services Overview Overview This chapter provides information that applies to setting up a RADIUS server to configure the following switch features on ports supporting RADIUS- authenticated clients: ■ Rate-Limiting ■ ■ ACLS Optional Network Management Applications. Per-port CoS and rate- limiting assignments through a RADIUS server are also supported in the ProCurve Manager (PCM) application.
  • Page 210: Radius Server Configuration For Per-Port Cos (802.1P Priority) And Rate-Limiting

    ProCurve (HP) vendor-specific ID:11 Inbound Traffic VSA: 40 (string = HP) This feature assigns a Setting: HP-COS = xxxxxxxx where: RADIUS-specified x = desired 802.1p priority 802.1p priority to all Note: This is typically an eight-octet field. Enter the same x-value...
  • Page 211: Applied Rates For Radius-Assigned Rate Limits

    Rate-Limiting on Vendor-Specific Attribute configured in the RADIUS server. inbound traffic ProCurve (HP) vendor-specific ID:11 This feature assigns a VSA: 46 (integer = HP) bandwidth limit to all Setting: HP-RATE-LIMIT = < bandwidth-in-Kbps > inbound packets Note: The CLI command for configuring a rate-limit on a port uses received on a port a percentage value.
  • Page 212: Viewing The Currently Active Per-Port Cos And Rate-Limiting Configuration Specified By A Radius Server

    Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Table 6-2. Examples of Assigned and Applied Rate Limits RADIUS-Assigned Applied Applied Rate Limit Difference/Kbps Bandwidth (Kbps) Increments (Kbps) 5,250 100 Kbps 5,200 50,250 1 Mbps 50,000...
  • Page 213 Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Syntax: show port-access authenticator [ port-list ] show rate-limit all show qos port-priority These commands display the CoS and Rate-Limiting settings specified by the RADIUS server used to grant authentication for a given client on a given port.
  • Page 214 Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting ProCurve(config)# show qos port-priority Priority in the Apply Rule column indicates a non- default CoS (802.1p) Port priorities priority configured in the switch for port B1. The 3 in Port Apply rule | DSCP Priority...
  • Page 215: Configuring And Using Radius-Assigned Access Control Lists

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuring and Using RADIUS-Assigned Access Control Lists Introduction A RADIUS-assigned ACL is configured on a RADIUS server and dynamically assigned by the server to filter traffic entering the switch through a specific port after the client is authenticated by the server.
  • Page 216 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists • RADIUS-assigned ACL: dynamic ACL assigned to a port by a RADIUS server to filter inbound traffic from an authenticated client on that port An ACL can be configured on an interface as a static port ACL. (RADIUS­ assigned ACLs are configured on a RADIUS server.) ACL Mask: Follows a destination IP address listed in an ACE.
  • Page 217 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Permit: An ACE configured with this action allows the switch to forward an inbound packet for which there is a match within an applicable ACL. Permit Any Any: An abbreviated form of permit in ip from any to any, which permits any inbound IP traffic from any source to any destination.
  • Page 218: Overview Of Radius-Assigned, Dynamic Acls

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Overview of RADIUS-Assigned, Dynamic ACLs RADIUS-assigned ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources and to the switch management interface. This includes preventing clients from using TCP or UDP applications (such as Telnet, SSH, Web browser, and SNMP) if you do not want their access privi­...
  • Page 219: Contrasting Dynamic (Radius-Assigned) And Static Acls

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note A RADIUS-assigned ACL assignment filters all inbound IP traffic from an authenticated client on a port, regardless of whether the client’s IP traffic is to be switched or routed. RADIUS-assigned ACLs can be used either with or without PCM and IDM support.
  • Page 220: How A Radius Server Applies A Radius-Assigned

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists RADIUS-assigned ACLs Static Port ACLs Allows one RADIUS-assigned ACL per authenticated client Supports static ACLs on a port. (Each such ACL filters traffic from a different, authenticated client.) Note: The switch provides ample resources for supporting RADIUS-assigned ACLs and other features.
  • Page 221: General Acl Features, Planning, And Configuration

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists the same username/password pair. Where the client MAC address is the selection criteria, only the client having that MAC address can use the corre­ sponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client’s credentials to the port.
  • Page 222: The Packet-Filtering Process

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 3. Configure the ACLs on a RADIUS server accessible to the intended clients. 4. Configure the switch to use the desired RADIUS server and to support the desired client authentication scheme.
  • Page 223: Operating Rules For Radius-Assigned Acls

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Operating Rules for RADIUS-Assigned ACLs Relating a Client to a RADIUS-Assigned ACL: A RADIUS-assigned ■ ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client.
  • Page 224: Nas-Filter-Rule-Options

    This attribute is maintained for legacy purposes to support ACEs in RADIUS-assigned ACLs. Switch However, for new or updated configurations HP recommends using the Standard Attribute (92) Assigns a RADIUS- described earlier in this table instead of the HP-Nas-filter-Rule attribute described here.
  • Page 225: Configuring Ace Syntax In Radius Servers

    < any | ip-addr | ipv4-addr/mask > [ < tcp/udp-port | tcp/udp-port range > | icmp-type ] [cnt ]” Attribute-92) ACE Syntax HP-Nas-filter-Rule=”< permit | deny > in <ip | ip-protocol-value > from any to (Legacy VSA- < any | ip-addr | ipv4-addr/mask > [ < tcp/udp-port | tcp/udp-port range > | icmp-type ] [cnt ]”...
  • Page 226: Example Using The Standard Attribute (92) In An Ipv4 Acl

    Nas-filter-Rule+=”permit in ip from any to 10.10.10.1/24” Nas-filter-Rule+=”deny in ip from any to any” – the HP-Nas-Filter-Rule VSA is used instead of the above option. For example, all of the following destinations are for IPv4 traffic: HP-Nas-filter-Rule=”permit in tcp from any to any 23”...
  • Page 227: Example Of Configuring A Radius-Assigned Acl Using The Freeradius Application

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 1. Enter the ACL standard attribute in the FreeRADIUS dictionary.rfc4849 file. ATTRIBUTE Nas-FILTER-Rule 92 2. Enter the switch IP address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file.
  • Page 228 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 1. Enter the ProCurve vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file: VENDOR ProCurve (HP) Vendor-Specific ID BEGIN-VENDOR ATTRIBUTE HP-IP-FILTER-RAW 61 STRING END-VENDOR...
  • Page 229: Format Details For Aces Configured In A Radius-Assigned Acl

    Client’s Password (MAC Authentication) 08E99C4F0019 Auth-Type:= Local, User-Password == 08E99C4F0019 HP-IP-FILTER-RAW = “permit in tcp from any to host 10.10.10.101 80”, HP-IP-FILTER-RAW += “deny in tcp from any to any 80”, HP-IP-FILTER-RAW += “permit in ip from any to any”...
  • Page 230: Configuration Notes

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuration Notes Explicitly Permitting Any IP Traffic. Entering a permit in ip from any to any (permit any any) ACE in an ACL permits all IP traffic not previously permitted or denied by that ACL.
  • Page 231 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note Refer to the documentation provided with your RADIUS server for infor­ mation on how the server receives and manages network accounting information, and how to perform any configuration steps necessary to enable the server to support network accounting data from the switch.
  • Page 232: Displaying The Current Radius-Assigned Acl Activity

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Displaying the Current RADIUS-Assigned ACL Activity on the Switch These commands output data indicating the current ACL activity imposed per- port by RADIUS server responses to client authentication. Syntax: show access-list radius <...
  • Page 233 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Syntax: show port-access authenticator < port-list > For ports, in < port-list > that are configured for authentication, this command indicates whether there are any RADIUS-assigned features active on the port(s). (Any ports in <...
  • Page 234: Icmp Type Numbers And Keywords

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists ProCurve(config)# show port-access authenticator 2-3 Port Access Authenticator Status Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Auth Unauth Untagged Tagged Kbps In RADIUS Cntrl Port Clients...
  • Page 235: Event Log Messages

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Event Log Messages Message Meaning Notifies of a problem with the keyword in permit deny ACE parsing error, permit/deny keyword < ace-# > client < mac-address > the indicated ACE included in the access list for the port <...
  • Page 236: Causes Of Client Deauthentication Immediately After Authenticating

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Message Meaning Notifies that the string configured for an ACE entry on the Invalid Access-list entry length, client < mac-address > port < port-# >. Radius server exceeds 80 characters. Memory allocation failure for IDM Notifies of a memory allocation failure for a RADIUS­...
  • Page 237 Configuring Secure Shell (SSH) Overview ........... . . 7-2 Terminology .
  • Page 238: Configuring Secure Shell (Ssh)

