Page 4
Software Credits and Notices HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, SSH on HP switches is based on the OpenSSH soft- ware INCLUDING, BUT NOT LIMITED TO, THE IMPLIED toolkit. This product includes software developed by the WARRANTIES OF MERCHANTABILITY AND FITNESS OpenSSH Project for use in the OpenSSH Toolkit.
Page 5
Software End User License Agreement and Hardware Limited Warranty For the software end user license agreement and the hardware limited warranty information for HP Networking products, visit www.hp.com/networking/support. Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 www.hp.com/networking/support...
Page 8
CLI: Setting Passwords and Usernames ......2-6 Setting an Encrypted Password ....... 2-9 WebAgent: Setting Passwords and Usernames .
Page 9
Restoring the Factory Default Configuration ....2-36 Configuring Front-Panel Security ......2-37 Disabling the Clear Password Function of the Clear Button .
Page 10
Configuring a Connection-Rate ACL Using Source IP Address Criteria ........3-20 Configuring a Connection-Rate ACL Using UDP/TCP Criteria .
Page 11
Customizable HTML Templates ......4-34 Configuring MAC Authentication on the Switch ....4-48 Overview .
Page 12
Configuring the TACACS+ Server for Single Login ....5-12 Configuring the Switch’s TACACS+ Server Access ....5-17 How Authentication Operates .
Page 14
RADIUS Client and Server Requirements ....7-1 Optional HP PCM+ and IDM Network Management Applications ....... . . 7-2 RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting .
Page 15
Example Using HP VSA 63 To Assign IPv6 and/or IPv4 ACLs . . 7-30 Example Using HP VSA 61 To Assign IPv4 ACLs ... . 7-33 Configuration Notes ........7-35 Configuring the Switch To Support RADIUS-Assigned ACLs .
Page 16
SSH Client and Secure Sessions ....... 8-31 Opening a Secure Session to an HP Switch ..... 8-32 Operating Notes .
Page 17
Generate a CA-Signed server host certificate with the WebAgent ..........9-13 3.
Page 18
Guidelines for Planning the Structure of a Static ACL ... 10-31 IPv4 ACL Configuration and Operating Rules ....10-32 How an ACE Uses a Mask To Screen Packets for Matches .
Page 19
Filtering Inbound IPv4 Traffic Per Port ..... . . 10-83 Classifier-Based Rate-Limiting with RL-PACLs ....10-84 Deleting an ACL .
Page 20
IPv4 Counter Operation with Multiple Interface Assignments ......... 10-124 General ACL Operating Notes .
Page 21
Potential Issues with Bindings ......11-28 Adding a Static Binding ....... . . 11-29 Verifying the Dynamic IP Lockdown Configuration .
Electronic Publications The latest version of each of the publications listed below is available in PDF format on the HP Networking web site, as described in the Note at the top of this page. ■ Installation and Getting Started Guide—Explains how to prepare for and perform the physical installation and connect the switch to your network.
Intelligent Edge Software Features. These features are automatically included on all switches. Premium License Software Features. For the HP 3500, 3500yl, 5400zl, 6600, and 8200zl switches, Premium License features can be acquired by purchasing the optional Premium License and installing it on the Intelligent Edge version of these switches.
Page 29
Intelligent Edge Manual Software Features Management Advanced Multicast and Access IPv6 Basic Traffic Routing Security Configura- Operation Configura- Management Guide tion Guide Guide tion Access Control Lists (ACLs) Access Control Lists (ACLs) (IPv6) AAA Authentication Authorized IP Managers Authorized IP Managers (IPv6) Authorized Manager List (Web, Telnet, TFTP)
Page 31
Intelligent Edge Manual Software Features Management Advanced Multicast and Access IPv6 Basic Traffic Routing Security Configura- Operation Configura- Management Guide tion Guide Guide tion Key Management System (KMS) LACP LLDP LLDP-MED Loop Protection MAC Address Management MAC Lockdown MAC Lockout MAC-based Authentication Management VLAN Management Security (IPv6)
Page 32
Intelligent Edge Manual Software Features Management Advanced Multicast and Access IPv6 Basic Traffic Routing Security Configura- Operation Configura- Management Guide tion Guide Guide tion Ping Policy-based Routing (PBR) Port Configuration Port Monitoring Port Security Port Status Port Trunking (LACP) Port-Based Access Control (802.1X) Power over Ethernet (PoE and PoE+)
For detailed information on individual features, see the references provided. Before you connect your switch to a network, HP strongly recommends that you review the section titled “Getting Started with Access Security” on page 1-9.
Security Overview Access Security Features Access Security Features This section provides an overview of the switch’s access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter and page references are to this Access Security Guide unless a different manual name is indicated).
Page 37
Security Overview Access Security Features Feature Default Security Guidelines More Information and Setting Configuration Details Telnet and enabled The default remote management protocols enabled on “Quick Start: Using the Web-browser the switch are plain text protocols, which transfer Management Interface access passwords in open or plain text that is easily captured.
Page 38
Secure disabled This feature creates an isolated network for managing Advanced Traffic Management the HP switches that offer this feature. When a secure Management Guide, refer to VLAN management VLAN is enabled, CLI, Menu interface, and the chapter “Static Virtual WebAgent access is restricted to ports configured as LANs (VLANs)”...
Page 39
• port-based access control allowing authentication by a single client to open the port • switch operation as a supplicant for point-to-point connections to other 802.1X-compliant HP switches Web and MAC none These options are designed for application on the edge Chapter 4, “Web and MAC...
“Using Secure Copy and SFTP” USB Autorun enabled Used in conjunction with HP PCM+, this feature allows Management and (disabled diagnosis and automated updates to the switch via the Configuration Guide, once a USB flash drive.
Page 41
Security Overview Network Security Features Feature Default Security Guidelines More Information and Setting Configuration Details Access Control none ACLs can filter traffic to or from a host, a group of hosts, Chapter 10, “IPv4 Access Lists (ACLs) or entire subnets. Layer 3 IP filtering with Access Control Control Lists (ACLs)”...
Page 42
Default Security Guidelines More Information and Setting Configuration Details none KMS is available in several HP switch models and is Chapter 16, “Key Management designed to configure and maintain key chains for use Management System” System (KMS) with KMS-capable routing protocols that use time- dependent or time-independent keys.
Getting Started with Access Security Getting Started with Access Security HP switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network...
Security Overview Getting Started with Access Security Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following: Disable or re-enable the password-clearing function of the Clear button. ■...
Security Overview Getting Started with Access Security CLI: Management Interface Wizard To configure security settings using the CLI wizard, follow the steps below: At the command prompt, type setup mgmt-interfaces. The welcome banner appears and the first setup option is displayed (Operator password).
Security Overview Getting Started with Access Security When you enter the wizard, you have the following options: • To update a setting, type in a new value, or press [Enter] to keep the current value. • To quit the wizard without saving any changes, press [CTRL-C] at any time.
1 and 2c compatibility, which uses plain text and does not provide security options. HP recommends that you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation).
Page 48
Security Overview Getting Started with Access Security authentication configuration (hpSwitchAuth). This means that the switch’s default configuration now allows SNMP access to security settings in hpSwitchAuth. N o t e o n S N M P Downloading and booting from the K.12.xx or greater software version for the A c c e s s t o first time enables SNMP access to the authentication configuration MIB (the A u t h e n t i c a t i o n...
Security Overview Precedence of Security Options Precedence of Security Options This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch. Precedence of Port-Based Security Options Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest.
HP E-Network Immunity Manager HP E-Network Immunity Manager (NIM) is a plug-in to HP PCM+ and a key component of the HP E-Network Immunity security solution that provides comprehensive detection and per-port-response to malicious traffic at the HP network edge.
Precedence is always given to the temporarily applied NIM-configured parameters over RADIUS-assigned and locally configured parameters. For information on HP E-Network Immunity Manager, go to the HP Networking web site at www.hp.com/solutions, click on Security, and then click on Security Products.
Page 52
Security Overview Precedence of Security Options 802.1X authentication b. Web or MAC authentication Statically (local) configured Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
Page 53
Security Overview Precedence of Security Options RADIUS-assigned CoS, rate-limiting, and ACLS: “Configuring RADIUS ■ Server Support for Switch Services” on page 7-1. ■ Statically (local) configured: “Configuring Username and Password Security” on page 2-1. 1-19...
HP PMC Identity Driven Manager (IDM) HP PMC Identity Driven Manager (IDM) HP PMC IDM is a plug-in to HP PCM+ and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.
Configuring Username and Password Security Overview Feature Default Menu WebAgent Set Usernames none — — page 2-10 Set a Password none page page 2-6 page 2-10 Delete Password Protection page page 2-7 page 2-10 show front-panel-security — page 1-13 — front-panel-security —...
Page 56
Configuring Username and Password Security Overview Beginning with software release K.14.01, usernames and passwords for Man- ager and Operator access can also be configured using the Management Interface Wizard. For more information, refer to “Quick Start: Using the Management Interface Wizard” on page 1-10. Level Actions Permitted Manager:...
Page 57
Configuring Username and Password Security Overview Menu Interface: System Information screen (Select “2. Switch Configu- ■ ration.) CLI: Use the console inactivity-timer < 0 | 1 | 5 | 10 | 15 | 20 | 30 | 60 | 120 > ■...
Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a user- name requires either the CLI or the WebAgent. From the Main Menu select: 3.
Page 59
Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and pass- words (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
(up to 64 characters). The default type is plaintext, which is also the only type accepted for the port-access parameter. • Password entries appear HP Switch(config)# password manager as asterisks. New password: ******* • You must type the Please retype new password: ******* password entry twice.
Page 61
(This command also clears the username associated with a password you are removing.) For example, to remove the Operator password (and username, if assigned) from the switch, you would do the following: HP Switch(config)# no password Password protection will be deleted, do you want to continue [y/n]? y HP Switch(config)#...
Page 62
Configuring Username and Password Security Configuring Local Password Security The SPACE character is allowed to form a username or password pass-phrase. The username must be in quotes, for example “The little brown fox”. A space is not allowed as part of a username without the quotes. A password that includes a space or spaces should not have quotes.
Execute the CLI command no password all. This clears all the passwords. Then execute a CLI write memory command (required if the include- credentials feature has ever been enabled). HP Switch(config)# no password all Password protections will be deleted, do you want to continue [y/n]? y HP Switch(config)# write mem Clear the password by using the "Clear"...
Configuring Username and Password Security Configuring Local Password Security WebAgent: Setting Passwords and Usernames In the WebAgent you can enter passwords and (optional) usernames. See the WebAgent Online Help for detailed information. 2-10...
By permanently saving a switch’s security credentials in a configuration file, you can upload the file to a TFTP server or Xmodem host, and later download the file to the HP switches on which you want to use the same security settings without having to manually configure the settings (except for SNMPv3 user parameters) on each switch.
Configuring Username and Password Security Saving Security Credentials in a Config File By storing different security settings in different files, you can test ■ different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot the switch.
Configuring Username and Password Security Saving Security Credentials in a Config File radius-tacacs-only: When executed with the radius-tacacs-only option, only the RADIUS and TACACS security keys are included in the configuration when saving files remotely. The radius-tacacs-only option can be disabled with either command: no include-credentials no include-credentials radius-tacacs-only store-in-config: Stores passwords and SSH authorized keys in the...
Configuring Username and Password Security Saving Security Credentials in a Config File HP Switch(config)# include-credentials **** CAUTION **** You have invoked the command 'include-credentials'. This action will make changes to the password and SSH public-key storage. It will affect *all* stored configurations, which might need to be updated.
Configuring Username and Password Security Saving Security Credentials in a Config File HP Switch(config)# no include-credentials store-in-config This will remove any switch passwords and inactive SSH authorized keys from all configuration files. This will also restore the functionality to store only a single set of passwords and authorized keys on the switch.
Configuring Username and Password Security Saving Security Credentials in a Config File Use the write memory command to save the password configurations in the startup-config file. The passwords take effect when the switch boots with the software version associated with that configuration file. C a u t i o n If a startup configuration file includes other security credentials, but does not contain a manager or operator password, the switch will not have password...
Configuring Username and Password Security Saving Security Credentials in a Config File SNMP Security Credentials SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-credentials command. In addition, the following SNMPv3 security parameters are also saved: snmpv3 user “<name>"...
Configuring Username and Password Security Saving Security Credentials in a Config File 802.1X Port-Access Credentials 802.1X authenticator (port-access) credentials can be stored in a configuration file. 802.1X authenticator credentials are used by a port to authenticate supplicants requesting a point-to-point connection to the switch. 802.1X supplicant credentials are used by the switch to establish a point-to- point connection to a port on another 802.1X-aware switch.
TACACS+ shared secret (encryption) keys can be saved in a configuration file by entering this command: HP Switch(config)# tacacs-server key <keystring> The option <keystring> is the encryption key (in clear text) used for secure communication with all or a specific TACACS+ server.
Configuring Username and Password Security Saving Security Credentials in a Config File Include-Credentials Radius-Tacacs-Only Option This option allows you to execute include-credentials for only RADIUS and TACACS. The radius-tacacs-only option does not cause the switch to store authentication passwords and SSH keys in the configuration file. Syntax: [no] include-credentials [radius-tacacs-only | store-in-config] Enables the inclusion of passwords and security credentials in each configuration file when the file is saved onto a remote server...
Figure 2-8. Example of Caution Message Displayed for radius-tacacs-only Option SSH Client Public-Key Authentication Secure Shell version 2 (SSHv2) is used by HP switches to provide remote access to SSH-enabled management stations. Although SSH provides Telnet- like functions, unlike Telnet, SSH provides encrypted, two-way authenticated transactions.
Page 76
Configuring Username and Password Security Saving Security Credentials in a Config File keystring:. a legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single quoted token. If the keystring contains double-quotes, it can be quoted with single quotes ('keystring').
