Page 1 HP Switch Software Access Security Guide E3800 switches Software version KA.15.03 September 2011...
Page 3 HP Networking E3800 Switches September 2011 KA.15.03 Access Security Guide...
Page 4 Publication Number performance, or use of this material. 5998-2707 The only warranties for HP products and services are set September 2011 forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Page 5: Table Of Contents
Arbitrating Client-Specific Attributes ..... . 1-18 HP Identity-Driven Manager (IDM) ......1-20...
Page 6 2 Configuring Username and Password Security Overview ........... . . 2-1 Configuring Local Password Security .
Page 7 3 Virus Throttling (Connection-Rate Filtering) Overview of Connection-Rate Filtering ......3-1 Features and Benefits ........3-2 General Operation .
Page 8 4 Web and MAC Authentication Overview ........... . . 4-1 Web Authentication .
Page 9 HTTP Redirect When MAC Address Not Found ....4-59 How HTTP Redirect Works ......4-60 Diagram of the Registration Process .
Page 10 Controlling WebAgent Access When Using TACACS+ Authentication ....... 5-28 Messages Related to TACACS+ Operation ..... 5-29 Operating Notes .
Page 11 Commands Authorization ........6-36 Enabling Authorization .
Page 12 Example Using HP VSA 63 To Assign IPv6 and/or IPv4 ACLs . . 7-29 Example Using HP VSA 61 To Assign IPv4 ACLs ... . 7-32 To configure the above ACL, you would enter the username/ password and ACE information shown in figure 7-11 into the FreeRADIUS “users”...
Page 13 Event Log Messages ........7-42 Causes of Client Deauthentication Immediately After Authenticating .
Page 14 Steps for Configuring and Using SSL for Switch and Client Authentication ..........9-4 General Operating Rules and Notes .
Page 15 RADIUS-Assigned (Dynamic) Port ACL Applications ..10-17 Multiple ACLs on an Interface ....... 10-19 Features Common to All ACL Applications .
Page 16 Configuring Standard ACLs ........10-50 Command Summary for Standard ACLs ..... . 10-50 Configuring Named, Standard ACLs .
Page 17 Enable ACL “Deny” Logging ....... . 10-112 Requirements for Using ACL Logging ......10-112 ACL Logging Operation .
Page 18 Monitoring Dynamic ARP Protection ......11-22 Dynamic IP Lockdown ........11-22 Protection Against IP Source Address Spoofing .
Page 19 Static Multicast Filters ........12-14 Protocol Filters .
Page 20 B. Specify User-Based Authentication or Return to Port-Based Authentication ......13-19 Example: Configuring User-Based 802.1X Authentication .
Page 21 How RADIUS/802.1X Authentication Affects VLAN Operation . 13-69 VLAN Assignment on a Port ....... . . 13-70 Operating Notes .
Page 22 CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags ....... 14-36 Using the Event Log To Find Intrusion Alerts .
Page 23: Product Documentation
The latest version of each of the publications listed below is available in PDF format on the HP Web site, as described in the Note at the top of this page. Installation and Getting Started Guide—Explains how to prepare and ■...
Page 24: Software Feature Index
Software Feature Index For the software manual set supporting your E3800 switch model, this feature index indicates which manual to consult for information on a given software feature. Software Features Manual Management Advanced Multicast Access IPv6 Basic Traffic Security Configuration Operation Configuration Management...
Page 25 Software Features Manual Management Advanced Multicast Access IPv6 Basic Traffic Security Configuration Operation Configuration Management Routing Guide Guide Guide DHCP Snooping DHCP/Bootp Operation Diagnostic Tools Diagnostics and Troubleshooting (IPv6) Distributed Trunking Downloading Software Dynamic ARP Protection Dynamic Configuration Arbiter Dynamic IP Lockdown Eavesdrop Protection Equal Cost Multi-Path (ECMP) Event Log...
Page 26 Software Features Manual Management Advanced Multicast Access IPv6 Basic Traffic Security Configuration Operation Configuration Management Routing Guide Guide Guide IP Routing IPv6 Static Routing Jumbo Packets Key Management System (KMS) LACP LLDP LLDP-MED Loop Protection MAC Address Management MAC Lockdown MAC Lockout MAC-based Authentication Management VLAN...
Page 27 Software Features Manual Management Advanced Multicast Access IPv6 Basic Traffic Security Configuration Operation Configuration Management Routing Guide Guide Guide Passwords and Password Clear Protection PCM/PCM+ PIM-DM (Dense Mode) PIM-SM (Sparse Mode) Ping Port Configuration Port Monitoring Port Security Port Status Port Trunking (LACP) Port-Based Access Control (802.1X) Power over Ethernet (PoE and PoE+)
Page 28 Software Features Manual Management Advanced Multicast Access IPv6 Basic Traffic Security Configuration Operation Configuration Management Routing Guide Guide Guide Secure Copy Secure Copy (IPv6) Secure FTP (IPv6) sFlow SFTP SNMPv3 SNMP (IPv6) Software Downloads (SCP/SFTP, TFPT, Xmodem) Source-Port Filters Spanning Tree (STP, RSTP, MSTP) SSHv2 (Secure Shell) Encryption SSH (IPv6) SSL (Secure Socket Layer)
Page 29 Software Features Manual Management Advanced Multicast Access IPv6 Basic Traffic Security Configuration Operation Configuration Management Routing Guide Guide Guide Uni-Directional Link Detection (UDLD) UDP Forwarder USB Device Support Virus Throttling (Connection-Rate Filtering) VLANs VLAN Mirroring (1 static VLAN) Voice VLAN VRRP Web Authentication RADIUS Support Web-based Authentication...
Page 30 xxviii...
Page 31: Security Overview
For detailed information on individual features, see the references provided. Before you connect your switch to a network, HP recommends that you review the section titled “Getting Started with Access Security” on page 1-10.
Page 32 Security Overview Introduction For the latest version of all HP networking switch documentation, including Release Notes covering recently added features and other software topics, visit the HP networking web site at www.hp/support/manuals.
Page 33: Access Security Features
Security Overview Access Security Features Access Security Features This section provides an overview of the switch’s access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter and page references are to this Access Security Guide unless a different manual name is indicated).
Page 34 Security Overview Access Security Features Feature Default Security Guidelines More Information and Setting Configuration Details Telnet and enabled The default remote management protocols enabled on “Quick Start: Using the Web-browser the switch are plain text protocols, which transfer Management Interface access passwords in open or plain text that is easily captured.
Page 35 Secure disabled This feature creates an isolated network for managing Advanced Traffic Management the HP switches that offer this feature. When a secure Management Guide, refer to VLAN management VLAN is enabled, CLI, Menu interface, and the chapter “Static Virtual WebAgent access is restricted to ports configured as LANs (VLANs)”...
Page 36 • port-based access control allowing authentication by a single client to open the port • switch operation as a supplicant for point-to-point connections to other 802.1X-compliant HP switches Web and MAC none These options are designed for application on the edge Chapter 4, “Web and MAC...
Page 37: Network Security Features
“Using Secure Copy and SFTP” USB Autorun enabled Used in conjunction with HP E-PCM Plus, this feature Management and (disabled allows diagnosis and automated updates to the switch Configuration Guide, once a via the USB flash drive.
Page 38 Security Overview Network Security Features Feature Default Security Guidelines More Information and Setting Configuration Details Access Control none ACLs can filter traffic to or from a host, a group of hosts, Chapter 10, “IPv4 Access Lists (ACLs) or entire subnets. Layer 3 IP filtering with Access Control Control Lists (ACLs)”...
Page 39 Default Security Guidelines More Information and Setting Configuration Details none KMS is available in several HP switch models and is Chapter 16, “Key Management designed to configure and maintain key chains for use Management System” System (KMS) with KMS-capable routing protocols that use time- dependent or time-independent keys.
Page 40: Getting Started With Access Security
Getting Started with Access Security Getting Started with Access Security HP switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network...
Page 41: Quick Start: Using The Management Interface Wizard
Security Overview Getting Started with Access Security Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following: Disable or re-enable the password-clearing function of the Clear button. ■...
Page 42: Cli: Management Interface Wizard
Security Overview Getting Started with Access Security CLI: Management Interface Wizard To configure security settings using the CLI wizard, follow the steps below: At the command prompt, type setup mgmt-interfaces. The welcome banner appears and the first setup option is displayed (Operator password).
Page 43: Webagent: Management Interface Wizard
Security Overview Getting Started with Access Security When you enter the wizard, you have the following options: • To update a setting, type in a new value, or press [Enter] to keep the current value. • To quit the wizard without saving any changes, press [CTRL-C] at any time.
Page 44: Snmp Security Guidelines
SNMP Access to the Authentication Configuration MIB. A management station running an SNMP networked device management application, such as HP E-PCM Plus or HP OpenView, can access the switch’s management information base (MIB) for read access to the switch’s status and read/write access to the switch’s authentication configuration...
Page 45 Security Overview Getting Started with Access Security N o t e o n S N M P Downloading and booting from the K.12.xx or greater software version for the A c c e s s t o first time enables SNMP access to the authentication configuration MIB (the A u t h e n t i c a t i o n default action).
Page 46: Precedence Of Security Options
Security Overview Precedence of Security Options Precedence of Security Options This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch. Precedence of Port-Based Security Options Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest.
Page 47: Network Immunity Manager
Network Immunity Manager Network Immunity Manager (NIM) is a plug-in to HP E-PCM Plus and a key component of the HP Network Immunity security solution that provides comprehensive detection and per-port-response to malicious traffic at the HP network edge.
Page 48: Arbitrating Client-Specific Attributes
NIM-configured, RADIUS-assigned, and statically configured settings. Precedence is always given to the temporarily applied NIM-configured parameters over RADIUS-assigned and locally configured parameters. For information on Network Immunity Manager, go to the HP Networking Web site at www.hp.com/solutions, Arbitrating Client-Specific Attributes In previous releases, client-specific authentication parameters for 802.1X...
Page 49 Security Overview Precedence of Security Options Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
Page 50: Hp Identity-Driven Manager (Idm)
HP Identity-Driven Manager (IDM) HP Identity-Driven Manager (IDM) IDM is a plug-in to HP E-PCM Plus and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.
Page 51: Configuring Username And Password Security
Configuring Username and Password Security Overview Feature Default Menu WebAgent Set Usernames none — — page 2-9 Set a Password none page page 2-6 page 2-9 Delete Password Protection page page 2-6 page 2-9 show front-panel-security — page 1-13 — front-panel-security —...
Page 52 Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
Page 53 Configuring Username and Password Security Overview N o t e s The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and WebAgent. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
Page 54: Configuring Local Password Security
Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a user- name requires either the CLI or the WebAgent. From the Main Menu select: 3.
Page 55 Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and pass- words (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
Page 56: Cli: Setting Passwords And Usernames
Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below. Configuring Manager and Operator Passwords. N o t e The password command has changed. You can now configure manager and operator passwords in one step.
Page 57 Configuring Username and Password Security Configuring Local Password Security If you want to remove both operator and manager password protection, use the no password all command. Username and Password Length. The limit on usename and password length is 64 characters for the following authentication methods: Front-end—WEB User Interface, SSH, and Telnet ■...
Page 58 Execute the CLI command no password all. This clears all the passwords. Then execute a CLI write memory command (required if the include- credentials feature has ever been enabled). HP Switch(config)# no password all Password protections will be deleted, do you want to continue [y/n]? y HP Switch(config)# write mem Clear the password by using the "Clear"...
Page 59: Webagent: Setting Passwords And Usernames
Configuring Username and Password Security Configuring Local Password Security If You Cannot Access the Switch Using the Previous Password If you cannot access the switch after a software version downgrade, clear the password by using the "Clear" button on the switch to regain access. Then boot into a software version that supports long passwords, and perform steps 1, 2, or 3 in the preceding section.
Page 60: Saving Security Credentials In A Config File
By permanently saving a switch’s security credentials in a configuration file, you can upload the file to a TFTP server or Xmodem host, and later download the file to the HP switches on which you want to use the same security settings without having to manually configure the settings (except for SNMPv3 user parameters) on each switch.
Page 61: Enabling The Storage And Display Of Security Credentials
Configuring Username and Password Security Saving Security Credentials in a Config File By storing different security settings in different files, you can test ■ different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot the switch.
Page 62: Security Settings That Can Be Saved
Configuring Username and Password Security Saving Security Credentials in a Config File Security Settings that Can Be Saved The security settings that can be saved to a configuration file are: ■ Local manager and operator passwords and user names SNMP security credentials, including SNMPv1 community names and ■...
Page 63: Password Command Options
Configuring Username and Password Security Saving Security Credentials in a Config File Password Command Options The password command has the following options: Syntax: [no] password <manager | operator | port-access> [user-name <name>] <hash-type> <password> Set or clear a local username/password for a given access level. manager: configures access to the switch with manager-level privileges.
Page 64: Snmp Security Credentials
Configuring Username and Password Security Saving Security Credentials in a Config File SNMP Security Credentials SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-credentials command. In addition, the following SNMPv3 security parameters are also saved: snmpv3 user “<name>"...
Page 65: 802.1X Port-Access Credentials
Configuring Username and Password Security Saving Security Credentials in a Config File 802.1X Port-Access Credentials 802.1X authenticator (port-access) credentials can be stored in a configuration file. 802.1X authenticator credentials are used by a port to authenticate supplicants requesting a point-to-point connection to the switch. 802.1X supplicant credentials are used by the switch to establish a point-to- point connection to a port on another 802.1X-aware switch.
Page 66: Radius Shared-Secret Key Authentication
RADIUS server. SSH Client Public-Key Authentication Secure Shell version 2 (SSHv2) is used by HP switches to provide remote access to SSH-enabled management stations. Although SSH provides Telnet- like functions, unlike Telnet, SSH provides encrypted, two-way authenticated transactions.
Page 67 Configuring Username and Password Security Saving Security Credentials in a Config File The SSH security credential that is stored in the running configuration file is configured with the ip ssh public-key command used to authenticate SSH clients for manager or operator access, along with the hashed content of each SSH client public-key.
Page 68 AAAAB3NzaC1yc2EAAABIwAAAIEA1Kk9sVQ9LJOR6XO/hCMPxbiMNOK8C/ay \ +SQ10qGw+K9m3w3TmCfjh0ud9hivgbFT4F99AgnQkvm2eVsgoTtLRnfF7uw \ NmpzqOqpHjD9YzItUgSK1uPuFwXMCHKUGKa+G46A+EWxDAIypwVIZ697QmM \ qPFj1zdI4sIo5bDett2d0= joe@hp.com” Figure 2-5. Example of SSH Public Keys If a switch configuration contains multiple SSH client public keys, each public key is saved as a separate entry in the configuration file. You can configure up to ten SSH client public-keys on a switch.
Page 69: Operating Notes
Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes C a u t i o n When you first enter the include-credentials command to save the ■ additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file.
Page 70 Configuring Username and Password Security Saving Security Credentials in a Config File • copy config <source-filename> config <target-filename>: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot.
Page 71: Restrictions
Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command: ■ The private keys of an SSH host cannot be stored in the running configuration.
Page 72 Configuring Username and Password Security Saving Security Credentials in a Config File the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command. Note that the password port-access values are configured separately from local operator username and passwords configured with the password operator command and used for management access to the switch.
Page 73: Front-Panel Security
Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together).
Page 74: Front-Panel Button Functions
Clear Button Reset Button Figure 2-6. Front-Panel Button Locations on a HP E3800 Switch Clear Button Pressing the Clear button alone for one second resets the password(s) con- figured on the switch.
Page 75: Reset Button
Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-8. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.
Page 76: Configuring Front-Panel Security
Configuring Username and Password Security Front-Panel Security Reset Clear Test When the Test LED to the right of the Clear button begins flashing, release the Clear button. Reset Clear Test It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings.
Page 77 Configuring Username and Password Security Front-Panel Security • Modify the operation of the Reset+Clear combination (page 2-25) so that the switch still reboots, but does not restore the switch’s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.) •...
Page 78 Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to “Password Recovery Process” on page 2-34.) (Default: Enabled.) CAUTION: Disabling this option removes the ability to recover a password on the switch.
Page 79: Disabling The Clear Password Function Of The Clear Button
Configuring Username and Password Security Front-Panel Security Disabling the Clear Password Function of the Clear Button Syntax: no front-panel-security password-clear In the factory-default configuration, pressing the Clear button on the switch’s front panel erases any local usernames and passwords configured on the switch. This command disables the password clear function of the Clear button, so that pressing it has no effect on any local usernames and passwords.
Page 80: Re-Enabling The Clear Button And Setting Or Changing The "Reset-On-Clear" Operation
Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. •...
Page 81: Changing The Operation Of The Reset+Clear Combination
Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on- clear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-11. Example of Re-Enabling the Clear Button’s Default Operation Changing the Operation of the Reset+Clear Combination In their default configuration, using the Reset+Clear buttons in the combina- tion described under “Restoring the Factory Default Configuration”...
Page 82: Password Recovery
(the default) on the switch prior to an attempt ■ to recover from a lost username/password situation ■ Contacting your HP Customer Care Center to acquire a one-time-use password Disabling or Re-Enabling the Password Recovery Process Disabling the password recovery process means that the only method for...
Page 83 Configuring Username and Password Security Password Recovery C a u t i o n Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and pass- word on the switch. In this event, there is no way to recover from a lost manager username/password situation without resetting the switch to its factory-default configuration.
Page 84: Password Recovery Process
If you have lost the switch’s manager username/password, but password- recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by HP. If you have disabled password-recovery, which locks out the ability to recover a...
Page 85 Configuring Username and Password Security Password Recovery algorithm is randomized based upon your switch's MAC address, the pass- word will change as soon as you use the “one-time-use” password provided to you by the HP Customer Care Center. 2-35...
Page 86 Configuring Username and Password Security Password Recovery 2-36...
Page 87: Virus Throttling (Connection-Rate Filtering)
Virus Throttling (Connection-Rate Filtering) Overview of Connection-Rate Filtering Feature Default Page Ref Global Configuration and Sensitivity Disabled 3-10 Per-Port Configuration None 3-11 Listing and Unblocking Blocked Hosts 3-15 Viewing the Current Configuration 3-14 Configuring Connection-Rate ACLs None 3-17 The spread of malicious agents in the form of worms exhibiting worm behavior has severe implications for network performance.
Page 88: Features And Benefits
Virus Throttling (Connection-Rate Filtering) Overview of Connection-Rate Filtering connection-rate filtering can help reduce the impact of worm-like malicious code and give system administrators more time to isolate and eradicate the threat. Thus, while traditional worm and virus-signature updates will still need to be deployed to hosts, the network remains functional and the overall distribution of the malicious code is limited.
Page 89: General Operation
Event Log message the high connection-rate traffic (characteristic of worm attacks) that is detected on the edge port connected to device D. HP switch with connection-rate filtering configured, and block spreading option enabled. Port is blocked Device infected with worm-like malicious code Figure 3-1.
Page 90: Sensitivity To Connection Rate Detection
Virus Throttling (Connection-Rate Filtering) Overview of Connection-Rate Filtering Notify only (of potential attack): While the apparent attack ■ continues, the switch generates an Event Log notice identifying the offending host’s source IP address and (if a trap receiver is configured on the switch) a similar SNMP trap notice).
Page 91 Virus Throttling (Connection-Rate Filtering) Overview of Connection-Rate Filtering Connection-Rate ACLs. The basic connection-rate filtering policy is con- figured per-port as notify-only, throttle, and block. A connection-rate ACL cre- ates exceptions to these per-port policies by creating special rules for individual hosts, groups of hosts, or entire subnets. Thus, you can adjust a connection-rate filtering policy to create and apply an exception to configured filters on the ports in a VLAN.
Page 92: Operating Rules
Virus Throttling (Connection-Rate Filtering) Overview of Connection-Rate Filtering Operating Rules Connection-rate filtering does not operate on IPv6 traffic. ■ ■ Connection-rate filtering is triggered by inbound IP traffic exhibiting high rates of IP connections to new hosts. After connection-rate filtering has been triggered on a port, all traffic from the suspect host is subject to the configured connection-rate policy (notify-only, throttle, or block).
Page 93: General Configuration Guidelines
Virus Throttling (Connection-Rate Filtering) General Configuration Guidelines General Configuration Guidelines As stated earlier, connection-rate filtering is triggered only by inbound IP traffic generating a relatively high number of new IP connection requests from the same host. For a network that is relatively attack-free: Enable notify-only mode on the ports you want to monitor.
Page 94: For A Network That Appears To Be Under Significant Attack
Virus Throttling (Connection-Rate Filtering) General Configuration Guidelines Note On a given VLAN, to unblock the hosts that have been blocked by the connection-rate feature, use the vlan < vid > connection-rate filter unblock command. Maintain a practice of carefully monitoring the Event Log or configured trap receivers for any sign of high connectivity-rate activity that could indicate an attack by malicious code.
Page 95: Configuring Connection-Rate Filtering
Virus Throttling (Connection-Rate Filtering) Configuring Connection-Rate Filtering Configuring Connection-Rate Filtering Command Page Global and Per-Port Configuration connection-rate-filter sensitivity < low | medium | high | aggressive > 3-10 filter connection-rate < port-list > < notify-only | throttle | block > 3-11 show connection-rate-filter <...
Page 96: Enabling Connection-Rate Filtering And Configuring
Virus Throttling (Connection-Rate Filtering) Configuring Connection-Rate Filtering Enabling Connection-Rate Filtering and Configuring Sensitivity Syntax: connection-rate-filter sensitivity < low | medium | high | aggressive > no connection-rate-filter This command: • Enables connection-rate filtering. • Sets the global sensitivity level at which the switch interprets a given host’s attempts to connect to a series of different devices as a possible attack by a malicious agent residing in the host.
Page 97: Configuring The Per-Port Filtering Mode
Virus Throttling (Connection-Rate Filtering) Configuring Connection-Rate Filtering Configuring the Per-Port Filtering Mode Syntax: filter connection-rate < port-list > < notify-only | throttle | block > no filter connection-rate < port-list > Configures the per-port policy for responding to detection of a relatively high number of inbound IP connection attempts from a given source.
Page 98: Example Of A Basic Connection-Rate Filtering Configuration
Virus Throttling (Connection-Rate Filtering) Configuring Connection-Rate Filtering Example of a Basic Connection-Rate Filtering Configuration Switch HP Switch VLAN 1 15.45.100.1 Server VLAN 10 Switch Server 15.45.200.1 Server VLAN 15 15.45.300.1 Switch Company Intranet Server Figure 3-2. Sample Network Basic Configuration. Suppose that in the sample network, the administra-...
Page 99 Virus Throttling (Connection-Rate Filtering) Configuring Connection-Rate Filtering HP Switch(config)# connection-rate-filter sensitivity low Enables connection-rate filtering HP Switch(config)# filter connection-rate 10-12 throttle and sets the sensitivity to “low”. HP Switch(config)# filter connection-rate 13 notify-only HP Switch(config)# filter connection-rate 19,21-22 block Configures the desired...
Page 100: Viewing And Managing Connection-Rate Status
Displays the current global connection-rate status (enabled/disabled) and sensitivity setting, and the cur- rent per-port configuration. This command does not display the current (optional) connection-rate ACL con- figuration, if any. HP Switch(config)# show connection-rate-filter Connection Rate Filter Configuration Global Status: Enabled Sensitivity:...
Page 101: Listing Currently-Blocked Hosts
Lists, by VLAN membership, the hosts cur- rently in a throttling state due to connection-rate action. blocked-hosts: Lists, by VLAN membership, the hosts currently blocked by connection-rate action. HP Switch(config)# show connection-rate-filter all-hosts VLAN ID | Source IP Address | Filter Mode -------------+-------------------+------------ | 13.28.234.175...
Page 102 Src IP xxx.xxx.xxx.xxx blocked Note HP recommends that, before you unblock a host that has been blocked by connection-rate filtering, you inspect the host with current antivirus tools and remove any malicious agents that pose a threat to your network.
Page 103: Configuring And Applying Connection-Rate Acls
Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs Configuring and Applying Connection-Rate ACLs Command Page ip access-list connection-rate-filter < crf-list-name > 3-19, 3-21 < filter | ignore > ip < any | host < ip-addr > | ip-addr < mask >> 3-19 <...
Page 104: Connection-Rate Acl Operation
Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs For more information on when to apply connection-rate ACLs, refer to “Appli- cation Options” on page 3-4. Note Connection-rate ACLs are a special case of the switch’s ACL feature. If you need information on other applications of ACLs or more detailed information on how ACLs operate, refer to Chapter 10, “IPv4 Access Control Lists (ACLs)”.
Page 105: Configuring A Connection-Rate Acl Using Source Ip Address Criteria
Syntax: ip access-list connection-rate-filter < crf-list-name > Creates a connection-rate-filter ACL and puts the CLI into the access control entry (ACE) context: HP Switch(config-crf-nacl)# If the ACL already exists, this command simply puts the CLI into the ACE context. Syntax: < filter | ignore > ip < any | host < ip-addr > | ip-addr < mask-length > >...
Page 106 Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs < filter | ignore > The filter option assigns policy filtering to traffic with source IP address (SA) matching the source address in the ACE. The ignore option specifies bypassing policy filtering for traffic with an SA that matches the source address in the ACE.
Page 107: Configuring A Connection-Rate Acl Using Udp/Tcp Criteria
Syntax: ip access-list connection-rate-filter < crf-list-name > Creates a connection-rate-filter ACL and puts the CLI into the access control entry (ACE) context: HP Switch(config-crf-nacl)# If the ACL already exists, this command simply puts the CLI into the ACE context. Syntax: < filter | ignore > < udp | tcp > < any >...
Page 108 Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs ip-addr < mask-length >: Applies the ACEs action (filter or ignore) to IP traffic having an SA within the range defined by either: < src-ip-addr/cidr-mask-bits> <src-ip-addr < mask >> Use this criterion for traffic received from either a subnet or a group of IP addresses.
Page 109 (161) snmp-trap: Simple Network Management Pro- tocol (162) tftp: Trivial File Transfer Protocol (69) HP Switch(config)# ignore tcp host 15.75.10.11 destination-port eq 1812 source-port eq 1812 Ignore (allow) tcp traffic from the host at 15.75.10.11 with both source and destination tcp ports of 1812.
Page 110: Applying Connection-Rate Acls
Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs Applying Connection-Rate ACLs To apply a connection-rate ACL, use the access group command described below. Note that this command differs from the access group command for non-connection-rate ACLs. Syntax: [no] vlan < vid > ip access-group < crf-list-name > connection-rate-filter This command applies a connection-rate access control list (ACL) to inbound traffic on ports in the specified VLAN that are configured for connection-rate filtering.
Page 111: Example Of Using An Acl In A Connection-Rate Configuration