    Configuring Secure Shell (SSH) Overview Overview Feature Default Menu Generating a public/private key pair on the switch page 7-9 Using the switch’s public key page 7-12 Enabling SSH Disabled page 7-15 Enabling client public-key authentication Disabled pages 7-20, 7-23 Enabling user authentication Disabled page 7-20 The switches covered in this guide use Secure Shell version 2 (SSHv2) to...
  • Page 239: Terminology

    Configuring Secure Shell (SSH) Terminology Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication shown in figure 7-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.
  • Page 240: Prerequisite For Using Ssh

    Configuring Secure Shell (SSH) Prerequisite for Using SSH Local password or username: A Manager-level or Operator-level pass­ ■ word configured in the switch. ■ SSH Enabled: (1) A public/private key pair has been generated on the switch (generate ssh [dsa | rsa]) and (2) SSH is enabled (ip ssh). (You can generate a key pair without enabling SSH, but you cannot enable SSH without first generating a key pair.
  • Page 241: Steps For Configuring And Using Ssh For Switch And Client Authentication

    Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 7-1.
  • Page 242 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 7-8). 2. Generate a public/private key pair on the switch (page 7-9). You need to do this only once.
  • Page 243: General Operating Rules And Notes

    Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 client key pairs. ■ The switch’s own public/private key pair and the (optional) client public key file are stored in the switch’s flash memory and are not affected by reboots or the erase startup-config command.
  • Page 244: Configuring The Switch For Ssh Operation

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 7-18 show crypto client-public-key [<manager | operator>] 7-26 [keylist-str] [< babble | fingerprint>] show crypto host-public-key [< babble | fingerprint >] 7-14 show authentication 7-22...
  • Page 245: Generating The Switch's Public And Private Key Pair

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation To Configure Local Passwords. You can configure both the Operator and Manager password with one command. Syntax:password < manager | operator | all > Figure 7-4. Example of Configuring Local Passwords 2.
  • Page 246 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation N o t e When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles.
  • Page 247 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation show crypto host-public-key Displays switch’s public key. Displays the version 1 and version 2 views of the key. See “SSH Client Public-Key Authentication” on page 2-16 in this guide for information about public keys saved in a configuration file.
  • Page 248: Configuring Key Lengths

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation hosts file, note that the formatting and comments need not match. For version 1 keys, the three numeric values bit size, exponent <e>, and modulus <n> must match; for PEM keys, only the PEM-encoded string itself must match. N o t e s "Zeroizing"...
  • Page 249 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation The public key generated by the switch consists of three parts, separated by one blank space each: Exponent <e> Bit Size Modulus <n> 896 35 427199470766077426366625060579924214851527933248752021855126493 2934075407047828604329304580321402733049991670046707698543529734853020 0176777055355544556880992231580238056056245444224389955500310200336191 3610469786020092436232649374294060627777506601747146563337525446401 Figure 7-6. Example of a Public Key Generated by the Switch (The generated public key on the switch is always 896 bits.) With a direct serial connection from a management station to the switch: 1. Use a terminal application such as HyperTerminal to display the switch’s...
  • Page 250 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Modulus <n>...
  • Page 251: Enabling Ssh On The Switch And Anticipating Ssh Client Contact Behavior

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 7-9. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 7-9 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host”...
  • Page 252 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if the switch’s public key has not been copied into the client, then the client’s first connection to the switch will question the connection and, for security reasons, provide the option of accepting or refusing.
  • Page 253 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher <cipher-type>] Specify a cipher type to use for connection. Valid types are: • aes128-cbc • 3des-cbc • aes192-cbc •...
  • Page 254 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 7-18. [public-key <manager | operator>] Configures a client public key. manager: Select manager public keys (ASCII formatted).
  • Page 255: Configuring The Switch For Ssh Authentication

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation C a u t i o n Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you.
  • Page 256 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option A: Configuring SSH Access for Password-Only SSH Authentication. When configured with this option, the switch uses its pub­ lic key to authenticate itself to a client, but uses only passwords for client authentication.
  • Page 257 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: copy tftp pub-key-file < ipv4-address | ipv6-address > < filename > Copies a public key file into the switch. aaa authentication ssh login public-key Configures the switch to authenticate a client public-key at the login level with an optional secondary password method (default: none).
  • Page 258 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configures Manager user- Configures the name and password. switch to allow SSH access only ProCurve(config)# password manager user-name leader for a client whose public key New password for Manager: ******** matches one of the Please retype new password for Manager: ******** keys in the public...
  • Page 259: Use An Ssh Client To Access The Switch

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems"...
  • Page 260 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication If you enable client public-key authentication, the following events occur when a client tries to access the switch using SSH: 1. The client sends its public key to the switch with a request for authenti­ cation.
  • Page 261 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication To Create a Client-Public-Key Text File. These steps describe how to copy client-public-keys into the switch for challenge-response authentication, and require an understanding of how to use your SSH client application. Bit Size Exponent <e>...
  • Page 262 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 2. Copy the client’s public key into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft® Windows® software. If you want several clients to use client public-key authentica­ tion, copy a public key for each of these clients (up to ten) into the file.
  • Page 263 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication The babble option converts the key data to phonetic hashes that are easier for visual comparisons. The fingerprint option converts the key data to hexadec­ imal hashes that are for the same purpose. The keylist-str selects keys to display (comma-delimited list).
  • Page 264 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: clear crypto public-key Deletes the client-public-key file from the switch. Syntax: clear crypto public-key 3 Deletes the entry with an index of 3 from the client-public-key file on the switch. Enabling Client Public-Key Authentication.
  • Page 265: Messages Related To Ssh Operation

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning File transfer did not occur. Indicates an error in 00000K Peer unreachable. communicating with the tftp server or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • Incorrect IP address in the command • Case (upper/lower) error in the filename used in the...
  • Page 266: Logging Messages

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning After you execute the generate ssh [dsa | rsa] Generating new RSA host key. If the command, the switch displays this message while it cache is depleted, this could take up to is generating the key.
  • Page 267 Configuring Secure Socket Layer (SSL) Contents Overview ........... . . 8-2 Terminology .
  • Page 268: Configuring Secure Socket Layer (Ssl)

    Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu Generating a Self Signed Certificate on the switch page 8-8 page 8-12 Generating a Certificate Request on the switch page 8-15 Enabling SSL Disabled page 8-17 page 8-19 The switches covered in this guide use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security(TLSv1) to provide remote web access to the switches via encrypted paths between the switch and manage­...
  • Page 269: Terminology

    Configuring Secure Socket Layer (SSL) Terminology 1. Switch-to-Client SSL Cert. SSL Client ProCurve Browser Switch 2. User-to-Switch (login password and (SSL enable password authentication) Server) options: – Local – TACACS+ – RADIUS Figure 8-1. Switch/User Authentication SSL on the switches covered in this guide supports these data encryption methods: ■...
  • Page 270 Configuring Secure Socket Layer (SSL) Terminology Root Certificate: A trusted certificate used by certificate authorities to ■ sign certificates (CA-Signed Certificates) and used later on to verify that authenticity of those signed certificates. Trusted certificates are distrib­ uted as an integral part of most popular web clients. (see browser docu­ mentation for which root certificates are pre-installed).
  • Page 271: Prerequisite For Using Ssl

    Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com­ puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include:...
  • Page 272: General Operating Rules And Notes

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes 4. Use your SSL enabled browser to access the switch using the switch’s IP address or DNS name (if allowed by your browser). Refer to the documentation provided with the browser application. General Operating Rules and Notes ■...
  • Page 273: Configuring The Switch For Ssl Operation

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl page 8-19 show config page 8-19 show crypto host-cert 8-12 crypto key generate cert [rsa] <512 | 768 |1024> 8-10 zeroize cert 8-10...
  • Page 274: Generating The Switch's Server Host Certificate

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Security Tab Password Button Figure 8-2. Example of Configuring Local Passwords 1. Proceed to the security tab and select device passwords button. 2. Click in the appropriate box in the Device Passwords window and enter user names and passwords.
  • Page 275: To Generate Or Erase The Switch's Server Certificate

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The server certificate is stored in the switch’s flash memory. The server certificate should be added to your certificate folder on the SSL clients who you want to have access to the switch. Most browser applications automati­ cally add the switch’s host certificate to there certificate folder on the first use.
  • Page 276: Comments On Certificate Fields