Page 77
AAAAB3NzaC1yc2EAAABIwAAAIEA1Kk9sVQ9LJOR6XO/hCMPxbiMNOK8C/ay \ +SQ10qGw+K9m3w3TmCfjh0ud9hivgbFT4F99AgnQkvm2eVsgoTtLRnfF7uw \ NmpzqOqpHjD9YzItUgSK1uPuFwXMCHKUGKa+G46A+EWxDAIypwVIZ697QmM \ qPFj1zdI4sIo5bDett2d0= joe@hp.com” Figure 2-9. Example of SSH Public Keys If a switch configuration contains multiple SSH client public keys, each public key is saved as a separate entry in the configuration file. You can configure up to ten SSH client public-keys on a switch.
SSH keys for the switch. Enabled in Active Configuration: Include-credentials is either enabled or disabled. RADIUS/TACACS only: Displayed when the option is configured. HP Switch(config)# show include-credentials Stored in Configuration : Yes Enabled in Active Configuration : N/A...
Configuring Username and Password Security Saving Security Credentials in a Config File Storage States When Using Include-Credentials The following table shows the states of several access types when the factory default settings are in effect or when include-credentials is enabled or not enabled.
Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes C a u t i o n When you first enter the include-credentials command to save the ■ additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file.
Page 81
Configuring Username and Password Security Saving Security Credentials in a Config File • copy config <source-filename> config <target-filename>: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot.
Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command: ■ The private keys of an SSH host cannot be stored in the running configuration.
When the encrypt-credentials feature is enabled, the affected credentials will be encrypted using aes-256-cbc encryption. By default, a fixed, hard-coded 256-bit key that is common to all HP networking devices is used. This allows transfer of configurations with all relevant credentials and provides much more security than plaintext passwords in the configuration.
If specified with pre-shared-key option, clears the pre- shared-key used to encrypt credentials. pre-shared-key: When specified, sets the pre-shared-key that is used for all AES encryption. If no key is set, an HP switch default AES key is used. Default: HP switch default AES key plaintext: Set the key using plaintext.
Save config and continue [y/n]? y Figure 2-11. Example of Enabling encrypt-credentials with Caution Message HP Switch(config)# encrypt-credentials pre-shared-key plaintext SecretKey1 Save config and continue [y/n]? y Figure 2-12. Example of Creating a pre-shared-key in Plaintext...
■ HP recommends that when executing an “encrypted-<option>” command, you copy and paste the encrypted parameter from a known encrypted password that has been generated on the same switch or another switch with the same pre-shared key (whether user-specified or a default key).
Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together).
Clear Button Reset Button Figure 2-16. Front-Panel Button Locations on an HP Switch E8212zl Clear Button Pressing the Clear button alone for one second resets the password(s) con- figured on the switch.
Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-18. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.
Configuring Username and Password Security Front-Panel Security Reset Clear Test When the Test LED to the right of the Clear button begins flashing, release the Clear button. Reset Clear Test It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings.
Page 92
Configuring Username and Password Security Front-Panel Security • Modify the operation of the Reset+Clear combination (page 2-36) so that the switch still reboots, but does not restore the switch’s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.) •...
Page 93
For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings. HP Switch(config)# show front-panel-security Clear Password - Enabled Reset-on-clear - Disabled...
Clear button, type ; otherwise type . For example: HP Switch(config)# no front—panel—security password—clear **** CAUTION **** Disabling the clear button prevents switch passwords from being easily reset or recovered. Ensure that you are familiar with the front panel security options before proceeding.
Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. •...
Configuring Username and Password Security Front-Panel Security Switch(config)# show front—panel—security Shows password-clear disabled. Clear Password — Disabled Factory Reset — Enabled Enables password-clear, with reset-on- Password Recovery — Enabled clear disabled by the “no” statement at the beginning of the command. Switch(config)# no front—panel—security password—clear reset—on—clear Switch(config)# show front—panel—security Clear Password...
Page 97
The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. HP Switch(config)# no front—panel—security factory—reset **** CAUTION **** Disabling the factory reset option prevents switch configuation and passwords from being easily reset or recovered.
Recovery requires: password-recovery enabled (the default) on the switch prior to an attempt ■ to recover from a lost username/password situation Contacting your HP Customer Care Center to acquire a one-time-use ■ password Disabling or Re-Enabling the Password Recovery...
Page 99
Configuring Username and Password Security Password Recovery C a u t i o n Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and pass- word on the switch. In this event, there is no way to recover from a lost manager username/password situation without resetting the switch to its factory-default configuration.
If you have lost the switch’s manager username/password, but password- recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by HP. If you have disabled password-recovery, which locks out the ability to recover a...
Page 101
Password Recovery N o t e The alternate password provided by the HP Customer Care Center is valid only for a single login attempt. You cannot use the same “one-time-use” password if you lose the password a second time. Because the password algorithm is randomized based upon your switch's MAC address, the pass- word will change as soon as you use the “one-time-use”...
Page 102
Configuring Username and Password Security Password Recovery 2-48...
Virus Throttling (Connection-Rate Filtering) Overview of Connection-Rate Filtering Feature Default Page Ref Global Configuration and Sensitivity Disabled 3-10 Per-Port Configuration None 3-11 Listing and Unblocking Blocked Hosts 3-16 Viewing the Current Configuration 3-14 Configuring Connection-Rate ACLs None 3-18 The spread of malicious agents in the form of worms exhibiting worm behavior has severe implications for network performance.
Virus Throttling (Connection-Rate Filtering) Overview of Connection-Rate Filtering connection-rate filtering can help reduce the impact of worm-like malicious code and give system administrators more time to isolate and eradicate the threat. Thus, while traditional worm and virus-signature updates will still need to be deployed to hosts, the network remains functional and the overall distribution of the malicious code is limited.
Event Log message the high connection-rate traffic (characteristic of worm attacks) that is detected on the edge port connected to device D. HP switch with connection-rate filtering configured, and block spreading option enabled. Port is blocked Device infected with worm-like malicious code Figure 3-1.
Virus Throttling (Connection-Rate Filtering) Overview of Connection-Rate Filtering Notify only (of potential attack): While the apparent attack ■ continues, the switch generates an Event Log notice identifying the offending host’s source IP address and (if a trap receiver is configured on the switch) a similar SNMP trap notice).
Virus Throttling (Connection-Rate Filtering) Overview of Connection-Rate Filtering Connection-Rate ACLs. The basic connection-rate filtering policy is con- figured per-port as notify-only, throttle, and block. A connection-rate ACL cre- ates exceptions to these per-port policies by creating special rules for individual hosts, groups of hosts, or entire subnets. Thus, you can adjust a connection-rate filtering policy to create and apply an exception to configured filters on the ports in a VLAN.
Virus Throttling (Connection-Rate Filtering) Overview of Connection-Rate Filtering Unblocking a Currently Blocked Host A host blocked by connection-rate filtering remains blocked until explicitly unblocked by one of the following methods: Using the connection-rate-filter unblock command (page 3-16). ■ ■ Rebooting the switch. Disabling connection-rate filtering using the no connection-rate-filter ■...
Virus Throttling (Connection-Rate Filtering) General Configuration Guidelines General Configuration Guidelines As stated earlier, connection-rate filtering is triggered only by inbound IP traffic generating a relatively high number of new IP connection requests from the same host. For a network that is relatively attack-free: Enable notify-only mode on the ports you want to monitor.
Virus Throttling (Connection-Rate Filtering) General Configuration Guidelines Note On a given VLAN, to unblock the hosts that have been blocked by the connection-rate feature, use the vlan < vid > connection-rate filter unblock command. Maintain a practice of carefully monitoring the Event Log or configured trap receivers for any sign of high connectivity-rate activity that could indicate an attack by malicious code.
Virus Throttling (Connection-Rate Filtering) Configuring Connection-Rate Filtering Enabling Connection-Rate Filtering and Configuring Sensitivity Syntax: connection-rate-filter sensitivity < low | medium | high | aggressive > no connection-rate-filter This command: • Enables connection-rate filtering. • Sets the global sensitivity level at which the switch interprets a given host’s attempts to connect to a series of different devices as a possible attack by a malicious agent residing in the host.
Virus Throttling (Connection-Rate Filtering) Configuring Connection-Rate Filtering Configuring the Per-Port Filtering Mode Syntax: filter connection-rate < port-list > < notify-only | throttle | block > no filter connection-rate < port-list > Configures the per-port policy for responding to detection of a relatively high number of inbound IP connection attempts from a given source.
Virus Throttling (Connection-Rate Filtering) Configuring Connection-Rate Filtering Example of a Basic Connection-Rate Filtering Configuration Switch HP Switch VLAN 1 15.45.100.1 Server VLAN 10 Switch Server 15.45.200.1 Server VLAN 15 15.45.300.1 Switch Company Intranet Server Figure 3-2. Sample Network Basic Configuration. Suppose that in the sample network, the administra-...
Page 115
HP Switch(config)# filter connection-rate b1-b3 throttle the sensitivity to “low”. HP Switch(config)# filter connection-rate b4 notify-only HP Switch(config)# filter connection-rate b9, d1-d2 block HP Switch(config)# write mem HP Switch(config)# show config Startup configuration : J8697A Configuration Editor; Created on release #K.15.XX hostname “HP Switch”...
Displays the current global connection-rate status (enabled/disabled) and sensitivity setting, and the cur- rent per-port configuration. This command does not display the current (optional) connection-rate ACL con- figuration, if any. HP Switch(config)# show connection-rate-filter Connection Rate Filter Configuration Global Status: Enabled Sensitivity:...
Page 117
(page 3-18), use show config (for the startup-config file) or show running (for the running-config file). For example: Entry showing that connection-rate- HP Switch(config)# show config filtering is enabled Startup configuration and set to “medium” ; J8697A Configuration Editor; Created on sensitivity.
Lists, by VLAN membership, the hosts cur- rently in a throttling state due to connection-rate action. blocked-hosts: Lists, by VLAN membership, the hosts currently blocked by connection-rate action. HP Switch(config)# show connection-rate-filter all-hosts VLAN ID | Source IP Address | Filter Mode -------------+-------------------+------------ | 13.28.234.175...
Page 119
Src IP xxx.xxx.xxx.xxx blocked Note HP recommends that, before you unblock a host that has been blocked by connection-rate filtering, you inspect the host with current antivirus tools and remove any malicious agents that pose a threat to your network.
Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs For more information on when to apply connection-rate ACLs, refer to “Appli- cation Options” on page 3-4. Note Connection-rate ACLs are a special case of the switch’s ACL feature. If you need information on other applications of ACLs or more detailed information on how ACLs operate, refer to Chapter 10, “IPv4 Access Control Lists (ACLs)”.
Syntax: ip access-list connection-rate-filter < crf-list-name > Creates a connection-rate-filter ACL and puts the CLI into the access control entry (ACE) context: HP Switch(config-crf-nacl)# If the ACL already exists, this command simply puts the CLI into the ACE context. Syntax: < filter | ignore > ip < any | host < ip-addr > | ip-addr < mask-length > >...
Page 123
Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs < filter | ignore > The filter option assigns policy filtering to traffic with source IP address (SA) matching the source address in the ACE. The ignore option specifies bypassing policy filtering for traffic with an SA that matches the source address in the ACE.
Syntax: ip access-list connection-rate-filter < crf-list-name > Creates a connection-rate-filter ACL and puts the CLI into the access control entry (ACE) context: HP Switch(config-crf-nacl)# If the ACL already exists, this command simply puts the CLI into the ACE context. Syntax: < filter | ignore > < udp | tcp > < any >...
Page 125
Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs ip-addr < mask-length >: Applies the ACEs action (filter or ignore) to IP traffic having an SA within the range defined by either: < src-ip-addr/cidr-mask-bits> <src-ip-addr < mask >> Use this criterion for traffic received from either a subnet or a group of IP addresses.
Page 126
(161) snmp-trap: Simple Network Management Pro- tocol (162) tftp: Trivial File Transfer Protocol (69) HP Switch(config)# ignore tcp host 15.75.10.11 destination-port eq 1812 source-port eq 1812 Ignore (allow) tcp traffic from the host at 15.75.10.11 with both source and destination tcp ports of 1812.
Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs Applying Connection-Rate ACLs To apply a connection-rate ACL, use the access group command described below. Note that this command differs from the access group command for non-connection-rate ACLs. Syntax: [no] vlan < vid > ip access-group < crf-list-name > connection-rate-filter This command applies a connection-rate access control list (ACL) to inbound traffic on ports in the specified VLAN that are configured for connection-rate filtering.
Matches” on page 10-35. Example of Using an ACL in a Connection-Rate Configuration This example adds connection-rate ACLs to the basic example on page 3-12. IP Address: 15.45.100.7 Switch HP Switch VLAN 1 15.45.100.1 Server VLAN 10 Switch Server 15.45.200.1...
Page 129
15.45.50.17 without filtering through the per-port connection- rate ACL context and rate policy configured on port D2. names the ACL. HP Switch(config)# ip access-list connection-rate-filter 17-server HP Switch(config-crf-nacl)# ignore ip host 15.45.50.17 HP Switch(config-crf-nacl)# exit HP Switch(config)# vlan 15 HP Switch(vlan-15)# ip access-group 17-server connection-rate-filter...
Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs HP Switch(config)# show config Startup configuration ; J8697A Configuration Editor; Created on release #K.15.XX hostname “HP Switch” connection-rate-filter sensitivity high ip access-list connection-rate-filter “17-server” ignore ip 15.45.50.17 0.0.0.0 exit The new switch configuration...
Page 131
Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs the port through which the traffic entered the switch. For example, ignore host 15.45.120.70 tells the switch to permit traffic from the host at 15.45.120.70 without filtering this host’s traffic through the connec- tion-rate policy configured for the port on which the traffic entered the switch.
Virus Throttling (Connection-Rate Filtering) Connection-Rate Log and Trap Messages determining current resource availability and usage, refer to the appendix titled “Monitoring Resources” in the Management and Configuration Guide for your switch. Connection-Rate Log and Trap Messages Please see the Event Log Message Reference Guide for information about Event Log messages.
Web and MAC Authentication Overview Feature Default Menu Configure Web Authentication — 4-18 — Configure MAC Authentication — 4-48 — Display Web Authentication Status and Configuration — 4-26 — Display MAC Authentication Status and Configuration — 4-65 — Web and MAC authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and a switch from unauthorized access.