Matches” on page 10-35. Example of Using an ACL in a Connection-Rate Configuration This example adds connection-rate ACLs to the basic example on page 3-12. IP Address: 15.45.100.7 Switch HP Switch VLAN 1 15.45.100.1 Server VLAN 10 Switch Server 15.45.200.1...
Page 112 Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs configure a connection-rate ACL that causes the switch to ignore (circumvent) connection-rate filtering for inbound traffic from the server, while maintaining the filtering for all other inbound traffic on port D2. The configuration steps include: Create the connection-rate ACL with a single entry: •...
Page 113: Connection-Rate Acl Operating Notes
Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs HP Switch(config)# show config Startup configuration: ; J9573A Configuration Editor; Created on release #KA.15.03 ; Ver #01:00:01 hostname "HP Switch" connection-rate-filter sensitivity high ip access-list connection-rate-filter “17-server” ignore ip 15.45.50.17 0.0.0.0...
Page 114 Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs • filter < source-criteria >: This ACE type does the opposite of an ignore entry. That is, all inbound traffic meeting the configured < source- criteria > must be filtered through the connection-rate policy config- ured for the port on which the traffic entered the switch.
Page 115: Web And Mac Authentication
Web and MAC Authentication Overview Feature Default Menu Configure Web Authentication — 4-18 — Configure MAC Authentication — 4-48 — Display Web Authentication Status and Configuration — 4-26 — Display MAC Authentication Status and Configuration — 4-65 — Web and MAC authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and a switch from unauthorized access.
Page 116: Web Authentication
Web and MAC Authentication Overview Web Authentication The Web Authentication (Web-Auth) method uses a web page login to authen- ticate users for access to the network. When a client connects to the switch and opens a web browser, the switch automatically presents a login page. Note A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web authentication.
Page 117: Concurrent Web And Mac Authentication
Web and MAC Authentication Overview Concurrent Web and MAC Authentication Web authentication and MAC authentication can be configured at the same time on a port. It is assumed that MAC authentication will use an existing MAC address. The following conditions apply for concurrent Web and MAC authen- tication: A specific MAC address cannot be authenticated by both Web and ■...
Page 118: Radius-Based Authentication
Web and MAC Authentication Overview support multiple client sessions in different VLANs for a network application, design your system so that clients request network access on different switch ports.) In the default configuration, the switch blocks access to all clients that the RADIUS server does not authenticate.
Page 119: How Web And Mac Authentication Operate
Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Before gaining access to the network, a client first presents authentication credentials to the switch. The switch then verifies the credentials with a RADIUS authentication server. Successfully authenticated clients receive access to the network, as defined by the System Administrator.
Page 120 Web and MAC Authentication How Web and MAC Authentication Operate enabled SSL on the switch, you can specify the ssl-login option when you configure web authentication so that clients who log in to specified ports are redirected to a secure login page (https://...) to enter their credentials. The switch passes the supplied username and password to the RADIUS server for authentication and displays the following progress message: Figure 4-2.
Page 121: Mac-Based Authentication
Web and MAC Authentication How Web and MAC Authentication Operate The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period).
Page 122 Web and MAC Authentication How Web and MAC Authentication Operate If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (auth-vid if configured) and temporarily drops all other VLAN memberships. If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
Page 123: Terminology
VLAN. Authentication Server: The entity providing an authentication service to the switch. In the case of a HP Switch E3800 running Web/MAC-Authen- tication, this is a RADIUS server. Authenticator: In HP switch applications, a device such as a HP Switch...
Page 124: Operating Rules And Notes
Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ The switch supports concurrent 802.1X , Web and MAC authentication operation on a port (with up to 2 clients allowed). However, concur- rent operation of Web and MAC authentication with other types of authentication on the same port is not supported.
Page 125 Web and MAC Authentication Operating Rules and Notes • During an authenticated client session, the following hierarchy deter- mines a port’s VLAN membership: If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
Page 126: Setup Procedure For Web/Mac Authentication
Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, HP recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.)
Page 127 To display the current configuration of 802.1X, Web-based, and MAC authentication on all switch ports, enter the show port-access config command. HP Switch (config)# show port-access config Port Access Status Summary Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes...
Page 128 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100”...
Page 129: Configuring The Radius Server To Support Mac Authentication
Web and MAC Authentication Setup Procedure for Web/MAC Authentication Configuring the RADIUS Server To Support MAC Authentication On the RADIUS server, configure the client device authentication in the same way that you would any other client, except: Configure the client device’s (hexadecimal) MAC address as both ■...
Page 130 The tilde (~) character is allowed in the string, for example, radius- server key hp~network. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
Page 131 For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server specific shared secret key of ‘1A7rd’: HP Switch(config)# radius-server host 192.168.32.11 HP Switch(config)# radius-server host 192.168.32.11 key 1A7rd HP Switch(config)# show radius Status and Counters - General RADIUS Information...
Page 132: Configuring Web Authentication
If you have not already done so, configure a local username and password pair on the switch. Identify or create a redirect URL for use by authenticated clients. HP recommends that you provide a redirect URL when using Web Authenti- cation.
Page 133: Configuration Commands For Web Authentication
Web and MAC Authentication Configuring Web Authentication • You can block only incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web authentication. For example, Wake-on-LAN traffic is transmitted on a web-authenti- cated egress port that has not yet transitioned to the authenticated state;...
Page 134 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-direc- tions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.
Page 135 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> — Continued — Notes: ■ For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, “Multiple Instance Spanning-Tree Operation”...
Page 136 Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based <port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable web- based authentication on the specified ports. Syntax: aaa port-access web-based <port-list> [auth-vid <vid>]] no aaa port-access web-based <port-list>...
Page 137 If the web server is also used for other purposes, you may wish to group the HTML files in their own directory, for example in “/EWA/”) HP Switch (config)# aaa port-access web-based 47 ewa-server 10.0.12.179 /EWA HP Switch (config)# aaa port-access web-based 47 ewa-server 10.0.12.180...
Page 138 Web and MAC Authentication Configuring Web Authentication HP Switch (config)# no aaa port-access web-based 47 ewa-server 10.0.12.181 HP Switch (config)# Figure 4-7. Removing a Web Server with the aaa port-access web-based ews-server Command logoff-period <60-9999999> aaa port-access web-based <port-list >...
Page 139 Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. HP recommends that you provide a redirect URL when using Web Authentication. Note: The redirect-url command accepts only the first 103 characters of the allowed 127 characters.
Page 140: Show Commands For Web Authentication
Web and MAC Authentication Configuring Web Authentication Show Commands for Web Authentication Command Page show port-access web-based [port-list] 4-26 show port-access web-based clients [port-list] 4-27 show port-access web-based clients <port-list> detailed 4-28 show port-access web-based config [port-list] 4-29 show port-access web-based config <port-list> detailed 4-30 show port-access web-based config [port-list] auth-server 4-31...
Page 141 If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a - no info is displayed. HP Switch (config)# show port-access web-based clients Port Access Web-Based Client Status Port Client Name...
Page 142 MAC-to-IP address binding for a client is found in the DHCP binding table. HP Switch (config)# show port-access web-based clients 1 detailed Port Access Web-Based Client Status Detailed Client Base Details : Port...
Page 143 If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS- assigned value. HP Switch (config)# show port-access web-based config Port Access Web-Based Configuration DHCP Base Address : 192.168.0.0 DHCP Subnet Mask : 255.255.255.0...
Page 144 <port-list> detailed Displays more detailed information on the currently config- ured Web Authentication settings for specified ports. HP Switch (config)# show port-access web-based config 1 detailed Port Access Web-Based Detailed Configuration Port Web-based enabled : Yes...
Page 145 • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts HP Switch (config)# show port-access web-based config auth-server Port Access Web-Based Configuration Client Client Logoff Re-Auth Quiet...
Page 146: Customizing Web Authentication Html Files (Optional)
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Customizing Web Authentication HTML Files (Optional) The Web Authentication process displays a series of web pages and status messages to the user during login. The web pages that are displayed can be: ■...
Page 147: Customizing Html Templates
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) To configure a web server on your network, follow the instructions ■ in the documentation provided with the server. ■ Before you enable custom Web Authentication pages, you should: • Determine the IP address or host name of the web server(s) that will host your custom pages.
Page 148: Customizable Html Templates
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Customizable HTML Templates The sample HTML files described in the following sections are customizable templates. To help you create your own set HTML files, a set of the templates can be found on the download page for ‘K’ software. File Name Page 4-34...
Page 149 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional)  <html> <head> <title>User Login</title> </head> <body> <h1>User Login</h1> <p>In order to access this network, you must first log in.</p> <form action="/webauth/loginprocess" method="POST">...
Page 150 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Access Granted Page (accept.html). Figure 4-16. Access Granted Page The accept.html file is the web page used to confirm a valid client login. This web page is displayed after a valid username and password are entered and accepted.
Page 151 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional)  <html> <head> <title>Access Granted</title>  <meta http-equiv="refresh"content="<%GETWAUTHREDIRECTTIME%>; URL=<%GETWAUTHREDIRECTURL%>"/> </head> <body> <h1>Access Granted</h1> <!-- The ESI tag below will be replaced with the time in seconds until the page redirects.
Page 152 Authenticating Page (authen.html). Figure 4-18. Authenticating Page The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified.  <html> <head>...
Page 153 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Invalid Credentials Page (reject_unauthvlan.html). Figure 4-20. Invalid Credentials Page The reject_unauthvlan.html file is the web page used to display login failures in which an unauthenticated client is assigned to the VLAN configured for unauthorized client sessions.
Page 154 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional)  <html> <head> <title>Invalid Credentials</title>  <meta http-equiv="refresh"content="<%GETWAUTHREDIRECTTIME%>; URL=<%GETWAUTHREDIRECTURL%>"/> </head> <body> <h1>Invalid Credentials</h1> <p>Your credentials were not accepted. However, you have been granted gues account status.
Page 155 RADIUS server is not reachable. You can configure the time period (in seconds) that the switch waits for a response from the RADIUS server used to verify client credentials with the aaa port-access web-based server-timeout command when you enable Web Authentication.  <html> <head>...
Page 156 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Retry Login Page (retry_login.html). Figure 4-24. Retry Login Page The retry_login.html file is the web page displayed to a client that has entered an invalid username and/or password, and is given another opportunity to log The GETWAUTHRETRIESLEFT ESI displays the number of login retries that remain for a client that entered invalid login credentials.
Page 157 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional)  <html> <head> <title>Invalid Credentials</title>  <meta http-equiv="refresh" content="5;URL=/EWA/index.html">...
Page 158 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) SSL Redirect Page (sslredirect.html). Figure 4-26. SSL Redirect Page The sslredirect file is the web page displayed when a client is redirected to an SSL server to enter credentials for Web Authentication. If you have enabled SSL on the switch, you can enable secure SSL-based Web Authentication by entering the aaa port-access web-based ssl-login command when you enable Web Authentication.
Page 159 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional)  <html> <head> <title>User Login SSL Redirect</title> <meta http-equiv="refresh" content="5;URL=https://<%GETWAUTHSSLSRV%>/EWA/ index.html"> </head> <body> <h1>User Login SSL Redirect</h1> <p>In order to access this network, you must first log in.</p>...
Page 160 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Access Denied Page (reject_novlan.html). Figure 4-28. Access Denied Page The reject_novlan file is the web page displayed after a client login fails and no VLAN is configured for unauthorized clients. The GETWAUTHQUIETTIME ESI inserts the time period used to block an unauthorized client from attempting another login.
Page 161 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional)  <html> <head> <title>Access Denied</title>  <meta http-equiv="refresh" content="<%GETWAUTHQUIETTIME%>;URL=/EWA/ index.html">...
Page 162: Configuring Mac Authentication On The Switch
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview If you have not already done so, configure a local username and password pair on the switch. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made.
Page 163: Configuration Commands For Mac Authentication
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuration Commands for MAC Authentication Command Page Configuration Level aaa port-access mac-based addr-format 4-49 [no] aaa port-access mac-based password <password-value> below [no] aaa port-access mac-based [e] < port-list > 4-51 [addr-limit] 4-52 [addr-moves]...
Page 164 Web and MAC Authentication Configuring MAC Authentication on the Switch HP Switch(config)# aaa port-access mac-based password secretMAC1 HP Switch(config)# show port-access mac-based config Port Access MAC-Based Configuration MAC Address Format : no-delimiter Password : secretMAC1 Unauth Redirect Configuration URL :...
Page 165: Configuring A Mac-Based Address Format
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring a MAC-based Address Format Syntax: aaa port-access mac-based addr-format <no-delimiter | single-dash | multi-dash | multi-colon | no-delimiter-uppercase | single-dash- uppercase | multi-dash-uppercase | multi-colon-uppercase> Specifies the MAC address format to be used in the RADIUS request message.
Page 166 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-256>] Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1) Note: On switches where MAC Auth and 802.1X can operate concurrently, this limit includes the total number of clients authenticated through both methods.
Page 167 Web and MAC Authentication Configuring MAC Authentication on the Switch Specifies the number of authentication attempts that must time-out before authentication fails. (Default: 2) Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1 - 65535>] Specifies the time period (in seconds) that the switch waits before processing an authentication request from a MAC address that failed authentication.
Page 168: Configuring Custom Messages
Use the text message provided in the RADIUS server response to the authentication request. HP Switch(config)# aaa port-access web-based access-denied-message “Please contact your system administrator to obtain authentication privileges.” Figure 4-31. Example of Configuring an Access Denied Message on the Switch...
Page 169 Web and MAC Authentication Configuring MAC Authentication on the Switch HP Switch(config)# show port-access web-based config Port Access Web-based Configuration DHCP Base Address : 192.168.0.0 DHCP Subnet Mask : 255.255.248.0 DHCP Lease Length : 10 seconds Allow RADIUS-assigned dynamic (GVRP) VLANs[No]: Yes Access Denied Message : Custom: Please contact your system administrator to obtain authentication privileges.
Page 170: Web Page Display Of Access Denied Message
Web and MAC Authentication Configuring MAC Authentication on the Switch Unauthenticated clients may be assigned to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients, the port is blocked and no network access is available.
Page 171 Web and MAC Authentication Configuring MAC Authentication on the Switch Invalid Credentials Your credentials were not accepted. Please wait 96 seconds to retry.You will be redirected automatically to the login page. Unauthorized access to this network is prohibited. Access to this network requires prior authorization from the System Administrator.
Page 172 Web and MAC Authentication Configuring MAC Authentication on the Switch HP Switch(config)# show running-config Running configuration: ; hpStack Configuration Editor; Created on release #KA.15.03 ; Ver #01:00:01 hostname "HP Switch"web-management ssl qos dscp-map 000000 priority 0 no stack auto-join vlan 1 name "DEFAULT_VLAN"...
Page 173: Http Redirect When Mac Address Not Found
Web and MAC Authentication Configuring MAC Authentication on the Switch HP Switch(config)# show running-config Running configuration: ; J9573A Configuration Editor; Created on release #KA.15.03.3003 ; Ver #01:00:01 hostname "HP Switch" module 1 type J9573x web-management ssl qos dscp-map 000000 priority 0...
Page 174: How Http Redirect Works
Web and MAC Authentication Configuring MAC Authentication on the Switch Notes The HTTP redirect feature cannot be enabled if web authentication is enabled on any port, and conversely, if HTTP redirect is enabled, web authentication cannot be enabled on any port. The web/registration server software is not included with this feature.
Page 175 Web and MAC Authentication Configuring MAC Authentication on the Switch C a u t i o n Rogue clients can attempt to access any web pages on the web/registration server via interface ports configured for MAC authentication. The following steps are involved in HTTP registration. When the redirect feature is enabled, a client that fails MAC authentica- tion is moved into the unauthorized MAC authentication redirection state.
Page 176: Diagram Of The Registration Process
Web and MAC Authentication Configuring MAC Authentication on the Switch Diagram of the Registration Process RADIUS Client Switch Web Server Packet is sent RADIUS request is made Client fails authentication Client is put in unauth MAC-auth redirect Client sends DHCP request state.
Page 177: Using The Restrictive-Filter Option
HTTP request is to the registration server’s destination IP address. Show Command Output Figure 4-39 is an example of the show command that displays the HTTP redirect configuration. HP Switch(config)# show port-access mac-based config Port Access MAC-Based Configuration MAC Address Format : no-delimiter Configured HTTP redirect URL Unauth Redirect Configuration URL : http://14.29.16.192:80/myserver.html...
Page 178: Configuring The Registration Server Url
Web and MAC Authentication Configuring MAC Authentication on the Switch Using the CLI. To reauthenticate a client using the CLI, use this command: HP Switch(config)# aaa port-access mac-based <single- port> reauthenticate mac-addr <MAC address> The keyword mac-addr specifies single client reauthentication. If the reauthenticate parameter is entered without the mac-addr keyword and MAC address, the command is executed as port reauthentication—all clients on a...
Page 179: Show Commands For Mac-Based Authentication
Web and MAC Authentication Configuring MAC Authentication on the Switch Show Commands for MAC-Based Authentication Command Page show port-access mac-based [port-list] 4-66 show port-access mac-based clients [port-list] 4-66 show port-access mac-based clients <port-list> detailed 4-67 show port-access mac-based config [port-list] 4-68 show port-access mac-based config <port-list>...
Page 180 If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a - no info is displayed. HP Switch (config)# show port-access mac-based clients Port Access MAC-Based Client Status Port MAC Address IP Address...
Page 181 MAC-to-IP address binding for a client is found in the DHCP binding table. HP Switch (config)# show port-access mac-based clients 1 detailed Port Access MAC-Based Client Status Detailed Client Base Details : Port...
Page 182 If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS- assigned value. HP Switch (config)# show port-access mac-based config Port Access MAC-Based Configuration MAC Address Format : no-delimiter Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No...
Page 183 <port-list> detailed Displays more detailed information on the currently config- ured MAC Authentication settings for specified ports. HP Switch (config)# show port-access mac-based config 1 detailed Port Access MAC-Based Detailed Configuration Port Web-based enabled : Yes...
Page 184 • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts HP Switch (config)# show port-access mac-based config auth-server Port Access MAC-Based Configuration Client Client Logoff Re-Auth Quiet...
Page 185: Client Status
Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Possible Explanations Connection authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires.
Page 186 Web and MAC Authentication Client Status 4-72...
Page 187: Tacacs+ Authentication
TACACS+ Authentication Overview Feature Default Menu view the switch’s authentication configuration — page 5-8 — view the switch’s TACACS+ server contact — page 5-9 — configuration configure the switch’s authentication methods disabled — page — 5-10 configure the switch to contact TACACS+ server(s) disabled —...
Page 188: Terminology Used In Tacacs Applications
TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ in the switches covered in this guide manages authentication of logon attempts through either the Console port or Telnet. TACACS+ uses an authentication hierarchy consisting of (1) remote passwords assigned in a TACACS+ server and (2) local passwords configured on the switch.
Page 189 TACACS+ Authentication Terminology Used in TACACS Applications: • Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager- level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or WebAgent. (Using the menu interface you can assign a local password, but not a username.) Because this method assigns passwords to the switch instead of to individuals who access the switch, you must...
Page 190: General System Requirements
TACACS+ configurations used in your network. TACACS-aware HP switches include the capability of configuring multiple backup TACACS+ servers. HP recommends that you use a TACACS+ server application that supports a redundant backup installation. This allows you to configure the switch to use a backup TACACS+ server if it loses access to the first-choice TACACS+ server.
Page 191 TACACS+ Authentication General Authentication Setup Procedure Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Trouble- shooting chapter of the Management and Configuration Guide for your switch.
Page 192 15. For more on this topic, refer to the documentation you received with your TACACS+ server application. If you are a first-time user of the TACACS+ service, HP recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment.
Page 193: Configuring Tacacs+ On The Switch
Configuring TACACS+ on the Switch Before You Begin If you are new to TACACS+ authentication, HP recommends that you read the “General Authentication Setup Procedure” on page 5-4 and configure your TACACS+ server(s) before configuring authentication on the switch.
Page 194: Cli Commands Described In This Section
TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs aaa authentication 5-10 through 5-16 console Telnet num-attempts <1-10 > tacacs-server 5-17 host < ip-addr > 5-17 5-22 timeout < 1-255 > 5-23 Viewing the Switch’s Current Authentication Configuration...
Page 195: Viewing The Switch's Current Tacacs+ Server Contact Configuration
TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. Syntax: show tacacs For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a (global) encryption key, show tacacs would produce a listing similar to the...
Page 196: Configuring The Switch's Authentication Methods
The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into Operator or Manager mode, depending on your privilege level. HP Switch(config) aaa authentication login privilege-mode The no version of the above command disables TACACS+ single login capa- bility.
Page 197 TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: aaa authentication < console | telnet | ssh | web | port-access > Selects the access method for configuration. < enable> The server grants privileges at the Manager privilege level. <login [privilege-mode] > The server grants privileges at the Operator privilege level.
Page 198: Authentication Parameters
TACACS+ Authentication Configuring TACACS+ on the Switch Authentication Parameters Table 5-1. AAA Authentication Parameters Name Default Range Function console, Telnet, Specifies the access method used when authenticating. TACACS+ SSH, web or port- authentication only uses the console, Telnet or SSH access methods. access enable Specifies the Manager (read/write) privilege level for the access...
Page 199: Configuring The Tacacs+ Server For Single Login
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the TACACS+ Server for Single Login In order for the single login feature to work correctly, you need to check some entries in the User Setup on the TACACS+ server. In the User Setup, scroll to the Advanced TACACS+ Settings section. Make sure the radio button for “Max Privilege for any AAA Client”...
Page 200 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 5-5. The Shell Section of the TACACS+ Server User Setup As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch’s console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.
Page 201 TACACS+ Authentication Configuring TACACS+ on the Switch Table 5-2. Primary/Secondary Authentication Table Access Method and Authentication Options Effect on Access Attempts Privilege Level Primary Secondary Console — Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Console —...
Page 202 Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. HP Switch (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server. Secondary using Local. HP Switch (config)# aaa authentication console enable tacacs local Telnet Login (Operator or Read-Only) Access: Primary using TACACS+ server.
Page 203: Configuring The Switch's Tacacs+ Server Access
Note As described under “General Authentication Setup Procedure” on page 5-4, HP recommends that you configure, test, and troubleshoot authentication via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up authentication in either the switch or your TACACS+ server.
Page 204 TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [key < key-string >] | [oobm] Adds a TACACS+ server and optionally assigns a server- specific encryption key. If the switch is configured to access multiple TACACS+ servers having different encryp- tion keys, you can configure the switch to use different encryption keys for different TACACS+ servers.
Page 205 TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host <ip-addr> [key <key-string>] none | [oobm] Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per- server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key”...
Page 206 <key-string> entry at the beginning of this table.) You can configure a TACACS+ encryption key that includes a tilde (~) as part of the key, for example, “hp~network”. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character For more on the encryption key, see “Using the Encryption Key”...
Page 207 "good morning Shows the key configured for a specific host. tacacs-server host 10.10.10.2 key "hp~network" snmp-server community "public" unrestricted Figure 5-7. Example of the Running Configuration File Showing the Host-Specific Key for TACACS+ with the “~” Included Adding, Removing, or Changing the Priority of a TACACS+ Server.
Page 208 To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: HP Switch(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key. Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key.
Page 209 TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: HP Switch(config)# tacacs-server host 10.28.227.104 Note You can save the encryption key in a configuration file by entering this command: HP Switch(config)# tacacs-server key <keystring>...
Page 210: How Authentication Operates
TACACS+ Operation Second-Choice TACACS+ Server (Optional) Terminal “B” Remotely Accessing This Switch Via Telnet HP Switch Configured for TACACS+ Operation Third-Choice TACACS+ Server (Optional) Figure 5-10. Using a TACACS+ Server for Authentication Using figure 5-10, above, after either switch detects an operator’s logon...
Page 211: Local Authentication Process
TACACS+ Authentication How Authentication Operates After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs: •...
Page 212: Using The Encryption Key
TACACS+ Authentication How Authentication Operates If the username/password pair entered at the requesting terminal does ■ not match either username/password pair previously configured locally in the switch, access is denied. In this case, the terminal is again prompted to enter a username/password pair. In the default configuration, the switch allows up to three attempts.
Page 213: Encryption Options In The Switch
HP Switch(config)# tacacs-server host 10.28.227.87 key south10campus With both of the above keys configured in the switch, the...
Page 214: Using Tacacs+ Authentication
TACACS+ Authentication Controlling WebAgent Access When Using TACACS+ Authentication Controlling WebAgent Access When Using TACACS+ Authentication Configuring the switch for TACACS+ authentication does not affect WebAgent access. To prevent unauthorized access through the WebAgent, do one or more of the following: ■...