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI commands used to generate a Server Host Certificate. Syntax: crypto key generate cert [rsa] < 512 | 768 |1024 > Generates a key pair for use in the certificate. crypto key zeroize cert Erases the switch’s certificate key and disables SSL opera­...
  • Page 277 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Table 8-1.Certificate Field Descriptions Field Name Description Valid Start Date This should be the date you desire to begin using the SSL functionality. Valid End Date This can be any future date, however good security practices would suggest a valid duration of about one year between updates of passwords and keys.
  • Page 278: Generate A Self-Signed Host Certificate With The Web Browser Interface

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI Command to view host certificates. Syntax: show crypto host-cert Displays switch’s host certificate To view the current host certificate from the CLI you use the show crypto host­ cert command.
  • Page 279 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To generate a self signed host certificate from the web browser interface: i. Proceed to the Security tab then the SSL button. The SSL config­ uration screen is split up into two halves. The left half is used in creating a new certificate key pair and (self-signed / CA-signed) certificate.
  • Page 280 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers inter­ face: Certificate Type Box Key Size Selection Certificate Arguments Figure 8-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface: Proceed to the Security tab Then the...
  • Page 281: Generate A Ca-Signed Server Host Certificate With The Web Browser Interface

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 8-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web browser interface To install a CA-Signed server host certificate from the web browser interface. For more information on how to access the web browser interface, refer to the chapter titled “Using the ProCurve Web Browser Interface”...
  • Page 282 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL To generate a certificate request from the web browser interface:...
  • Page 283: Enabling Ssl On The Switch And Anticipating Ssl Browser Contact Behavior

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----­ MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMBIGA1UEChMLT3Bwb3J0dW5pdGkxGDAW BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0+aMcXgVruVixw/xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B Figure 8-7. Request for Verified Host Certificate Web Browser Interface Screen 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior he web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients.
  • Page 284 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation N o t e Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generating the Switch’s Server Host Certificate”...
  • Page 285: Using The Cli Interface To Enable Ssl

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI Interface to Enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443).
  • Page 286 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and port number Selection Figure 8-8. Using the web browser interface to enable SSL and select TCP port number N o t e o n P o r t ProCurve recommends using the default IP port number (443).
  • Page 287: Common Errors In Ssl Setup

    Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 8-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host...
  • Page 288 Configuring Secure Socket Layer (SSL) Common Errors in SSL setup 8-22...
  • Page 289: Ipv4 Access Control Lists (Acls)

    IPv4 Access Control Lists (ACLs) Contents Introduction ..........9-4 Overview of Options for Applying IPv4 ACLs on the Switch .
  • Page 290 IPv4 Access Control Lists (ACLs) Contents Configuring and Assigning an IPv4 ACL ..... . . 9-34 Overview ..........9-34 General Steps for Implementing ACLs .
  • Page 291 IPv4 Access Control Lists (ACLs) Contents Displaying ACL Configuration Data ......9-85 Display an ACL Summary ........9-86 Display the Content of All ACLs on the Switch .
  • Page 292: Introduction

    IPv4 Access Control Lists (ACLs) Introduction Introduction An Access Control List (ACL) is a list of one or more Access Control Entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch’s interfaces. This chapter describes how to configure, apply, and edit IPv4 ACLs in a network populated with the switches covered by this guide, and how to monitor IPv4 ACL actions.
  • Page 293 IPv4 Access Control Lists (ACLs) Introduction Notes IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as part of your network security program. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IPv4 packet transmissions, they should not be relied upon for a complete security solution.
  • Page 294: Overview Of Options For Applying Ipv4 Acls On The Switch

    IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Overview of Options for Applying IPv4 ACLs on the Switch To apply IPv4 ACL filtering, assign a configured IPv4 ACL to the interface on which you want traffic filtering to occur. Port traffic ACLs can be applied either statically or dynamically (using a RADIUS server).
  • Page 295: Overview Of Options For Applying Ipv4 Acls On The Switch

    IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Create a Standard, ProCurve(config)# access-list < 1-99 > < deny | permit > 9-49 Numbered ACL < any | host <SA > | SA/< mask-length > | SA < mask >> [log] Add an ACE to the End of an Existing...
  • Page 296 IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Table 9-2. Command Summary for IPv4 Extended ACLs Action Command(s) Page Create an Extended, ProCurve(config)# ip access-list extended < name-str | 100-199 > 9-55 Named ACL ProCurve(config-std-nacl)# <...
  • Page 297 IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Action Command(s) Page Enter or Remove a ProCurve(config)# ip access-list extended < name-str | 100-199 > 9-81 Remark ProCurve(config-ext-nacl)# [ remark < remark-str > | no remark ] 9-83 For numbered, extended ACLs only, the following remark commands can be substituted for the above:...
  • Page 298: Terminology

    IPv4 Access Control Lists (ACLs) Terminology Terminology Access Control Entry (ACE): A policy consisting of criteria and an action (permit or deny) to execute on a packet if it meets the criteria. The elements composing the criteria include: • source IPv4 address and mask (standard and extended ACLs) •...
  • Page 299 IPv4 Access Control Lists (ACLs) Terminology ACL Mask: Follows any IPv4 address (source or destination) listed in an ACE. Defines which bits in a packet’s corresponding IPv4 addressing must exactly match the addressing in the ACE, and which bits need not match (wildcards).
  • Page 300 IPv4 Access Control Lists (ACLs) Terminology Inbound Traffic: For the purpose of defining where the switch applies IPv4 ACLs to filter traffic, inbound traffic is a packet that meets one of the following criteria: • Static Port ACL: Inbound traffic is a packet entering the switch on the port.
  • Page 301 IPv4 Access Control Lists (ACLs) Terminology whether there is a match between a packet and the ACE. In an extended ACE, this is the first of two IPv4 addresses used by the ACE to determine whether there is a match between a packet and the ACE. See also “DA”. seq-#: The term used in ACL syntax statements to represent the sequence number variable used to insert an ACE within an existing list.
  • Page 302: Overview

    IPv4 Access Control Lists (ACLs) Overview Overview Types of IPv4 ACLs A permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other factors. Standard ACL: Use a standard ACL when you need to permit or deny IPv4 traffic based on source address only.
  • Page 303: Static Port Acl And Dynamic Port Acl Applications

    IPv4 Access Control Lists (ACLs) Overview Static Port ACL and Dynamic Port ACL Applications An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port, regardless of whether the traffic is switched or routed. Dynamic (RADIUS-assigned) Port ACL Applications Dynamic (RADIUS-assigned) port ACLs are configured on RADIUS servers and, where such servers support configuration for IPv4 traffic filtering, can be assigned to filter IPv4 traffic inbound from clients authenticated by such...
  • Page 304: Multiple Acls On An Interface

    IPv4 Access Control Lists (ACLs) Overview 802.1X User-Based and Port-Based Applications. User-Based 802.1X access control allows up to 8 individually authenticated clients on a given port. However, port-based access control does not set a client limit, and requires only one authenticated client to open a given port (and is recommended for applications where only one client at a time can connect to the port).
  • Page 305 IPv4 Access Control Lists (ACLs) Overview • T he CLI remark command option allows you to enter a separate comment for each ACE. A source or destination IPv4 address and a mask, together, can define ■ a single host, a range of hosts, or all hosts. ■...
  • Page 306: General Steps For Planning And Configuring Acls

    IPv4 Access Control Lists (ACLs) Overview General Steps for Planning and Configuring ACLs 1. Identify the ACL application to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv4 traffic at the edge of the network instead of in the core.
  • Page 307 IPv4 Access Control Lists (ACLs) Overview For more details on ACL planning considerations, refer to “Planning an ACL Application” on page 9-24. Caution Regarding Source routing is enabled by default on the switch and can be used to override the Use of Source ACLs.
  • Page 308: Ipv4 Static Acl Operation

    IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation IPv4 Static ACL Operation Introduction An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). A static ACL applies only to the switch in which it is configured.
  • Page 309 IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation ACL. This directs the ACL to permit (forward) packets that do not have a match with any earlier ACE listed in the ACL, and prevents these packets from being filtered by the implicit “deny any”. Example.
  • Page 310 IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation Test a packet against 1. If a match is not found with criteria in first ACE. the first ACE in an ACL, the switch proceeds to the next ACE and so on. 2.
  • Page 311 IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation Permit inbound IPv4 traffic from IP address 10.11.11.42. Deny only the inbound Telnet traffic from address 10.11.11.101. Permit only inbound Telnet traffic from IP address 10.11.11.33. Deny all other inbound IPv4 traffic. The following ACL model , when assigned to inbound filtering on an interface, supports the above case: ip access-list extended "Test-02"...
  • Page 312: Planning An Acl Application