Web and MAC Authentication Overview Web Authentication The Web Authentication (Web-Auth) method uses a web page login to authen- ticate users for access to the network. When a client connects to the switch and opens a web browser, the switch automatically presents a login page. Note A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web authentication.
Web and MAC Authentication Overview Concurrent Web and MAC Authentication Web authentication and MAC authentication can be configured at the same time on a port. It is assumed that MAC authentication will use an existing MAC address. The following conditions apply for concurrent Web and MAC authen- tication: A specific MAC address cannot be authenticated by both Web and ■...
Web and MAC Authentication Overview support multiple client sessions in different VLANs for a network application, design your system so that clients request network access on different switch ports.) In the default configuration, the switch blocks access to all clients that the RADIUS server does not authenticate.
Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Before gaining access to the network, a client first presents authentication credentials to the switch. The switch then verifies the credentials with a RADIUS authentication server. Successfully authenticated clients receive access to the network, as defined by the System Administrator.
Page 138
Web and MAC Authentication How Web and MAC Authentication Operate enabled SSL on the switch, you can specify the ssl-login option when you configure web authentication so that clients who log in to specified ports are redirected to a secure login page (https://...) to enter their credentials. The switch passes the supplied username and password to the RADIUS server for authentication and displays the following progress message: Figure 4-2.
Web and MAC Authentication How Web and MAC Authentication Operate The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period).
Page 140
Web and MAC Authentication How Web and MAC Authentication Operate If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (auth-vid if configured) and temporarily drops all other VLAN memberships. If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
VLAN. Authentication Server: The entity providing an authentication service to the switch. In the case of a HP Switch 8212zl running Web/MAC-Authen- tication, this is a RADIUS server. Authenticator: In HP switch applications, a device such as a HP Switch...
Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ The switch supports concurrent 802.1X , Web and MAC authentication operation on a port (with up to 2 clients allowed). However, concur- rent operation of Web and MAC authentication with other types of authentication on the same port is not supported.
Page 143
Web and MAC Authentication Operating Rules and Notes • During an authenticated client session, the following hierarchy deter- mines a port’s VLAN membership: If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, HP recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.)
Page 145
Setup Procedure for Web/MAC Authentication To display the current configuration of 802.1X, Web-based, and MAC authentication on all switch ports, enter the show port-access config command. HP Switch (config)# show port-access config Port Access Status Summary Port-access authenticator activated [No] : Yes...
Page 146
Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100”...
Web and MAC Authentication Setup Procedure for Web/MAC Authentication Configuring the RADIUS Server To Support MAC Authentication On the RADIUS server, configure the client device authentication in the same way that you would any other client, except: Configure the client device’s (hexadecimal) MAC address as both ■...
Page 148
The tilde (~) character is allowed in the string, for example, radius- server key hp~switch. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
Page 149
For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server specific shared secret key of ‘1A7rd’: HP Switch(config)# radius-server host 192.158.32.11 HP Switch(config)# radius-server host 192.158.32 11 key 1A7rd HP Switch(config)# show radius...
If you have not already done so, configure a local username and password pair on the switch. Identify or create a redirect URL for use by authenticated clients. HP recommends that you provide a redirect URL when using Web Authenti- cation.
Web and MAC Authentication Configuring Web Authentication • You can block only incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web authentication. For example, Wake-on-LAN traffic is transmitted on a web-authenti- cated egress port that has not yet transitioned to the authenticated state;...
Page 152
Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-direc- tions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.
Page 153
Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> — Continued — Notes: ■ For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, “Multiple Instance Spanning-Tree Operation”...
Page 154
Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based <port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable web- based authentication on the specified ports. Syntax: aaa port-access web-based <port-list> [auth-vid <vid>]] no aaa port-access web-based <port-list>...
Page 155
If the web server is also used for other purposes, you may wish to group the HTML files in their own directory, for example in “/EWA/”) HP Switch (config)# aaa port-access web-based 47 ewa-server 10.0.12.179 /EWA HP Switch( config)# aaa port-access web-based 47 ewa-server 10.0.12.180...
Page 156
Web and MAC Authentication Configuring Web Authentication HP Switch (config)# no aaa port-access web-based 47 ewa-server 10.0.12.181 HP Switch (config)# Figure 4-7. Removing a Web Server with the aaa port-access web-based ews-server Command aaa port-access web-based <port-list > logoff-period <60-9999999>...
Page 157
Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. HP recommends that you provide a redirect URL when using Web Authentication. Note: The redirect-url command accepts only the first 103 characters of the allowed 127 characters.
Web and MAC Authentication Configuring Web Authentication Show Commands for Web Authentication Command Page show port-access web-based [port-list] 4-26 show port-access web-based clients [port-list] 4-27 show port-access web-based clients <port-list> detailed 4-28 show port-access web-based config [port-list] 4-29 show port-access web-based config <port-list> detailed 4-30 show port-access web-based config [port-list] auth-server 4-31...
If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a - no info is displayed. HP Switch(config)# show port-access web-based clients Port Access Web-Based Client Status Port Client Name...
IPv6 address. n/a-no info—DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table. HP Switch (config)# show port-access web-based clients 1 detailed Port Access Web-Based Client Status Detailed Client Base Details :...
• Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS- assigned value. HP Switch (config)# show port-access web-based config Port Access Web-Based Configuration DHCP Base Address : 192.168.0.0 DHCP Subnet Mask : 255.255.255.0...
Syntax: show port-access web-based config <port-list> detailed Displays more detailed information on the currently config- ured Web Authentication settings for specified ports. HP Switch (config)# show port-access web-based config 1 detailed Port Access Web-Based Detailed Configuration Port Web-based enabled : Yes...
• Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts HP Switch (config)# show port-access web-based config auth-server Port Access Web-Based Configuration Client Client Logoff Re-Auth...
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Customizing Web Authentication HTML Files (Optional) The Web Authentication process displays a series of web pages and status messages to the user during login. The web pages that are displayed can be: ■...
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) To configure a web server on your network, follow the instructions ■ in the documentation provided with the server. ■ Before you enable custom Web Authentication pages, you should: • Determine the IP address or host name of the web server(s) that will host your custom pages.
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Customizable HTML Templates The sample HTML files described in the following sections are customizable templates. To help you create your own set HTML files, a set of the templates can be found on the download page for ‘K’ software. File Name Page 4-34...
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- HP Web Authentication Template index.html --> <html> <head> <title>User Login</title> </head> <body> <h1>User Login</h1> <p>In order to access this network, you must first log in.</p> <form action="/webauth/loginprocess" method="POST"> <table>...
Page 168
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Access Granted Page (accept.html). Figure 4-16. Access Granted Page The accept.html file is the web page used to confirm a valid client login. This web page is displayed after a valid username and password are entered and accepted.
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- HP Web Authentication Template accept.html --> <html> <head> <title>Access Granted</title> <!-- The following line is required to automatically redirect --> <meta http-equiv="refresh"content="<%GETWAUTHREDIRECTTIME%>; URL=<%GETWAUTHREDIRECTURL%>"/> </head> <body> <h1>Access Granted</h1> <!-- The ESI tag below will be replaced with the time in seconds until the page redirects.
Authenticating Page (authen.html). Figure 4-18. Authenticating Page The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified. <!-- HP Web Authentication Template authen.html --> <html> <head> <title>Authenticating</title>...
Page 171
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Invalid Credentials Page (reject_unauthvlan.html). Figure 4-20. Invalid Credentials Page The reject_unauthvlan.html file is the web page used to display login failures in which an unauthenticated client is assigned to the VLAN configured for unauthorized client sessions.
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- HP Web Authentication Template reject_unauthvlan.html --> <html> <head> <title>Invalid Credentials</title> <!-- The following line is required to automatically redirect --> <meta http-equiv="refresh"content="<%GETWAUTHREDIRECTTIME%>; URL=<%GETWAUTHREDIRECTURL%>"/> </head> <body> <h1>Invalid Credentials</h1> <p>Your credentials were not accepted. However, you have been granted gues account status.
Page 173
RADIUS server is not reachable. You can configure the time period (in seconds) that the switch waits for a response from the RADIUS server used to verify client credentials with the aaa port-access web-based server-timeout command when you enable Web Authentication. <!-- HP Web Authentication Template timeout.html --> <html> <head>...
Page 174
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Retry Login Page (retry_login.html). Figure 4-24. Retry Login Page The retry_login.html file is the web page displayed to a client that has entered an invalid username and/or password, and is given another opportunity to log The GETWAUTHRETRIESLEFT ESI displays the number of login retries that remain for a client that entered invalid login credentials.
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- HP Web Authentication Template retry_login.html --> <html> <head> <title>Invalid Credentials</title> <!-- The following line is required to automatically redirect the user back to the login page. --> <meta http-equiv="refresh" content="5;URL=/EWA/index.html">...
Page 176
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) SSL Redirect Page (sslredirect.html). Figure 4-26. SSL Redirect Page The sslredirect file is the web page displayed when a client is redirected to an SSL server to enter credentials for Web Authentication. If you have enabled SSL on the switch, you can enable secure SSL-based Web Authentication by entering the aaa port-access web-based ssl-login command when you enable Web Authentication.
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- HP Web Authentication Template sslredirect.html --> <html> <head> <title>User Login SSL Redirect</title> <meta http-equiv="refresh" content="5;URL=https://<%GETWAUTHSSLSRV%>/EWA/ index.html"> </head> <body> <h1>User Login SSL Redirect</h1> <p>In order to access this network, you must first log in.</p>...
Page 178
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Access Denied Page (reject_novlan.html). Figure 4-28. Access Denied Page The reject_novlan file is the web page displayed after a client login fails and no VLAN is configured for unauthorized clients. The GETWAUTHQUIETTIME ESI inserts the time period used to block an unauthorized client from attempting another login.
Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- HP Web Authentication Template reject_novlan.html --> <html> <head> <title>Access Denied</title> <!-- The line below is required to automatically redirect the user back to the login page. --> <meta http-equiv="refresh" content="<%GETWAUTHQUIETTIME%>;URL=/EWA/ index.html">...
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview If you have not already done so, configure a local username and password pair on the switch. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made.
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuration Commands for MAC Authentication Command Page Configuration Level aaa port-access mac-based addr-format 4-49 [no] aaa port-access mac-based password <password-value> below [no] aaa port-access mac-based [e] < port-list > 4-51 [addr-limit] 4-52 [addr-moves]...
Page 182
Web and MAC Authentication Configuring MAC Authentication on the Switch HP Switch (config)# aaa port-access mac-based password secretMAC1 HP Switch (config)# show port-access mac-based config Port Access MAC-Based Configuration MAC Address Format : no-delimiter Password : secretMAC1 Unauth Redirect Configuration URL :...
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring a MAC-based Address Format Syntax: aaa port-access mac-based addr-format <no-delimiter | single-dash | multi-dash | multi-colon | no-delimiter-uppercase | single-dash- uppercase | multi-dash-uppercase | multi-colon-uppercase> Specifies the MAC address format to be used in the RADIUS request message.
Page 184
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-256>] Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1) Note: On switches where MAC Auth and 802.1X can operate concurrently, this limit includes the total number of clients authenticated through both methods.
Page 185
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [max-requests <1-10>] Specifies the number of authentication attempts that must time-out before authentication fails. (Default: 2) Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1 - 65535>] Specifies the time period (in seconds) that the switch waits before processing an authentication request from a MAC address that failed authentication.
The string can be up to 250 ASCII characters. radius-response: Use the text message provided in the RADIUS server response to the authentication request. HP Switch (config)# aaa port-access web-based access-denied-message “Please contact your system administrator to obtain authentication privileges.”...
Page 187
Web and MAC Authentication Configuring MAC Authentication on the Switch HP Switch (config)# show port-access web-based config Port Access Web-based Configuration DHCP Base Address : 192.168.0.0 DHCP Subnet Mask : 255.255.248.0 DHCP Lease Length : 10 seconds Allow RADIUS-assigned dynamic (GVRP) VLANs[No]: Yes Access Denied Message : Custom: Please contact your system administrator to obtain authentication privileges.
Web and MAC Authentication Configuring MAC Authentication on the Switch Unauthenticated clients may be assigned to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients, the port is blocked and no network access is available.
Page 189
Web and MAC Authentication Configuring MAC Authentication on the Switch Invalid Credentials Your credentials were not accepted. Please wait 96 seconds to retry.You will be redirected automatically to the login page. Unauthorized access to this network is prohibited. Access to this network requires prior authorization from the System Administrator.
Page 190
Configuring MAC Authentication on the Switch HP Switch (config)# show running-config Running configuration: ; J8692A Configuration Editor; Created on release #K.14.00x hostname "HP Switch 3500yl-24G" web-management ssl qos dscp-map 000000 priority 0 module 1 type J86xxA module 3 type J8694A...
Configuring MAC Authentication on the Switch HP Switch (config)# show running-config Running configuration: ; J8692A Configuration Editor; Created on release #K.14.00x hostname "HP Switch 3500yl-24G" web-management ssl qos dscp-map 000000 priority 0 module 1 type J86xxA module 3 type J8694A...
Web and MAC Authentication Configuring MAC Authentication on the Switch Notes The HTTP redirect feature cannot be enabled if web authentication is enabled on any port, and conversely, if HTTP redirect is enabled, web authentication cannot be enabled on any port. The web/registration server software is not included with this feature.
Page 193
Web and MAC Authentication Configuring MAC Authentication on the Switch C a u t i o n Rogue clients can attempt to access any web pages on the web/registration server via interface ports configured for MAC authentication. The following steps are involved in HTTP registration. When the redirect feature is enabled, a client that fails MAC authentica- tion is moved into the unauthorized MAC authentication redirection state.
Web and MAC Authentication Configuring MAC Authentication on the Switch Diagram of the Registration Process RADIUS Client Switch Web Server Packet is sent RADIUS request is made Client fails authentication Client is put in unauth MAC-auth redirect Client sends DHCP request state.