Page 215: Messages Related To Tacacs+ Operation
TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For informa- tion on such messages, refer to the documentation you received with the application.
Page 216: Operating Notes
TACACS+ Authentication Operating Notes Operating Notes ■ If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized manager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP Manager controls configured on the switch.
Page 217: Overview
For accounting, this can help you track network resource usage. Authentication Services You can use RADIUS to verify user identity for the following types of primary password access to the HP switch: ■ Serial port (Console) ■...
Page 218: Accounting Services
MIB (Management Information Base). A management station running an SNMP networked device management application such as HP E-PCM Plus or HP OpenView can access the switch’s MIB for read access to the switch’s status and read/write access to the switch’s configuration. For more informa-...
Page 219: Terminology
EXEC Session: a service (EXEC shell) granted to the authenticated login user for doing management operations on the HP device. Host: See RADIUS Server. NAS (Network Access Server): In this case, a HP switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): a protocol for...
Page 220: Switch Operating Rules For Radius
You can select RADIUS as the primary authentication method for each type of access. (Only one primary and one secondary access method is allowed for each access type.) In the HP switch, EAP RADIUS uses MD5 and TLS to encrypt a ■ response to a challenge from a RADIUS server.
Page 221: General Radius Setup Procedure
RADIUS as the primary authentication method. Consider both Operator (login) and Manager (enable) levels, as well as which secondary authentication methods to use (local or none) if the RADIUS authentication fails or does not respond. HP Switch(config)# show authentication Note: The WebAgent access task shown in this...
Page 222: Configuring The Switch For Radius Authentication
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. HP recommends that you begin with the default (five seconds).
Page 223 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication RADIUS Authentication Commands Page *The web authentication option for the WebAgent is available on the switches covered in this guide.
Page 224: Outline Of The Steps For Configuring Radius Authentication
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: Configure RADIUS authentication for controlling access through one or more of the following •...
Page 225: You Want Radius To Protect
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication • Timeout Period: The timeout period the switch waits for a RADIUS server to reply. (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS authentication request.
Page 226 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication ure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail. Syntax: aaa authentication < console | telnet | ssh | web | < enable | login <local | radius>>...
Page 227 “Enable Primary” and “Enable Secondary” fields are not applicable (N/A). HP Switch(config)# show authentication Status and Counters - Authentication Information Login Attempts : 3 Respect Privilege : Disabled...
Page 228: Enable The (Optional) Access Privilege Option
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication HP Switch(config)# aaa authentication telnet login radius none HP Switch(config)# aaa authentication telnet enable radius none HP Switch(config)# aaa authentication ssh login radius none HP Switch(config)# aaa authentication ssh enable radius none...
Page 229 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication this default behavior for clients with Enable (manager) access. That is, with privilege-mode enabled, the switch immediately allows Enable (Manager) access to a client for whom the RADIUS server specifies this access level. Syntax: [no] aaa authentication login privilege-mode When enabled, the switch reads the Service-Type field in the client authentication received from a RADIUS server.
Page 230: Configure The Switch To Access A Radius Server
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 6-48: “Accounting Services”...
Page 231 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication [dyn-authorization] Enables or disables the processing of Disconnect and Change of Authorization messages from this host. When enabled, the RADIUS server can dynamically terminate or change the authorization parameters (such as VLAN assignment) used in an active client session on the switch.
Page 232 Change the encryption key for the server at 10.33.18.127 to “source0127”. Add a RADIUS server with an IP address of 10.33.18.119 and a server- specific encryption key of “source0119”. HP Switch(config)# radius-server host 10.22.18.127 key source0127 HP Switch(config)# radius-server host 10.22.18.119 key source0119 HP Switch# show radius...
Page 233: Configure The Switch's Global Radius Parameters
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication HP Switch(config)# radius-server host 10.33.18.127 key source0127 HP Switch(config)# radius-server host 10.33.18.119 key source0119 Changes HP Switch(config)# show radius the key for the existing Status and Counters - General RADIUS Information server to “source012...
Page 234 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Retransmit attempts: If the first attempt to contact a RADIUS ■ server fails, specifies how many retries you want the switch to attempt on that server. Change of Authorization port: The dyn-autz-port parameter ■...
Page 235 Allow three seconds for request timeouts. Allow two retries following a request that did not receive a response. ■ HP Switch(config)# aaa authentication num-attempts 2 HP Switch(config)# radius-server key My-Global-Key-1099 HP Switch(config)# radius-server key dead-time 5 HP Switch(config)# radius-server timeout 3...
Page 236 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Figure 6-6. Example of Global Configuration Exercise for RADIUS Authentication HP Switch(config)# show authentication Status and Counters - Authentication Information After two attempts failing due to Login Attempts : 2...
Page 237: Using Multiple Radius Server Groups
RADIUS server must be configured before it can be added to a group. See “Configuring the Switch for RADIUS Authentication” on page 6-6 for more information about configuring RADIUS servers. HP Switch(config)# radius-server host 10.33.18.151 acct-port 1750 key source0151 HP Switch(config)# write mem...
Page 238: Enhanced Commands
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa server-group radius <group-name> host <ip-addr> no aaa server-group radius <group-name> host <ip-addr> Associates a RADIUS server with a server group. Each group can contain up to 3 RADIUS servers. The default group (called ‘radius’) can only contain the first three RADIUS servers.
Page 239 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication [ local | none | authorized ]: Provides options for secondary authentication (default: none). Note that for console access, secondary authentication must be local if primary access is not local. This prevents you from being locked out of the switch in the event of a failure in other access methods.
Page 240: Displaying The Radius Server Group Information
Displaying the RADIUS Server Group Information The show server-group radius command displays the same information as the show radius command, but displays the servers in their server groups. HP Switch(config)# show server-group radius Status and Counters - AAA Server Groups Group Name: radius...
Page 241 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication HP Switch(config)# show authentication Status and Counters - Authentication Information Login Attempts : 3 Respect Privilege : Disabled | Login Login Login Access Task | Primary Server Group Secondary...
Page 242: Cached Reauthentication
RADIUS Authentication, Authorization, and Accounting Cached Reauthentication Cached Reauthentication Cached reauthentication allows 802.1X, web, or MAC reauthentications to succeed when the RADIUS server is unavailable. Users already authenticated retain their currently-assigned RADIUS attributes. Uninterrupted service is provided for authenticated users with RADIUS-assigned VLANS if the RADIUS server becomes temporarily unavailable during periodic reauthentications.
Page 243: Timing Considerations
Configures the period of time (in seconds) during which cached reauthentication is allowed on the port. Default: No limit is set. HP Switch(config)# aaa port-access web-based 6-8 cached-reauth-period 86400 The cached-reauth-period is set to 86400 seconds (1440 minutes, or 24 hours).
Page 244 RADIUS Authentication, Authorization, and Accounting Cached Reauthentication authentication have been changed from their default values. The period of time represented by X is how long 802.1X or Web MAC authentication will wait for a RADIUS response. For example: A cached-reauth-period is set to 900 seconds (15 minutes) and the reauth period is 180 seconds.
Page 245 RADIUS Authentication, Authorization, and Accounting Cached Reauthentication The time between step 8 and step 9 is X seconds. The total time is 180 + X + 900 + 180 + X, which equals 900 +2(180+X) seconds. Note The period of 1 to 30 seconds, represented by X, is not a firm time period; the time can vary depending on other 802.1X and Web/MAC auth parameters.
Page 246: Switch Authentication Features
If you choose to leave SNMP access to the security MIB open (the default setting), HP recommends that you configure the switch with the SNMP version 3 management and access security feature, and disable SNMP version 2c access.
Page 247: Changing And Viewing The Snmp Access Configuration
RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features Changing and Viewing the SNMP Access Configuration Syntax: snmp-server mib hpswitchauthmib < excluded | included > included: Enables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB. excluded: Disables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB.
Page 248 RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features HP Switch(config)# snmp-server mib hpswitchauthmib excluded HP Switch(config)# show snmp-server Indicates that SNMP security MIB access is disabled, which is the SNMP Communities nondefault setting. Community Name...
Page 249 Using SNMP To View and Configure Switch Authentication Features An alternate method of determining the current Authentication MIB access state is to use the show run command. HP Switch(config)# show run Running configuration: ; J9573A Configuration Editor; Created on release #KA.15.03 ;...
Page 250: Local Authentication Process
RADIUS Authentication, Authorization, and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: Local is the authentication option for the access method being used. ■...
Page 251: Controlling Webagent Access
RADIUS Authentication, Authorization, and Accounting Controlling WebAgent Access Controlling WebAgent Access To help prevent unauthorized access through the WebAgent, do one or more of the following: Configure the switch to support RADIUS authentication for ■ WebAgent access (Web Authentication, Chapter 7). Options for the switches covered in this guide: ■...
Page 252: Commands Authorization
RADIUS Authentication, Authorization, and Accounting Commands Authorization Commands Authorization The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information (from the user’s profile) to the Network Access Server (NAS). After user authentication has occurred, the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user’s session.
Page 253: Enabling Authorization
The NAS does not request authorization information. For example, to enable the RADIUS protocol as the authorization method: HP Switch(config)# aaa authorization commands radius When the NAS sends the RADIUS server a valid username and password, the RADIUS server sends an Access-Accept packet that contains two attributes —the command list and the command exception flag.
Page 254: Displaying Authorization Information
Configuring Commands Authorization on a RADIUS Server Using Vendor Specific Attributes (VSAs) Some RADIUS-based features implemented on HP switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access-Accept pack- ets sent to the switch may contain the vendor-specific information. The...
Page 255 (those that are available by default to any user). You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.
Page 256: Example Configuration On Cisco Secure Acs For Ms Windows
The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps. Create a dictionary file (for example, hp.ini) containing the HP VSA definitions, as shown in the example below. ;[User Defined Vendor] ;...
Page 257 Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils> csutil -addudv 0 hp.ini The zero (0) is the slot number.
Page 258 4 (100 in the example). Restart all Cisco services. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry. In the Authenticate Using field choose RADIUS(HP) as an option for the type of security control protocol.
Page 259: Example Configuration Using Freeradius
Find the location of the dictionary files used by FreeRADIUS (try /usr/ local/share/freeradius). Copy dictionary.hp to that location. Open the existing dictionary file and add this entry: $ INCLUDE dictionary.hp You can now use HP VSAs with other attributes when configuring user entries. 6-43...
Page 260: Vlan Assignment In An Authentication Session
RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session VLAN Assignment in an Authentication Session A switch supports concurrent 802.1X and either Web- or MAC-authentication sessions on a port (with up to 32 clients allowed). If you have configured RADIUS as the primary authentication method for a type of access, when a client authenticates on a port, the RADIUS server assigns an untagged VLAN that is statically configured on the switch for use in the authentication session.
Page 261: Additional Radius Attributes
■ MS-RAS-Vendor (RFC 2548): Allows HP switches to inform a Micro- soft RADIUS server that the switches are from HP Networking. This feature assists the RADIUS server in its network configuration. ■ HP-capability-advert: An HP proprietary RADIUS attribute that allows a switch to advertise its current capabilities to the RADIUS server for port-based (MAC, Web, or 802.1X) authentication;...
Page 262 6-16 and 6-17. See “3. Configure the Switch To Access a RADIUS Server” on page 6-14 for configuration commands for dynamic authoriza- tion. HP Switch(config)# show radius dyn-authorization Status and Counters - RADIUS Dynamic Authorization Information NAS Identifier : LAB-8212...
Page 263 RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session Switch(config)# show radius host 154.23.45.111 dyn-authorization Status and Counters - RADIUS Dynamic Authorization Information Authorization Client IP Address : 154.23.45.111 Unknown PKT Types Received : 0 Disc-Reqs CoA-Reqs Disc-Reqs Authorize Only : 0 CoA-Reqs Authorize Only : 0 Disc-ACKs CoA-ACKs...
Page 264: Accounting Services
• Nas-Port • NAS-Identifier • Acct-Authentic • Acct-Output-Octets • Calling-Station-Id • Acct-Delay-Time • Acct-Session-Time • HP-acct-terminate- cause • Acct-Input-Packets • User-Name • MS-RAS-Vendor ■ Exec accounting: Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch: •...
Page 265: Operating Rules For Radius Accounting
■ on CLI command execution during user sessions. • Acct-Session-Id • User-Name • Calling-Station-Id • Acct-Status-Type • NAS-IP-Address • HP-Command-String • Service-Type • NAS-Identifier • Acct-Delay-Time • Acct-Authentic • NAS-Port-Type RADIUS accounting with IP attribute: The RADIUS Attribute 8 ■...
Page 266: Acct-Session-Id Options In A Management Session
RADIUS Authentication, Authorization, and Accounting Accounting Services requests from the switch, a second or third server will not be accessed. (For more on this topic, refer to “Changing RADIUS-Server Access Order” on page 6-67.) If access to a RADIUS server fails during a session, but after the client ■...
Page 267 This incrementing of the NAS-Port-Type = Virtual session ID is normal operation Calling-Station-Id = "172.22.17.101" for command accounting in the HP-Command-String = "show ip" (default) Unique mode. Acct-Delay-Time = 0 Acct-Session-Id = "00330000000A" User “fred” executes the logout Acct-Status-Type = Stop command.
Page 268: Common Acct-Session-Id Operation
NAS-Port-Type = Virtual ID assigned when the session Calling-Station-Id = "172.22.17.101" was opened. No incrementing HP-Command-String = "show ip" of the session ID is done for Acct-Delay-Time = 0 individual commands. Acct-Session-Id = "00330000000B"...
Page 269: Configuring Radius Accounting
RADIUS Authentication, Authorization, and Accounting Accounting Services Configuring RADIUS Accounting RADIUS Accounting Commands Page [no] radius-server host < ip-address > 6-54 [acct-port < port-number >] 6-54 [key < key-string >] 6-54 [no] aaa accounting < exec | network | system > < start-stop | stop-only> radius 6-59 [no] aaa accounting commands <...
Page 270: Configure The Switch To Access A Radius Server
RADIUS Authentication, Authorization, and Accounting Accounting Services • Provide the following: – A RADIUS server IP address. – Optional—a UDP destination port for authentication requests. Otherwise the switch assigns the default UDP port (1812; recom- mended). – Optional—if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are desig- nating, configure a server-specific key.
Page 271 RADIUS Authentication, Authorization, and Accounting Accounting Services yet configured the switch to use a RADIUS server, your server data has changed, or you need to specify a non-default UDP destination port for accounting requests. Note that switch operation expects a RADIUS server to accommodate both authentication and accounting.
Page 272: Optional) Reconfigure The Acct-Session-Id Operation
RADIUS Authentication, Authorization, and Accounting Accounting Services HP Switch(config)# radius-server host 10.33.18.151 acct-port 1750 key source0151 HP Switch(config)# write mem HP Switch(config)# show radius Status and Counters - General RADIUS Information Because the radius-server command includes an acct-port keyword with a non-default UDP port...
Page 273: Reports To The Radius Server
RADIUS Authentication, Authorization, and Accounting Accounting Services HP Switch(config)# aaa accounting session-id common HP Switch(config)# show accounting Status and Counters - Accounting Information Interval(min) : 0 Suppress Empty User : No Example of common Sessions Identification : Common Session ID Configuration...
Page 274 RADIUS Authentication, Authorization, and Accounting Accounting Services Accounting Controls. These options are enabled separately, and define how the switch will send accounting data to a RADIUS server: Start-Stop: Applies to the exec, network, and system accounting ■ service types: • Send a “start record accounting”...
Page 275 Exec functions, stop-only for system functions, and interim-update for com- mands functions. This example continues from figure 6-21, where the session ID was configured as common. HP Switch(config)# aaa accounting exec start-stop radius HP Switch(config)# aaa accounting system stop-only radius HP Switch(config)# aaa accounting commands interim-update radius...
Page 276 Service-Type = NAS-Prompt-User Acct-Authentic = Local NAS-IP-Address = 10.1.242.15 NAS-Identifier = "gsf_dosx_15" NAS-Port-Type = Virtual Calling-Station-Id = "0.0.0.0" HP-Command-String = "reload" Acct-Delay-Time = 0 Acct-Session-Id = "003600000001" Record of System Accounting Off Acct-Status-Type = Accounting-Off When Switch Reboots NAS-IP-Address = 10.1.242.15 NAS-Identifier = "gsf_dosx_15"...
Page 277: Updating Options
Send updates every 10 minutes on in-progress accounting sessions. ■ ■ Block accounting for unknown users (no username). HP Switch(config)# aaa accounting update periodic 10 HP Switch(config)# aaa accounting suppress null-username HP Switch(config)# show accounting Status and Counters - Accounting Information...
Page 278: Viewing Radius Statistics
RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which. requires prior use of the radius-server host command. (See “Accounting Services” on page 6-48.) HP Switch# show radius Status and Counters - General RADIUS Information Deadtime(min) : 5 Timeout(secs) : 10...
Page 279 RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics HP Switch(config)# show radius host 192.33.12.65 Status and Counters - RADIUS Server Information Server IP Addr : 192.33.12.65 Authentication UDP Port : 1812 Accounting UDP Port : 1813 Round Trip Time Round Trip Time...
Page 280: Radius Authentication Statistics
RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Term Definition Access Requests The number of RADIUS Access-Requests the switch has sent since it was last rebooted. (Does not include retransmissions.) Accounting Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions.
Page 281 | Radius None Figure 6-27. Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command HP Switch(config)# show radius authentication Status and Counters - RADIUS Authentication Information NAS Identifier : HP Invalid Server Addresses : 0 Server IP Addr...
Page 282: Radius Accounting Statistics
System | Radius Stop-Only Commands | Radius Interim-Update Figure 6-29. Listing the Accounting Configuration in the Switch HP Switch(config)# show radius accounting Status and Counters - RADIUS Accounting Information NAS Identifier : HP Invalid Server Addresses : 0 Server IP Addr...
Page 283: Changing Radius-Server Access Order
RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order HP Switch(config)# show accounting sessions Active Accounted actions on SWITCH, User (n/a) Priv (n/a), Acct-Session-Id 0x013E00000006, System Accounting record, 1:45:34 Elapsed system event 'Accounting On Figure 6-31. Example Listing of Active RADIUS Accounting Sessions on the Switch...
Page 284 RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order HP Switch# show radius Status and Counters - General RADIUS Information Deadtime(min) : 0 RADIUS server IP addresses listed in the order Timeout(secs) : 5 in which the switch will try to access them. In this Retransmit Attempts : 3 case, the server at IP address 10.10.10.1 is first.
Page 285 RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order HP Switch(config)# no radius host 10.10.10.3 Removes the “3” and “1” addresses from the HP Switch(config)# no radius host 10.10.10.1 RADIUS server list. HP Switch(config)# radius host 10.10.10.3 Inserts the “3” address in the first position in the HP Switch(config)# radius host 10.10.10.1...
Page 286: Limits
This enhancement allows a common port policy to be configured on all access ports by creating new RADIUS HP vendor-specific attributes (VSAs) that will dynamically override the authentication limits. The changes are always applied to the port on the authenticator switch associated with the supplicant being authenti- cated.
Page 287 VSA. A port-based VSA is set with a value of 1; a user-based VSA is set with a value of 2. This is an HP proprietary VSA with a value of 13.
Page 288: Displaying The Port-Access Information
If the command no aaa port-access authentication <port-list> client-limit is exe- cuted, the port access is in port-mode. If the 802.1X client-limit is configured with a value from 1-32, the port access is in user-mode. HP Switch(config)# show port-access summary Port Access Status Summary Port-access authenticator activated [No] : No...
Page 289: Operating Notes
To display the configuration information for just those ports that are dynam- ically overridden by RADIUS attributes, use the show port-access summary radius-overridden command. HP Switch(config)# show port-access summary radius-overridden Port Access Status Summary Port-access authenticator activated [No} : No...
Page 290 RADIUS Authentication, Authorization, and Accounting Dynamic Removal of Authentication Limits 6-74...
Page 291: Overview
— IPv4-only or IPv4 and IPv6) HP recommends using the Standard RADIUS attribute if available. If multiple clients are authenticated on a port where per-port rules are assigned by a RADIUS server, then the most recently assigned rule is applied to the traffic of all clients authenticated on the port.
Page 292: Optional Pcm And Idm Network Management Applications
Overview Optional PCM and IDM Network Management Applications For information on support for the above services in the HP E-PCM Plus (PCM) application using the Identity-Driven Management (IDM) plug-in, refer to the documentation for these applications on the HP website at www.hp.com.
Page 293: P Priority) And Rate-Limiting
Inbound to the Switch Vendor-Specific Attribute used in the RADIUS server. Assigns a RADIUS- (This attribute is maintained for legacy configurations.) configured 802.1p HP vendor-specific ID:11 priority to the inbound VSA: 40 packets received from a specific client authenticated on a Setting: User-Priority-Table = xxxxxxxx where: switch port.
Page 294 Rate-Limiting Per- HP vendor-specific ID:11 User VSA: 46 Assigns a RADIUS- Setting: HP-Bandwidth-Max-Egress = < bandwidth-in-Kbps > configured bandwidth Note: RADIUS-assigned rate-limit bandwidths must be specified in limit to the inbound Kbps. (Bandwidth percentage settings are not supported.) Using a...
Page 295: Applied Rates For Radius-Assigned Rate Limits
Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting Applied Rates for RADIUS-Assigned Rate Limits On the switches covered by this guide, rate limits are applied incrementally, as determined by the RADIUS-applied rate. For any given bandwidth assign- ment, the switch applies the nearest rate increment that does not exceed the assigned value.
Page 296 RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting Per- Port HP recommends that rate-limiting be configured either solely through B a n d w i d t h RADIUS assignments or solely through static CLI configuration on the switch unless the potential for the override described below is specifically desired.
Page 297: Viewing The Currently Active Per-Port Cos And Rate-Limiting Configuration Specified By A Radius Server
Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting Viewing the Currently Active Per-Port CoS and Rate- Limiting Configuration Specified by a RADIUS Server While a RADIUS-assigned client session is active on a given port, any RADIUS- imposed values for the settings listed in table 7-5 are applied as shown: Table 7-5.
Page 298 Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting web-based [ port-list ] clients detail displays, for a Web authen- ticated client (Web-Auth), the status of RADIUS-assignment details for that client.. (Refer to “Show Commands for Web Authentication”...
Page 299 10,000 kbs 50,000 kbs* “X” authenticates *Combined rate-limit output for all clients active on the port. HP Switch(eth-10)# show port-access web-based clients 4 detail Indicates there is an authenticated client session running on port 10. Port Access Web-Based Client Status Detailed...
Page 300 They also include indications of RADIUS-assigned rate-limiting and client traffic priority settings for any clients that may be authenticated on the same ports. HP Switch# show rate-limit all 1-5 All-Traffic Rate Limit Maximum % | Inbound Radius...
Page 301: Configuring And Using Dynamic Radius-Assigned) Access Control Lists
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Introduction A RADIUS-assigned ACL is configured on a RADIUS server and dynamically assigned by the server to filter IP traffic from a specific client after the client is authenticated by the server.
Page 302 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists • RACL (IPv4 ACLs only): an ACL assigned to filter routed IPv4 traffic entering or leaving the switch on a VLAN. (Separate assignments are required for inbound and outbound traffic.) •...
Page 303 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists NAS (Network Attached Server): In this context, refers to a HP switch configured for RADIUS operation. Outbound Traffic: For defining the points where the switch applies an ACL to filter traffic, outbound traffic is routed IPv4 traffic leaving the switch through a VLAN interface (or a subnet in a multinetted VLAN).
Page 304: Overview Of Radius-Assigned, Dynamic Acls
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists VLAN ACL (VACL): An ACL applied to traffic entering the switch on a given VLAN interface. See also “Access Control List”. VSA (Vendor-Specific-Attribute): A value used in a RADIUS-based config- uration to uniquely identify a networking feature that can be applied to a port on a given vendor’s switch during an authenticated client session.
Page 305 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Implementing the feature requires: RADIUS authentication using the 802.1X, Web authentication, or MAC ■ authentication available on the switch to provide client authentica- tion services ■...
Page 306: Contrasting Radius-Assigned And Static Acls
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists ACLs enhance network security by blocking selected IP traffic, and can serve as one aspect of network security. However, because ACLs do not protect from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete edge security solution.
Page 307 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists RADIUS-Assigned ACLs Static Port and VLAN ACLs Allows one RADIUS-assigned ACL per authenticated client Simultaneously supports all of the following static on a port. (Each such ACL filters traffic from a different, assignments affecting a given port: authenticated client.) •...
Page 308: To A Client On A Switch Port
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists How a RADIUS Server Applies a RADIUS-Assigned ACL to a Client on a Switch Port A RADIUS-assigned ACL configured on a RADIUS server is identified and invoked by the unique credentials (username/password pair or a client MAC address) of the specific client the ACL is intended to service.
Page 309: General Acl Features, Planning, And Configuration
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists actual IP traffic inbound from any client on the switch carries a source MAC address unique to that client. The RADIUS-assigned ACL uses this MAC address to identify the traffic to be filtered.) Effect of Multiple ACL Application Types on an Interface.
Page 310: The Packet-Filtering Process
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists The Packet-filtering Process Packet-Filtering in an applied ACL is sequential, from the first ACE in the ACL to the implicit “deny any any” following the last explicit ACE. This operation is the same regardless of whether the ACL is applied dynamically from a RADIUS server or statically in the switch configuration.
Page 311 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Effect of Other, Statically Configured ACLs: Suppose that port ■ B1 belongs to VLAN “Y” and has a RADIUS-assigned ACL to filter inbound traffic from an authenticated client. Port B1 is also config- ured with IPv4 and IPv6 static port ACLs, and VLAN “Y”...
Page 312: Configuring An Acl In A Radius Server
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Configuring an ACL in a RADIUS Server This section provides general guidelines for configuring a RADIUS server to specify RADIUS-assigned ACLs. Also included is an example configuration for a FreeRADIUS server application.
Page 313: Nas-Filter-Rule-Options