    IPv4 Access Control Lists (ACLs) Planning an ACL Application Planning an ACL Application Before creating and implementing ACLs, you need to define the policies you want your ACLs to enforce, and understand how the ACL assignments will impact your network users. Note All IPv4 traffic entering the switch on a given interface is filtered by all ACLs configured for inbound traffic on that interface.
  • Page 313: Security

    IPv4 Access Control Lists (ACLs) Planning an ACL Application What are the logical points for minimizing unwanted traffic, and what ■ ACL application(s) should be used? In many cases it makes sense to prevent unwanted traffic from reaching the core of your network by configuring ACLs to drop the unwanted traffic at or close to the edge of the network.
  • Page 314: Guidelines For Planning The Structure Of A Static Acl

    IPv4 Access Control Lists (ACLs) Planning an ACL Application C a u t i o n IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.
  • Page 315: Ipv4 Acl Configuration And Operating Rules

    IPv4 Access Control Lists (ACLs) Planning an ACL Application Generally, you should list ACEs from the most specific (individual ■ hosts) to the most general (subnets or groups of subnets) unless doing so permits traffic that you want dropped. For example, an ACE allowing a small group of workstations to use a specialized printer should occur earlier in an ACL than an entry used to block widespread access to the same printer.
  • Page 316: How An Ace Uses A Mask To Screen Packets For Matches

    IPv4 Access Control Lists (ACLs) Planning an ACL Application Explicitly Permitting Any IPv4 Traffic: Entering a permit any or a ■ permit ip any any ACE in an ACL permits all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect.
  • Page 317: Rules For Defining A Match Between A Packet And An Access Control Entry (Ace)

    IPv4 Access Control Lists (ACLs) Planning an ACL Application Thus, the bits set to 1 in a network mask define the part of an IPv4 address to use for the network number, and the bits set to 0 in the mask define the part of the address to use for the host number.
  • Page 318 IPv4 Access Control Lists (ACLs) Planning an ACL Application ACL mask to overlap one bit, which allows matches with hosts in two subnets: 31.30.224.0 and 31.30.240.0. Bit Position in the Third Octet of Subnet Mask 255.255.240.0 Bit Values Subnet Mask Bits Mask Bit Settings Affecting 1 or 0 Subnet Addresses...
  • Page 319 IPv4 Access Control Lists (ACLs) Planning an ACL Application • A group of IPv4 addresses fits the matching criteria. In this case you provide both the address and the mask. For example: access-list 1 permit 10.28.32.1 0.0.0.31 Address Mask 10.28.32.1 0.0.0.31 This policy states that: –...
  • Page 320 IPv4 Access Control Lists (ACLs) Planning an ACL Application dictates that a match occurs only when the source address on such packets is identical to the address configured in the ACE. This ACL (a standard ACL named “Fileserver”) includes an ACE (Access Control Entry) that permits matches only with the packets received from 10.28.252.117 (the SA).
  • Page 321 IPv4 Access Control Lists (ACLs) Planning an ACL Application Table 9-3. Mask Effect on Selected Octets of the IPv4 Addresses in Table 9-2 Addr Octet Mask Octet Range all bits 248-255 0 or 1 0 or 1 0 or 1 last 3 bits all bits 32-47...
  • Page 322: Configuring And Assigning An Ipv4 Acl

    IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Configuring and Assigning an IPv4 ACL ACL Feature Page Configuring and Assigning a Standard ACL 9-44 Configuring and Assigning an Extended ACL 9-53 Enabling or Disabling ACL Filtering 9-73 Overview General Steps for Implementing ACLs 1. Configure one or more ACLs.
  • Page 323: Options For Permit/Deny Policies

    IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Options for Permit/Deny Policies The permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other IPv4 factors. Standard ACL: Uses only a packet's source IPv4 address as a crite­...
  • Page 324: Standard Acl Structure

    IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL 3. One or more deny/permit list entries (ACEs): One entry per line. Element Notes Type Standard or Extended Identifier • Alphanumeric; Up to 64 Characters, Including Spaces • Numeric: 1 - 99 (Standard) or 100 - 199 (Extended) Remark Allows up to 100 alphanumeric characters, including blank spaces.
  • Page 325: Extended Acl Configuration Structure

    IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, figure 9-7 shows how to interpret the entries in a standard ACL. ProCurve(Config)# show running ACL List Heading with List Type and Identifier (Name or Number) ip access-list standard “Sample-List” 10 deny 10.28.150.77 0.0.0.0 log ACE Action 20 permit 10.28.150.1 0.0.0.255...
  • Page 326 IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL ip access-list extended < identifier > [ [ seq-# ] remark < remark-str >] < permit | deny > < ipv4-protocol-type > < SA > < src-acl-mask > < DA > <dest-acl-mask > [log] <...
  • Page 327: Acl Configuration Factors

    IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, figure 9-9 shows how to interpret the entries in an extended ACL. ProCurve(config)# show running ACL List Heading with List Type and ID String (Name or Number) Running configuration: Indicates all possible ;...
  • Page 328 IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, suppose that you have applied the ACL shown in figure 9-10 to inbound IPv4 traffic on VLAN 1 (the default VLAN): Source Address Mask DestinationAddress Mask ip access-list extended "Sample-List-2" 10 deny ip 10.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255 20 deny ip 10.28.245.89 0.0.0.0 0.0.0.0 255.255.255.255 30 permit tcp 10.28.18.100 0.0.0.0 10.28.237.1 0.0.0.0...
  • Page 329: Allowing For The Implied Deny Function

    IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Line # Action Any packet from any IPv4 SA to any IPv4 DA will be permitted (forwarded). The only traffic to reach this ACE will be IPv4 packets not specifically permitted or denied by the earlier ACEs. n/a The Implicit Deny is a function the switch automatically adds as the last action in all ACLs.
  • Page 330: Using The Cli To Create An Acl

    IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Using the CLI To Create an ACL Command Page access-list (standard ACLs) 9-44 access-list (extended ACLs) 9-53 You can use either the switch CLI or an offline text editor to create an ACL. This section describes the CLI method, which is recommended for creating short ACLs.
  • Page 331: Using Cidr Notation To Enter The Ipv4 Acl Mask

    IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL To insert an ACE anywhere in a numbered ACL, use the same process as described above for inserting an ACE anywhere in a named ACL. For example, to insert an ACE denying IPv4 traffic from the host at 10.10.10.77 as line 52 in an existing ACL identified (named) with the number 11: ProCurve(config)# ip access-list standard 99...
  • Page 332: Configuring Standard Acls

    IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring Standard ACLs Table 9-6. Command Summary for Standard ACLs Action Command(s) Page Create a Standard, ProCurve(config)# ip access-list standard < name-str > 9-46 Named ACL ProCurve(config-std-nacl)# < deny | permit > <...
  • Page 333 IPv4 Access Control Lists (ACLs) Configuring Standard ACLs A standard ACL uses only source IPv4 addresses in its ACEs. This type of ACE is useful when you need to: Permit or deny any IPv4 traffic based on source address only. ■...
  • Page 334 IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring Named, Standard ACLs This section describes the commands for performing the following: creating and/or entering the context of a named, standard ACL ■ ■ appending an ACE to the end of an existing list or entering the first ACE in a new list For other IPv4 ACL topics, refer to the following: Topic...
  • Page 335 IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring ACEs in an Named, Standard ACL. Configuring ACEs is done after using the ip access-list standard < name-str > command described above to enter the “Named ACL” (nacl) context of an access list. For a standard ACL syntax summary, refer to table 9-6 on page 9-44.
  • Page 336 IPv4 Access Control Lists (ACLs) Configuring Standard ACLs [ log] This option generates an ACL log message if: • The action is deny. • There is a match. • ACL logging is enabled on the switch. (Refer to “” on page 9-96.) (Use the debug command to direct ACL logging output to the current console session and/or to a Syslog server.
  • Page 337: Configuring Named, Standard Acls