HTTP request is to the registration server’s destination IP address. Show Command Output Figure 4-39 is an example of the show command that displays the HTTP redirect configuration. HP Switch (config)# show port-access mac-based config Port Access MAC-Based Configuration Configured HTTP redirect URL MAC Address Format : no-delimiter Unauth Redirect Configuration URL : http://14.29.16.192:80/myserver.html...
Unconfiguring a MAC-Auth Registration Server Each configured registration server’s URL must be removed by specifying it exactly, for example: HP Switch(config)# no aaa port-access mac-based unauth-redirect https://serverA.com:124/ registration server/reg.html Operating Notes for HTTP Redirect ■ If the configured URL contains a domain name (as opposed to an IP address) the switch’s DNS resolver must be configured:...
Web and MAC Authentication Configuring MAC Authentication on the Switch Show Commands for MAC-Based Authentication Command Page show port-access mac-based [port-list] 4-66 show port-access mac-based clients [port-list] 4-66 show port-access mac-based clients <port-list> detailed 4-67 show port-access mac-based config [port-list] 4-68 show port-access mac-based config <port-list>...
Page 198
Web and MAC Authentication Configuring MAC Authentication on the Switch HP Switch (config)# show port-access mac-based Port Access MAC-Based Status Auth Unauth Untagged Tagged Port % In RADIUS Port Clients Clients VLAN VLANs Limit ---- ------- ------- -------- ------ --------...
Page 199
IPv6 address. n/a-no info—DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table. HP Switch (config)# show port-access mac-based clients 1 detailed Port Access MAC-Based Client Status Detailed Client Base Details :...
Page 200
• Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS- assigned value. HP Switch (config)# show port-access mac-based config Port Access MAC-Based Configuration MAC Address Format : no-delimiter...
Page 201
Syntax: show port-access mac-based config <port-list> detailed Displays more detailed information on the currently config- ured MAC Authentication settings for specified ports. HP Switch (config)# show port-access mac-based config 1 detailed Port Access MAC-Based Detailed Configuration Port Web-based enabled : Yes...
Page 202
• Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts HP Switch (config)# show port-access mac-based config auth-server Port Access MAC-Based Configuration Client Client Logoff Re-Auth...
Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Possible Explanations Connection authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires.
Page 204
Web and MAC Authentication Client Status 4-72...
TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ in the switches covered in this guide manages authentication of logon attempts through either the Console port or Telnet. TACACS+ uses an authentication hierarchy consisting of (1) remote passwords assigned in a TACACS+ server and (2) local passwords configured on the switch.
Page 207
TACACS+ Authentication Terminology Used in TACACS Applications: • Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager- level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or WebAgent. (Using the menu interface you can assign a local password, but not a username.) Because this method assigns passwords to the switch instead of to individuals who access the switch, you must...
TACACS+ configurations used in your network. TACACS-aware HP switches include the capability of configuring multiple backup TACACS+ servers. HP recommends that you use a TACACS+ server application that supports a redundant backup installation. This allows you to configure the switch to use a backup TACACS+ server if it loses access to the first-choice TACACS+ server.
Page 209
TACACS+ Authentication General Authentication Setup Procedure Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Trouble- shooting chapter of the Management and Configuration Guide for your switch.
Page 210
15. For more on this topic, refer to the documentation you received with your TACACS+ server application. If you are a first-time user of the TACACS+ service, HP recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment.
Configuring TACACS+ on the Switch Before You Begin If you are new to TACACS+ authentication, HP recommends that you read the “General Authentication Setup Procedure” on page 5-4 and configure your TACACS+ server(s) before configuring authentication on the switch.
TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs aaa authentication 5-10 through 5-16 console Telnet num-attempts <1-10 > tacacs-server 5-17 host < ip-addr > 5-17 5-22 timeout < 1-255 > 5-23 Viewing the Switch’s Current Authentication Configuration...
TACACS+ Authentication Configuring TACACS+ on the Switch HP Switch(config)# show authentication Status and Counters - Authentication Information Login Attempts : 3 Respect Privilege : Disabled | Login Login Login Access Task | Primary Server Group Secondary ----------- + ---------- ------------ ----------...
The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into Operator or Manager mode, depending on your privilege level. HP Switch(config) aaa authentication login privilege-mode The no version of the above command disables TACACS+ single login capa- bility.
Page 215
TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: aaa authentication < console | telnet | ssh | web | port-access > Selects the access method for configuration. < enable> The server grants privileges at the Manager privilege level. <login [privilege-mode] > The server grants privileges at the Operator privilege level.
TACACS+ Authentication Configuring TACACS+ on the Switch Authentication Parameters Table 5-1. AAA Authentication Parameters Name Default Range Function console, Telnet, Specifies the access method used when authenticating. TACACS+ SSH, web or port- authentication only uses the console, Telnet or SSH access methods. access enable Specifies the Manager (read/write) privilege level for the access...
Page 217
TACACS+ Authentication Configuring TACACS+ on the Switch numbers 0 through 15, with zero allowing only Operator privileges (and requiring two logins) and 15 representing root privileges. The root privilege level is the only level that will allow Manager level access on the switch. Figure 5-4.
Page 218
TACACS+ Authentication Configuring TACACS+ on the Switch Figure 5-5. The Shell Section of the TACACS+ Server User Setup As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch’s console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.
Page 219
TACACS+ Authentication Configuring TACACS+ on the Switch Table 5-2. Primary/Secondary Authentication Table Access Method and Authentication Options Effect on Access Attempts Privilege Level Primary Secondary Console — Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Console —...
Page 220
Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. HP Switch(config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server. Secondary using Local. HP Switch(config)# aaa authentication console enable tacacs local Telnet Login (Operator or Read-Only) Access: Primary using TACACS+ server.
Note As described under “General Authentication Setup Procedure” on page 5-4, HP recommends that you configure, test, and troubleshoot authentication via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up authentication in either the switch or your TACACS+ server.
Page 222
TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [key < key-string > | encrypted-key <key- string>] | [oobm] Adds a TACACS+ server and optionally assigns a server- specific encryption key. If the switch is configured to access multiple TACACS+ servers having different encryp- tion keys, you can configure the switch to use different encryption keys for different TACACS+ servers.
Page 223
TACACS+ Authentication Configuring TACACS+ on the Switch If TACACS+ server “X” does not have an encryption key assigned for the switch, then configuring either a global encryption key or a server-specific key in the switch for server “X” will block authentication support from server “X”. Name Default Range...
Page 224
<key-string> entry at the beginning of this table.) You can configure a TACACS+ encryption key that includes a tilde (~) as part of the key, for example, “hp~switch”. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character For more on the encryption key, see “Using the Encryption Key”...
Page 225
"good morning Shows the key configured for a specific host. tacacs-server host 10.10.10.2 key "hp~switch" snmp-server community "public" unrestricted Figure 5-7. Example of the Running Configuration File Showing the Host-Specific Key for TACACS+ with the “~” Included Adding, Removing, or Changing the Priority of a TACACS+ Server.
Page 226
To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: HP Switch(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key. Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key.
Page 227
TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: HP Switch(config)# tacacs-server host 10.28.227.104 Note You can save the encryption key in a configuration file by entering this command: HP Switch(config)# tacacs-server key <keystring>...
TACACS+ Operation Second-Choice TACACS+ Server (Optional) Terminal “B” Remotely Accessing This Switch Via Telnet HP Switch Configured for TACACS+ Operation Third-Choice TACACS+ Server (Optional) Figure 5-10. Using a TACACS+ Server for Authentication Using figure 5-10, above, after either switch detects an operator’s logon...
TACACS+ Authentication How Authentication Operates After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs: •...
TACACS+ Authentication How Authentication Operates If the username/password pair entered at the requesting terminal does ■ not match either username/password pair previously configured locally in the switch, access is denied. In this case, the terminal is again prompted to enter a username/password pair. In the default configuration, the switch allows up to three attempts.
TACACS+ Authentication Controlling WebAgent Access When Using TACACS+ Authentication Controlling WebAgent Access When Using TACACS+ Authentication Configuring the switch for TACACS+ authentication does not affect WebAgent access. To prevent unauthorized access through the WebAgent, do one or more of the following: ■...
TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For informa- tion on such messages, refer to the documentation you received with the application.
TACACS+ Authentication Operating Notes Operating Notes ■ If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized manager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP Manager controls configured on the switch.
For accounting, this can help you track network resource usage. Authentication Services You can use RADIUS to verify user identity for the following types of primary password access to the HP switch: ■ Serial port (Console) ■...
RADIUS Authentication, Authorization, and Accounting Overview The switch also supports RADIUS accounting for Web Authentication and MAC authentication sessions. Note The switch does not support RADIUS security for SNMP (network manage- ment) access. For information on blocking access through the WebAgent, refer to “Controlling WebAgent Access”...
SNMP access to the hpSwitchAuth MIB (Management Information Base). A management station running an SNMP networked device manage- ment application such as HP PCM+ or HP OpenView can access the switch’s MIB for read access to the switch’s status and read/write access to the switch’s configuration.
EXEC Session: a service (EXEC shell) granted to the authenticated login user for doing management operations on the HP device. Host: See RADIUS Server. NAS (Network Access Server): In this case, a HP switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): a protocol for...
■ type of access. (Only one primary and one secondary access method is allowed for each access type.) In the HP switch, EAP RADIUS uses MD5 and TLS to encrypt a ■ response to a challenge from a RADIUS server.
(local or none) if the RADIUS authentication fails or does not respond. Note: The WebAgent HP Switch(config)# show authentication access task shown in this figure is available only on the switches covered in Status and Counters - Authentication Information this guide.
IP address to the switch. • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. HP recommends that you begin with the default (five seconds).
Page 243
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication • (Optional) UDP destination port for authentication requests (default: 1812; recommended) • (Optional) UDP destination port for accounting requests (default: 1813; recommended) • (Optional) encryption key for use during authentication sessions with a RADIUS server.
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication 1. Configure Authentication for the Access Methods You Want RADIUS To Protect This section describes how to configure the switch for RADIUS authentication through the following access methods: ■ Console: Either direct serial-port connection or modem connection.
Page 245
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication [none | authorized]: Provides options for secondary authentication. The none option specifies that a backup authentication method is not used. The authorized option allows access without authentication. (default: none). In certain situations, RADIUS servers can become isolated from the network.
Page 246
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication HP Switch (config)# show authentication Status and Counters - Authentication Information Login Attempts : 3 Respect Privilege : Disabled | Login Login Login Access Task | Primary Server Group Secondary...
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication HP Switch (config)# aaa authentication telnet login radius none HP Switch (config)# aaa authentication telnet enable radius none HP Switch (config)# aaa authentication ssh login radius none HP Switch...
Page 248
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication this default behavior for clients with Enable (manager) access. That is, with privilege-mode enabled, the switch immediately allows Enable (Manager) access to a client for whom the RADIUS server specifies this access level. Syntax: [no] aaa authentication login privilege-mode When enabled, the switch reads the Service-Type field in the client authentication received from a RADIUS server.
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 6-52: “Accounting Services”...
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication [dyn-authorization] Enables or disables the processing of Disconnect and Change of Authorization messages from this host. When enabled, the RADIUS server can dynamically terminate or change the authorization parameters (such as VLAN assignment) used in an active client session on the switch.
Page 251
Change the encryption key for the server at 10.33.18.127 to “source0127”. Add a RADIUS server with an IP address of 10.33.18.119 and a server- specific encryption key of “source0119”. HP Switch (config)# radius-server host 10.22.18.127 key source0127 HP Switch (config)# radius-server host 10.22.18.119 key source0119...
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication HP Switch (config)# radius-server host 10.33.18.127 key source0127 HP Switch (config)# radius-server host 10.33.18.119 key source0119 Changes HP Switch (config)# show radius the key for the existing server to Status and Counters - General RADIUS Information “source012...
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Retransmit attempts: If the first attempt to contact a RADIUS ■ server fails, specifies how many retries you want the switch to attempt on that server. Change of Authorization port: The dyn-autz-port parameter ■...
Page 254
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication radius-server timeout < 1 - 15 > Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure. (Default: 3 seconds; Range: 1 - 15 seconds) radius-server retransmit <...
Page 255
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Allow three seconds for request timeouts. ■ Allow two retries following a request that did not receive a response. ■ Switch(config)# aaa authentication num-attempts 2 Switch(config)# radius-server key My-Global-KEY-1099 Switch(config)# radius-server dead-time 5 Switch(config)# radius-server timeout 3 Switch(config)# radius-server retransmit 2...
Page 256
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication HP Switch (config)# show authentication Status and Counters - Authentication Information After two attempts failing due to Login Attempts : 2 username or password entry Respect Privilege : Disabled errors, the switch will terminate the session.
RADIUS server must be configured before it can be added to a group. See “Configuring the Switch for RADIUS Authentication” on page 6-7 for more information about configuring RADIUS servers. HP Switch (config)# radius-server host 10.33.18.151 acct-port 1750 key source0151...
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa server-group radius <group-name> host <ip-addr> no aaa server-group radius <group-name> host <ip-addr> Associates a RADIUS server with a server group. Each group can contain up to 3 RADIUS servers. The default group (called ‘radius’) can only contain the first three RADIUS servers.
Page 259
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication [ local | none | authorized ]: Provides options for secondary authentication (default: none). Note that for console access, secondary authentication must be local if primary access is not local. This prevents you from being locked out of the switch in the event of a failure in other access methods.
Displaying the RADIUS Server Group Information The show server-group radius command displays the same information as the show radius command, but displays the servers in their server groups. HP Switch (config)# show server-group radius Status and Counters - AAA Server Groups...
Page 261
RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication HP Switch (config)# show authentication Status and Counters - Authentication Information Login Attempts : 3 Respect Privilege : Disabled | Login Login Login Access Task | Primary Server Group Secondary...
RADIUS Authentication, Authorization, and Accounting Cached Reauthentication Cached Reauthentication Cached reauthentication allows 802.1X, web, or MAC reauthentications to succeed when the RADIUS server is unavailable. Users already authenticated retain their currently-assigned RADIUS attributes. Uninterrupted service is provided for authenticated users with RADIUS-assigned VLANS if the RADIUS server becomes temporarily unavailable during periodic reauthentications.