(Using this option causes the ACL to drop any IPv6 traffic received from the authenticated client.) Setting: HP-Nas-Rules-IPv6 = < 1 | 2 > Nas-filter-Rule “< permit or deny ACE >” Note: When the configured integer option is “1”, the any keyword used as a destination applies to both IPv4 and IPv6 destinations for the selected traffic type (such as Telnet).
Page 314 IPv4 traffic. However, for new or updated configurations (and any Switch configurations supporting IPv6 traffic filtering) HP recommends using the Standard Attribute (92) Assigns a RADIUS- described earlier in this table instead of the HP-Nas-filter-Rule attribute described here.
Page 315: Ace Syntax In Radius Servers
: Standard attribute for filtering inbound IPv4 traffic from an authenticated Nas-filter-Rule = client. When used without the HP VSA option (below) for filtering inbound IPv6 traffic from the client, drops the IPv6 traffic. Refer also to table 7-7, “Nas-Filter-Rule Attribute Options”...
Page 316 Nas-filter-Rule+=”permit in ip from any to 10.10.10.1/24” Nas-filter-Rule+=”deny in ip from any to any” – the HP-Nas-Filter-Rule VSA is used instead of either of the above options. For example, all of the following destinations are for IPv4 traffic: HP-Nas-filter-Rule=”permit in tcp from any to any 23”...
Page 317: Example Using The Standard Attribute (92) In An Ipv4 Acl
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists host < ipv6-addr >: Specifies a single destination IPv6 address. Note: Filtering IPv6 traffic requires the Standard Attribute (Nas-Filter-Rule) with the HP-Nas-Rules-IPv6 VSA set to 1. (Refer to table 7-7 on page 7-23.) <...
Page 318 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists client 10.10.10.125 Note: The key configured in the switch and the secret configured in the RADIUS server nastype = other supporting the switch must be identical. Refer secret = 1234 to the chapter titled “RADIUS Authentication and Accounting”...
Page 319: Example Using Hp Vsa 63 To Assign Ipv6 And/Or Ipv4 Acls
Figure 7-5. Example of Configuring the FreeRADIUS Server To Support ACLs for the Indicated Clients Example Using HP VSA 63 To Assign IPv6 and/or IPv4 ACLs The ACL VSA HP-Nas-Rules-IPv6=1 is used in conjunction with the standard attribute (Nas-Filter-Rule) for ACL assignments filtering both IPv6 and IPv4 traffic inbound from an authenticated client.
Page 320 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Enter the switch IPv4 address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key (“secret”) is “1234”, you would enter the following in the server’s clients.conf file: client 10.10.18.12 Note: The key configured in the switch and the...
Page 321 Client’s Username (802.1X or Web Authentication) Client’s Password (802.1X or Web Authentication) Admin01 Auth-Type:= Local, User-Password == myAuth9 HP-Nas-Rules-IPv6 = 1, IPv6 VSA for the standard attribute-92. Nas-filter-rule = “permit in tcp from any to FE80::a40 80”, Nas-filter-rule += “deny in tcp from any to ::/0 80”, Nas-filter-rule += “permit in tcp from any to 10.10.10.117 80”,...
Page 322: Example Using Hp Vsa 61 To Assign Ipv4 Acls
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Example Using HP VSA 61 To Assign IPv4 ACLs The software supports the HP VSA 61 vendor-specific method for enabling RADIUS-based IPv4 ACL assignments on the switch. The recommended use of this option is to support ACL configurations that rely on VSA 61. However, HP recommends using the standard attribute (92) for new, RADIUS-based IPv4 ACLs (pages 7-23 and 7-27).
Page 323: Freeradius "Users" File
Client’s Password (802.1X or Web Authentication) User-10 Auth-Type:= Local, User-Password == auth7X HP-Nas-Rules-IPv6 = 1, HP-Nas-filter-Rule = “permit in tcp from any to 10.10.10.117 80”, HP-Nas-filter-Rule += “deny in tcp from any to any 80”, HP-Nas-filter-Rule += “deny in tcp from any to any 23”, HP-Nas-filter-Rule += “permit in ip from any to any”...
Page 324: Configuration Notes
HP-Nas-Rules-IPv6 = 1 exist elsewhere in the ACL. Refer to table 7-7 on page 7-23 for more on HP-Nas-Rules-IPv6. ■ HP-Nas-Filter-Rule += permit in ip from any to any ■ Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6 = 2 Explicitly Denying Inbound Traffic From an Authenticated Client.
Page 325: Acls
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Configuring the Switch To Support RADIUS-Assigned ACLs An ACL configured in a RADIUS server is identified by the authentication credentials of the client or group of clients the ACL is designed to support. When a client authenticates with credentials associated with a particular ACL, the switch applies that ACL to the switch port the client is using.
Page 326 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists 802.1X Option: Syntax: aaa port-access authenticator < port-list > aaa authentication port-access chap-radius aaa port-access authenticator active These commands configure 802.1X port-based access control on the switch, and activates this feature on the specified ports.
Page 327: On The Switch
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Displaying the Current RADIUS-Assigned ACL Activity on the Switch These commands output data indicating the current ACL activity imposed per- port by RADIUS server responses to client authentication. Syntax: show access-list radius <...
Page 328 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists HP Switch(config)# show access-list radius b1 Indicates MAC address identity of the authenticated client on the specified port. This data identifies the Radius-configured Port-based ACL for client to which the ACL applies.
Page 329 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Access Policy Details: COS Map: Indicates the 802.1p priority assigned by the RADIUS server for traffic inbound on the port from an authenticated client. The field shows an eight-digit value where all digits show the same, assigned 802.1p number.
Page 330 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists HP Switch(config)# show port-access web-based clients 10 detailed Port Access Web-Based Client Status Detailed Client Base Details : Port Session Status : authenticated Session Time(sec) : 5...
Page 331 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Table 7-8. ICMP Type Numbers and Keywords IPv4 ICMP IPv6 ICMP Keyword Keyword destination unreachable echo reply destination unreachable packet too big source quench time exceeded redirect parameter problem echo request...
Page 332: Event Log Messages
7-7 on page 7-23 for more on this attribute. Monitoring Shared Resources Currently active, RADIUS-based authentication sessions (including HP IDM client sessions) using RADIUS-assigned ACLs share internal switch resources with several other features. The switch provides ample resources for all features.
Page 333: Overview
Configuring Secure Shell (SSH) Overview Feature Default Menu WebAgent Generating a public/private key pair on the switch page 8-9 Using the switch’s public key page 8-12 Enabling SSH Disabled page 8-15 Enabling client public-key authentication Disabled pages 8-21, 8-25 Enabling user authentication Disabled page 8-20 The switches covered in this guide use Secure Shell version 2 (SSHv2) to...
Page 334 – None Figure 8-1. Client Public Key Authentication Model Note SSH in HP switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit www.openssh.com . Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication shown in figure 8-1.
Page 335: Terminology
Configuring Secure Shell (SSH) Terminology Terminology ■ SSH Server: An HP switch with SSH enabled. ■ Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key, that can be read by anyone and a private key held internally in the switch or by a client.
Page 336: Prerequisite For Using Ssh
Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 8-2), then the client program must have the capability to generate or import keys.
Page 337: For Switch And Client Authentication
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 8-1.
Page 338 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation Assign a login (Operator) and enable (Manager) password on the switch (page 8-9). Generate a public/private key pair on the switch (page 8-9). You need to do this only once.
Page 339: General Operating Rules And Notes
Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 client key pairs. The switch’s own public/private key pair and the (optional) client ■...
Page 340: Configuring The Switch For Ssh Operation
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 8-19 show crypto client-public-key [<manager | operator>] 8-28 [keylist-str] [< babble | fingerprint>] show crypto host-public-key [< babble | fingerprint >] 8-14 show authentication 8-24...
Page 341: Enable (Manager) Password
1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
Page 342 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be “permanent”;...
Page 343 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation zeroize <ssh | cert | autorun [rsa]> Erases the switch’s public/private key pair and dis- ables SSH operation. show crypto host-public-key Displays switch’s public key. Displays the version 1 and version 2 views of the key. See “SSH Client Public-Key Authentication”...
Page 344: Configuring Key Lengths
<keysize> parameter and has the values shown in Table 8-2. The default value is used if keysize is not specified. Table 8-2. RSA/DSA Values for Various HP Switches Platform Maximum RSA Key Size (in bits) DSA Key Size (in bits)
Page 345 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation The public key generated by the switch consists of three parts, separated by one blank space each: Exponent <e> Bit Size Modulus <n> 896 35 427199470766077426366625060579924214851527933248752021855126493 2934075407047828604329304580321402733049991670046707698543529734853020 0176777055355544556880992231580238056056245444224389955500310200336191 3610469786020092436232649374294060627777506601747146563337525446401 Figure 8-6. Example of a Public Key Generated by the Switch (The generated public key on the switch is always 896 bits.) With a direct serial connection from a management station to the switch: Use a terminal application such as HyperTerminal to display the switch’s...
Page 346 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Modulus <n>...
Page 347: Client Contact Behavior
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 8-9. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 8-9 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host”...
Page 348 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if the switch’s public key has not been copied into the client, then the client’s first connection to the switch will question the connection and, for security reasons, provide the option of accepting or refusing.
Page 349 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher <cipher-type>] Specify a cipher type to use for connection. Valid types are: • aes128-cbc • 3des-cbc • aes192-cbc •...
Page 350 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [mac <mac-type>] Allows configuration of the set of MACs that can be selected. Valid types are: • hmac-md5 • hmac-sha1 • hmac-sha1-96 • hmac-md5-96 Default: All MAC types are available. Use the no form of the command to disable a MAC type.
Page 351 Configuring the Switch for SSH Operation N o t e o n P o r t HP recommends using the default TCP port number (22). However, you can Num b er use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes.
Page 352: Configuring The Switch For Ssh Authentication
Client Public-Key Authentication” on page 8-25 Note HP recommends that you always assign a Manager-Level (enable) password to the switch. Without this level of protection, any user with Telnet, web, or serial port access to the switch can change the switch’s configuration. Also,...
Page 353 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option B: Configuring the Switch for Client Public-Key SSH Authentication. If configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public-key for the switch to authenticate.
Page 354 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none > Configures a password method for the primary and second- ary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none.
Page 355 Please retype new password for Manager: ******** keys in the public HP Switch(config)# aaa authentication ssh login public-key none key file. HP Switch(config)# aaa authentication ssh enable tacacs local HP Switch(config)# coy tftp pub-key-file 10.33.18.117...
Page 356: Use An Ssh Client To Access The Switch
None example, the file | Tacacs Local contains two client public-keys. Client Key Index Number HP Switch(config)# show crypto client-public-key 0,”Maden name [1024-bit rsa, Local_cryto @ Local crypto, Thu Nov 07 2009 21:25:42]” ssh-rsa AAAAB3NzaClyc2EAAAADAQABAAAAgQcz9oNfqxMHUFEC6frSu1Sa4Uh1EFznFhQqmgP2 9HXYp6NR/1QOumACtrFU+QD11Etm/XvZH/ KIxTdEc5exFZXKIxTdEc5exFXS10tcRaFYxI9UjK80dBMavBGKBLvVebCVwlqdAqbkaEX3d/ WaPS2xArLCFHsTZhnCvqTZDOGAB1frlcw==1,”[768-bit rsa, Local_crypto@Localcrypto, Mon Dec 16 2009 23:01:51]”ssh-rsaAAAAb3NzaClyc2EAAAADQABAAAAYQD0tmzA32JBgeu...
Page 357: Further Information On Ssh Client Public-Key Authentication
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Configuring the Switch for SSH Authentication” on page 8-20 lists the steps for configuring SSH authentication on the switch. However, if you are new to SSH or need more details on client public-key authentication, this section may be helpful.
Page 358 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. If there is a match, the switch: Generates a random sequence of bytes.
Page 359 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Notes Comments in public key files, such as smith@support.cairns.com in figure 8-13, may appear in a SSH client application’s generated public key. While such comments may help to distinguish one key from another, they do not pose any restriction on the use of a key by multiple clients and/or users.
Page 360 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Copying a client-public-key into the switch requires the following: ■ One or more client-generated public keys. Refer to the documentation provided with your SSH client application. A copy of each client public key (up to ten) stored in a single text file ■...
Page 361 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication show crypto client-public-key [<manager | operator>] [keylist-str] [babble | fingerprint] Displays the client public key(s) in the switch’s current client-public-key file. See “SSH Client Public-Key Authentication” on page 2-16 in this guide for information about public keys saved in a configuration file.
Page 362 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Replacing or Clearing the Public Key File. The client public-key file remains in the switch’s flash memory even if you erase the startup-config file, reset the switch, or reboot the switch. You can remove the existing client public-key file or specific keys by ■...
Page 363: Messages Related To Ssh Operation
Note: Only up to 39 characters of the key comment are included in the event log message. Debug Logging To add ssh messages to the debug log output, enter this command: HP Switch# debug ssh LOGLEVEL where LOGLEVEL is one of the following (in order of increasing verbosity): • fatal •...
Page 364 Configuring Secure Shell (SSH) Messages Related to SSH Operation 8-32...
Page 365: Overview
SSL/TLS operation. N o t e HP Switches use SSL and TLS for all secure web transactions, and all refer- ences to SSL mean using one of these algorithms unless otherwise noted SSL provides all the web functions but, unlike standard web access, SSL provides encrypted, authenticated transactions.
Page 366: Terminology
■ ■ RC4 (40-bit, 128-bit) N o t e HP Switches use RSA public key algorithms and Diffie-Hellman, and all references to a key mean keys generated using these algorithms unless otherwise noted Terminology SSL Server: An HP switch with SSL enabled.
Page 367 Configuring Secure Socket Layer (SSL) Terminology Root Certificate: A trusted certificate used by certificate authorities to ■ sign certificates (CA-Signed Certificates) and used later on to verify that authenticity of those signed certificates. Trusted certificates are distrib- uted as an integral part of most popular web clients. (see browser docu- mentation for which root certificates are pre-installed).
Page 368: Prerequisite For Using Ssl
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL-enabled web browser application on the com- puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include:...
Page 369: General Operating Rules And Notes
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Enable SSL on the switch. (page 9-13) Use your SSL enabled browser to access the switch using the switch’s IP address or DNS name (if allowed by your browser). Refer to the documentation provided with the browser application.
Page 370: Configuring The Switch For Ssl Operation
1. Assigning a Local Login (Operator) and Enabling (Manager) Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
Page 371: With The Cli
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The server certificate is stored in the switch’s flash memory. The server certificate should be added to your certificate folder on the SSL clients who you want to have access to the switch. Most browser applications automati- cally add the switch’s host certificate to there certificate folder on the first use.
Page 372: Comments On Certificate Fields
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI commands used to generate a Server Host Certificate. Syntax: crypto key generate cert rsa bits < 512 | 768 |1024 > Generates a key pair for use in the certificate. crypto key zeroize cert Erases the switch’s certificate key and disables SSL opera- tion.
Page 373 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Table 9-1. Certificate Field Descriptions Field Name Description Valid Start Date This should be the date you desire to begin using the SSL functionality. Valid End Date This can be any future date, however good security practices would suggest a valid duration of about one year between updates of passwords and keys.
Page 374: Generate A Self-Signed Host Certificate With The Webagent
Generate a Self-Signed Host Certificate with the WebAgent You can configure SSL from the WebAgent. For more information on how to access the WebAgent refer to the chapter titled “Using the HP WebAgent” in the Management and Configuration Guide for your switch.
Page 375: Webagent
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation iii. In the Web Management box, enable SSL if it is not already checked. iv. Complete the fields in the SSL Certificate box and click on Create request. N o t e When generating a self-signed host certificate, if no key is present and the current option is selected in the RSA key size box and error will be generated.
Page 376 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL.
Page 377: Browser Contact Behavior
Switch’s Server Host Certificate” on page 9-6. When configured for SSL, the switch uses its host certificate to authenticate itself to SSL clients, however unless you disable the standard HP WebAgent with the no web-management command it will be still available for unsecured transactions.
Page 378: Using The Cli Interface To Enable Ssl
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The security concern described above does not exist when using CA-signed certificates that have been generated by certificate authorities that the web browser already trusts Using the CLI Interface to Enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch.
Page 379 Click on Save. N o t e o n P o r t HP recommends using the default IP port number (443). However, you can N u m b e r use web-management ssl tcp-port to specify any TCP port for SSL connections except those reserved for other purposes.
Page 380: Common Errors In Ssl Setup
Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup Common Errors in SSL Setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 9-8.) Enabling SSL on the CLI or WebAgent You have not generated a host...
Page 381: Introduction
IPv4 Access Control Lists (ACLs) Introduction An Access Control List (ACL) is a list of one or more Access Control Entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch’s interfaces. This chapter describes how to configure, apply, and edit static IPv4 ACLs in a network populated with the switches covered by this guide, and how to monitor IPv4 ACL actions.
Page 382 IPv4 Access Control Lists (ACLs) Introduction Feature Default Configure an ACL from a TFTP Server 10-107 Enable ACL Logging 10-114 IPv4 filtering with ACLs can help improve network performance and restrict network use by creating policies for: Switch Management Access: Permits or denies in-band manage- ■...
Page 383: Overview Of Options For Applying Ipv4 Acls On The Switch
IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Overview of Options for Applying IPv4 ACLs on the Switch To apply IPv4 ACL filtering, assign a configured IPv4 ACL to the interface on which you want traffic filtering to occur. VLAN and routed IPv4 traffic ACLs can be applied statically using the switch configuration.
Page 384 IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch clients. For information on RADIUS-assigned ACLs assigned by a RADIUS server, refer to the chapter titled “Configuring RADIUS Server Support for Switch Services”. Note This chapter describes the IPv4 ACL applications you can statically configure on the switch.
Page 385: Command Summary For Standard Ipv4 Acls
HP Switch(config)# ip access-list standard < name-str | 1-99 > 10-92 Remark from a HP Switch(config-ext-nacl)# [ remark < remark-str > | no < 1-2147483647 > remark ] 10-95 Standard ACL For numbered, standard ACLs only, the following remark commands can be substituted for the above: HP Switch(config)# access-list <...
Page 386: Command Summary For Ipv4 Extended Acls
[ [< 0 - 255 > [ 0 - 255 ] ] | icmp-message ] [precedence < priority >] [tos < tos- setting >] [log] HP Switch(config)# access-list < 100-199 > < deny | permit > Create an Extended, 10-74 Numbered ACL <...
Page 387: Displaying Acls
HP Switch(config)# no access-list < 100 - 199 > Command Summary for Enabling, Disabling, and Displaying ACLs Enable or Disable an HP Switch(config)# [no] vlan < vid > ip access-group < identifier > < in | out > 10-81 RACL Enable or Disable a HP Switch(config)# [no] vlan <...
Page 388: Terminology
IPv4 Access Control Lists (ACLs) Terminology Terminology Access Control Entry (ACE): A policy consisting of criteria and an action (permit or deny) to execute on a packet if it meets the criteria. The elements composing the criteria include: • source IPv4 address and mask (standard and extended ACLs) •...
Page 389 IPv4 Access Control Lists (ACLs) Terminology ACL ID: A number or alphanumeric string used to identify an ACL. A standard IPv4 ACL ID can have either an alphanumeric string or a number in the range of 1 to 99. An extended IPv4 ACL ID can have either an alphanumeric string or a number in the range of 100 to 199.
Page 390 IPv4 Access Control Lists (ACLs) Terminology ACLs). You can preempt the Implicit Deny in a given ACL by configuring a permit any (standard) or permit ip any any (extended) as the last explicit ACE in the ACL. Doing so permits any IPv4 packet that is not explicitly permitted or denied by other ACEs configured sequentially earlier in the ACL.
Page 391 IPv4 Access Control Lists (ACLs) Terminology Outbound Traffic: For defining the points where the switch applies an RACL to filter traffic, outbound traffic is routed traffic leaving the switch through a VLAN interface (or a subnet in a multinetted VLAN). “Outbound traffic”...
Page 392 IPv4 Access Control Lists (ACLs) Terminology seq-#: The term used in ACL syntax statements to represent the sequence number variable used to insert an ACE within an existing list. The range allowed for sequence numbers is 1 - 2147483647. Standard ACL: This type of access control list uses the layer-3 IP criteria of source IPv4 address to determine whether there is a match with an IPv4 packet.
Page 393: Overview
IPv4 Access Control Lists (ACLs) Overview Overview Types of IPv4 ACLs A permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other factors. Standard ACL: Use a standard ACL when you need to permit or deny IPv4 traffic based on source address only.
Page 394: Racl Applications
IPv4 Access Control Lists (ACLs) Overview • Routed IPv4 traffic having a destination address (DA) on the switch itself. In figure 10-1 on page 10-15, this is any of the IP addresses shown in VLANs “A”, “B”, and “C”. (Routing need not be enabled.) •...
Page 395 IPv4 Access Control Lists (ACLs) Overview The subnet mask for this Switch with IPv4 Routing example is 255.255.255.0. Enabled VLAN 1 10.28.10.5 10.28.10.1 An ACL assigned to screen (One Subnet) routed, inbound IPv4 traffic on VLAN 1 screens only the VLAN 2 routed traffic arriving from 10.28.20.1...
Page 396: Vacl Applications
IPv4 Access Control Lists (ACLs) Overview VACL Applications VACLs filter any IPv4 traffic entering the switch on a VLAN configured with the “VLAN” ACL option. vlan < vid > ip access-group < identifier > vlan For example, in figure 10-2, you would assign a VACL to VLAN 2 to filter all inbound switched or routed IPv4 traffic received from clients on the 10.28.20.0 network.
Page 397: Radius-Assigned (Dynamic) Port Acl Applications
IPv4 Access Control Lists (ACLs) Overview RADIUS-Assigned (Dynamic) Port ACL Applications Note IPv6 support is available for RADIUS-assigned port ACLs configured to filter inbound IPv4 and IPv6 traffic from an authenticated client. Also, the implicit deny in RADIUS-assigned ACLs applies to both IPv4 and IPv6 traffic inbound from the client.
Page 398 IPv4 Access Control Lists (ACLs) Overview 802.1X User-Based and Port-Based Applications. User-Based 802.1X access control allows up to 32 individually authenticated clients on a given port. Port-Based access control does not set a client limit, and requires only one authenticated client to open a given port (and is recommended for applications where only one client at a time can connect to the port).
Page 399: Multiple Acls On An Interface
IPv4 Access Control Lists (ACLs) Overview For 802.1X or MAC authentication methods, clients can authenticate ■ regardless of their IP version (IPv4 or IPv6). For the Web authentication method, clients must authenticate using ■ IPv4. However, this does not prevent the client from using a dual stack, or the port receiving a RADIUS-assigned ACL configured with ACEs to filter IPv6 traffic.
Page 400 IPv4 Access Control Lists (ACLs) Overview Note In cases where an RACL and any type of port or VLAN ACL are filtering traffic entering the switch, the switched traffic explicitly permitted by the port or VLAN ACL is not filtered by the RACL (except where the traffic has a destination on the switch itself).
Page 401 IPv4 Access Control Lists (ACLs) Overview An inbound, switched packet entering on port A10, with a destination on port A12, will be screened by the static port ACL and the VACL, regardless of a match with any permit or deny action. A match with a deny action (including an implicit deny) in either ACL will cause the switch to drop the packet.
Page 402: Features Common To All Acl Applications
IPv4 Access Control Lists (ACLs) Overview Features Common to All ACL Applications Any ACL can have multiple entries (ACEs). ■ You can apply any one ACL to multiple interfaces. ■ ■ All ACEs in an ACL configured on the switch are automatically sequenced (numbered).
Page 403: General Steps For Planning And Configuring Acls
IPv4 Access Control Lists (ACLs) Overview General Steps for Planning and Configuring ACLs Identify the ACL action to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv4 traffic at the edge of the network instead of in the core.
Page 404 IPv4 Access Control Lists (ACLs) Overview Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL, VACL, or RACL) appropriate for each assign- ment. (For RADIUS-assigned ACLs, refer to the Note in the table in step 1 on page 10-23.) If you are using an RACL, ensure that IPv4 routing is enabled on the switch.
Page 405: Ipv4 Static Acl Operation
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation IPv4 Static ACL Operation Introduction An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). A static ACL applies only to the switch in which it is configured.
Page 406: The Packet-Filtering Process
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation Note After you assign an IPv4 ACL to an interface, the default action on the interface is to implicitly deny IPv4 traffic that is not specifically permitted by the ACL. (This applies only in the direction of traffic flow filtered by the ACL.) The Packet-filtering Process Sequential Comparison and Action.
Page 407 IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation no further comparisons of the packet are made with the remaining ACEs in the list. This means that when an ACE whose criteria matches a packet is found, the action configured for that ACE is invoked, and any remaining ACEs in the ACL are ignored.
Page 408 40 permit tcp 10.11.11.33 0.0.0.0 0.0.0.0 255.255.255.255 eq 23 < Implicit Deny > exit HP Switch(config)# vlan 12 ip access-group Test-02 in 1. Permits IPv4 traffic from source address 10.11.11.42. Packets 4. Permits Telnet traffic from source address 10.11.11.33. Packets...
Page 409: Planning An Acl Application
IPv4 Access Control Lists (ACLs) Planning an ACL Application It is important to remember that all IPv4 ACLs configurable on the switch include an implicit deny ip any. That is, IPv4 packets that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped instead of forwarded on the interface.
Page 410 IPv4 Access Control Lists (ACLs) Planning an ACL Application Any TCP traffic (only) for a specific TCP port or range of ports, ■ including optional control of connection traffic based on whether the initial request should be allowed Any UDP traffic or UDP traffic for a specific UDP port ■...
Page 411: Security
IPv4 Access Control Lists (ACLs) Planning an ACL Application Security ACLs can enhance security by blocking traffic carrying an unauthorized source IPv4 address (SA). This can include: blocking access from specific devices or interfaces (port or VLAN) ■ ■ blocking access to or from subnets in your network ■...
Page 412: Ipv4 Acl Configuration And Operating Rules
IPv4 Access Control Lists (ACLs) Planning an ACL Application The sequence of ACEs is significant. When the switch uses an ACL to ■ determine whether to permit or deny a packet on a particular VLAN, it compares the packet to the criteria specified in the individual Access Control Entries (ACEs) in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found.
Page 413 IPv4 Access Control Lists (ACLs) Planning an ACL Application Per Switch ACL Limits for All ACL Types. At a minimum an ACL ■ must have one, explicit “permit” or “deny” Access Control Entry. You can configure up to 2048 IPv4 ACLs each for IPv4 and IPv6. The maximums are as follows: •...
Page 414 IPv4 Access Control Lists (ACLs) Planning an ACL Application application on the same interface. For example, configuring an RACL named “100” to filter inbound routed traffic on VLAN 20, but later, you configured another RACL named 112 to filter inbound routed traffic on this same VLAN, RACL 112 replaces RACL 100 as the ACL to use.
Page 415: How An Ace Uses A Mask To Screen Packets For Matches
IPv4 Access Control Lists (ACLs) Planning an ACL Application Note RACLs do filter routed or switched IPv4 traffic having an SA or DA on the switch itself. How an ACE Uses a Mask To Screen Packets for Matches When the switch applies an ACL to IPv4 traffic, each ACE in the ACL uses an IPv4 address and ACL mask to enforce a selection policy on the packets being screened.