    IPv4 Access Control Lists (ACLs) Configuring Standard ACLs ProCurve(config)# show access-list Sample-List Access Control Lists Name: Sample-List Type: Standard Applied: No Entry ------------------------------------------------------------------------------- Action: permit : 10.10.10.104 Mask: 0.0.0.0 Note that each ACE is automatically assigned a Action: deny (log) sequence number.
  • Page 338 IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Creating or Adding to an Standard, Numbered ACL. This command is an alternative to using ip access-list standard < name-str > and does not use the “Named ACL” (nacl) context. For a standard ACL syntax summary, refer to table 9-6 on page 9-44.
  • Page 339 IPv4 Access Control Lists (ACLs) Configuring Standard ACLs < any | host < SA > | SA < mask | SA/mask-length >> Defines the source IPv4 address (SA) a packet must carry for a match with the ACE. • any — Allows IPv4 packets from any SA. • host <...
  • Page 340 IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Example of Creating and Viewing a Standard ACL. This example cre­ ates a standard, numbered ACL with the same ACE content as show in figure 9-11 on page 9-48. ProCurve(config)# access-list 17 permit host 10.10.10.104 ProCurve(config)# access-list 17 deny 10.10.10.1/24 log ProCurve(config)# access-list 17 permit any ProCurve(config)# show access-list 17...
  • Page 341: Configuring Extended Acls

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configuring Extended ACLs Table 9-7. Command Summary for Extended ACLs Action Command(s) Page Create an Extended, ProCurve(config)# ip access-list extended < name-str | 100-199 > 9-55 Named ACL ProCurve(config-std-nacl)# < deny | permit > <...
  • Page 342 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Action Command(s) Page Enter or Remove a ProCurve(config)# ip access-list extended < name-str | 100-199 > 9-81 Remark ProCurve(config-ext-nacl)# [ remark < remark-str > | no < 1 - 2147483647 > remark ] 9-83 For numbered, extended ACLs only, the following remark commands can be substituted for the above:...
  • Page 343: Configuring Named, Extended Acls

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configuring Named, Extended ACLs For a match to occur with an ACE in an extended ACL, a packet must have the source and destination address criteria specified by the ACE, as well as any IPv4 protocol-specific criteria included in the command.
  • Page 344 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Creating a Named, Extended ACL and/or Entering the “Named ACL” (nacl) Context. This command is a prerequisite to entering or editing ACEs in a named, extended ACL. (For a summary of the extended ACL syntax options, refer to table 9-7 on page 9-53.) Syntax: ip access-list extended <...
  • Page 345 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configure ACEs in a Named, Extended ACL and/or Enter the “Named ACL” (nacl) Context. Configuring ACEs is done after using the ip access- list standard < name-str > command described on page 9-56 to enter the “Named ACL”...
  • Page 346 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following: • ip — any IPv4 packet. • ip-protocol —...
  • Page 347 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < any | host < DA > | DA/mask-length | DA/ < mask >> This is the second instance of IPv4 addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match with the ACE.
  • Page 348 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ tos < tos-setting > ] This option can be used after the DA to cause the ACE to match packets with the specified Type-of-Service (ToS) setting. ToS values can be entered as the following numeric settings or, in the case of 0, 2, 4, and 8, as alphanumeric names: or normal “...
  • Page 349 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for TCP and UDP Traffic in Extended ACLs. An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic.
  • Page 350 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Port Number or Well-Known Port Name: Use the TCP or UDP port number required by your appli­ cation. The switch also accepts these well-known TCP or UDP port names as an alternative to their port numbers: • TCP: bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet • UDP: bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp,...
  • Page 351 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for ICMP Traffic in Extended ACLs. This option is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic. That is, an ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE.
  • Page 352 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ icmp-type-name ] These name options are an alternative to the [icmp-type [ icmp-code] ] methodology described above. For more infor­ mation, visit the IANA website cited above. administratively-prohibited net-tos-unreachable alternate-address net-unreachable conversion-error network-unknown dod-host-prohibited...
  • Page 353: Configuring Numbered, Extended Acls

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Option for IGMP in Extended ACLs. This option is useful where it is nec­ essary to permit some types of IGMP traffic and deny other types instead of simply permitting or denying all types of IGMP traffic. That is, an ACE designed to permit or deny IGMP traffic can optionally include an IGMP packet type to permit or deny an individual type of IGMP packet while not addressing other IGMP traffic types in the same ACE.
  • Page 354 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs For other IPv4 ACL topics, refer to the following: Topic Page configuring named, standard ACLs 9-46 configuring numbered, standard ACLs 9-49 configuring named, extended ACLs 9-55 applying or removing an ACL on an interface 9-73 deleting an ACL 9-74...
  • Page 355 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs If the ACL does not already exist, this command creates the specified ACL and its first ACE. If the ACL already exists, the new ACE is appended to the end of the configured list of explicit ACEs.
  • Page 356 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Specifies the packet protocol type required for a match. An extended ACL must include one of the following: • ip — any IPv4 packet. • ip-protocol — any one of the following IPv4 protocol names: ip-in-ip ipv6-in-ip gre ospf...
  • Page 357 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs SA Mask Application: The mask is applied to the SA in the ACL to define which bits in a packet’s source SA must exactly match the address configured in the ACL and which bits need not match.
  • Page 358 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ precedence < 0 - 7 | precedence-name >] This option causes the ACE to match packets with the specified IP precedence value. Values can be entered as the following IP precedence numbers or alphanumeric names: or routine priority “...
  • Page 359 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Additional Options for TCP and UDP Traffic. An ACE designed to per­ mit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic.
  • Page 360 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Syntax: access-list < 100 - 199 > < deny | permit > igmp < src-ip > < dest-ip > [ igmp-type ] The IGMP “type” criteria is identical to the criteria described for IGMP in named, extended ACLs, beginning on page 9-65.
  • Page 361: Adding Or Removing An Acl Assignment On An Interface

    IPv4 Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface Adding or Removing an ACL Assignment On an Interface Filtering Inbound IPv4 Traffic Per Port For a given port, port list, or static port trunk, you can assign an ACL as a static port ACL to filter any IPv4 traffic entering the switch on that interface.
  • Page 362: Deleting An Acl

    IPv4 Access Control Lists (ACLs) Deleting an ACL ProCurve(config)# interface b10 ip access-group My-List in Enables a static port ACL from the Global Configuration level. ProCurve(config)# interface b10 ProCurve(eth-b10)# ip access-group 155 in Enables a static port ACL ProCurve(eth-b10)# exit from a port context.
  • Page 363: Editing An Existing Acl

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL Editing an Existing ACL The CLI provides the capability for editing in the switch by using sequence numbers to insert or delete individual ACEs. An offline method is also avail­ able. This section describes using the CLI for editing ACLs. To use the offline method for editing ACLs, refer to “Creating or Editing ACLs Offline”...
  • Page 364: Sequence Numbering In Acls

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL You can delete any ACE from any ACL (named or numbered) by using ■ the ip access-list command to enter the ACL’s context, and then using the no < seq-# > command (page 9-79). Deleting the last ACE from an ACL leaves the ACL in memory.
  • Page 365: Inserting An Ace In An Existing Acl

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL For example, to append a fourth ACE to the end of the ACL in figure 9-16: roCurve(config)# ip access-list standard My-List ProCurve(config-std-nacl)# permit any ProCurve(config-std-nacl)# show run ip access-list standard "My-List" 10 permit 10.10.10.25 0.0.0.0 20 permit 10.20.10.117 0.0.0.0 30 deny 10.20.10.1 0.0.0.255...
  • Page 366 IPv4 Access Control Lists (ACLs) Editing an Existing ACL 2. Begin the ACE command with a sequence number that identifies the position you want the ACE to occupy. (The sequence number range is 1­ 2147483647.) 3. Complete the ACE with the command syntax appropriate for the type of ACL you are editing.
  • Page 367: Deleting An Ace From An Existing Acl

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL Deleting an ACE from an Existing ACL This action uses ACL sequence numbers to delete ACEs from an ACL. Syntax: ip access-list < standard | extended > < name-str | 1 - 99 | 100 - 199 > no <...
  • Page 368: Resequencing The Aces In An Acl

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL Resequencing the ACEs in an ACL This action reconfigures the starting sequence number for ACEs in an ACL, and resets the numeric interval between sequence numbers for ACEs config­ ured in the ACL. Syntax: ip access-list resequence <...
  • Page 369: Attaching A Remark To An Ace

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL Attaching a Remark to an ACE A remark is numbered in the same way as an ACE, and uses the same sequence number as the ACE to which it refers. This operation requires that the remark for a given ACE be entered prior to entering the ACE itself.
  • Page 370 IPv4 Access Control Lists (ACLs) Editing an Existing ACL Note After a numbered ACL has been created (using access-list < 1 - 99 | 100 - 199 >), it can be managed as either a named or numbered ACL. For example, in an existing ACL with a numeric identifier of “115”, either of the following com­...
  • Page 371 IPv4 Access Control Lists (ACLs) Editing an Existing ACL Inserting Remarks and Related ACEs Within an Existing List. To insert an ACE with a remark within an ACL by specifying a sequence number, insert the numbered remark first, then, using the same sequence number, insert the ACE.
  • Page 372: Operating Notes For Remarks