Configures the period of time (in seconds) during which cached reauthentication is allowed on the port. Default: No limit is set. HP Switch (config)# aaa port-access web-based 6-8 cached-reauth-period 86400 The cached-reauth-period is set to 86400 seconds (1440 minutes, or 24 hours).
Page 264
RADIUS Authentication, Authorization, and Accounting Cached Reauthentication authentication have been changed from their default values. The period of time represented by X is how long 802.1X or Web MAC authentication will wait for a RADIUS response. For example: A cached-reauth-period is set to 900 seconds (15 minutes) and the reauth period is 180 seconds.
Page 265
RADIUS Authentication, Authorization, and Accounting Cached Reauthentication The time between step 8 and step 9 is X seconds. The total time is 180 + X + 900 + 180 + X, which equals 900 +2(180+X) seconds. Note The period of 1 to 30 seconds, represented by X, is not a firm time period; the time can vary depending on other 802.1X and Web/MAC auth parameters.
If you choose to leave SNMP access to the security MIB open (the default setting), HP recommends that you configure the switch with the SNMP version 3 management and access security feature, and disable SNMP version 2c access.
RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features Changing and Viewing the SNMP Access Configuration Syntax: snmp-server mib hpswitchauthmib < excluded | included > included: Enables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB. excluded: Disables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB.
Page 268
RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features HP Switch (config)# snmp-server mib hpswitchauthmib excluded HP Switch (config)# show snmp-server Indicates that SNMP security MIB access is disabled, which is the SNMP Communities nondefault setting.
Page 269
Using SNMP To View and Configure Switch Authentication Features An alternate method of determining the current Authentication MIB access state is to use the show run command. HP Switch(config)# show run Running configuration: ; J9091A Configuration Editor; Created on release #K.15.01.000x hostname "HP Switch"...
RADIUS Authentication, Authorization, and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: Local is the authentication option for the access method being used. ■...
RADIUS Authentication, Authorization, and Accounting Controlling WebAgent Access Controlling WebAgent Access To help prevent unauthorized access through the WebAgent, do one or more of the following: Configure the switch to support RADIUS authentication for ■ WebAgent access (Web Authentication, Chapter 7). Options for the switches covered in this guide: ■...
RADIUS Authentication, Authorization, and Accounting Commands Authorization Commands Authorization The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information (from the user’s profile) to the Network Access Server (NAS). After user authentication has occurred, the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user’s session.
The NAS does not request authorization information. For example, to enable the RADIUS protocol as the authorization method: HP Switch (config)# aaa authorization commands radius When the NAS sends the RADIUS server a valid username and password, the RADIUS server sends an Access-Accept packet that contains two attributes —the command list and the command exception flag.
Configuring Commands Authorization on a RADIUS Server Using Vendor Specific Attributes (VSAs) Some RADIUS-based features implemented on HP switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access-Accept pack- ets sent to the switch may contain the vendor-specific information.
Page 275
The ^ metacharacter defines the start of the string and the $ character defines the end of the string. Do not leave a space between the semi-colon and the start of the next regular expression. So the HP-Command-String with more than one regular expression defined may look as follows: HP-Command-String = “^configure$;^show running-config$”.
Page 276
(those that are available by default to any user). You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.
The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps. Create a dictionary file (for example, hp.ini) containing the HP VSA definitions, as shown in the example below. ;[User Defined Vendor] ;...
Page 278
Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils> csutil -addudv 0 hp.ini The zero (0) is the slot number.
Page 279
4 (100 in the example). Restart all Cisco services. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry. In the Authenticate Using field choose RADIUS(HP) as an option for the type of security control protocol.
Find the location of the dictionary files used by FreeRADIUS (try /usr/ local/share/freeradius). Copy dictionary.hp to that location. Open the existing dictionary file and add this entry: $ INCLUDE dictionary.hp You can now use HP VSAs with other attributes when configuring user entries. 6-46...
RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session VLAN Assignment in an Authentication Session A switch supports concurrent 802.1X and either Web- or MAC-authentication sessions on a port (with up to 32 clients allowed). If you have configured RADIUS as the primary authentication method for a type of access, when a client authenticates on a port, the RADIUS server assigns an untagged VLAN that is statically configured on the switch for use in the authentication session.
■ MS-RAS-Vendor (RFC 2548): Allows HP switches to inform a Micro- soft RADIUS server that the switches are from HP Networking. This feature assists the RADIUS server in its network configuration. ■ HP-capability-advert: An HP proprietary RADIUS attribute that allows a switch to advertise its current capabilities to the RADIUS server for port-based (MAC, Web, or 802.1X) authentication;...
Page 283
6-16 and 6-17. See “3. Configure the Switch To Access a RADIUS Server” on page 6-15 for configuration commands for dynamic authoriza- tion. HP Switch (config)# show radius dyn-authorization Status and Counters - RADIUS Dynamic Authorization Information NAS Identifier : LAB-8212...
Page 284
RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session HP Switch(config)# show radius host 154.23.45.111 dyn-authorization Status and Counters - RADIUS Dynamic Authorization Information Authorization Client IP Address : 154.23.45.111 Unknown PKT Types Received : 0 Disc-Reqs CoA-Reqs...
RADIUS Authentication, Authorization, and Accounting MAC-Based VLANs MAC-Based VLANs MAC-Based VLANs (MBVs), available on the 5400 and 8200 version 2 interface modules, allow multiple clients on a single switch port to receive different untagged VLAN assignments. VLAN assignment of untagged traffic is based on the source MAC address rather than the port.
RADIUS Authentication, Authorization, and Accounting Accounting Services requests from the switch, a second or third server will not be accessed. (For more on this topic, refer to “Changing RADIUS-Server Access Order” on page 6-72.) If access to a RADIUS server fails during a session, but after the client ■...
Page 289
This incrementing of the NAS-Port-Type = Virtual session ID is normal operation Calling-Station-Id = "172.22.17.101" for command accounting in the HP-Command-String = "show ip" (default) Unique mode. Acct-Delay-Time = 0 Acct-Session-Id = "00330000000A" User “fred” executes the logout Acct-Status-Type = Stop command.
NAS-Port-Type = Virtual ID assigned when the session Calling-Station-Id = "172.22.17.101" was opened. No incrementing HP-Command-String = "show ip" of the session ID is done for Acct-Delay-Time = 0 individual commands. Acct-Session-Id = "00330000000B"...
RADIUS Authentication, Authorization, and Accounting Accounting Services • Provide the following: – A RADIUS server IP address. – Optional—a UDP destination port for authentication requests. Otherwise the switch assigns the default UDP port (1812; recom- mended). – Optional—if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are desig- nating, configure a server-specific key.
Page 293
RADIUS Authentication, Authorization, and Accounting Accounting Services yet configured the switch to use a RADIUS server, your server data has changed, or you need to specify a non-default UDP destination port for accounting requests. Note that switch operation expects a RADIUS server to accommodate both authentication and accounting.
RADIUS is already configured as an authentication method for one or more types of access to the switch (Telnet, Console, etc.). HP Switch (config)# radius-server host 10.33.18.151 acct-port 1750 key source0151...
For more on these options, refer to “Acct-Session-ID Options in a Management Session” on page 6-54. HP Switch(config)# aaa accounting session-id common HP Switch(config)# show accounting Status and Counters - Accounting Information Interval(min) : 0...
Page 296
RADIUS Authentication, Authorization, and Accounting Accounting Services Network: Use network if you want to collect accounting information ■ on 802.1X port-based-access to the network by users connected to the physical ports on the switch. (See also “Accounting Service Types” on page 6-61.) For information on this feature, refer to the chapter titled “Configuring Switch Ports as 802.1X Authenticators”...
Page 297
RADIUS Authentication, Authorization, and Accounting Accounting Services Note Configuring interim-update for Command accounting results in all commands being reported as “update” records, regardless of whether common or unique is configured for the accounting session ID (page 6-60). Syntax: [no] aaa accounting < exec | network | system > < start-stop | stop-only > radius [no] aaa accounting command <...
Page 298
RADIUS Authentication, Authorization, and Accounting Accounting Services HP Switch(config)# aaa accounting exec start-stop radius HP Switch(config)# aaa accounting system stop-only radius HP Switch(config)# aaa accounting commands interim-update radius HP Switch(config)# show accounting Status and Counters - Accounting Information Interval(min) : 0...
Page 299
Service-Type = NAS-Prompt-User Acct-Authentic = Local NAS-IP-Address = 10.1.242.15 NAS-Identifier = "gsf_dosx_15" NAS-Port-Type = Virtual Calling-Station-Id = "0.0.0.0" HP-Command-String = "reload" Acct-Delay-Time = 0 Acct-Session-Id = "003600000001" Record of System Accounting Off Acct-Status-Type = Accounting-Off When Switch Reboots NAS-IP-Address = 10.1.242.15 NAS-Identifier = "gsf_dosx_15"...
Send updates every 10 minutes on in-progress accounting sessions. ■ ■ Block accounting for unknown users (no username). HP Switch(config)# aaa accounting update periodic 10 HP Switch(config)# aaa accounting suppress null-username HP Switch(config)# show accounting Status and Counters - Accounting Information...
RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which. requires prior use of the radius-server host command. (See “Accounting Services” on page 6-52.) HP Switch # show radius Status and Counters - General RADIUS Information Deadtime(min) : 5...
Page 302
RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics HP Switch(config)# show radius host 192.33.12.65 Status and Counters - RADIUS Server Information Server IP Addr : 192.33.12.65 Authentication UDP Port : 1812 Accounting UDP Port : 1813 Round Trip Time Round Trip Time...
RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Term Definition Access Requests The number of RADIUS Access-Requests the switch has sent since it was last rebooted. (Does not include retransmissions.) Accounting Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions.
Page 304
| Radius None Figure 6-27. Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command HP Switch(config)# show radius authentication Status and Counters - RADIUS Authentication Information NAS Identifier : HP_switch Invalid Server Addresses : 0 Server IP Addr...
Lists accounting statistics for the RADIUS server(s) config- ured in the switch (using the radius-server host command). show accounting sessions Lists the accounting sessions currently active on the switch. HP Switch(config)# show accounting Status and Counters - Accounting Information Interval(min) : 5 Suppress Empty User : No...
RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order HP Switch(config)# show radius accounting Status and Counters - RADIUS Accounting Information NAS Identifier : HP_switch Invalid Server Addresses : 0 Server IP Addr Port Timeouts Requests Responses --------------- ----- ---------- ---------- ---------- 192.33.12.65...
Page 307
RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order HP Switch# show radius Status and Counters - General RADIUS Information RADIUS server IP addresses listed in the order Deadtime(min) : 0 in which the switch will try to access them. In this Timeout(secs) : 5 case, the server at IP address 10.10.10.1 is first.
Page 308
RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order HP Switch(config)# no radius host 10.10.10.1 Removes the “3” and “1” addresses from the HP Switch(config)# radius host 10.10.10.3 RADIUS server list. HP Switch(config)# radius host 10.10.10.1 HP Switch# show radius Status and Counters - General RADIUS Information Inserts the “3”...
RADIUS Authentication, Authorization, and Accounting Creating Local Privilege Levels Creating Local Privilege Levels This feature allows more granular localized control over user access when accessing the switch through the console or by telnet or SSH. Instead of allowing access to all commands with the “manager” command, or very restricted access with the “operator”...
RADIUS Authentication, Authorization, and Accounting Creating Local Privilege Levels Configuring Groups for Local Authorization You must create a group for local authorization before you can assign local users to it. When creating the group, at least one command is created as part of that group.
HP Switch(config)# aaa authorization group Redgroup 100 match-command configure permit HP Switch(config)# aaa authorization group Redgroup 200 match-command “vlan *” permit Figure 6-35. Example of Configuring Authorized Commands for a Group in the Correct Order Some commands cause the switch CLI to enter a special context, such as test mode, and the input is not processed by the normal CLI.
Page 312
If a user is assigned to a command group and the group is subsequently deleted, the user will have operator privileges. HP Switch(config)# aaa authentication local-user User1 group Redgroup password plaintext New password for User1: *******...
Displays information about users and command authorization for command groups. Specifying the group parameter without any group names displays information for all configured groups. HP Switch(config)# show authorization group Local Management Groups - Authorization Information Group Name: Redgroup Username ----------------...
This enhancement allows a common port policy to be configured on all access ports by creating new RADIUS HP vendor-specific attributes (VSAs) that will dynamically override the authentication limits. The changes are always applied to the port on the authenticator switch associated with the supplicant being authenti- cated.
Page 315
VSA. A port-based VSA is set with a value of 1; a user-based VSA is set with a value of 2. This is an HP proprietary VSA with a value of 13.
If the command no aaa port-access authentication <port-list> client-limit is exe- cuted, the port access is in port-mode. If the 802.1X client-limit is configured with a value from 1-32, the port access is in user-mode. HP Switch (config)# show port-access summary Port Access Status Summary...
To display the configuration information for just those ports that are dynam- ically overridden by RADIUS attributes, use the show port-access summary radius-overridden command. HP Switch(config)# show port-access summary radius-overridden Port Access Status Summary Port-access authenticator activated [No} : No...
RADIUS Authentication, Authorization, and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning A designated RADIUS server is not responding to an Can’t reach RADIUS server < x.x.x.x >. authentication request. Try pinging the server to determine whether it is accessible to the switch.
— IPv4-only or IPv4 and IPv6) HP recommends using the Standard RADIUS attribute if available. Where both a standard attribute and a VSA are available, the VSA is maintained for backwards compatibility with configurations based on earlier software releases.
Management Applications For information on support for the above services in the PCM+ application using the HP PMC Identity Driven Management (IDM) plug-in, refer to the documentation for these applications on the HP web site at www.hp.com. All of the RADIUS-based services described in this chapter can be used without...
Inbound to the Switch Vendor-Specific Attribute used in the RADIUS server. Assigns a RADIUS- (This attribute is maintained for legacy configurations.) configured 802.1p HP vendor-specific ID:11 priority to the inbound VSA: 40 packets received from a specific client authenticated on a Setting: User-Priority-Table = xxxxxxxx where: switch port.