Page 416: Access Control Entry (Ace)
IPv4 Access Control Lists (ACLs) Planning an ACL Application Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) For a given ACE, when the switch compares an IPv4 address and ■ corresponding mask in the ACE to an IPv4 address carried in a packet: •...
Page 417 IPv4 Access Control Lists (ACLs) Planning an ACL Application Every IPv4 address and mask pair (source or destination) used in an ■ ACE creates one of the following policies: • Any IPv4 address fits the matching criteria. In this case, the switch automatically enters the address and mask in the ACE.
Page 418 IPv4 Access Control Lists (ACLs) Planning an ACL Application Example of How the Mask Bit Settings Define a Match . Assume an ACE where the second octet of the mask for an SA is 7 (the rightmost three bits are “on”, or “1”) and the second octet of the corresponding SA in the ACE is 31 (the rightmost five bits).
Page 419 IPv4 Access Control Lists (ACLs) Planning an ACL Application Examples Allowing Multiple IPv4 Addresses. Table 10-3 provides exam- ples of how to apply masks to meet various filtering requirements. Table 10-3. Example of Using an IPv4 Address and Mask in an Access Control Entry Address in the ACE Mask Policy for a Match Between a...
Page 420: Configuring And Assigning An Ipv4 Acl
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL CIDR Notation. For information on using CIDR notation to specify ACL masks, refer to “Using CIDR Notation To Enter the IPv4 ACL Mask” on page 10-49. Configuring and Assigning an IPv4 ACL ACL Feature Page Configuring and Assigning a Standard ACL...
Page 421: Options For Permit/Deny Policies
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Options for Permit/Deny Policies The permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other IPv4 factors. Standard ACL: Uses only a packet's source IPv4 address as a crite- ■...
Page 422: Standard Acl Structure
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL One or more deny/permit list entries (ACEs): One entry per line. Element Notes Type Standard or Extended Identifier • Alphanumeric; Up to 64 Characters, Including Spaces • Numeric: 1 - 99 (Standard) or 100 - 199 (Extended) Remark Allows up to 100 alphanumeric characters, including blank spaces.
Page 423: Extended Acl Configuration Structure
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, figure 10-10 shows how to interpret the entries in a standard ACL. HP Switch(Config)# show running ACL List Heading with List Type and Identifier (Name or Number) ip access-list standard “Sample-List”...
Page 424 IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL ip access-list extended < identifier > [ [ seq-# ] remark < remark-str >] < permit | deny > < ipv4-protocol-type > < SA > < src-acl-mask > < DA > <dest-acl-mask > <...
Page 425: Acl Configuration Factors
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, figure 10-12 shows how to interpret the entries in an extended ACL. HP Switch(config)# show running ACL List Heading with List Type and ID String (Name or Number) Running configuration: ;...
Page 426 IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, suppose that you have applied the ACL shown in figure 10-13 to inbound IPv4 traffic on VLAN 1 (the default VLAN): Source Address Mask DestinationAddress Mask ip access-list extended "Sample-List-2" 10 deny ip 10.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255 20 deny ip 10.28.245.89 0.0.0.0 0.0.0.0 255.255.255.255 30 permit tcp 10.28.18.100 0.0.0.0 10.28.237.1 0.0.0.0...
Page 427: Allowing For The Implied Deny Function
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Allowing for the Implied Deny Function In any ACL having one or more ACEs there will always be a packet match. This is because the switch automatically applies an Implicit Deny as the last ACE in any ACL.
Page 428: Using The Cli To Create An Acl
ACE without the sequence number. For example, if you wanted to add a “permit” ACL at the end of a list named “List-1” to allow traffic from the device at 10.10.10.100: HP Switch(config)# ip access-list standard List-1 HP Switch(config-std-nacl)# permit host 10.10.10.100 Insert an ACE anywhere in a named ACL by specifying a sequence number.
Page 429: Using Cidr Notation To Enter The Ipv4 Acl Mask
For example, to insert an ACE denying IPv4 traffic from the host at 10.10.10.77 as line 52 in an existing ACL identified (named) with the number 11: HP Switch(config)# ip access-list standard 99 HP Switch(config-std-nacl)# 52 deny host 10.10.10.77 Note After a numbered ACL has been created (using access-list <...
Page 430: Configuring Standard Acls
HP Switch(config)# ip access-list standard < name-str | 1-99 > 10-92 Remark from an ACL HP Switch(config-ext-nacl)# [ remark < remark-str > | no < 1-2147483647 > remark ] 10-95 For numbered, standard ACLs only, the following remark commands can be substituted for the above: HP Switch(config)# access-list <...
Page 431 HP Switch(config)# ip access-list standard Test-List HP Switch(config-std-nacl)# permit host 10.10.10.147 HP Switch(config)# access-list 1 permit host 10.10.10.147 Note that once a numbered ACL has been created, it can be accessed using the named ACL method. This is useful if it becomes necessary to edit a numbered ACL by inserting or removing individual ACEs.
Page 432: Configuring Named, Standard Acls
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring Named, Standard ACLs This section describes the commands for performing the following: creating and/or entering the context of a named, standard ACL ■ ■ appending an ACE to the end of an existing list or entering the first ACE in a new list For other IPv4 ACL topics, refer to the following: Topic...
Page 433 IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring ACEs in an Named, Standard ACL. Configuring ACEs is done after using the ip access-list standard < name-str > command described above to enter the “Named ACL” (nacl) context of an access list. For a standard ACL syntax summary, refer to table on page 10-50.
Page 434 IPv4 traffic from a host with the address of 10.10.10.104 creates another ACE that blocks all other IPv4 traffic from the same subnet allows all other IPv4 traffic HP Switch(config)# ip access-list standard Sample-List Creates the “Sample-List” ACL and enters the “Named HP Switch(config-std-nacl)# permit host 10.10.10.104 ACL”...
Page 435: Creating Numbered, Standard Acls
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs HP Switch(config)# show access-list Sample-List Access Control Lists Name: Sample-List Type: Standard Applied: No Entry ------------------------------------------------------------------------------- Action: permit : 10.10.10.104 Mask: 0.0.0.0 Note that each ACE is automatically assigned a Action: deny (log) sequence number.
Page 436 IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Creating or Adding to an Standard, Numbered ACL. This command is an alternative to using ip access-list standard < name-str > and does not use the “Named ACL” (nacl) context. For a standard ACL syntax summary, refer to table on page 10-50.
Page 437 IPv4 Access Control Lists (ACLs) Configuring Standard ACLs < any | host < SA > | SA < mask | SA/mask-length >> Defines the source IPv4 address (SA) a packet must carry for a match with the ACE. • any — Allows IPv4 packets from any SA. •...
Page 438 Example of Creating and Viewing a Standard ACL. This example cre- ates a standard, numbered ACL with the same ACE content as show in figure 10-14 on page 10-54. HP Switch(config)# access-list 17 permit host 10.10.10.104 HP Switch(config)# access-list 17 deny 10.10.10.1/24 log HP Switch(config)# access-list 17 permit any...
Page 439: Configuring Extended Acls
[ [< 0 - 255 > [ 0 - 255 ] ] | icmp-message ] [precedence < priority >] 10-61 [tos < tos- setting >] [log] Create an Extended, HP Switch(config)# access-list < 100-199 > < deny | permit > 10-74 < ip-options |tcp/udp-options |igmp-options |icmp-options > Numbered ACL [log] [precedence < priority >] Add an ACE to the End [tos <...
Page 440 HP Switch(config)# ip access-list extended < name-str | 100-199 > 10-92 Remark HP Switch(config-ext-nacl)# [ remark < remark-str > | no < 1 - 2147483647 > remark ] 10-95 For numbered, extended ACLs only, the following remark commands can be substituted for the above: HP Switch(config)# access-list <...
Page 441: Configuring Named, Extended Acls
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configuring Named, Extended ACLs For a match to occur with an ACE in an extended ACL, a packet must have the source and destination address criteria specified by the ACE, as well as any IPv4 protocol-specific criteria included in the command.
Page 442 “Accounting ACL”. You can also use this command to access an existing, numbered ACL. Refer to “Using the CLI To Edit ACLs” on page 10-86 HP Switch(config)# ip access-list extended Sample-List HP Switch(config-ext-nacl)# Figure 10-17. Example of Entering the Named ACL Context...
Page 443 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configure ACEs in a Named, Extended ACL and/or Enter the “Named ACL” (nacl) Context. Configuring ACEs is done after using the ip access- list standard < name-str > command described on page 10-62 to enter the “Named ACL”...
Page 444 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following: • ip — any IPv4 packet. •...
Page 445 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < any | host < DA > | DA/mask-length | DA/ < mask >> This is the second instance of IPv4 addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match with the ACE.
Page 446 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ tos < tos-setting > ] This option can be used after the DA to cause the ACE to match packets with the specified Type-of-Service (ToS) setting. ToS values can be entered as the following numeric settings or, in the case of 0, 2, 4, and 8, as alphanumeric names: or normal “...
Page 447 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for TCP and UDP Traffic in Extended ACLs. An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic.
Page 448 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Comparison Operators: eq < tcp/udp-port-nbr > • — “Equal To”; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to < tcp/udp-port-nbr >. gt <...
Page 449 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [established] — This option applies only where TCP is the configured protocol type. It blocks the synchronizing packet associated with establishing a TCP connection in one direction on a VLAN while allowing all other IPv4 traffic for the same type of connection in the opposite direction.
Page 450 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for ICMP Traffic in Extended ACLs. This option is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic. That is, an ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE.
Page 451 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ icmp-type-name ] These name options are an alternative to the [icmp-type [ icmp-code] ] methodology described above. For more infor- mation, visit the IANA website cited above. administratively-prohibited net-tos-unreachable alternate-address net-unreachable conversion-error network-unknown dod-host-prohibited...
Page 452 This option, if used, is entered immediately after the destination addressing entry. The following example shows an IGMP ACE entered in the Named ACL context: HP Switch(config-ext-nacl)# permit igmp any any host-query [ igmp-type ] The complete list of IGMP packet-type options includes:...
Page 453 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Example of a Named, Extended ACL. Suppose that you want to imple- ment these policies on a switch configured for IPv4 routing and membership in VLANs 10, 20, and 30: A. Permit Telnet traffic from 10.10.10.44 to 10.10.20.78, deny all other IPv4 traffic from network 10.10.10.0 (VLAN 10) to 10.10.20.0 (VLAN 20), and permit all other IPv4 traffic from any source to any destination.
Page 454: Configuring Numbered, Extended Acls
HP Switch(config)# ip access-list extended Extended-List-02 HP Switch(config-ext-nacl)# permit tcp host 10.10.20.100 host 10.10.30.55 eq ftp HP Switch(config-ext-nacl)# deny tcp 10.10.20.1/24 any eq ftp log HP Switch(config-ext-nacl)# permit ip any any HP Switch(config-ext-nacl)# exit HP Switch(config)# vlan 20 ip access-group Extended-List-02 in Figure 10-19.
Page 455 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Creating or Adding to an Extended, Numbered ACL. This command is an alternative to using ip access-list extended < name-str > and does not use the Named ACL (nacl) context. (For an extended ACL syntax summary, refer to table on page 10-59.) Syntax: access-list <...
Page 456 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < deny | permit > Specifies whether to deny (drop) or permit (forward) a packet that matches the criteria specified in the ACE, as described below. < ip | ip-protocol | ip-protocol-nbr > Specifies the packet protocol type required for a match.
Page 457 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs SA Mask Application: The mask is applied to the SA in the ACL to define which bits in a packet’s source SA must exactly match the address configured in the ACL and which bits need not match.
Page 458 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ precedence < 0 - 7 | precedence-name >] This option causes the ACE to match packets with the specified IP precedence value. Values can be entered as the following IP precedence numbers or alphanumeric names: or routine priority “...
Page 459 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Additional Options for TCP and UDP Traffic. An ACE designed to per- mit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic.
Page 460 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Additional Option for IGMP. This option is useful where it is necessary to permit some types of IGMP traffic and deny other types, instead of simply permitting or denying all types of IGMP traffic. That is, an ACE designed to permit or deny IGMP traffic can optionally include an IGMP packet type to permit or deny an individual type of IGMP packet while not addressing other IGMP traffic types in the same ACE.
Page 461: Adding Or Removing An Acl Assignment On An Interface
IPv4 Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface Adding or Removing an ACL Assignment On an Interface Filtering Routed IPv4 Traffic For a given VLAN interface on a switch configured for routing, you can assign an ACL as an RACL to filter inbound IPv4 traffic and another ACL as a RACL to filter outbound IPv4 traffic.
Page 462: Filtering Ipv4 Traffic Inbound On A Vlan
HP Switch(config)# vlan 20 HP Switch(vlan-20)# ip access-group 155 out Enables an RACL from a HP Switch(vlan-20)# exit VLAN Context. HP Switch(config)# no vlan 20 ip access-group My-List in Disables an RACL from the Global Configuration Level HP Switch(config)# vlan 20...
Page 463: Filtering Inbound Ipv4 Traffic Per Port
HP Switch(config)# vlan 20 HP Switch(vlan-20)# ip access-group 155 vlan Enables a VACL from a HP Switch(vlan-20)# exit VLAN Context. HP Switch(config)# no vlan 20 ip access-group My-List vlan Disables a VACL from the Global Configuration Level HP Switch(config)# vlan 20...
Page 464 IPv4 Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface HP Switch(config)# interface b10 ip access-group My-List in Enables a static port ACL from the Global Configuration level. HP Switch(config)# interface b10 HP Switch(eth-b10)# ip access-group 155 in...
Page 465: Deleting An Acl
IPv4 Access Control Lists (ACLs) Deleting an ACL Deleting an ACL Syntax: no ip access-list standard < name-str | 1-99 > no ip access-list extended < name-str | 100-199 > no access-list < 1 - 99 | 100 - 199 > Removes the specified ACL from the switch’s running- config file.
Page 466: Editing An Existing Acl
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Editing an Existing ACL The CLI provides the capability for editing in the switch by using sequence numbers to insert or delete individual ACEs. An offline method is also avail- able. This section describes using the CLI for editing ACLs. To use the offline method for editing ACLs, refer to “Creating or Editing ACLs Offline”...
Page 467: Sequence Numbering In Acls
ACL. HP Switch(Config)# ip access-list standard My-list HP Switch(Config-ext-nacl)# permit ip any host 10.10.10.125 Enters the context of an extended ACL and appends an ACE to the end of the list. Figure 10-24. Examples of Adding an ACE to the end of Numbered or Named ACLs...
Page 468: Inserting An Ace In An Existing Acl
Editing an Existing ACL For example, to append a fourth ACE to the end of the ACL in figure 10-23: HP Switch (config)# ip access-list standard My-List HP Switch(config-std-nacl)# permit any HP Switch(config-std-nacl)# show run ip access-list standard "My-List" 10 permit 10.10.10.25 0.0.0.0 20 permit 10.20.10.117 0.0.0.0...
Page 469 For example, inserting a new ACE between the ACEs numbered 10 and 20 in figure 10-25 requires a sequence number in the range of 11-19 for the new ACE. HP Switch(config)# ip access-list standard My-List HP Switch(config-std-nacl)# 15 deny 10.10.10.1/24 HP Switch(config-std-nacl)# show run Enters the “Named-ACL...
Page 470: Deleting An Ace From An Existing Acl
IPv4 Access Control Lists (ACLs) Editing an Existing ACL HP Switch(config)# ip access-list standard List-01 Becomes Line 10 HP Switch(config-std-nacl)# permit 10.10.10.1/24 HP Switch(config-std-nacl)# deny 10.10.1.1/16 Becomes Line 20 HP Switch(config-std-nacl)# 15 permit 10.10.20.1/24 HP Switch(config-std-nacl)# show run Lines 10 and 20...
Page 471: Resequencing The Aces In An Acl
30 deny 10.20.10.1 0.0.0.255 This command enters the “Named-ACL” (nacl) 40 permit 0.0.0.0 255.255.255.255 context for “My-List”. exit HP Switch(config)# ip access-list standard My-List HP Switch(config-std-nacl)# no 20 This command deletes the HP Switch(config-std-nacl)# show run ACE at line 20..
Page 472: Attaching A Remark To An Ace
15 deny 10.10.10.1 0.0.0.255 30 deny 10.20.10.1 0.0.0.255 40 permit 0.0.0.0 255.255.255.255 exit . . . HP Switch(config)# ip access-list resequence My-List 100 100 HP Switch(config)# show run . . . ip access-list standard "My-List" 100 permit 10.10.10.25 0.0.0.0 200 deny 10.10.10.1 0.0.0.255 300 deny 10.20.10.1 0.0.0.255...
Page 473 ACL with a numeric identifier of “115”, either of the following com- mand sets adds an ACE denying IPv4 traffic from any source to a host at 10.10.10.100: HP Switch(config)# access-list 115 deny ip host 10.10.10.100 HP Switch(config)# ip access-list extended 115 HP Switch(config-ext-nacl)# deny ip any 10.10.10.100...
Page 474 Editing an Existing ACL remark and the subsequent ACE having the same sequence number. For example, to add remarks using the “Named-ACL” (nacl) context: HP Switch(config)# ip access-list standard My-List HP Switch(config-std-nacl)# permit host 10.10.10.15 HP Switch(config-std-nacl)# deny 10.10.10.1/24 HP Switch(config-std-nacl)# remark HOST-10.20.10.34 The remark is assigned the same HP Switch(config-std-nacl)# permit host 10.20.10.34...
Page 475: Operating Notes For Remarks
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Inserting a Remark for an ACE that Already Exists in an ACL. If a sequence number is already assigned to an ACE in a list, you cannot insert a remark by assigning it to the same number. (To configure a remark with the same number as a given ACE, the remark must be configured first.) To assign a remark to the same number as an existing ACE: Delete the ACE.
Page 476 IPv4 Access Control Lists (ACLs) Editing an Existing ACL HP Switch(config)# ip access-list standard Accounting HP Switch(config-std-nacl)# permit host 10.10.10.115 HP Switch(config-std-nacl)# deny 10.10.10.1/24 HP Switch(config-std-nacl)# remark Marketing HP Switch(config-std-nacl)# remark Channel_Mktg Where multiple remarks are HP Switch(config-std-nacl)# show run...
Page 477: Displaying Acl Configuration Data
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying ACL Configuration Data The show commands in this section apply to both IPv4 and IPv6 ACLs. For information on IPv6 ACL operation, refer to the chapter titled “IPv6 Access Control Lists” in the IPv6 Configuration Guide for your switch. ACL Commands Function Page...
Page 478: Display An Acl Summary
VLANs. Syntax: show access-list List a summary table of the name, type, and application status of IPv4 and IPv6 ACLs configured on the switch. For example: HP Switch(config)# show access-list Access Control Lists Type Appl Name...
Page 479: Display The Content Of All Acls On The Switch
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display the Content of All ACLs on the Switch This command lists the configuration details for the IPv4 and IPv6 ACLs in the running-config file, regardless of whether any are actually assigned to filter IPv4 traffic on specific VLANs.
Page 480: Display The Racl And Vacl Assignments For A Vlan
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data HP Switch(config)# show access-list config ip access-list extended "101" 10 permit tcp 10.30.133.27 0.0.0.0 0.0.0.0 255.255.255.255 20 permit tcp 10.30.155.101 0.0.0.0 0.0.0.0 255.255.255.255 30 deny ip 10.30.133.1 0.0.0.0 0.0.0.0 255.255.255.255 log 40 deny ip 10.30.155.1 0.0.0.255 0.0.0.0 255.255.255.255...
Page 481: Display Static Port (And Trunk) Acl Assignments
For example, the following output shows that all inbound IPv6 traffic and the inbound and outbound, routed IPv4 traffic are all filtered on VLAN 20. HP Switch(config)# show access-list vlan 20 • An extended IPv4 ACL named “Account-2” is Access Lists for VLAN 20 assigned to filter routed IPv4 traffic entering the switch on VLAN 20.
Page 482 IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data HP Switch(config)# show access-list ports all • An IPv6 ACL is filtering Access Lists for Port B1 inbound traffic on port B1. Inbound Ipv6: List-01-Inbound • Both an IPv4 ACL and an IPv6...
Page 483: Displaying The Content Of A Specific Acl
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying the Content of a Specific ACL This command displays a specific IPv6 or IPv4 ACL configured in the running config file in an easy-to-read tabular format. Note This information also appears in the show running display. If you execute write memory after configuring an ACL, it also appears in the show config display.
Page 484 IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data HP Switch(config)# show access-list Accounting Access Control Lists Name: Accounting Type: ipv6 Indicates whether the ACL Applied: Yes is applied to an interface. Entry Remark Field (Appears if remark configured.) -----------------------------------------------------------------------...
Page 485 IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data HP Switch(config)# show access-list List-120 Access Control Lists Name: List-120 Indicates whether the ACL Type: Extended is applied to an interface. Applied: No Entry Remark Field (Appears if remark configured.). ----------------------------------------------------------------------...
Page 486: Display All Acls And Their Assignments In The Routing Switch Startup-Config File And Running-Config File
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Table 10-7. Descriptions of Data Types Included in Show Access-List < acl-id > Output Field Description Name The ACL identifier. Can be a number from 1 to 199, or a name. Type Standard or Extended.
Page 487: Creating Or Editing Acls Offline
ACL configuration to a file in your TFTP server. For example, to copy the ACL configuration to a file named acl-02.txt in the TFTP directory on a server at 10.28.227.2: HP Switch# copy command-output 'show access-list config' tftp 10.28.227.2 acl02.txt pc •...
Page 488: Example Of Using The Offline Process
IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax, begin the command file with a no ip access- list command to remove the earlier version of the ACL from the switch’s running-config file.
Page 489 IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline Deny all other IPv4 traffic from VLAN 20 to VLAN 10. ■ ■ Deny all IPv4 traffic from VLAN 30 (10.10.30.0) to the server at 10.10.10.100 on VLAN 10 (without ACL logging), but allow any other IPv4 traffic from VLAN 30 to VLAN 10.
Page 490 If a transport error occurs, the switch does not execute the command and the ACL is not configured. HP Switch(config)# copy tftp command-file 10.10.10.1 LIST-20-IN.txt pc Running configuration may change, do you want to continue [y/n]? 1. ip access-list extended LIST-20-IN As illustrated here, blank lines in the .txt...
Page 491 IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline HP Switch(config)# show run Note that the comments preceded . . . by “ ; “ in the .txt source file for this configuration do not appear in the ip access-list extended "LIST-20-IN"...
Page 492: Enable Acl "Deny" Logging
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enable ACL “Deny” Logging ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” action. You can use ACL logging to help: Test your network to ensure that your ACL configuration is detecting ■...
Page 493: Acl Logging Operation
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging ACL Logging Operation When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination.
Page 494: Enabling Acl Logging On The Switch
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enabling ACL Logging on the Switch If you are using a Syslog server, use the logging < ip-addr > command to configure the Syslog server IPv4 address(es). Ensure that the switch can access any Syslog server(s) you specify.
Page 495 Enable ACL “Deny” Logging HP Switch(config)# ip access-list extended NO-TELNET HP Switch(config-ext-nacl)# remark "DENY 10.10.10.3 TELNET TRAFFIC IN" HP Switch(config-ext-nacl)# deny tcp host 10.10.10.3 any eq telnet log HP Switch(config-ext-nacl)# permit ip any any HP Switch(config-ext-nacl)# exit HP Switch(config)# vlan 10 ip access-group NO-TELNET in HP Switch(config)# logging 10.10.20.3...
Page 496: Configuring The Logging Timer
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Configuring the Logging Timer By default, the wait period for logging “deny” matches (described above in “ACL Logging Operation”) is approximately five minutes (300 seconds). You can manually set the wait period timer to an interval between 30 and 300 seconds, using the access-list command from the config context.
Page 497: Monitoring Static Acl Performance
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Monitoring Static ACL Performance ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help, for example, to determine whether a particular traffic type is being filtered by the intended ACE in an assigned list, or if traffic from a particular device or network is being filtered as intended.
Page 498 ACEs in an applied ACL since the ACL’s counters were last reset to 0 (zero) For example, figure 10-46 illustrates both IPv6 and IPv4 ACL activity: HP Switch# show statistics aclv6 IPV6-ACL vlan 20 vlan HitCounts for ACL IPV6-ACL Total 10 permit icmp ::/0 fe80::20:2/128 128...
Page 499: Example Of Acl Performance Monitoring
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging ACE Counter Operation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset.
Page 500 IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging HP Switch# show statistics aclv6 V6-02 vlan 20 vlan HitCounts for ACL V6-02 Total 10 permit icmp ::/0 fe80::20:2/128 128 20 permit icmp ::/0 fe80::20:3/128 128 136) 30 permit tcp fe80::20:1/128 ::/0 eq 23...
Page 501: Example Of Resetting Ace Hit Counters To Zero
The following example uses the counter activity in figure 10-47 (page 10-120) to demonstrate using to reset the counters to zero. clear statistics HP Switch# show statistics aclv6 V6-02 vlan 20 vlan HitCounts for ACL V6-02 Total 10 permit icmp ::/0 fe80::20:2/128 128...
Page 502: Ipv6 Counter Operation With Multiple Interface Assignments
20 deny tcp ::/0 fe80::20:2/128 eq 23 log 30 permit ipv6 ::/0 ::/0 Assigns the ACL to port 2. exit HP Switch(config)# int b2 ipv access-group V6-01 in Figure 10-50. ACL “V6-01” and Command for PACL Assignment on Port 2 5400zl Switch VLAN 20...
Page 503: Ipv4 Counter Operation With Multiple Interface Assignments
Figure 10-52. Ping and Telnet from FE80::20:117 to FE80::20:2 Filtered by the Assignment of “V6-01” as a PACL on Port B2 HP Switch# show statistics aclv6 IP-01 port 2 Hit Counts for ACL IPV6-ACL Shows the succesful ping permitted by ACE 10.
Page 504 20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 exit Assigns the ACL as a VACL to VLAN 20. HP Switch(config)# vlan 20 ip access-group Test-1 vlan Assigns the ACL as HP Switch(config)# vlan 50 ip access-group Test-1 in an RACL to VLANs HP Switch(config)# vlan 70 ip access-group Test-1 in 50 and 70.
Page 505 Using the network in figure 10-55, a device at 10.10.20.4 on VLAN 20 attempting to ping and Telnet to 10.10.20.12 is filtered through the VACL instance of the “Test-1” ACL on VLAN 20 and results in the following: HP Switch(config)# ping 10.10.20.2 10.10.20.2 is alive, time = 5 ms HP Switch(config)# telnet 10.10.20.2 Telnet failed: Connection timed out.
Page 506 IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging HP Switch(config)# show statistics aclv4 Test-1 vlan 20 vlan Hit Counts for ACL Test-1 Indicates denied attempts to Telnet to 10.10.20.12 filtered by the instance of the “Test-1” VACL Total assignment on VLAN 20.
Page 507 IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging HP Switch(config)# show statistics aclv4 Test-1 vlan 50 in Indicates the same type of data as shown in figure 10-57 for the VACL assignment Hit Counts for ACL Test-1 of the “Test-1” ACL. That is, the Ping attempt incremented the counters for ACE...
Page 508: General Acl Operating Notes
Logging enables you to selectively test specific devices or groups. However, excessive logging can affect switch performance. For this reason, HP recommends that you remove the logging option from ACEs for which you do not have a present need. Also, avoid config- uring logging where it does not serve an immediate purpose.
Page 509 IPv4 Access Control Lists (ACLs) General ACL Operating Notes Monitoring Shared Resources. Applied ACLs share internal switch resources with several other features. The switch provides ample resources for all features. However, if the internal resources become fully subscribed, additional ACLs cannot be applied until the necessary resources are released from other applications.
Page 510 IPv4 Access Control Lists (ACLs) General ACL Operating Notes 10-130...
Page 511: Introduction
Configuring Advanced Threat Protection Introduction As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (such as partners, temporary employees, and visitors), additional protection from attacks launched from both inside and outside your internal network is often neces- sary.
Page 512: Dhcp Snooping
Configuring Advanced Threat Protection DHCP Snooping • Attempts to fill all IP address entries in the switch’s forwarding table and cause legitimate traffic to be dropped, indicated by an increased number of learned IP destination addresses • Attempts to spread viruses, indicated by an increased number of ARP request packets •...
Page 513: Overview
Configuring Advanced Threat Protection DHCP Snooping Overview You can use DHCP snooping to help avoid the Denial of Service attacks that result from unauthorized users adding a DHCP server to the network that then provides invalid configuration data to other DHCP clients on the network. DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users.