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL Operating Notes for Remarks The resequence command ignores “orphan” remarks that do not have ■ an ACE counterpart with the same sequence number. For example, if: • a remark numbered “55” exists in an ACE •...
  • Page 373: Displaying Acl Configuration Data

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying ACL Configuration Data ACL Commands Function Page show access-list Displays a brief listing of all IPv4 ACLs on the 9-86 switch. show access-list config Display the type, identifier, and content of all IPv4 9-87 ACLs configured in the switch.
  • Page 374: Display An Acl Summary

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display an ACL Summary This command lists the configured IPv4 ACLs. Syntax: show access-list List a summary table of the name, type, and application status of IPv4 ACLs configured on the switch. For example: ProCurve(config)# show access-list Access Control Lists...
  • Page 375: Display The Content Of All Acls On The Switch

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display the Content of All ACLs on the Switch This command lists the configuration details for the IPv4 ACLs in the running­ config file. Syntax: show access-list config List the configured syntax for all IPv4 ACLs currently config­ ured on the switch.
  • Page 376: Display Static Port Acl Assignments

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display Static Port ACL Assignments This command briefly lists the identification and type(s) of current static port ACL assignments to individual switch ports and trunks, as configured in the running-config file. (The switch allows one static port ACL assignment per port.) Syntax: show access-list ports <...
  • Page 377: Displaying The Content Of A Specific Acl

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying the Content of a Specific ACL This command displays a specific ACL configured in the running config file in an easy-to-read tabular format. Note This information also appears in the show running display. If you execute write memory after configuring an ACL, it also appears in the show config display.
  • Page 378 IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data ProCurve(config)# show access-list List-120 Access Control Lists Name: List-120 Type: Extended Indicates whether the ACL is applied to an interface. Applied: No SEQ Entry Indicates source and destination entries in the ACL. ---------------------------------------------------------------------- 10 Action: permit Remark: Telnet Allowed...
  • Page 379: Display All Acls And Their Assignments In The Routing Switch Startup-Config File And Running-Config File

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Field Description Used for Standard ACLs: The source IP address to which the configured mask is applied to determine whether there is a match with a packet. Src IP Used for Extended ACLs: Same as above. Dst IP Used for Extended ACLs: The source and destination IP addresses to which the corresponding configured masks are applied to determine whether there is a match with a packet.
  • Page 380: Monitoring Static Acl Performance

    IPv4 Access Control Lists (ACLs) Monitoring Static ACL Performance Monitoring Static ACL Performance ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help, for example, to determine whether a particular traffic type is being filtered by the intended ACE in an assigned list, or if traffic from a particular device or network is being filtered as intended.
  • Page 381 IPv4 Access Control Lists (ACLs) Monitoring Static ACL Performance ACE Counter Operation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset.
  • Page 382: Creating Or Editing Acls Offline

    IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline Creating or Editing ACLs Offline The section titled “Editing an Existing ACL” on page 9-75 describes how to use the CLI to edit an ACL, and is most applicable in cases where the ACL is short or there is only a minor editing task to perform.
  • Page 383 IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax, begin the command file with a no ip access- list command to remove the earlier version of the ACL from the switch’s running-config file.
  • Page 384: Enable Acl "Deny" Logging

    IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enable ACL “Deny” Logging ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” action. You can use ACL logging to help: Test your network to ensure that your ACL configuration is detecting ■...
  • Page 385: Acl Logging Operation

    IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging ACL Logging Operation When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination.
  • Page 386: Enabling Acl Logging On The Switch

    IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enabling ACL Logging on the Switch 1. If you are using a Syslog server, use the logging < ip-addr > command to configure the Syslog server IP address(es). Ensure that the switch can access any Syslog server(s) you specify.
  • Page 387: General Acl Operating Notes

    IPv4 Access Control Lists (ACLs) General ACL Operating Notes General ACL Operating Notes ACLs do not provide DNS hostname support. ACLs cannot be config­ ured to screen hostname IP traffic between the switch and a DNS. ACLs Do Not Affect Serial Port Access. ACLs do not apply to the switch’s serial port.
  • Page 388 IPv4 Access Control Lists (ACLs) General ACL Operating Notes Monitoring Shared Resources. Applied ACLs share internal switch resources with several other features. The switch provides ample resources for all features. However, if the internal resources become fully subscribed, additional ACLs cannot be applied until the necessary resources are released from other applications.
  • Page 389 Configuring Advanced Threat Protection Contents Introduction ..........10-2 DHCP Snooping .
  • Page 390: Configuring Advanced Threat Protection

    Configuring Advanced Threat Protection Introduction Introduction As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (such as partners, temporary employees, and visitors), additional protection from attacks launched from both inside and outside your internal network is often neces­ sary.
  • Page 391: Dhcp Snooping

    Configuring Advanced Threat Protection DHCP Snooping • Attempts to exhaust system resources so that sufficient resources are not available to transmit legitimate traffic, indicated by an unusually high use of specific system resources • Attempts to attack the switch’s CPU and introduce delay in system response time to new network events •...
  • Page 392: Enabling Dhcp Snooping

    Configuring Advanced Threat Protection DHCP Snooping DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded.
  • Page 393 Configuring Advanced Threat Protection DHCP Snooping option Add relay information option (Option 82) to DHCP client packets that are being forwarded out trusted ports. The default is yes add relay information. trust Configure trusted ports. Only server packets received on trusted ports are forwarded. Default: untrusted. verify Enables DHCP packet validation.
  • Page 394: Enabling Dhcp Snooping On Vlans

    Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# show dhcp-snooping stats Packet type Action Reason Count ----------- ------- ---------------------------- --------- server forward from trusted port client forward to trusted port server drop received on untrusted port server drop unauthorized server client drop destination on untrusted port client...
  • Page 395: Configuring Dhcp Snooping Trusted Ports

    Configuring Advanced Threat Protection DHCP Snooping Configuring DHCP Snooping Trusted Ports By default, all ports are untrusted. To configure a port or range of ports as trusted, enter this command: ProCurve(config)# dhcp-snooping trust <port-list> You can also use this command in the interface context, in which case you are not able to enter a list of ports.
  • Page 396: Configuring Authorized Server Addresses

    Configuring Advanced Threat Protection DHCP Snooping Configuring Authorized Server Addresses If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the autho­ rized server list in order to be considered valid. If no authorized servers are configured, all servers are considered valid.
  • Page 397 Configuring Advanced Threat Protection DHCP Snooping N o t e DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, not on VLANS without snooping enabled. If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned.
  • Page 398: Changing The Remote-Id From A Mac To An Ip Address

    Configuring Advanced Threat Protection DHCP Snooping Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address of the switch as the remote- id in Option 82 additions. The IP address of the VLAN the packet was received on or the IP address of the management VLAN can be used instead by entering this command with the associated parameter: ProCurve(config)# dhcp-snooping option 82 remote-id...
  • Page 399: The Dhcp Binding Database

    Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# dhcp-snooping verify mac ProCurve(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping : Yes Enabled Vlans : 4 Verify MAC : yes Option 82 untrusted policy : drop Option 82 Insertion : Yes Option 82 remote-id : subnet-ip Figure 10-7.
  • Page 400: Operational Notes

    Configuring Advanced Threat Protection DHCP Snooping A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command. Syntax: show dhcp-snooping binding ProCurve(config)# show dhcp-snooping binding MacAddress VLAN Interface Time left...
  • Page 401: Log Messages

    Configuring Advanced Threat Protection DHCP Snooping ProCurve recommends running a time synchronization protocol such as ■ SNTP in order to track lease times accurately. ■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot. Log Messages Server <ip-address>...
  • Page 402 Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay information logs for <duration>. More than one DHCP client packet received on an untrusted port with a relay information field was dropped. To avoid filling the log file with repeated attempts, untrusted relay information packets will not be logged for the specified <duration>.
  • Page 403: Dynamic Arp Protection

    Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings adver­ tised in the source protocol address and source physical address fields are discarded.
  • Page 404 During this process, if ARP packets are received at too high a line rate, some ARP packets may be dropped and will need to be retrans­ mitted. ■ The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure dynamic ARP protection and to report ARP packet-forwarding status and counters. 10-16...
  • Page 405: Enabling Dynamic Arp Protection