Page 322
Rate-Limiting Per- HP vendor-specific ID:11 User VSA: 46 Assigns a RADIUS- Setting: HP-Bandwidth-Max-Egress = < bandwidth-in-Kbps > configured bandwidth Note: RADIUS-assigned rate-limit bandwidths must be specified in limit to the inbound Kbps. (Bandwidth percentage settings are not supported.) Using a...
Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting Applied Rates for RADIUS-Assigned Rate Limits On the switches covered by this guide, rate limits are applied incrementally, as determined by the RADIUS-applied rate. For any given bandwidth assign- ment, the switch applies the nearest rate increment that does not exceed the assigned value.
Page 324
RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting Per- Port HP recommends that rate-limiting be configured either solely through B a n d w i d t h RADIUS assignments or solely through static CLI configuration on the switch unless the potential for the override described below is specifically desired.
Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting Viewing the Currently Active Per-Port CoS and Rate- Limiting Configuration Specified by a RADIUS Server While a RADIUS-assigned client session is active on a given port, any RADIUS- imposed values for the settings listed in table 7-5 are applied as shown: Table 7-5.
Page 326
Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting web-based [ port-list ] clients detail displays, for a Web authen- ticated client (Web-Auth), the status of RADIUS-assignment details for that client.. (Refer to “Show Commands for Web Authentication”...
Page 327
10,000 kbs 50,000 kbs* “X” authenticates *Combined rate-limit output for all clients active on the port. HP Switch(eth-10)# show port-access web-based clients 4 detail Indicates there is an authenticated client session running on port 10. Port Access Web-Based Client Status Detailed...
Page 328
They also include indications of RADIUS-assigned rate-limiting and client traffic priority settings for any clients that may be authenticated on the same ports. HP Switch # show rate-limit all 1-5 All-Traffic Rate Limit Maximum % | Inbound...
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Introduction A RADIUS-assigned ACL is configured on a RADIUS server and dynamically assigned by the server to filter IP traffic from a specific client after the client is authenticated by the server.
Page 330
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists • RACL (IPv4 ACLs only): an ACL assigned to filter routed IPv4 traffic entering or leaving the switch on a VLAN. (Separate assignments are required for inbound and outbound traffic.) •...
Page 331
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists NAS (Network Attached Server): In this context, refers to a HP switch configured for RADIUS operation. Outbound Traffic: For defining the points where the switch applies an ACL to filter traffic, outbound traffic is routed IPv4 traffic leaving the switch through a VLAN interface (or a subnet in a multinetted VLAN).
Page 332
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists VLAN ACL (VACL): An ACL applied to traffic entering the switch on a given VLAN interface. See also “Access Control List”. VSA (Vendor-Specific-Attribute): A value used in a RADIUS-based config- uration to uniquely identify a networking feature that can be applied to a port on a given vendor’s switch during an authenticated client session.
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Overview of RADIUS-Assigned, Dynamic ACLs RADIUS-assigned ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources and to the switch management interface. This includes preventing clients from using TCP or UDP applications, ICMP packet types, and IGMP (IPv4 only) if you do not want their access privileges to include these capabilities.
Page 334
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists switch to filter IP traffic coming from outside the network, thus removing unwanted IP traffic as soon as possible and helping to improve system performance. Also, applying RADIUS-assigned ACLs to the network edge is likely to be less complex than configuring static port and VLAN-based ACLs in the network core to filter unwanted IP traffic that could have been filtered at the edge.
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Contrasting RADIUS-Assigned and Static ACLs Table 7-1 highlights several key differences between the static ACLs configu- rable on switch VLANs and ports, and the dynamic ACLs that can be assigned by a RADIUS server to filter IP traffic from individual clients.
Page 336
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists RADIUS-Assigned ACLs Static Port and VLAN ACLs A given RADIUS-assigned ACL operates on a port to filter An RACL applied to inbound traffic on a VLAN filters routed only the IP traffic entering the switch from the authenticated IPv4 traffic entering the switch through a port on that VLAN, client corresponding to that ACL, and does not filter IP traffic...
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists How a RADIUS Server Applies a RADIUS-Assigned ACL to a Client on a Switch Port A RADIUS-assigned ACL configured on a RADIUS server is identified and invoked by the unique credentials (username/password pair or a client MAC address) of the specific client the ACL is intended to service.
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists actual IP traffic inbound from any client on the switch carries a source MAC address unique to that client. The RADIUS-assigned ACL uses this MAC address to identify the traffic to be filtered.) Effect of Multiple ACL Application Types on an Interface.
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists The Packet-filtering Process Packet-Filtering in an applied ACL is sequential, from the first ACE in the ACL to the implicit “deny any any” following the last explicit ACE. This operation is the same regardless of whether the ACL is applied dynamically from a RADIUS server or statically in the switch configuration.
Page 340
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Effect of Other, Statically Configured ACLs: Suppose that port ■ B1 belongs to VLAN “Y” and has a RADIUS-assigned ACL to filter inbound traffic from an authenticated client. Port B1 is also config- ured with IPv4 and IPv6 static port ACLs, and VLAN “Y”...
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Configuring an ACL in a RADIUS Server This section provides general guidelines for configuring a RADIUS server to specify RADIUS-assigned ACLs. Also included is an example configuration for a FreeRADIUS server application.
(Using this option causes the ACL to drop any IPv6 traffic received from the authenticated client.) Setting: HP-Nas-Rules-IPv6 = < 1 | 2 > Nas-filter-Rule “< permit or deny ACE >” Note: When the configured integer option is “1”, the any keyword used as a destination applies to both IPv4 and IPv6 destinations for the selected traffic type (such as Telnet).
Page 343
Switch for new or updated configurations (and any configurations supporting IPv6 traffic filtering) HP Assigns a RADIUS- recommends using the Standard Attribute (92) described earlier in this table instead of the HP- configured IPv4 ACL Nas-filter-Rule attribute described here. to filter inbound IPv4...
: Standard attribute for filtering inbound IPv4 traffic from an authenticated Nas-filter-Rule = client. When used without the HP VSA option (below) for filtering inbound IPv6 traffic from the client, drops the IPv6 traffic. Refer also to table 7-7, “Nas-Filter-Rule Attribute Options”...
Page 345
Nas-filter-Rule+=”permit in ip from any to 10.10.10.1/24” Nas-filter-Rule+=”deny in ip from any to any” – the HP-Nas-Filter-Rule VSA is used instead of either of the above options. For example, all of the following destinations are for IPv4 traffic: HP-Nas-filter-Rule=”permit in tcp from any to any 23”...
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists host < ipv6-addr >: Specifies a single destination IPv6 address. Note: Filtering IPv6 traffic requires the Standard Attribute (Nas-Filter-Rule) with the HP-Nas-Rules-IPv6 VSA set to 1. (Refer to table 7-7 on page 7-24.) <...
Page 347
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists client 10.10.10.125 Note: The key configured in the switch and the secret configured in the RADIUS server nastype = other supporting the switch must be identical. Refer secret = 1234 to the chapter titled “RADIUS Authentication and Accounting”...
Figure 7-5. Example of Configuring the FreeRADIUS Server To Support ACLs for the Indicated Clients Example Using HP VSA 63 To Assign IPv6 and/or IPv4 ACLs The ACL VSA HP-Nas-Rules-IPv6=1 is used in conjunction with the standard attribute (Nas-Filter-Rule) for ACL assignments filtering both IPv6 and IPv4 traffic inbound from an authenticated client.
Page 349
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Enter the switch IPv4 address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key (“secret”) is “1234”, you would enter the following in the server’s clients.conf file: client 10.10.18.12 Note: The key configured in the switch and the...
Page 350
Client’s Username (802.1X or Web Authentication) Client’s Password (802.1X or Web Authentication) Admin01 Auth-Type:= Local, User-Password == myAuth9 HP-Nas-Rules-IPv6 = 1, IPv6 VSA for the standard attribute-92. Nas-filter-rule = “permit in tcp from any to FE80::a40 80”, Nas-filter-rule += “deny in tcp from any to ::/0 80”, Nas-filter-rule += “permit in tcp from any to 10.10.10.117 80”,...
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Example Using HP VSA 61 To Assign IPv4 ACLs Software release K.14.01 continues to support the HP VSA 61 vendor-specific method of earlier releases for enabling RADIUS-based IPv4 ACL assignments on the switch. The recommended use of this option is to support legacy ACL configurations that rely on VSA 61.
Page 352
Client’s Password (802.1X or Web Authentication) User-10 Auth-Type:= Local, User-Password == auth7X HP-Nas-Rules-IPv6 = 1, HP-Nas-filter-Rule = “permit in tcp from any to 10.10.10.117 80”, HP-Nas-filter-Rule += “deny in tcp from any to any 80”, HP-Nas-filter-Rule += “deny in tcp from any to any 23”, HP-Nas-filter-Rule += “permit in ip from any to any”...
HP-Nas-Rules-IPv6 = 1 exist elsewhere in the ACL. Refer to table 7-7 on page 7-24 for more on HP-Nas-Rules-IPv6. ■ HP-Nas-Filter-Rule += permit in ip from any to any ■ Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6 = 2 Explicitly Denying Inbound Traffic From an Authenticated Client.
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Configuring the Switch To Support RADIUS-Assigned ACLs An ACL configured in a RADIUS server is identified by the authentication credentials of the client or group of clients the ACL is designed to support. When a client authenticates with credentials associated with a particular ACL, the switch applies that ACL to the switch port the client is using.
Page 355
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists 802.1X Option: Syntax: aaa port-access authenticator < port-list > aaa authentication port-access chap-radius aaa port-access authenticator active These commands configure 802.1X port-based access control on the switch, and activates this feature on the specified ports.
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Displaying the Current RADIUS-Assigned ACL Activity on the Switch These commands output data indicating the current ACL activity imposed per- port by RADIUS server responses to client authentication. Syntax: show access-list radius <...
Page 357
Indicates that IPv6 traffic filtering is not enabled for the ACL assigned to the authenticated client. IPv6 ACLs enabled (HP-Nas-Rules-Ipv6): FALSE deny in tcp from any to 10.30.248.184 23 cnt Lists “deny” ACE for Inbound Telnet (23 = TCP port...
Page 358
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Access Policy Details: COS Map: Indicates the 802.1p priority assigned by the RADIUS server for traffic inbound on the port from an authenticated client. The field shows an eight-digit value where all digits show the same, assigned 802.1p number.
Page 359
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists HP Switch (config)# show port-access web-based clients 10 detailed Port Access Web-Based Client Status Detailed Client Base Details : Port Session Status : authenticated Session Time(sec) : 5...
Page 360
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Table 7-8. ICMP Type Numbers and Keywords IPv4 ICMP IPv6 ICMP Keyword Keyword echo reply destination unreachable destination unreachable packet too big source quench time exceeded redirect parameter problem echo request...
7-7 on page 7-24 for more on this attribute. Monitoring Shared Resources Currently active, RADIUS-based authentication sessions (including HP PMC IDM client sessions) using RADIUS-assigned ACLs share internal switch resources with several other features. The switch provides ample resources for all features.
Page 362
Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists 7-44...
Configuring Secure Shell (SSH) Overview Feature Default Menu WebAgent Generating a public/private key pair on the switch page 8-9 Using the switch’s public key page 8-13 Enabling SSH Disabled page 8-15 Enabling client public-key authentication Disabled pages 8-21, 8-25 Enabling user authentication Disabled page 8-20 The switches covered in this guide use Secure Shell version 2 (SSHv2) to...
Page 364
– None Figure 8-1. Client Public Key Authentication Model Note SSH in HP switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit www.openssh.com . Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication shown in figure 8-1.
Configuring Secure Shell (SSH) Terminology Terminology ■ SSH Server: An HP switch with SSH enabled. Key Pair: A pair of keys generated by the switch or an SSH client ■ application. Each pair includes a public key, that can be read by anyone and a private key held internally in the switch or by a client.
Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 8-1), then the client program must have the capability to generate or import keys.
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 8-1.
Page 368
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation Assign a login (Operator) and enable (Manager) password on the switch (page 8-9). Generate a public/private key pair on the switch (page 8-9). You need to do this only once.
Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can store 100 client key pairs. The switch’s own public/private key pair and the (optional) client ■...
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 8-17 show crypto client-public-key [<manager | operator>] 8-29 [keylist-str] [< babble | fingerprint>] show crypto host-public-key [< babble | fingerprint >] 8-14 show authentication 8-24...
1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
Page 372
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH clients which should have access to the switch. Some SSH client appli- cations automatically add the switch’s public key to a "known hosts" file. Other SSH applications require you to manually create a known hosts file and place the switch’s public key in the file.
Page 373
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation cert Install RSA key for https certificate. See “Configuring the Switch for SSL Operation” on page 9-6 in this guide for more information. ssh [dsa | rsa] Install host key for ssh server. Specify the key type as DSA or RSA.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation HP Switch(config)# crypto key generate ssh rsa Host Public Installing new key pair. If the key/entropy cache is Key for the depleted, this could take up to a minute. Switch...
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 3. Providing the Switch’s Public Key to Clients When an SSH client contacts the switch for the first time, the client will challenge the connection unless you have already copied the key into the client’s "known host"...
Page 376
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Modulus <n>...
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation The two commands shown in figure 8-9 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host” file. The switch has only one RSA host key.
Page 378
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When an SSH client connects to the switch for the first time, it is possible for a “man-in-the-middle” attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords controlling access to the switch.
Page 379
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher <cipher-type>] Specify a cipher type to use for connection. Valid types are: • aes128-cbc • 3des-cbc • aes192-cbc •...
Page 380
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [mac <mac-type>] Allows configuration of the set of MACs that can be selected. Valid types are: • hmac-md5 • hmac-sha1 • hmac-sha1-96 • hmac-md5-96 Default: All MAC types are available. Use the no form of the command to disable a MAC type.
Page 381
Configuring the Switch for SSH Operation N o t e o n P o r t HP Networking recommends using the default TCP port number (22). How- Num b er ever, you can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes.