Page 514: Enabling Dhcp Snooping
Default: Yes vlan Enable DHCP snooping on a vlan. DHCP snooping must be enabled already. Default: No To display the DHCP snooping configuration, enter this command: HP Switch(config)# show dhcp-snooping An example of the output is shown below. 11-4...
Page 515 ----- ----- Figure 11-1. An Example of the DHCP Snooping Command Output To display statistics about the DHCP snooping process, enter this command: HP Switch(config)# show dhcp-snooping stats An example of the output is shown below. HP Switch(config)# show dhcp-snooping stats...
Page 516: Enabling Dhcp Snooping On Vlans
DHCP snooping on VLANs is disabled by default. To enable DHCP snooping on a VLAN or range of VLANs enter this command: HP Switch(config)# dhcp-snooping vlan <vlan-id-range> You can also use this command in the vlan context, in which case you cannot enter a range of VLANs for snooping.
Page 517: Configuring Authorized Server Addresses
Configuring Advanced Threat Protection DHCP Snooping HP Switch(config)# dhcp-snooping trust 1-2 HP Switch(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping : Yes Enabled Vlans Verify MAC : Yes Option 82 untrusted policy : drop Option 82 Insertion : Yes Option 82 remote-id...
Page 518: Using Dhcp Snooping With Option 82
Configuring Advanced Threat Protection DHCP Snooping HP Switch(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping : Yes Enabled Vlans Verify MAC : No Option 82 untrusted policy : drop Option 82 Insertion : Yes Option 82 remote-id : subnet-ip Authorized Servers --------------------- 111.222.3.4...
Page 519 Configuring Advanced Threat Protection DHCP Snooping If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.
Page 520: Changing The Remote-Id From A Mac To An Ip Address
IP address of the management VLAN can be used instead by entering this command with the associated parameter: HP Switch(config)# dhcp-snooping option 82 remote-id <mac|subnet-ip|mgmt-ip> HP Switch(config)# dhcp-snooping option 82 remote-id subnet- HP Switch(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping...
Page 521: The Dhcp Binding Database
Configuring Advanced Threat Protection DHCP Snooping HP Switch(config)# dhcp-snooping verify mac HP Switch(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping : Yes Enabled Vlans Verify MAC : yes Option 82 untrusted policy : drop Option 82 Insertion : Yes Option 82 remote-id : subnet-ip Figure 11-7.
Page 522: Operational Notes
A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command. Syntax: show dhcp-snooping binding HP Switch(config)# show dhcp-snooping binding MacAddress VLAN Interface Time left ------------- --------------- ---- --------- --------- 22.22.22.22.22.22 10.0.0.1...
Page 523: Log Messages
Configuring Advanced Threat Protection DHCP Snooping HP Switch recommends running a time synchronization protocol such as ■ SNTP in order to track lease times accurately. ■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot.
Page 524 Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay information logs for <duration>. More than one DHCP client packet received on an untrusted port with a relay information field was dropped. To avoid filling the log file with repeated attempts, untrusted relay information packets will not be logged for the specified <duration>.
Page 525: Dynamic Arp Protection
Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings adver- tised in the source protocol address and source physical address fields are discarded.
Page 526 During this process, if ARP packets are received at too high a line rate, some ARP packets may be dropped and will need to be retrans- mitted. The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure ■ dynamic ARP protection and to report ARP packet-forwarding status and counters.
Page 527: Enabling Dynamic Arp Protection
Specifies a VLAN ID or a range of VLAN IDs from one to 4094; for example, 1–200. An example of the arp-protect vlan command is shown here: HP Switch(config)# arp-protect vlan 1-101 Configuring Trusted Ports In a similar way to DHCP snooping, dynamic ARP protection allows you to configure VLAN interfaces in two categories: trusted and untrusted ports.
Page 528 Specifies a port number or a range of port numbers. Separate individual port numbers or ranges of port numbers with a comma; for example: 1-3, 6. An example of the arp-protect trust command is shown here: HP Switch(config)# arp-protect trust 1-4, 1 11-18...
Page 529: Adding An Ip-To-Mac Binding To The Dhcp Database
MAC address and VLAN binding is configured in the DHCP binding database. An example of the ip source-binding command is shown here: HP Switch(config)# ip source-binding 0030c1-7f49c0 interface vlan 100 10.10.20.1 interface 4 N o t e Note that the ip source-binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings.
Page 530: Configuring Additional Validation Checks On Arp Packets
MAC address and destination AMC address: HP Switch(config)# arp-protect validate src-mac dst-mac Verifying the Configuration of Dynamic ARP Protection To display the current configuration of dynamic ARP protection, including the...
Page 531: Displaying Arp Packet Statistics
To display statistics about forwarded ARP packets, dropped ARP packets, MAC validation failure, and IP validation failures, enter the show arp-protect statistics command: HP Switch(config)# show arp-protect statistics Status and Counters - ARP Protection Counters for VLAN 1 Forwarded pkts...
Page 532: Monitoring Dynamic Arp Protection
The switch is dropping valid ARP packets that should be allowed. The switch is allowing invalid ARP packets that should be dropped. ■ HP Switch(config)# debug arp-protect 1. ARP request is valid "DARPP: Allow ARP request 000000-000001,10.0.0.1 for 10.0.0.2 port A1, vlan "...
Page 533: Protection Against Ip Source Address Spoofing
Configuring Advanced Threat Protection Dynamic IP Lockdown Protection Against IP Source Address Spoofing Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD “r”...
Page 534: Filtering Ip And Mac Addresses Per-Port And Per-Vlan
Configuring Advanced Threat Protection Dynamic IP Lockdown The DHCP binding database allows VLANs enabled for DHCP ■ snooping to be known on ports configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are learned, a corre- sponding permit rule is dynamically created and applied to the port (preceding the final deny any vlan <VLAN_IDs>...
Page 535: Enabling Dynamic Ip Lockdown
Configuring Advanced Threat Protection Dynamic IP Lockdown Assuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown applies the following dynamic VLAN filtering on port 5: permit 10.0.8.5 001122-334455 vlan 2 permit 10.0.8.7 001122-334477 vlan 2 permit 10.0.10.3 001122-334433 vlan 5 permit 10.0.10.1 001122-110011 vlan 5 deny any vlan 1-10...
Page 536 Configuring Advanced Threat Protection Dynamic IP Lockdown • Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. In order for Dynamic IP lockdown to work on a port, the port must be configured for at least one VLAN that is enabled for DHCP snooping.
Page 537: Adding An Ip-To-Mac Binding To The Dhcp Binding Database
Configuring Advanced Threat Protection Dynamic IP Lockdown Adding an IP-to-MAC Binding to the DHCP Binding Database A switch maintains a DHCP binding database, which is used for dynamic IP lockdown as well as for DHCP and ARP packet validation. The DHCP snooping feature maintains the lease database by learning the IP-to-MAC bindings of VLAN traffic on untrusted ports.
Page 538: Adding A Static Binding
Configuring Advanced Threat Protection Dynamic IP Lockdown Adding a Static Binding To add the static configuration of an IP-to-MAC binding for a port to the lease database, enter the ip source-binding command at the global configuration level. Use the no form of the command to remove the IP-to-MAC binding from the database.
Page 539: Displaying The Static Configuration Of Ip-To-Mac Bindings
Figure 11-5. Note that the operational status of all switch ports is displayed. This information indicates whether or not dynamic IP lockdown is supported on a port. HP Switch(config)# show ip source-lockdown status Dynamic IP Lockdown (DIPLD) Information Global State: Enabled...
Page 540: Debugging Dynamic Ip Lockdown
Configuring Advanced Threat Protection Dynamic IP Lockdown HP Switch(config)# show ip source-lockdown bindings Dynamic IP Lockdown (DIPLD) Bindings Mac Address IP Address VLAN Port Not in HW ----------- ---------- ----- ----- --------- 001122-334455 10.10.10.1 1111 005544-332211 10.10.10.2 2222 Trk11 ......
Page 541: Differences Between Switch Platforms
Configuring Advanced Threat Protection Dynamic IP Lockdown HP Switch(config)# debug dynamic-ip-lockdown DIPLD 01/01/90 00:01:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 1 packets DIPLD 01/01/90 00:06:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 294 packets DIPLD 01/01/90 00:11:25 : denied ip 192.168.2.100 (0)
Page 542 A source is considered “trusted” for all VLANs if it is seen on any VLAN ■ without DHCP snooping enabled. ■ On the HP Switch series E3800, dynamic IP lockdown is supported on a port configured for statically configured port-based ACLs. 11-32...
Page 543: Using The Instrumentation Monitor
Configuring Advanced Threat Protection Using the Instrumentation Monitor Using the Instrumentation Monitor The instrumentation monitor can be used to detect anomalies caused by security attacks or other irregular operations on the switch. The following table shows the operating parameters that can be monitored at pre-deter- mined intervals, and the possible security attacks that may trigger an alert: Parameter Name Description...
Page 544: Operating Notes
Configuring Advanced Threat Protection Using the Instrumentation Monitor Operating Notes To generate alerts for monitored events, you must enable the instru- ■ mentation monitoring log and/or SNMP trap. The threshold for each monitored parameter can be adjusted to minimize false alarms (see “Configuring Instrumentation Monitor”...
Page 545: Configuring Instrumentation Monitor
Configuring Advanced Threat Protection Using the Instrumentation Monitor Configuring Instrumentation Monitor The following commands and parameters are used to configure the opera- tional thresholds that are monitored on the switch. By default, the instrumen- tation monitor is disabled. Syntax: [no] instrumentation monitor [parameterName|all] [<low|med|high|limitValue>] [log] : Enables/disables instrumentation monitoring log so that event log messages are generated every time there is an event which exceeds a configured threshold.
Page 546: Examples
HP Switch(config)# instrumentation monitor To turn off monitoring of the system delay parameter: HP Switch(config)# no instrumentation monitor system- delay To adjust the alert threshold for the MAC address count to the low value: HP Switch(config)# instrumentation monitor mac-...
Page 547: Viewing The Current Instrumentation Monitor Configuration
Configuring Advanced Threat Protection Using the Instrumentation Monitor Viewing the Current Instrumentation Monitor Configuration The show instrumentation monitor configuration command displays the config- ured thresholds for monitored parameters. HP Switch# show instrumentation monitor configuration PARAMETER LIMIT ------------------------- --------------- mac-address-count 1000 (med)
Page 548 Configuring Advanced Threat Protection Using the Instrumentation Monitor 11-38...
Page 549: Overview
4000m and 8000m Switches This chapter describes Traffic/Security filters on the switches covered in this guide. For information on filters for other HP switches in the above table or switches not listed here, refer to the documentation provided for those switches.
Page 550: Introduction
Traffic/Security Filters and Monitors Introduction Introduction Feature Default Menu WebAgent configure source-port filters none page 12-20 configure protocol filters none page 12-20 configure multicast filters none page 12-20 display filter data page 12-22 You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic.
Page 551: Filter Types And Operation
Traffic/Security Filters and Monitors Filter Types and Operation Filter Types and Operation Table 12-1. Filter Types and Criteria Static Filter Selection Criteria Type Source-Port Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis. Multicast Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports (the default) or dropped on a per-port (destination) basis.
Page 552: Example
Traffic/Security Filters and Monitors Filter Types and Operation You can include all destination ports and trunks in the switch on a ■ single source-port filter. Each source-port filter includes: ■ One source port or port trunk (trk1, trk2, ...trkn) • •...
Page 553: Named Source-Port Filters
Traffic/Security Filters and Monitors Filter Types and Operation Port 7 Switch Server "A" Workstation " X" Port 5 Port 8 Server "B" Port 9 Server "C" Figure 12-2. Example of a Filter Blocking Traffic only from Port 5 to Server "A" This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to...
Page 554: Operating Rules For Named Source-Port Filters
Traffic/Security Filters and Monitors Filter Types and Operation Operating Rules for Named Source-Port Filters A port or port trunk may only have one source-port filter, named or ■ not named. A named source-port filter can be applied to multiple ports or port ■...
Page 555 A named source-port filter must first be defined and configured before it can be applied. In the following example two named source-port filters are defined, web-only and accounting. HP Switch(config)# filter source-port named-filter web-only HP Switch(config)# filter source-port named-filter accounting By default, these two named source-port filters forward traffic to all ports and port trunks.
Page 556: Viewing A Named Source-Port Filter
Traffic/Security Filters and Monitors Filter Types and Operation Viewing a Named Source-Port Filter You can list all source-port filters configured in the switch, both named and unnamed, and their action using the show command below. Syntax: show filter source-port Displays a listing of configured source-port filters, where each filter entry includes a Filter Name, Port List, and Action: Filter Name: The filter-name used when a named...
Page 557 Here we define and configure each of the named source-port filters for our example network in a single step. HP Switch(config)# filter source-port named-filter web-only drop 2-26 HP Switch(config)# filter source-port named-filter accounting drop 1-6,8,9,12-26 HP Switch(config)# filter source-port named-filter no-incoming-web drop 7,10,11...
Page 558 Traffic/Security Filters and Monitors Filter Types and Operation HP Switch(config)# show filter Traffic/Security Filters Indicates the port number or port- IDX Filter Type | Value trunk name of the source port or trunk --- ------------ + ------------------- assigned to the filter.
Page 559 Traffic/Security Filters and Monitors Filter Types and Operation HP Switch(config)# show filter 24 HP Switch(config)# show filter 4 Traffic/Security Filters Traffic/Security Filters Filter Type : Source Port Filter Type : Source Port Source Port : 10 Source Port : 5...
Page 560 Traffic/Security Filters and Monitors Filter Types and Operation HP Switch(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port Type | Action --------- --------- + ------------------------ 10/100TX | Forward 10/100TX | Forward 10/100TX...
Page 561 The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command. HP Switch(config)# filter source-port named-filter accounting forward 8,12,13 HP Switch(config)# filter source-port named-filter no-incoming-web drop 8,12,13 HP Switch(config)#...
Page 562: Static Multicast Filters
Traffic/Security Filters and Monitors Filter Types and Operation HP Switch(config)# show filter source-port Traffic/Security Filters Filter Name | Port List | Action -------------------- + -------------------- + -------------------------- web-only | 2-6,9,14-26 | drop 2-26 accounting | 7-8,10-13 | drop 1-6,9,14-26 no-incoming-web...
Page 563: Protocol Filters
Traffic/Security Filters and Monitors Filter Types and Operation Table 12-2. Multicast Filter Limits Max-VLANs Maximum # of Multicast Filters (Static and Setting IGMP Combined) 1 (the minimum) 8 (the default) 32 or higher N o t e s Per-Port IP Multicast Filters. The static multicast filters described in this section filter traffic having a multicast address you specify.
Page 564: Configuring Traffic/Security Filters
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Only one filter for a particular protocol type can be configured at any one time. For example, a separate protocol filter can be configured for each of the protocol types listed above, but only one of those can be an IP filter. Also, the destination ports for a protocol filter can be on different VLANs.
Page 565: Configuring A Source-Port Traffic Filter
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port < port-number | trunk-name>] Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the source- port filter for <...
Page 566: Example Of Creating A Source-Port Filter
10 and 11 while adding ports 16 and 17 to the "drop" list: HP Switch(config)# filter source-port 5 forward 10-11 drop 16-17 Configuring a Filter on a Port Trunk This operation uses the same command as is used for configuring a filter on an individual port.
Page 567: Editing A Source-Port Filter
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following: The *5* shows that port 5 is configured for filtering, but the filtering action has been suspended while the port is a member of a trunk.
Page 568: Configuring A Multicast Or Protocol Traffic Filter
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Figure 12-14. Assigning Additional Destination Ports to an Existing Filter Configuring a Multicast or Protocol Traffic Filter Syntax: [no] filter [multicast < mac- address >] Specifies a multicast address. Inbound traffic received (on any port) with this multicast address will be filtered.
Page 569: Filter Indexing
HP Switch(config)# filter multicast 010000-123456 drop e 10-12 HP Switch(config)# filter multicast 010000-224466 drop e 7-8 HP Switch(config)# filter protocol Appletalk drop e 18, 20-22 HP Switch(config)# filter protocol Arp drop e 3-4, 6 Figure 12-15. Configuring Various Traffic/Security Filters...
Page 570: Displaying Traffic/Security Filters
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Displaying Traffic/Security Filters This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters. Syntax: show filter Lists the filters configured in the switch, with corresponding filter index (IDX) numbers.
Page 571 (IDX) for a specific filter |protocol | Arp drop e 3-4, 6 to list the details for that filter only. HP Switch(config)# show filter 4 Traffic/Security Filters Filter Type : Multicast Multi-cast Address : 010000-224466 Dest Port Type | Action...
Page 572 Traffic/Security Filters and Monitors Configuring Traffic/Security Filters 12-24...
Page 573: Overview
Configuring Port-Based and User-Based Access Control (802.1X) Overview Feature Default Menu WebAgent Configuring Switch Ports as 802.1X Authenticators Disabled page 13-17 Configuring 802.1X Open VLAN Mode Disabled page 13-32 Configuring Switch Ports to Operate as 802.1X Supplicants Disabled page 13-51 Displaying 802.1X Configuration, Statistics, and Counters page 13-55 How 802.1X Affects VLAN Operation...
Page 574: User Authentication Methods
Configuring Port-Based and User-Based Access Control (802.1X) Overview • Authentication of 802.1X access using a RADIUS server and either the EAP or CHAP protocol. • Provision for enabling clients that do not have 802.1 supplicant soft- ware to use the switch as a path for downloading the software and initiating the authentication process (802.1X Open VLAN mode).
Page 575: X User-Based Access Control
Configuring Port-Based and User-Based Access Control (802.1X) Overview method supports up to 32 802.1X-authenticated clients on a port. In both cases, there are operating details to be aware of that can influence your choice of methods. 802.1X User-Based Access Control 802.1X operation with access control on a per-user basis provides client-level security that allows LAN access to individual 802.1X clients (up to 32 per port), where each client gains access to the LAN by entering valid user credentials.
Page 576: Alternative To Using A Radius Server
Configuring Port-Based and User-Based Access Control (802.1X) Terminology If the first client authenticates and opens the port, and then one or more ■ other clients connect without trying to authenticate, then the port config- uration as determined by the original RADIUS response remains unchanged and all such clients will have the same access as the authenti- cated client.
Page 577 Authenticator: In HP applications, a switch that requires a supplicant to provide the proper credentials before being allowed access to the net- work.
Page 578 Configuring Port-Based and User-Based Access Control (802.1X) Terminology PVID (Port VID): This is the VLAN ID for the untagged VLAN to which an 802.1X port belongs. Port-Based Authentication: In this operation, the first client on a port to authenticate itself unblocks the port for the duration of the client’s 802.1X- authenticated session.
Page 579 Configuring Port-Based and User-Based Access Control (802.1X) Terminology membership is required for a client that does not support 802.1q VLAN tagging. A port can simultaneously have one untagged VLAN membership and multiple tagged VLAN memberships. Depending on how you configure 802.1X Open VLAN mode for a port, a statically configured, untagged VLAN membership may become unavailable while there is a client session on the port.
Page 580: General 802.1X Authenticator Operation
Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode”...
Page 581: Vlan Membership Priority
Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation N o t e The switches covered in this guide can use either 802.1X port-based authen- tication or 802.1X user-based authentication. For more information, refer to “User Authentication Methods” on page 13-2. VLAN Membership Priority Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration.
Page 582 Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation New Client Authenticated Another Assign New Client (Old) Client RADIUS- to RADIUS- Already Using Assigned Specified VLAN Port VLAN? Authorized Client VLAN Assign New Client Accept New Client VLAN Same As Old to Authorized VLAN Configured?
Page 583: General Operating Rules And Notes
Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed: • Multicast and broadcast traffic is allowed on the port. •...
Page 584 Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes If a port on switch “A” is configured as an 802.1X supplicant and is ■ connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection. ■...
Page 585: General Setup Procedure For 802.1X Access Control
Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, HP recommends that you use a local username and password pair at least until your other security measures are in place.)
Page 586 Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control HP Switch(config)# password port-access user-name Jim secret3 Figure 13-2. Example of the Password Port-Access Command You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command.
Page 587 Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Determine whether to use user-based access control (page 13-3) or port- based access control (page 13-3). Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware;...
Page 588: Overview: Configuring 802.1X Authentication On The Switch
Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to the following: “802.1X User-Based Access Control”...
Page 589: Configuring Switch Ports As 802.1X Authenticators
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators N o t e If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected.
Page 590: Enable 802.1X Authentication On Selected Ports
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps: A.
Page 591: Port-Based Authentication
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User-Based Authentication or Return to Port-Based Authentication User-Based 802.1X Authentication. Syntax: aaa port-access authenticator client-limit < port-list > < 1 - 32 > Used after executing aaa port-access authenticator < port-list > (above) to convert authentication from port-based to user- based.
Page 592: Example: Configuring User-Based 802.1X Authentication
This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication. HP Switch(config)# aaa port-access authenticator 10-12 HP Switch(config)# aaa port-access authenticator 10-12 client-limit 4 Figure 13-4. Example of Configuring User-Based 802.1X Authentication Example: Configuring Port-Based 802.1X Authentication This example enables ports A13-A15 to operate as authenticators, and then configures the ports for port-based authentication.
Page 593: Reconfigure Settings For Port-Access
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 2. Reconfigure Settings for Port-Access The commands in this section are initially set by default and can be reconfig- ured as needed. Syntax: aaa port-access authenticator < port-list > [control <...
Page 594 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).
Page 595 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid <...
Page 596: Configure The 802.1X Authentication Method
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator You can configure local, chap-radius or eap-radius as the primary password authentication method for the port-access method.
Page 597: Enter The Radius Host Ip Address(Es)
Configuring Switch Ports as 802.1X Authenticators For example, to enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers: HP Switch(config)# aaa authentication port-access eap-radius HP Switch(config)# show authentication Status and Counters - Authentication Information Login Attempts : 3...
Page 598: Enable 802.1X Authentication On The Switch
The tilde (~) character is allowed in the string, for example, radius-server key hp~network. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
Page 599: Optional: Reset Authenticator Operation
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentication is operating, you can use the following aaa port- access authenticator commands to reset 802.1X authentication and statistics on specified ports. Syntax: aaa port-access authenticator <...
Page 600: Wake-On-Lan Traffic
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Prerequisite. As documented in the IEEE 802.1X standard, the disabling of incoming traffic and transmission of outgoing traffic on an 802.1X-aware egress port in an unauthenticated state (using the aaa port-access controlled- directions in command) is supported only if: The port is configured as an edge port in the network using the spanning- ■...
Page 601: Operating Notes
HP Switch(config)# aaa port-access authenticator 10 HP Switch(config)# aaa authentication port-access eap-radius HP Switch(config)# aaa port-access authenticator active HP Switch(config)# aaa port-access 10 controlled-directions in Figure 13-7. Example of Configuring 802.1X Controlled Directions Unauthenticated VLAN Access (Guest VLAN Access) When a PC is connected through an IP phone to a switch port that has been authorized using 802.1X or Web/MAC authentication, the IP phone is authen-...
Page 602: Characteristics Of Mixed Port Access Mode
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators have access to the insecure guest VLAN (unauthenticated VLAN) that has been configured for 802.1X or Web/MAC authentication. 802.1X and Web/MAC authentication normally do not allow authenticated clients (the phone) and unauthenticated clients (the PC) on the same port.
Page 603: Configuring Mixed Port Access Mode
Configuring Mixed Port Access Mode Syntax: [no] aaa port-access <port-list> mixed Enables or disables guests on ports with authenticated clients. Default: Disabled; guests do not have access HP Switch(config)# aaa port-access 6 mixed Figure 13-8. Example of Configuring Mixed Port Access Mode 13-31...
Page 604: X Open Vlan Mode
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 13-17 802.1X Supplicant Commands page 13-53 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator < port-list > page 13-47 [auth-vid < vlan-id >] [unauth-vid <...
Page 605: Vlan Membership Priorities
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode On ports configured for port-based 802.1X access control, if multiple clients try to authenticate on the same port, the most recently authenticated client determines the untagged VLAN membership for that port. Clients that connect without trying to authenticate will have access to the untagged VLAN mem- bership that is currently assigned to the port.
Page 606 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Unauthorized-Client VLAN: Configure this VLAN when unauthenti- ■ cated, friendly clients will need access to some services before being authenticated or instead of being authenticated. ■ Authorized-Client VLAN: Configure this VLAN for authenticated clients when the port is not statically configured as an untagged member of a VLAN you want clients to use, or when the port is statically configured as an untagged member of a VLAN you do not want clients to use.
Page 607 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 13-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN •...
Page 608 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Authorized-Client VLAN • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN. Notes: If the client is running an 802.1X supplicant application when the authentication session begins, and is able to authenticate itself before the switch assigns the port to the Unauthorized-Client VLAN, then the port does not become a...
Page 609 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
Page 610 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.
Page 611: Unauthorized-Client Vlans
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized- These must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1X authenticator port to use them.
Page 612 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily session on untagged port VLAN moves the port to the Unauthorized-Client VLAN (also untagged).
Page 613 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of RADIUS-assigned VLAN The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN.
Page 614 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Note: Limitation on Using an You can optionally enable switches to allow up to 32 clients per-port. Unauthorized-Client VLAN on an The Unauthorized-Client VLAN feature can operate on an 802.1X- 802.1X Port Configured to Allow configured port regardless of how many clients the port is configured Multiple-Client Access...
Page 615: Setting Up And Configuring 802.1X Open Vlan Mode
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 13-1 on page 13-35 for other options. Before you configure the 802.1X Open VLAN mode on a port: ■...
Page 616 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges.
Page 617 The tilde (~) character is allowed in the string, for example, radius- server key hp~network. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
Page 618 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Test both the authorized and unauthorized access to your system to ensure that the 802.1X authentication works properly on the ports you have configured for port-access. N o t e If you want to implement the optional port-security feature on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected.