    Configuring Advanced Threat Protection Dynamic ARP Protection Enabling Dynamic ARP Protection To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp protect vlan command at the global configuration level. Syntax: [no] arp protect vlan [vlan-range] vlan-range Specifies a VLAN ID or a range of VLAN IDs from one to 4094;...
  • Page 406 Configuring Advanced Threat Protection Dynamic ARP Protection Figure 10-9. Configuring Trusted Ports for Dynamic ARP Protection Take into account the following configuration guidelines when you use dynamic ARP protection in your network: You should configure ports connected to other switches in the network ■...
  • Page 407: Adding An Ip-To-Mac Binding To The Dhcp Database

    Configuring Advanced Threat Protection Dynamic ARP Protection Adding an IP-to-MAC Binding to the DHCP Database A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet validation. Both the DHCP snooping and DHCP Option 82 insertion features maintain the lease database by learning the IP-to-MAC bindings on untrusted ports.
  • Page 408: Configuring Additional Validation Checks On Arp Packets

    Configuring Advanced Threat Protection Dynamic ARP Protection Configuring Additional Validation Checks on ARP Packets Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp protect validate command at the global configuration level.
  • Page 409: Displaying Arp Packet Statistics

    Configuring Advanced Threat Protection Dynamic ARP Protection ProCurve(config)# show arp protect ARP Protection Information Enabled Vlans : 1-4094 Validate : dst-mac, src-mac Port Trust ----- ----- Figure 10-10.The show arp protect Command Displaying ARP Packet Statistics To display statistics about forwarded ARP packets, dropped ARP packets, MAC validation failure, and IP validation failures, enter the show arp protect statistics command: ProCurve(config)# show arp protect statistics...
  • Page 410: Monitoring Dynamic Arp Protection

    Configuring Advanced Threat Protection Dynamic ARP Protection Monitoring Dynamic ARP Protection When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp protect command. Use this command when you want to debug the following conditions: ■...
  • Page 411: Using The Instrumentation Monitor

    Configuring Advanced Threat Protection Using the Instrumentation Monitor Using the Instrumentation Monitor The instrumentation monitor can be used to detect anomalies caused by security attacks or other irregular operations on the switch. The following table shows the operating parameters that can be monitored at pre-deter­ mined intervals, and the possible security attacks that may trigger an alert: Parameter Name Description...
  • Page 412: Operating Notes

    Configuring Advanced Threat Protection Using the Instrumentation Monitor Operating Notes To generate alerts for monitored events, you must enable the instru­ ■ mentation monitoring log and/or SNMP trap. The threshold for each monitored parameter can be adjusted to minimize false alarms (see “Configuring Instrumentation Monitor”...
  • Page 413: Configuring Instrumentation Monitor

    Configuring Advanced Threat Protection Using the Instrumentation Monitor Configuring Instrumentation Monitor The following commands and parameters are used to configure the opera­ tional thresholds that are monitored on the switch. By default, the instrumen­ tation monitor is disabled. Syntax: [no] instrumentation monitor [parameterName|all] [<low|med|high|limitValue>] [log] : Enables/disables instrumentation monitoring log so that event log messages are generated every time there is an event which exceeds a configured threshold.
  • Page 414: Examples

    Configuring Advanced Threat Protection Using the Instrumentation Monitor To enable instrumentation monitor using the default parameters and thresh­ olds, enter the general instrumentation monitor command. To adjust specific settings, enter the name of the parameter that you wish to modify, and revise the threshold limits as needed.
  • Page 415: Viewing The Current Instrumentation Monitor Configuration

    Configuring Advanced Threat Protection Using the Instrumentation Monitor Viewing the Current Instrumentation Monitor Configuration The show instrumentation monitor configuration command displays the config­ ured thresholds for monitored parameters. ProCurve# show instrumentation monitor configuration PARAMETER LIMIT ------------------------- -------------- - mac-address-count 1000 (med) ip-address-count 1000 (med) system-resource-usage...
  • Page 416 Configuring Advanced Threat Protection Using the Instrumentation Monitor 10-28...
  • Page 417 Traffic/Security Filters and Monitors Contents Overview ........... . 11-2 Introduction .
  • Page 418: Traffic/Security Filters And Monitors

    Traffic/Security Filters and Monitors Overview Overview Applicable Switch Models. As of June 2007, Traffic/Security filters are available on these current ProCurve switch models: Switch Models Source-Port Protocol Multicast Filters Filters Filters Switch 8212zl Series 6400cl Series 5400zl Series 4200vl Series 3500yl Series 3400cl Series 2910al Series 2800...
  • Page 419: Using Port Trunks With Filters

    Traffic/Security Filters and Monitors Filter Types and Operation You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic. That is, you can configure a traffic filter to either forward or drop all network traffic moving to outbound (destination) ports and trunks (if any) on the switch.
  • Page 420: Source-Port Filters

    Traffic/Security Filters and Monitors Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports. Server Node “A” Port Port Switch 8212zl Configured for Node Source-Port...
  • Page 421: Example

    Traffic/Security Filters and Monitors Filter Types and Operation When you create a source port filter, all ports and port trunks (if any) ■ on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or trunks, the switch automatically forwards traffic to the outbound ports and/or trunks you do not specifically configure to drop traffic.
  • Page 422: Named Source-Port Filters

    Traffic/Security Filters and Monitors Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to destination port 7 (server "A"). Notice that the filter allows traffic to move from source port 5 to all other destination ports.
  • Page 423: Defining And Configuring Named Source-Port Filters

    Traffic/Security Filters and Monitors Filter Types and Operation To change the named source-port filter used on a port or port trunk, ■ the current filter must first be removed, using the no filter source-port named-filter <filter-name > command. A named source-port filter can only be deleted when it is not applied ■...
  • Page 424 Traffic/Security Filters and Monitors Filter Types and Operation filter source-port named-filter <filter-name > forward Syntax: < destination-port-list > Configures the named source-port filter to forward traffic having a destination on the ports and/or port trunks in the <destination-port-list>. Since “forward” is the default state for destinations in a filter, this command is useful when destinations in an existing filter are configured for “drop”...
  • Page 425: Viewing A Named Source-Port Filter

    Traffic/Security Filters and Monitors Filter Types and Operation Viewing a Named Source-Port Filter You can list all source-port filters configured in the switch, both named and unnamed, and their action using the show command below. Syntax: show filter source-port Displays a listing of configured source-port filters, where each filter entry includes a Filter Name, Port List, and Action: Filter Name: The filter-name used when a named...
  • Page 426 Traffic/Security Filters and Monitors Filter Types and Operation Defining and Configuring Example Named Source-Port Filters. While named source-port filters may be defined and configured in two steps, this is not necessary. Here we define and configure each of the named source-port filters for our example network in a single step.
  • Page 427 Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter Traffic/Security Filters Indicates the port number or port- IDX Filter Type | Value trunk name of the source port or trunk --- ------------ + ------------------- assigned to the filter. Source Port Source Port An automatically assigned index...
  • Page 428 Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 24 ProCurve(config)# show filter 4 Traffic/Security Filters Traffic/Security Filters Filter Type : Source Port Filter Type : Source Port Source Port : 10 Source Port : 5 Dest Port Type | Action Dest Port Type...
  • Page 429 Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port Type | Action --------- --------- + ------------------------ 10/100TX | Forward 10/100TX | Forward 10/100TX | Forward 10/100TX | Forward 10/100TX...
  • Page 430 Traffic/Security Filters and Monitors Filter Types and Operation The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command. ProCurve(config)# filter source-port named-filter accounting forward 8,12,13 ProCurve(config)# filter source-port named-filter no-incoming-web drop 8,12,13 ProCurve(config)# ProCurve(config)# show filter source-port...
  • Page 431: Static Multicast Filters

    Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter source-port Traffic/Security Filters Filter Name | Port List | Action -------------------- + -------------------- + -------------------------- web-only | 2-6,9,14-26 | drop 2-26 accounting | 7-8,10-13 | drop 1-6,9,14-26 no-incoming-web | drop 7-8,10-13 ProCurve(config)# Figure 11-13.
  • Page 432: Protocol Filters

    Traffic/Security Filters and Monitors Filter Types and Operation Table 11-2. Multicast Filter Limits Max-VLANs Maximum # of Multicast Filters (Static and Setting IGMP Combined) 1 (the minimum) 8 (the default) 32 or higher N o t e s Per-Port IP Multicast Filters. The static multicast filters described in this section filter traffic having a multicast address you specify.
  • Page 433: Configuring Traffic/Security Filters