Client Public-Key Authentication” on page 8-25 Note HP Networking recommends that you always assign a Manager-Level (enable) password to the switch. Without this level of protection, any user with Telnet, web, or serial port access to the switch can change the switch’s configuration.
Page 383
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option B: Configuring the Switch for Client Public-Key SSH Authentication. If configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public-key for the switch to authenticate.
Page 384
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none > Configures a password method for the primary and second- ary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none.
Page 385
Please retype new password for Manager: ******** keys in the public HP Switch(config)# aaa authentication ssh login public-key none key file. HP Switch(config)# aaa authentication ssh enable tacacs local HP Switch(config)# coy tftp pub-key-file 10.33.18.117...
None example, the file | Tacacs Local contains two client public-keys. Client Key Index Number HP Switch(config)# show crypto client-public-key 0,”Maden name [1024-bit rsa, Local_cryto @ Local crypto, Thu Nov 07 2009 21:25:42]” ssh-rsa AAAAB3NzaClyc2EAAAADAQABAAAAgQcz9oNfqxMHUFEC6frSu1Sa4Uh1EFznFhQqmgP2 9HXYp6NR/1QOumACtrFU+QD11Etm/XvZH/ KIxTdEc5exFZXKIxTdEc5exFXS10tcRaFYxI9UjK80dBMavBGKBLvVebCVwlqdAqbkaEX3d/ WaPS2xArLCFHsTZhnCvqTZDOGAB1frlcw==1,”[768-bit rsa, Local_crypto@Localcrypto, Mon Dec 16 2009 23:01:51]”ssh-rsaAAAAb3NzaClyc2EAAAADQABAAAAYQD0tmzA32JBgeu...
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Configuring the Switch for SSH Authentication” on page 8-20 lists the steps for configuring SSH authentication on the switch. However, if you are new to SSH or need more details on client public-key authentication, this section may be helpful.
Page 388
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. If there is a match, the switch: Generates a random sequence of bytes.
Page 389
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Public Key Comment Comment ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCKzbhu89Lp5vmpuDwHmynUDnaBPPDtL9J8zcr4BLXi k8G7VoMGghxJisLewYjFFUVVSOha8XCCGh4aVCur/HllP1enMGMGl/fu42oYDobmfgf/kJCK6U527rEU gc+1VjxebjRGA5j0Bs8R2xo2k5ty6ZciMnDoEBeRcuoxd58dwzy7kU5hjQHSkubgwBBHYv7vmLtY0dPz RHIRSoEezm5jFDhtF2EuubuB9adA43hggmKqciZZ8EfiOmKE9QwQCWLw2vUnXLhfFhxYwo7CoTir4yJA 1ITSYFTrDd0G/pD67VfToz9DeHO163Yl9ukQQNXGES0LRK+8I1SZO33smith@support.cairns.com Figure 8-13. Example of a Client Public Key Notes Comments in public key files, such as smith@support.cairns.com in figure 8-13, may appear in a SSH client application’s generated public key.
Page 390
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Copy the client’s public key into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft® Windows® software. If you want several clients to use client public-key authentica- tion, copy a public key for each of these clients (up to ten) into the file.
Page 391
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication For switches that have a separate out-of-band manage- ment port, the oobm parameter specifies that the traffic will go through the out-of-band management interface. If this parameter is not specified, the traffic goes through the data interface.
Page 392
For example, if you wanted to copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents: HP Switch(config)# copy tftp pub—key—file 10.33.252.195 C1ientkeys.txt HP Switch(confiq)# show crypto client—public—key 0,"Maden name [l024—bit rsa, Jamie_wi1son@Jamiewi1son, Thu Nov 07 2002 21:25:41 2]"...
Operator password. SSH Client and Secure Sessions SSH Client provides a method for establishing a secure session from one HP switch to another. In addition to providing secure sessions, SFTP is enhanced to allow bidirectional secure copying of files between a switch and an SFTP server, initiated from the switch with the copy command.
Syntax: ssh [user <username | username@>] <hostname | IPv4 | IPv6> [port <1-65535>] Enables an SSH client to open a secure session to an HP switch. Opening secure sessions to devices other than HP switches is not supported.
Configuring Secure Shell (SSH) SSH Client and Secure Sessions During “public-key” authentication, the client must use its private key to ■ authenticate itself to the server. There can be only one key pair on the switch for the manager. ■ The private key should be passphrase protected for highest security;...
Configuring Secure Shell (SSH) SSH Client and Secure Sessions IPv4: Specifies the SFTP or TFTP server’s IPv4 address. IPv6: Specifies the SFTP or TFTP server’s IPv6 address. <private-key-filename>: The remote filename containing the key. [port <tcp-port-num>]: TCP port of the SSH server on the remote system.
Configuring Secure Shell (SSH) SSH Client and Secure Sessions IPv4: Specifies the TFTP server’s IPv4 address. IPv6: Specifies the TFTP server’s IPv6 address. <filename>: The remote filename containing the key. [append]: Append hosts to the existing ssh-client-known- hosts file. Default: Replace the existing known hosts file. Copying the SSH Client Known Hosts File to Another Location The SSH client known hosts file can be copied to a location on a remote device...
Configuring Secure Shell (SSH) SSH Client and Secure Sessions Copying the Host Public Key The following copy commands can be used to manage public keys in a known hosts file. The public key can only be coped from the switch to a server or other media, not to another switch.
Configuring Secure Shell (SSH) SSH Client and Secure Sessions Removing the SSH Client Known Hosts File To remove the SSH client known hosts file, use this command. Syntax: crypto key zeroize ssh-client-known-hosts Deletes the SSH client known hosts file. You will be prompted with a message: Warning: The SSH client known hosts file will be deleted, continue [y/n] ?
Page 400
Configuring Secure Shell (SSH) SSH Client and Secure Sessions HP Switch (config)# show session-list Session Information Source IP Selection: Outgoing Interface ------------------------------------------------------------- Session Privilege: Superuser From : Console ------------------------------------------------------------- Session Privilege: Manager From : 172.22.16.3 : 10.1.248.198 ------------------------------------------------------------- Session : **...
Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning File transfer did not occur. Indicates an error in 00000K Peer unreachable. communicating with the tftp server or not finding the file to download. Causes include such factors as: •...
Note: Only up to 39 characters of the key comment are included in the event log message. Debug Logging To add ssh messages to the debug log output, enter this command: HP Switch# debug ssh LOGLEVEL where LOGLEVEL is one of the following (in order of increasing verbosity): • fatal •...
SSL/TLS operation. Note HP Switches use SSL and TLS for all secure web transactions, and all refer- ences to SSL mean using one of these algorithms unless otherwise noted SSL provides all the web functions but, unlike standard web access, SSL provides encrypted, authenticated transactions.
Page 404
SSL on the switches covered in this guide supports these data encryption methods: ■ 3DES (168-bit, 112 Effective) DES (56-bit) ■ RC4 (40-bit, 128-bit) ■ Note HP Switches use RSA public key algorithms and Diffie-Hellman, and all references to a key mean keys generated using these algorithms unless otherwise noted...
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL-enabled web browser application on the com- puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include:...
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Enable SSL on the switch. (page 9-15) Use your SSL enabled browser to access the switch using the switch’s IP address or DNS name (if allowed by your browser). Refer to the documentation provided with the browser application.
1. Assigning a Local Login (Operator) and Enabling (Manager) Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The server certificate is stored in the switch’s flash memory. The server certificate should be added to your certificate folder on the SSL clients who you want to have access to the switch. Most browser applications automati- cally add the switch’s host certificate to there certificate folder on the first use.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI commands used to generate a Server Host Certificate. Syntax: crypto key generate cert rsa bits < 1024 | 2048> Generates a key pair for use in the certificate. crypto key zeroize cert Erases the switch’s certificate key and disables SSL opera- tion.
Page 411
This is the name of the state or province where switch is in service Country code This is the ISO two-letter country-code where switch is in service For example, to generate a new host certificate: HP Switch(config)# crypto host-cert generate self-signed Generate New Certificate Validity start date [05/17/2011]: 05/31/2011 Validity end date...
Page 412
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI Command to view host certificates. Syntax: show crypto host-cert Displays switch’s host certificate To view the current host certificate from the CLI you use the show crypto host- cert command.
Page 413
HP Switch(config)# show crypto host-cert Version: 3 (0x2) Serial Number: 32:aa:d2:c3:f6:2f:fe:8f:69:4f:28:e4:09:8e:20:5d:d7:e6:0b:bc Signature Algorithm: sha1withRSAEncryption Issuer: CN=10.255.255.255, C=US, L=Roseville, O=HP Networking, OU=Hewlett- Packar d, ST=CA Validity Not Before: May 31 18:54:41 2011 GMT Not After : Jun 15 23:59:59 2011 GMT Subject: CN=10.255.255.255, C=US, L=Roseville, O=HP Networking, OU=Hewlett-...
Generate a Self-Signed Host Certificate with the WebAgent You can configure SSL from the WebAgent. For more information on how to access the WebAgent refer to the chapter titled “Using the HP WebAgent” in the Basic Operation Guide for your switch.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 9-4. Self-Signed Certificate generation via SSL WebAgent Screen Generate a CA-Signed server host certificate with the WebAgent The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.
Page 416
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation iv. In the SSL Certificate box, fill out the fields and select Create request. Figure 9-5. Example of CA Certificate Generation via SSL WebAgent Screen To access the online help for SSL certificate generation, click on “?” in the upper right corner of the screen.
Switch’s Server Host Certificate” on page 9-6. When configured for SSL, the switch uses its host certificate to authenticate itself to SSL clients, however unless you disable the standard HP WebAgent with the no web-management command it will be still available for unsecured transactions.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The security concern described above does not exist when using CA-signed certificates that have been generated by certificate authorities that the web browser already trusts Using the CLI Interface to Enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch.
Page 419
Click on Save. N o t e o n P o r t HP recommends using the default IP port number (443). However, you can Num b er use web-management ssl tcp-port to specify any TCP port for SSL connections except those reserved for other purposes.
Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup Common Errors in SSL Setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 9-8.) Enabling SSL on the CLI or WebAgent You have not generated a host...
IPv4 Access Control Lists (ACLs) Introduction An Access Control List (ACL) is a list of one or more Access Control Entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch’s interfaces. This chapter describes how to configure, apply, and edit static IPv4 ACLs in a network populated with the switches covered by this guide, and how to monitor IPv4 ACL actions.
Page 422
IPv4 Access Control Lists (ACLs) Introduction Feature Default Configure an ACL from a TFTP Server 10-107 Enable ACL Logging 10-114 IPv4 filtering with ACLs can help improve network performance and restrict network use by creating policies for: Switch Management Access: Permits or denies in-band manage- ■...
IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Overview of Options for Applying IPv4 ACLs on the Switch To apply IPv4 ACL filtering, assign a configured IPv4 ACL to the interface on which you want traffic filtering to occur. VLAN and routed IPv4 traffic ACLs can be applied statically using the switch configuration.
Page 424
IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch clients. For information on RADIUS-assigned ACLs assigned by a RADIUS server, refer to the chapter titled “Configuring RADIUS Server Support for Switch Services”. Note This chapter describes the IPv4 ACL applications you can statically configure on the switch.
HP Switch(config)# ip access-list standard < name-str | 1-99 > 10-92 Remark from a HP Switch(config-ext-nacl)# [ remark < remark-str > | no < 1-2147483647 > remark ] 10-95 Standard ACL For numbered, standard ACLs only, the following remark commands can be substituted for the above: HP Switch(config)# access-list <...
HP Switch(config)# no access-list < 100 - 199 > Command Summary for Enabling, Disabling, and Displaying ACLs Enable or Disable an HP Switch(config)# [no] vlan < vid > ip access-group < identifier > < in | out > 10-81 RACL Enable or Disable a HP Switch(config)# [no] vlan <...
IPv4 Access Control Lists (ACLs) Terminology Terminology Access Control Entry (ACE): A policy consisting of criteria and an action (permit or deny) to execute on a packet if it meets the criteria. The elements composing the criteria include: • source IPv4 address and mask (standard and extended ACLs) •...
Page 429
IPv4 Access Control Lists (ACLs) Terminology ACL ID: A number or alphanumeric string used to identify an ACL. A standard IPv4 ACL ID can have either an alphanumeric string or a number in the range of 1 to 99. An extended IPv4 ACL ID can have either an alphanumeric string or a number in the range of 100 to 199.
Page 430
IPv4 Access Control Lists (ACLs) Terminology ACLs). You can preempt the Implicit Deny in a given ACL by configuring a permit any (standard) or permit ip any any (extended) as the last explicit ACE in the ACL. Doing so permits any IPv4 packet that is not explicitly permitted or denied by other ACEs configured sequentially earlier in the ACL.
Page 431
IPv4 Access Control Lists (ACLs) Terminology Outbound Traffic: For defining the points where the switch applies an RACL to filter traffic, outbound traffic is routed traffic leaving the switch through a VLAN interface (or a subnet in a multinetted VLAN). “Outbound traffic”...
Page 432
IPv4 Access Control Lists (ACLs) Terminology seq-#: The term used in ACL syntax statements to represent the sequence number variable used to insert an ACE within an existing list. The range allowed for sequence numbers is 1 - 2147483647. Standard ACL: This type of access control list uses the layer-3 IP criteria of source IPv4 address to determine whether there is a match with an IPv4 packet.
IPv4 Access Control Lists (ACLs) Overview Overview Types of IPv4 ACLs A permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other factors. Standard ACL: Use a standard ACL when you need to permit or deny IPv4 traffic based on source address only.
IPv4 Access Control Lists (ACLs) Overview • Routed IPv4 traffic having a destination address (DA) on the switch itself. In figure 10-1 on page 10-15, this is any of the IP addresses shown in VLANs “A”, “B”, and “C”. (Routing need not be enabled.) •...
Page 435
IPv4 Access Control Lists (ACLs) Overview Where multiple subnets are configured on the same VLAN, you can ■ use either inbound or outbound ACLs to filter routed IPv4 traffic between the subnets on the VLAN. (Traffic source and destination IP addresses must be on devices external to the switch.) The subnet mask for this Switch with IPv4 Routing...