Page 619 Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101 and an encryption key of rad4all. HP Switch(config)# aaa port-access authenticator e 10-20 unauth-vid 80 Configures ports 10 - 20 to use VLAN 80 as the Unauthorized-Client VLAN.
Page 620: X Open Vlan Operating Notes
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 13-64. 802.1X Open VLAN Operating Notes ■...
Page 621: Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices
802.1X setting and you wanted to configure it to support the port- security option, you would use the following aaa port-access command: HP Switch(config)# aaa port-access authenticator 10 control auto HP Switch(config)# show port-access authenticator 10 config Port Access Authenticator Configuration...
Page 622: Port-Security
Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices Port-Security N o t e If 802.1X port-access is configured on a given port, then port-security learn- mode for that port must be set to either continuous (the default) or port-access. In addition to the above, to use port-security on an authenticator port (chapter 14), use the per-port client-limit option to control how many MAC addresses of 802.1X-authenticated devices the port is allowed to learn.
Page 623: Configuring Switch Ports To Operate As Supplicants For 802.1X Connections To Other Switches
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands page 13-17 802.1X Supplicant Commands [no] aaa port-access <...
Page 624 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches • If, after the supplicant port sends the configured number of start packets, it does not receive a response, it assumes that switch “B” is not 802.1X-aware, and transitions to the authenticated state.
Page 625: Supplicant Port Configuration
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. You can configure a switch port as a supplicant for a point-to-point link to an 802.1X-aware port on another switch.
Page 626 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [secret] Enter secret: < password > Repeat secret: < password > Sets the secret password to be used by the port supplicant when an MD5 authentication request is received from an authenticator.
Page 627: Displaying 802.1X Configuration, Statistics, And Counters
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 13-17 802.1X Supplicant Commands page 13-51 802.1X Open VLAN Mode Commands page 13-32 802.1X-Related Show Commands show port-access authenticator page 13-57 show port-access authenticator config page 13-58...
Page 628 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator [port-list] [config | statistics | session-counters | vlan | clients | clients detailed —Continued— • Untagged VLAN: VLAN ID number of the untagged VLAN used in client sessions.
Page 629 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters HP Switch(config)# show port-access authenticator Port Access Authenticator Status Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes Auth Unauth Untagged Tagged...
Page 630 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters HP Switch(config)# show port-access authenticator config Port Access Authenticator Configuration Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No | Re-auth Access...
Page 631 802.1X configuration information for ports that are not enabled as an 802.1X authenticators is not displayed. HP Switch(config)# show port-access authenticator statistics Port Access Authenticator Statistics Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No...
Page 632 <username> command (see page 13-49). 802.1X configuration information for ports that are not enabled as an 802.1X authenticators is not displayed. HP Switch(config)# show port-access authenticator session-counters Port Access Authenticator Session Counters Port-access authenticator activated [No] : Yes...
Page 633 802.1X configuration information for ports that are not enabled as an 802.1X authenticators is not displayed. HP Switch(config)# show port-access authenticator vlan Port Access Authenticator VLAN Configuration Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No...
Page 634 If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a - no info is displayed. HP Switch (config)# show port-access authenticator clients Port Access Authenticator Client Status Port Client Name...
Page 635 ACEs configured with the cnt (counter) option in an ACL assigned to the port by a RADIUS server. HP Switch(config)# show port-access authenticator clients 5 detailed Port Access Authenticator Client Status Detailed Client Base Details :...
Page 636: Viewing 802.1X Open Vlan Mode Status
Figure 13-19 shows related VLAN data that can help you to see how the switch is using statically configured VLANs to support 802.1X operation. HP Switch# show port-access authenticator vlan Port Access Authenticator VLAN Configuration Port-access authenticator activated [No] : Yes...
Page 637 This state is controlled by the following port-access command syntax: HP Switch(config)# aaa port-access authenticator < port-list > control < authorized | auto | unauthorized > Auto: Configures the port to allow network access to any connected device that supports 802.1X authentication and provides valid 802.1X credentials.
Page 638 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 13-2. Output for Determining Open VLAN Mode Status (Figure 13-18, Lower) Status Indicator Meaning Status Closed: Either no client is connected or the connected client has not received authorization through 802.1X authentication.
Page 639 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters HP Switch(config)# show vlan 1 Status and Counters - VLAN Information - VLAN 1 VLAN ID : 1 Name : DEFAULT_VLAN Status : Static Voice : No...
Page 640: Show Commands For Port-Access Supplicant
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [< port-list >] [statistics] show port-access supplicant [< port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port- list >...
Page 641: How Radius/802.1X Authentication Affects Vlan Operation
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement.
Page 642: Vlan Assignment On A Port
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation N o t e You can use 802.1X (port-based or client-based) authentication and either Web or MAC authentication at the same time on a port, with a maximum of 32 clients allowed on the port.
Page 643 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation • If the port is assigned as a member of an untagged dynamic VLAN that was learned through GVRP, the dynamic VLAN configuration must exist on the switch at the time of authentication and GVRP- learned dynamic VLANs for port-access authentication must be enabled.
Page 644: Authentication Session
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation If this temporary VLAN assignment causes the switch to disable a different untagged static or dynamic VLAN configured on the port (as described in the preceding bullet and in “Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session”...
Page 645 <vlan-id> command as shown in Figure 13-20 where <vlan-id> is the (static or dynamic) VLAN used in the authenticated client session. HP Switch(config)# show vlan 22 Status and Counters - VLAN Information - VLAN 22 VLAN ID : 22...
Page 646 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation HP Switch(config)# show vlan 33 Status and Counters - VLAN Information - VLAN 33 VLAN ID : 33 Even though port 2 is configured as Untagged Name : VLAN_33...
Page 647: In Authentication Sessions
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions Syntax: aaa port-access gvrp-vlans Enables the use of dynamic VLANs (learned through GVRP) in the temporary untagged VLAN assigned by a RADIUS server on an authenticated port in an 802.1X, MAC, or Web authentication session.
Page 648 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation 3. If you disable the use of dynamic VLANs in an authentication session using the no aaa port-access gvrp-vlans command, client sessions that were authenticated with a dynamic VLAN continue and are not deauthenticated.
Page 649: Overview
Configuring and Monitoring Port Security Overview Feature Default Menu WebAgent Displaying Current Port Security — page 14-8 Configuring Port Security disabled — page 14-12 Retention of Static Addresses — page 14-17 MAC Lockdown disabled — page 14-23 MAC Lockout disabled —...
Page 650: Port Security
Once port security is configured, you can then monitor the network for security violations through one or more of the following: Alert flags that are captured by network management tools such as HP E- ■ PCM Plus ■...
Page 651: Eavesdrop Prevention
Configuring and Monitoring Port Security Port Security • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices.) •...
Page 652: Feature Interactions When Eavesdrop Prevention Is Disabled
Configuring and Monitoring Port Security Port Security Feature Interactions When Eavesdrop Prevention is Disabled The following table explains the various interactions between learning modes and Eavesdrop Prevention when Eavesdrop Prevention is disabled. N o t e When the learning mode is “port-access”, Eavesdrop Prevention will not be applied to the port.
Page 653: Mib Support
Configuring and Monitoring Port Security Port Security HP Switch(config)# show port-security Port Security Port Learn Mode | Action Eavesdrop Prevention ------ -------------------- + ------------------------ -------------------- Continuous | None Enabled Continuous | None Enabled Continuous | None Enabled Continuous | None...
Page 654: Trunk Group Exclusion
Configuring and Monitoring Port Security Port Security Physical Topology Logical Topology for Access to Switch A Switch A Switch A Port Security Port Security Configured Configured PC 1 PC 1 MAC Address MAC Address Authorized by Switch A Authorized by Switch A Switch B Switch B PC 2...
Page 655: Planning Port Security
Configuring and Monitoring Port Security Port Security Planning Port Security Plan your port security configuration and monitoring according to the following: On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmit- ting to the network.) You can configure the switch to (1) send intrusion alarms to an SNMP management station and to (2) option-...
Page 656: Port Security Command Options And Operation
Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 14-9 show mac-address 14-10 port-security 14-12 < port-list > 14-12 learn-mode 14-12 address-limit 14-15 mac-address 14-16 action 14-16 clear-intrusion-flag 14-17 no port-security...
Page 657 Configuring and Monitoring Port Security Port Security Displaying Port Security Settings. Syntax: show port-security show port-security <port number> show port-security [<port number>-<port number>]. . .[,<port number>] The CLI uses the same command to provide two types of port security listings: •...
Page 658 Note that no spaces are allowed in the port number portion of the command string: HP Switch(config)# show port-security 1-3,6,8 Listing Authorized and Detected MAC Addresses. Syntax: show mac-address [ port-list | mac-address | vlan < vid >] Without an optional parameter, show mac-address lists the authorized MAC addresses that the switch detects on all ports.
Page 659 Configuring and Monitoring Port Security Port Security Figure 14-5. Examples of Show Mac-Address Outputs 14-11...
Page 660: Configuring Port Security
Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security and edit security settings. Add or delete devices from the list of authorized addresses for one or more ■ ports. Clear the Intrusion flag on specific ports ■...
Page 661 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port.
Page 662 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device to become “authorized”.
Page 663 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces.
Page 664 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) mac-address [<mac-addr>] [<mac-addr>] . . . [<mac-addr>] Available for learn-mode with the, static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the address-limit parameter.
Page 665: Retention Of Static Addresses
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) clear-intrusion-flag Clears the intrusion flag for a specific port. (See “Reading Intrusion Alerts and Resetting Alert Flags” on page 14-34.) no port-security <port-list> mac-address <mac-addr> [<mac-addr> <mac-addr>] Removes the specified learned MAC address(es) from the specified port.
Page 666 1.) It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port. HP Switch(config)# port-security a1 learn-mode static action send-disable The next example does the same as the preceding example, except that it...
Page 667 Figure 14-6. Example of Adding an Authorized Device to a Port With the above configuration for port A1, the following command adds the 0c0090-456456 MAC address as the second authorized address. HP Switch(config)# port-security a1 mac-address 0c0090- 456456 After executing the above command, the security configuration for port A1...
Page 668 Configuring and Monitoring Port Security Port Security HP Switch(config)# show port-security 1 Port Security Port : 1 Learn Mode [Continuous] : StaticAddress Limit [1] : 2 Action [None] : None Eavesdrop Prevention [Enabled] : Enabled The Address Limit has been reached.
Page 669 A1 that raises the address limit to 2 and specifies the additional device’s MAC address. For example: HP Switch(config)# port-security 1 mac-address 0c0090- 456456 address-limit 2 Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list.
Page 670 The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: HP Switch(config)# port-security 1 address-limit 1 HP Switch(config)# no port-security 1 mac-address 0c0090- 123456 The above command sequence results in the following configuration for port 1:...
Page 671: Mac Lockdown
Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown MAC Lockdown, also known as “static addressing,” is the permanent assign- ment of a given MAC address (and VLAN, or Virtual Local Area Network) to a specific port on the switch. MAC Lockdown is used to prevent station movement and MAC address hijacking.
Page 672: Differences Between Mac Lockdown And Port Security
Configuring and Monitoring Port Security MAC Lockdown going anywhere other than the locked-down port. Thus TCP connections cannot be established. Traffic sent to the locked address cannot be hijacked and directed out the port of the intruder. If the device (computer, PDA, wireless device) is moved to a different port on the switch (by reconnecting the Ethernet cable or by moving the device to an area using a wireless access point connected to a different port on that same switch), the port will detect that the MAC Address is not on the appropriate...
Page 673 Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown, on the other hand, is not a “list.” It is a global parameter on the switch that takes precedence over any other security mechanism. The MAC Address will only be allowed to communicate using one specific port on the switch.
Page 674: Mac Lockdown Operating Notes
Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
Page 675: Deploying Mac Lockdown
Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as “meshing” or Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.
Page 676 Configuring and Monitoring Port Security MAC Lockdown Internal Server “A” Core 8212zl Switch 8212zl Switch Network There is no need to lock MAC addresses on switches in the internal core network. 3800 Switch 3800 Switch Network Edge Lock Server “A” to these ports.
Page 677 Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
Page 678 Configuring and Monitoring Port Security MAC Lockdown Internal Network PROBLEM: If this link fails, Server A traffic to Server A will not use the backup path via Switch 3 Switch 3 Switch 4 Server A is locked down to Switch 1, Uplink 2 Switch 2 Switch 1 External...
Page 679: Mac Lockout
Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any traffic to or from the “locked-out” MAC address will be dropped. This means that all data packets addressed to or from the given address are stopped by the switch.
Page 680 Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1X authenti- cation. You cannot use MAC Lockout to lock: • Broadcast or Multicast Addresses (Switches do not learn these) • Switch Agents (The switch’s own MAC Address) A MAC address can exist on many different VLANs, so a lockout MAC address must be added to the MAC table as a drop.
Page 681: Port Security And Mac Lockout
Configuring and Monitoring Port Security Port Security and MAC Lockout If someone using a locked out MAC address tries to send data through the switch a message similar to the following is generated in the log file: Lockout logging format: W 10/30/03 21:35:15 maclock: module A: 0001e6-1f96c0 detected on port A15 W 10/30/03 21:35:18 maclock: module A: 0001e6-1f96c0...
Page 682: Reading Intrusion Alerts And Resetting Alert Flags
– The Alert Log includes entries for per-port security violations – The Intrusion Log lists per-port security violation entries • In network management applications such as HP E-PCM Plus via an SNMP trap sent to a network management station 14-34...
Page 683: How The Intrusion Log Operates
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags How the Intrusion Log Operates When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log. No further intrusion attempts on that port will appear in the Log until you acknowledge the earlier intrusion event by reset- ting the alert flag.
Page 684: And Resetting Alert Flags
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The port comes up and will block traffic from unauthorized devices it ■ detects. ■ If the port detects another intruder, it will send another SNMP trap, but will not become disabled again unless you first reset the port’s intrusion flag.
Page 685 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags HP Switch(config)# show int brief Intrusion Alert on port B1. Status and Counters - Port Status | Intrusion Flow Bcast Port Type | Alert Enabled Status Mode Mode Ctrl Limit...
Page 686: Using The Event Log To Find Intrusion Alerts
Intrusion Alert entry for port A1 has changed to “No”. (Executing show port-security intrusion-log again will result in the same display as above, and does not include the Intrusion Alert status.) HP Switch(config)# port-security a1 clear-intrusion-flag HP Switch(config)# show interfaces brief Intrusion Alert on port A1 is now...
Page 687: Operating Notes For Port Security
Operating Notes for Port Security Identifying the IP Address of an Intruder. The Intrusion Log lists detected intruders by MAC address. If you are using HP E-PCM Plus to manage your network, you can use the device properties page to link MAC addresses to their corresponding IP addresses.
Page 688 LACP configuration, displays a notice that LACP is disabled on the port(s), and enables port security on that port. For example: HP Switch(config)# port-security e 17 learn-mode static address-limit 2 LACP has been disabled on secured port(s).
Page 689: Overview
Using Authorized IP Managers Overview Authorized IP Manager Features Feature Default Menu WebAgent Listing (Showing) Authorized page 15-5 page 15-6 page 15-9 Managers Configuring Authorized IP None page 15-5 page 15-6 page 15-9 Managers Building IP Masks page 15-11 page 15-11 page 15-11 Operating and Troubleshooting page 15-14 page 15-14 page 15-14 Notes...
Page 690 Using Authorized IP Managers Overview N o t e When no Authorized IP manager rules are configured, the access method feature is disabled, that is, access is not denied. 15-2...
Page 691: Options
Using Authorized IP Managers Options Options You can configure: ■ Up to 100 authorized manager addresses, where each address applies to either a single management station or a group of stations Manager or Operator access privileges ■ C a u t i o n Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port.
Page 692: Defining Authorized Management Stations
Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations Authorizing Single Stations: The table entry authorizes a single man- ■ agement station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Autho- rized Manager IP column, and leave the IP Mask set to 255.255.255.255.
Page 693: Menu: Viewing And Configuring Ip Authorized Managers
Only IPv4 is supported when using the menu to set the management access method. From the console Main Menu, select: 2. Switch Configuration … 6. IP Authorized Managers HP Switch 22-Apr-2008 20:17:53 ==========================- CONSOLE - MANAGER MODE -============================ Switch Configuration - IP Managers...
Page 694: Cli: Viewing And Configuring Authorized Ip Managers
Using Authorized IP Managers Defining Authorized Management Stations HP Switch 22-Apr-2008 20:17:53 ==========================- CONSOLE - MANAGER MODE -============================ Switch Configuration - IP Managers Enter an Authorized Manager IP address here. Authorized Manager IP: 10.10.245.3 Use the default mask to allow access by one IP Mask [255.255.255.255]:255.255.255.255...
Page 695: Configuring Ip Authorized Managers For The Switch
Configures access levels by access method and IP address. Each management method can have its own set of authorized managers. Default: all HP Switch(config)# ip authorized-managers 10.10.10.2 255.255.255.255 manager access-method ssh Figure 15-4. Example of Configuring IP Authorized Manager Access Method SSH 15-7...
Page 696 Similarly, the next command authorizes manager-level access for any station having an IP address of 10.28.227.101 through 103: HP Switch(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager If you omit the < mask bits > when adding a new authorized manager, the switch automatically uses 255.255.255.255.
Page 697: Webagent: Configuring Ip Authorized Managers
Using Authorized IP Managers WebAgent: Configuring IP Authorized Managers WebAgent: Configuring IP Authorized Managers In the WebAgent you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: In the navigation tree, click on Security. Click on IP Authorization.
Page 698: Web Proxy Servers
Using Authorized IP Managers WebAgent: Configuring IP Authorized Managers Web Proxy Servers If you use the WebAgent to access the switch from an authorized IP manager station, it is highly recommended that you avoid using a web proxy server in the path between the station and the switch.
Page 699: Building Ip Masks
Using Authorized IP Managers Building IP Masks Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network. Configuring One Station Per Authorized Manager IP Entry This is the easiest way to apply a mask.
Page 700 Using Authorized IP Managers Building IP Masks in the octet are “on”) means only one value is allowed for that octet—the value you specify in the corresponding octet of the Authorized Manager IP list. A “0” (all bits in the octet are “off”) means that any value from 0 to 255 is allowed in the corresponding octet in the IP address of an authorized station.
Page 701: Additional Examples For Authorizing Multiple Stations
Using Authorized IP Managers Building IP Masks Figure 15-8. Example of How the Bitmap in the IP Mask Defines Authorized Manager Addresses 4th Octet of IP Mask: 4th Octet of Authorized IP Address: Bit Numbers Bit Bit Values 4th Octet of Bits 1 and 2 in the mask are “off”, and bits 0 and 3 IP Mask (249) - 7 are “on”, creating a value of 249 in the 4th octet.
Page 702: Operating Notes
Using Authorized IP Managers Operating Notes Operating Notes ■ Network Security Precautions: You can enhance your network’s secu- rity by keeping physical access to the switch restricted to authorized personnel, using the password features built into the switch, using the additional security features described in this manual, and preventing unauthorized access to data on your management stations.
Page 703: Overview
Key Management System Overview The switches covered in this guide provide support for advanced routing capabilities. Security turns out to be extremely important as complex net- works and the internet grow and become a part of our daily life and business. This fact forces protocol developers to improve security mechanisms employed by their protocols, which in turn becomes an extra burden for system administrators who have to set up and maintain them.
Page 704: Configuring Key Chain Management
Key Management System Configuring Key Chain Management Time-Dependent key: a key that has an activate and deactivate time ■ associated with the Accept and Send processes. Time-Dependent keys expire, which means a key chain is needed to keep the assigned protocols supplied with keys.
Page 705: Assigning A Time-Independent Key To A Chain
Displays the current key chains on the switch and their overall status. For example, to generate a new key chain entry: Add new key chain HP Switch(config)# key-chan HP Switch1 Entry “HP Switch1”. HP Switch(config)# show key-chain Display key chain Key Chains entries.
Page 706 < chain_name > Displays the detail information about the keys used in the key chain named < chain_name >. For example, to generate a new time-independent key for the HP Switch1 key chain entry: HP Switch(config)# key-chain HP Switch1 key1...
Page 707: Assigning Time-Dependent Keys To A Chain
Key Management System Configuring Key Chain Management Assigning Time-Dependent Keys to a Chain A time-dependent key has Accept or Send time constraints. It is valid only during the times that are defined for the key . If a time-dependent key is used, there is usually more than one key in the key chain entry.
Page 708 Management and Configuration Guide for your switch. For example, to add a number of keys to the key chain entry HP Switch2: Adds a key with HP Switch(config)# key-chain HP Switch2 key 1 accept-lifetime 01/17/03 8:00:00...
Page 709 16-3 and 16-4, if you execute show key-chain at 8:05 on 01/19/03, the display would appear as follows: HP Switch(config)# show key-chain Key Chains Chain Name Keys Active Expired ------------------- ------ ------- ------- HP Switch1 HP Switch2 Figure 16-5. Status of Keys in Key Chain Entry “HP Switch2” 16-7...
Page 710 Key Management System Configuring Key Chain Management The “HP Switch1” key chain entry is a time-independent key and will not expire. “HP Switch2” uses time-dependent keys, which result in this data: Expired = 1 Key 1 has expired because its lifetime ended at 8:10 on 01/18/03, the previous day.
Page 711 Index Numerics display all 802.1X, Web, and MAC authentication configuration … 4-13 3DES … 9-2 displaying 802.1X port configuration … 13-57, 802.1X 13-58, 13-59, 13-60, 13-61 ACL, effect on … 10-18 EAP … 13-2 cached reauthentication … 6-26 EAPOL … 13-5, 13-59 802.1X access control eap-radius …...
Page 712 VLAN, after authentication … 13-33, 13-40, client not using … 13-37 13-48 configuring switch port … 13-53 VLAN, tagged … 13-33, 13-35, 13-40, 13-48, enabling switch port … 13-53 13-67 identity option … 13-53 overview … 13-1 secret … 13-53 password for port-access …...
Page 713 RADIUS-assigned … 13-39 IPX … 10-31 tagged … 13-36, 13-37 mask temporary membership … 13-39 CIDR … 3-24 unauthorized-client … 13-39, 13-40 removing from a VLAN … 10-81 unauthorized-client, best use … 13-42 wildcard, defined … 7-14 unauthorized-client, caution … 13-40 ACL, connection-rate unauthorized-client, different...
Page 714 create, CLI method … 10-48 filter rule when RACL, VACL, and/or port ACL all DA, defined … 10-9, 10-11 apply … 10-20 defined … 10-1, 10-8 filtering methods … 10-13 definitions … 10-8 filtering process … 10-27, 10-32 deleting from config … 10-85 hit count deny any See statistics, ACE.
Page 715 ignored … 10-32 precedence, numbers and names … 10-65 maximum allowed … 10-33 purpose … 10-2 IPv4 and IPv6 … 10-51 RACL mirroring … 10-14 configure … 10-7 monitoring … 10-117 defined … 10-3 multiple ACLs on interface … 10-19 inbound traffic …...
Page 716 use to delete ACE … 10-90 troubleshooting client authentication … 7-20 use to insert ACE … 10-88 trunk … 10-34 source routing, caution … 10-24, 10-40 adding port … 10-34 standard type … 10-46, 10-51, 10-89, 10-97, 10-100 command summary … 10-5 user-based 802.1X …...
Page 717 authorized for port security … 14-3 authorized server … 11-4 alerts authorized server address, configuring … 11-7 generating for monitored events … 11-34 authorized, option for authentication … 6-10, 13-24 adding IP-to-MAC binding … 11-19, 11-27 autorun debugging … 11-22 autorun-key …...
Page 718 access-control list … 3-4 sensitivity level, changing … 3-16 sensitivity level, command … 3-10 ACE mask … 3-24 show, command … 3-14, 3-15 application to port … 3-19 signature recognition … 3-1, 3-2 applying … 3-24 SNMP trap … 3-4 CIDR notation …...
Page 719 trusted ports, disabled … 11-6 bpdu protection, none … 1-9 DHCP snooping, none … 1-9 SSH, disabled … 1-4, 8-1 DSA keysize, 1024 bits … 8-12 SSL, disabled … 1-5, 9-1 dynamic arp protection, none … 1-9 TACACS+ dynamic IP lockdown, none … 1-9 authentication configuration …...
Page 720 DHCPOFFER … 11-3 filtering IP addresses … 11-24 DHCPRELEASE … 11-3 overview … 11-22 disable MAC check … 11-10 platform differences … 11-31 disabling … 11-4 spoofing protection … 11-23 dropping packets … 11-3 verifying configuration … 11-28 enabling … 11-4 VLAN binding …...
Page 721 … 11-28 ip source-lockdown … 11-25, 11-26 hierarchy of precedence, used by DCA … 1-17 bindings … 11-29, 11-30 HP E-PCM Plus IP spoofing IDM as a plug-in to … 1-20 protection against … 11-23 port security alerts … 14-2 IP-to-MAC binding …...
Page 722 generating a time-independent key … 16-3 show status and configuration … 4-65 key chain … 16-1 terminology … 4-9 key chain entry … 16-2 unauth-redirect command … 4-59, 4-60 key chain generation … 16-2 unconfigure registration server … 4-64 overview … 16-1 web registration …...
Page 723 … 12-15 with Setmib … 2-7 proxy password security … 8-20 web server … 14-39 saved to configuration file … 2-12 PCM … 7-2 See HP E-PCM Plus peap-mschapv2 … 6-10 RACL defined … 10-3 port RADIUS Index – 13...
Page 724 Egress-VLAN ID attribute … 6-44 TLS … 6-4 Egress-VLAN-Name attribute … 6-44 Tunnel-Type attribute … 6-44 Framed-IP-Address … 6-49 vendor specific attributes … 6-45 general setup … 6-5 vendor-specific attributes … 6-38, 7-3 HP-acct-terminate-cause attribute … 6-45 14 – Index...
Page 725 See vendor-specific attribute. wildcard, defined … 7-14 VSAs … 6-39, 6-70 See also ACLs. VSAs for client limit … 6-71 radius-server web browser security not supported … 6-5 host webagent access controls … 6-35 key with tilde character … 4-16 webagent security not supported …...
Page 726 downloading a configuration file … 2-19 disable MAC check … 11-10 downloading from a server … 2-10 Option 82 … 11-4, 11-8 enabling storage in configuration file … 2-11 statistics … 11-5 manager username and password … 2-12 untrusted-policy … 11-9 operator username and password …...
Page 727 known-host file … 8-13, 8-15 key, fingerprint … 9-10 mac selection … 8-18 man-in-the-middle spoofing … 9-13 man-in-the-middle spoofing … 8-16 OpenSSL … 9-1 messages, operating … 8-31 operating notes … 9-5 OpenSSH … 8-2 operating rules … 9-5 operating rules … 8-7 passwords, assigning …...
Page 728 … 5-13 configured in RADIUS server … 7-3 system requirements … 5-4 configuring … 7-3 TACACS+ server … 5-2, 5-7 configuring support for HP VSAs … 6-39 testing … 5-4 defined … 7-14 TFTP, configuration … 5-30 defining … 6-40 timeout …...
Page 729 tagged egress VLAN in authentication web browser interface session … 6-45 authorized IP managers, configuring … 15-7, unauthenticated access … 13-29 15-9 untagged VLAN in authentication SSL … 9-13 session … 6-44, 6-45 unsecured access, SSL … 9-13 VLANs web server, proxy … 14-39 GVRP-created …...
Page 730 20 – Index...
Page 732 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