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Only one filter for a particular protocol type can be configured at any one time. For example, a separate protocol filter can be configured for each of the protocol types listed above, but only one of those can be an IP filter. Also, the destination ports for a protocol filter can be on different VLANs.
  • Page 434: Configuring A Source-Port Traffic Filter

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port < port-number | trunk-name>] Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the source- port filter for <...
  • Page 435: Example Of Creating A Source-Port Filter

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a source-port filter that drops all traffic received on port 5 with a destination of port trunk 1 (Trk1) and any port in the range of port 10 to port 15.
  • Page 436: Editing A Source-Port Filter

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following: The *5* shows that port 5 is configured for filtering, but the filtering action has been suspended while the port is a member of a trunk.
  • Page 437: Configuring A Multicast Or Protocol Traffic Filter

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Figure 11-15. Assigning Additional Destination Ports to an Existing Filter Configuring a Multicast or Protocol Traffic Filter Syntax: [no] filter [multicast < mac- address >] Specifies a multicast address. Inbound traffic received (on any port) with this multicast address will be filtered.
  • Page 438: Filter Indexing

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters For example, suppose you wanted to configure the filters in table 11-3 on a switch. (For more on source-port filters, refer to “Configuring a Source-Port Traffic Filter” on page 11-18.) Table 11-3. Filter Example Filter Type Filter Value Action...
  • Page 439: Displaying Traffic/Security Filters

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Displaying Traffic/Security Filters This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters. Syntax: show filter Lists the filters configured in the switch, with corresponding filter index (IDX) numbers.
  • Page 440 Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Lists all filters configured in the switch. Filter Index Numbers Criteria for Individual (Automatically Assigned) Filters Uses the index number (IDX) for a specific filter to list the details for that filter only. Figure 11-17.
  • Page 441: User-Based Access Control (802.1X)

    Configuring Port-Based and User-Based Access Control (802.1X) Contents Overview ........... . 12-3 Why Use Port-Based or User-Based Access Control? .
  • Page 442 Configuring Port-Based and User-Based Access Control (802.1X) Contents 3. Configure the 802.1X Authentication Method ....12-26 4. Enter the RADIUS Host IP Address(es) ..... 12-27 5.
  • Page 443: Overview

    Configuring Port-Based and User-Based Access Control (802.1X) Overview Overview Feature Default Menu Configuring Switch Ports as 802.1X Authenticators Disabled page 12-19 Configuring 802.1X Open VLAN Mode Disabled page 12-31 Configuring Switch Ports to Operate as 802.1X Supplicants Disabled page 12-49 Displaying 802.1X Configuration, Statistics, and Counters page 12-53 How 802.1X Affects VLAN Operation...
  • Page 444: User Authentication Methods

    Configuring Port-Based and User-Based Access Control (802.1X) Overview • Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication.
  • Page 445: 802.1X Port-Based Access Control

    Configuring Port-Based and User-Based Access Control (802.1X) Overview credentials. This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated. All sessions must use the same untagged VLAN.
  • Page 446: Alternative To Using A Radius Server

    Configuring Port-Based and User-Based Access Control (802.1X) Terminology This operation unblocks the port while an authenticated client session is in progress. In topologies where simultaneous, multiple client access is possible this can allow unauthorized and unauthenticated access by another client while an authenticated client is using the port.
  • Page 447 Configuring Port-Based and User-Based Access Control (802.1X) Terminology a port loses its authenticated client connection, it drops its membership in this VLAN. Note that with multiple clients on a port, all such clients use the same untagged, port-based VLAN membership. Authentication Server: The entity providing an authentication service to the switch when the switch is configured to operate as an authenticator.
  • Page 448 Configuring Port-Based and User-Based Access Control (802.1X) Terminology Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan < vid > command or the Menu interface. Supplicant: The entity that must provide the proper credentials to the switch before receiving access to the network.
  • Page 449: General 802.1X Authenticator Operation

    Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode”...
  • Page 450: Vlan Membership Priority

    Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation N o t e The switches covered in this guide can use either 802.1X port-based authen­ tication or 802.1X user-based authentication. For more information, refer to “User Authentication Methods” on page 12-4. VLAN Membership Priority Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration.
  • Page 451 Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation New Client Authenticated Another Assign New Client (Old) Client RADIUS- to RADIUS- Already Using Assigned Specified VLAN Port VLAN? Authorized Client VLAN Assign New Client Accept New Client VLAN Same As Old to Authorized VLAN Configured?
  • Page 452: General Operating Rules And Notes

    Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed: • Multicast and broadcast traffic is allowed on the port. •...
  • Page 453 Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes If a port on switch “A” is configured as an 802.1X supplicant and is ■ connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection. ■...
  • Page 454 Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes not enabled. That is, any non-authenticating client attempting to access the port after another client authenticates with port-based 802.1X would still have to authenticate through Web-Auth or MAC-Auth. 12-14...
  • Page 455: General Setup Procedure For 802.1X Access Control

    Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Access Control Do These Steps Before You Configure 802.1X Operation 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels.
  • Page 456 Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control ProCurve(config)# password port-access user-name Jim secret3 Figure 12-2. Example of the Password Port-Access Command You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command. For more infor­ mation, see “Saving Security Credentials in a Config File”...
  • Page 457 Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control 3. Determine whether to use user-based access control (page 12-4) or port- based access control (page 12-5). 4. Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware;...
  • Page 458: Overview: Configuring 802.1X Authentication On The Switch

    Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to the following: “802.1X User-Based Access Control”...
  • Page 459: Configuring Switch Ports As 802.1X Authenticators

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators N o t e If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected.
  • Page 460: Enable 802.1X Authentication On Selected Ports

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps: A.
  • Page 461: Specify User-Based Authentication Or Return To Port-Based Authentication

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User-Based Authentication or Return to Port-Based Authentication User-Based 802.1X Authentication. Syntax: aaa port-access authenticator client-limit < port-list > < 1 -8> Used after executing aaa port-access authenticator < port-list > (above) to convert authentication from port-based to user- based.
  • Page 462: Example: Configuring User-Based 802.1X Authentication

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Example: Configuring User-Based 802.1X Authentication This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication. ProCurve(config)# aaa port-access authenticator a10-A12 ProCurve(config)# aaa port-access authenticator a10-A12 client-limit 4 Figure 12-4.
  • Page 463 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).
  • Page 464 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).
  • Page 465 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid <...
  • Page 466: Configure The 802.1X Authentication Method

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator You can configure local, chap-radius or eap-radius as the primary password authentication method for the port-access method.
  • Page 467: Enter The Radius Host Ip Address(Es)

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication. The following syntax shows the basic commands.
  • Page 468: Optional: Reset Authenticator Operation

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentication is operating, you can use the following aaa port- access authenticator commands to reset 802.1X authentication and statistics on specified ports. Syntax: aaa port-access authenticator <...
  • Page 469: Wake-On-Lan Traffic

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid ■ Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network. For information on how to configure the prerequisites for using the aaa port- access controlled-directions in command, see Chapter 4, “Multiple Instance Spanning-Tree Operation”...
  • Page 470: Example: Configuring 802.1X Controlled Directions

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-directions command is applied to all authentication methods configured on the switch.
  • Page 471: 802.1X Open Vlan Mode

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 12-19 802.1X Supplicant Commands page 12-51 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator < port-list > page 12-45 [auth-vid < vlan-id >] [unauth-vid <...
  • Page 472: Vlan Membership Priorities

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports configured to allow multiple sessions using 802.1X user-based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, authenticated clients, the first authenticated client determines the untagged VLAN in which the port will operate for all subsequent, overlapping client sessions.
  • Page 473: Use Models For 802.1X Open Vlan Modes

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode N o t e After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port is a tagged member of a VLAN used for 1 or 2 listed above, then it also operates as an untagged member of that VLAN while the client is connected.
  • Page 474 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 12-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN • When the port detects a client without 802.1X supplicant capability, it automatically becomes an untagged member of this...
  • Page 475 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Authorized-Client VLAN • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN. Notes: If the client is running an 802.1X supplicant application when the authentication session begins, and is able to authenticate itself before the switch assigns the port to the Unauthorized-Client VLAN, then the port does not become a...
  • Page 476 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
  • Page 477 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.
  • Page 478: Operating Rules For Authorized-Client And Unauthorized-Client Vlans

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Table 12-2. Operating Rules for Client VLANs Condition Rule Static VLANs used as Authorized- These must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1X authenticator port to use them.
  • Page 479 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily session on untagged port VLAN moves the port to the Unauthorized-Client VLAN (also untagged).
  • Page 480 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of RADIUS-assigned VLAN The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN.
  • Page 481 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VL