HP E3800-24G-PoE+-2SFP+ Access Security Manual

About Your Switch Manual Set

Product Documentation

Software Feature Index

Security Overview

Introduction

Access Security Features

Network Security Features

Getting Started with Access Security

Precedence of Security Options

HP Identity-Driven Manager (IDM)

Configuring Username and Password Security

Overview

Configuring Local Password Security

Saving Security Credentials in a Config File

Front-Panel Security

Password Recovery

Virus Throttling (Connection-Rate Filtering)

Overview of Connection-Rate Filtering

General Configuration Guidelines

Configuring Connection-Rate Filtering

Configuring and Applying Connection-Rate Acls

Web and MAC Authentication

Overview

How Web and MAC Authentication Operate

Terminology

Operating Rules and Notes

Setup Procedure for Web/Mac Authentication

Configuring Web Authentication

Customizing Web Authentication HTML Files (Optional)

Configuring MAC Authentication on the Switch

Client Status

TACACS+ Authentication

Overview

Terminology Used in TACACS Applications

General System Requirements

General Authentication Setup Procedure

Configuring TACACS+ on the Switch

How Authentication Operates

Using TACACS+ Authentication

Messages Related to TACACS+ Operation

Accounting Services

Terminology

Switch Operating Rules for RADIUS

General RADIUS Setup Procedure

Configuring the Switch for RADIUS Authentication

Cached Reauthentication

Using SNMP to View and Configure

Switch Authentication Features

Controlling Webagent Access

Commands Authorization

VLAN Assignment in an Authentication Session

Viewing RADIUS Statistics

Changing RADIUS-Server Access Order

Dynamic Removal of Authentication

Limits

Overview

RADIUS Server Configuration for Cos

P Priority) and Rate-Limiting

Overview

Prerequisite for Using SSH

Steps for Configuring and Using SSH

Public Key Formats

For Switch and Client Authentication

General Operating Rules and Notes

Configuring the Switch for SSH Operation

Further Information on SSH Client Public-Key Authentication

Messages Related to SSH Operation

Overview

9 Configuring Secure Socket Layer (SSL)

Terminology

Prerequisite for Using SSL

General Operating Rules and Notes

General Operating Rules and Notes

Authentication

Configuring the Switch for SSL Operation

Common Errors in SSL Setup

Ipv4 Static ACL Operation

Planning an ACL Application

Configuring and Assigning an Ipv4 ACL