IPv4 Access Control Lists (ACLs) Overview VACL Applications VACLs filter any IPv4 traffic entering the switch on a VLAN configured with the “VLAN” ACL option. vlan < vid > ip access-group < identifier > vlan For example, in figure 10-2, you would assign a VACL to VLAN 2 to filter all inbound switched or routed IPv4 traffic received from clients on the 10.28.20.0 network.
IPv4 Access Control Lists (ACLs) Overview RADIUS-Assigned (Dynamic) Port ACL Applications Note Beginning with software release K.14.01, IPv6 support is available for RADIUS-assigned port ACLs configured to filter inbound IPv4 and IPv6 traffic from an authenticated client. Also, the implicit deny in RADIUS-assigned ACLs applies to both IPv4 and IPv6 traffic inbound from the client.
Page 438
IPv4 Access Control Lists (ACLs) Overview 802.1X User-Based and Port-Based Applications. User-Based 802.1X access control allows up to 32 individually authenticated clients on a given port. Port-Based access control does not set a client limit, and requires only one authenticated client to open a given port (and is recommended for applications where only one client at a time can connect to the port).
IPv4 Access Control Lists (ACLs) Overview For 802.1X or MAC authentication methods, clients can authenticate ■ regardless of their IP version (IPv4 or IPv6). For the Web authentication method, clients must authenticate using ■ IPv4. However, this does not prevent the client from using a dual stack, or the port receiving a RADIUS-assigned ACL configured with ACEs to filter IPv6 traffic.
Page 440
IPv4 Access Control Lists (ACLs) Overview Note In cases where an RACL and any type of port or VLAN ACL are filtering traffic entering the switch, the switched traffic explicitly permitted by the port or VLAN ACL is not filtered by the RACL (except where the traffic has a destination on the switch itself).
Page 441
IPv4 Access Control Lists (ACLs) Overview An inbound, switched packet entering on port A10, with a destination on port A12, will be screened by the static port ACL and the VACL, regardless of a match with any permit or deny action. A match with a deny action (including an implicit deny) in either ACL will cause the switch to drop the packet.
IPv4 Access Control Lists (ACLs) Overview Features Common to All ACL Applications Any ACL can have multiple entries (ACEs). ■ You can apply any one ACL to multiple interfaces. ■ ■ All ACEs in an ACL configured on the switch are automatically sequenced (numbered).
IPv4 Access Control Lists (ACLs) Overview General Steps for Planning and Configuring ACLs Identify the ACL action to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv4 traffic at the edge of the network instead of in the core.
Page 444
IPv4 Access Control Lists (ACLs) Overview Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL, VACL, or RACL) appropriate for each assign- ment. (For RADIUS-assigned ACLs, refer to the Note in the table in step 1 on page 10-23.) If you are using an RACL, ensure that IPv4 routing is enabled on the switch.
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation IPv4 Static ACL Operation Introduction An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). A static ACL applies only to the switch in which it is configured.
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation Note After you assign an IPv4 ACL to an interface, the default action on the interface is to implicitly deny IPv4 traffic that is not specifically permitted by the ACL. (This applies only in the direction of traffic flow filtered by the ACL.) The Packet-filtering Process Sequential Comparison and Action.
Page 447
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation no further comparisons of the packet are made with the remaining ACEs in the list. This means that when an ACE whose criteria matches a packet is found, the action configured for that ACE is invoked, and any remaining ACEs in the ACL are ignored.
Page 448
40 permit tcp 10.11.11.33 0.0.0.0 0.0.0.0 255.255.255.255 eq 23 < Implicit Deny > exit HP Switch(config)# vlan 12 ip access-group Test-02 in 1. Permits IPv4 traffic from source address 10.11.11.42. Packets 4. Permits Telnet traffic from source address 10.11.11.33. Packets...
IPv4 Access Control Lists (ACLs) Planning an ACL Application It is important to remember that all IPv4 ACLs configurable on the switch include an implicit deny ip any. That is, IPv4 packets that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped instead of forwarded on the interface.
Page 450
IPv4 Access Control Lists (ACLs) Planning an ACL Application Any TCP traffic (only) for a specific TCP port or range of ports, ■ including optional control of connection traffic based on whether the initial request should be allowed Any UDP traffic or UDP traffic for a specific UDP port ■...
IPv4 Access Control Lists (ACLs) Planning an ACL Application Security ACLs can enhance security by blocking traffic carrying an unauthorized source IPv4 address (SA). This can include: blocking access from specific devices or interfaces (port or VLAN) ■ ■ blocking access to or from subnets in your network ■...
IPv4 Access Control Lists (ACLs) Planning an ACL Application The sequence of ACEs is significant. When the switch uses an ACL to ■ determine whether to permit or deny a packet on a particular VLAN, it compares the packet to the criteria specified in the individual Access Control Entries (ACEs) in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found.
Page 453
IPv4 Access Control Lists (ACLs) Planning an ACL Application Per Switch ACL Limits for All ACL Types. At a minimum an ACL ■ must have one, explicit “permit” or “deny” Access Control Entry. You can configure up to 2048 IPv4 ACLs each for IPv4 and IPv6. The maximums are as follows: •...
Page 454
IPv4 Access Control Lists (ACLs) Planning an ACL Application application on the same interface. For example, configuring an RACL named “100” to filter inbound routed traffic on VLAN 20, but later, you configured another RACL named 112 to filter inbound routed traffic on this same VLAN, RACL 112 replaces RACL 100 as the ACL to use.
IPv4 Access Control Lists (ACLs) Planning an ACL Application Note RACLs do filter routed or switched IPv4 traffic having an SA or DA on the switch itself. How an ACE Uses a Mask To Screen Packets for Matches When the switch applies an ACL to IPv4 traffic, each ACE in the ACL uses an IPv4 address and ACL mask to enforce a selection policy on the packets being screened.
IPv4 Access Control Lists (ACLs) Planning an ACL Application Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) For a given ACE, when the switch compares an IPv4 address and ■ corresponding mask in the ACE to an IPv4 address carried in a packet: •...
Page 457
IPv4 Access Control Lists (ACLs) Planning an ACL Application Every IPv4 address and mask pair (source or destination) used in an ■ ACE creates one of the following policies: • Any IPv4 address fits the matching criteria. In this case, the switch automatically enters the address and mask in the ACE.
Page 458
IPv4 Access Control Lists (ACLs) Planning an ACL Application Example of How the Mask Bit Settings Define a Match . Assume an ACE where the second octet of the mask for an SA is 7 (the rightmost three bits are “on”, or “1”) and the second octet of the corresponding SA in the ACE is 31 (the rightmost five bits).
Page 459
IPv4 Access Control Lists (ACLs) Planning an ACL Application Examples Allowing Multiple IPv4 Addresses. Table 10-3 provides exam- ples of how to apply masks to meet various filtering requirements. Table 10-3. Example of Using an IPv4 Address and Mask in an Access Control Entry Address in the ACE Mask Policy for a Match Between a...
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL CIDR Notation. For information on using CIDR notation to specify ACL masks, refer to “Using CIDR Notation To Enter the IPv4 ACL Mask” on page 10-49. Configuring and Assigning an IPv4 ACL ACL Feature Page Configuring and Assigning a Standard ACL...
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Options for Permit/Deny Policies The permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other IPv4 factors. Standard ACL: Uses only a packet's source IPv4 address as a crite- ■...
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL One or more deny/permit list entries (ACEs): One entry per line. Element Notes Type Standard or Extended Identifier • Alphanumeric; Up to 64 Characters, Including Spaces • Numeric: 1 - 99 (Standard) or 100 - 199 (Extended) Remark Allows up to 100 alphanumeric characters, including blank spaces.
Configuring and Assigning an IPv4 ACL For example, figure 10-10 shows how to interpret the entries in a standard ACL. (Config)# show running HP Switch ACL List Heading with List Type and Identifier (Name or Number) ip access-list standard “Sample-List”...
Page 464
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL ip access-list extended < identifier > [ [ seq-# ] remark < remark-str >] < permit | deny > < ipv4-protocol-type > < SA > < src-acl-mask > < DA > <dest-acl-mask > <...
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, figure 10-12 shows how to interpret the entries in an extended ACL. HP Switch(config)# show running ACL List Heading with List Type and ID String (Name or Number)
Page 466
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, suppose that you have applied the ACL shown in figure 10-13 to inbound IPv4 traffic on VLAN 1 (the default VLAN): Source Address Mask DestinationAddress Mask ip access-list extended "Sample-List-2" 10 deny ip 10.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255 20 deny ip 10.28.245.89 0.0.0.0 0.0.0.0 255.255.255.255 30 permit tcp 10.28.18.100 0.0.0.0 10.28.237.1 0.0.0.0...
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Allowing for the Implied Deny Function In any ACL having one or more ACEs there will always be a packet match. This is because the switch automatically applies an Implicit Deny as the last ACE in any ACL.
ACE without the sequence number. For example, if you wanted to add a “permit” ACL at the end of a list named “List-1” to allow traffic from the device at 10.10.10.100: HP Switch(config)# ip access-list standard List-1 HP Switch(config-std-nacl)# permit host 10.10.10.100 Insert an ACE anywhere in a named ACL by specifying a sequence number.
For example, to insert an ACE denying IPv4 traffic from the host at 10.10.10.77 as line 52 in an existing ACL identified (named) with the number 11: HP Switch(config)# ip access-list standard 99 HP Switch(config-std-nacl)# 52 deny host 10.10.10.77 Note After a numbered ACL has been created (using access-list <...
HP Switch(config)# ip access-list standard < name-str | 1-99 > 10-92 Remark from an ACL HP Switch(config-ext-nacl)# [ remark < remark-str > | no < 1-2147483647 > remark ] 10-95 For numbered, standard ACLs only, the following remark commands can be substituted for the above: HP Switch(config)# access-list <...
Page 471
HP Switch(config)# ip access-list standard Test-List HP Switch(config-std-nacl)# permit host 10.10.10.147 HP Switch(config)# access-list 1 permit host 10.10.10.147 Note that once a numbered ACL has been created, it can be accessed using the named ACL method. This is useful if it becomes necessary to edit a numbered ACL by inserting or removing individual ACEs.
Page 472
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring Named, Standard ACLs This section describes the commands for performing the following: creating and/or entering the context of a named, standard ACL ■ ■ appending an ACE to the end of an existing list or entering the first ACE in a new list For other IPv4 ACL topics, refer to the following: Topic...
Page 473
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring ACEs in an Named, Standard ACL. Configuring ACEs is done after using the ip access-list standard < name-str > command described above to enter the “Named ACL” (nacl) context of an access list. For a standard ACL syntax summary, refer to table on page 10-50.
Page 474
IPv4 traffic from a host with the address of 10.10.10.104 creates another ACE that blocks all other IPv4 traffic from the same subnet allows all other IPv4 traffic HP Switch(config)# ip access-list standard Sample-List Creates the “Sample-List” ACL and enters the “Named HP Switch(config-std-nacl)# permit host 10.10.10.104 ACL”...
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs HP Switch(config)# show access-list Sample-List Access Control Lists Name: Sample-List Type: Standard Applied: No Entry ------------------------------------------------------------------------------- Action: permit : 10.10.10.104 Mask: 0.0.0.0 Note that each ACE is automatically assigned a Action: deny (log) sequence number.
Page 476
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Creating or Adding to an Standard, Numbered ACL. This command is an alternative to using ip access-list standard < name-str > and does not use the “Named ACL” (nacl) context. For a standard ACL syntax summary, refer to table on page 10-50.
Page 477
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs < any | host < SA > | SA < mask | SA/mask-length >> Defines the source IPv4 address (SA) a packet must carry for a match with the ACE. • any — Allows IPv4 packets from any SA. •...
Page 478
Example of Creating and Viewing a Standard ACL. This example cre- ates a standard, numbered ACL with the same ACE content as show in figure 10-14 on page 10-54. HP Switch(config)# access-list 17 permit host 10.10.10.104 HP Switch(config)# access-list 17 deny 10.10.10.1/24 log HP Switch(config)# access-list 17 permit any...
Page 480
HP Switch(config)# ip access-list extended < name-str | 100-199 > 10-92 Remark HP Switch(config-ext-nacl)# [ remark < remark-str > | no < 1 - 2147483647 > remark ] 10-95 For numbered, extended ACLs only, the following remark commands can be substituted for the above: HP Switch(config)# access-list <...
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configuring Named, Extended ACLs For a match to occur with an ACE in an extended ACL, a packet must have the source and destination address criteria specified by the ACE, as well as any IPv4 protocol-specific criteria included in the command.
Page 482
“Accounting ACL”. You can also use this command to access an existing, numbered ACL. Refer to “Using the CLI To Edit ACLs” on page 10-86 (config)# ip access-list extended Sample-List HP Switch (config-ext-nacl)# HP Switch Figure 10-17. Example of Entering the Named ACL Context...
Page 483
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configure ACEs in a Named, Extended ACL and/or Enter the “Named ACL” (nacl) Context. Configuring ACEs is done after using the ip access- list standard < name-str > command described on page 10-62 to enter the “Named ACL”...
Page 484
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following: • ip — any IPv4 packet. •...
Page 485
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < any | host < DA > | DA/mask-length | DA/ < mask >> This is the second instance of IPv4 addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match with the ACE.
Page 486
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ tos < tos-setting > ] This option can be used after the DA to cause the ACE to match packets with the specified Type-of-Service (ToS) setting. ToS values can be entered as the following numeric settings or, in the case of 0, 2, 4, and 8, as alphanumeric names: or normal “...
Page 487
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for TCP and UDP Traffic in Extended ACLs. An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic.
Page 488
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Comparison Operators: eq < tcp/udp-port-nbr > • — “Equal To”; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to < tcp/udp-port-nbr >. gt <...
Page 489
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [established] — This option applies only where TCP is the configured protocol type. It blocks the synchronizing packet associated with establishing a TCP connection in one direction on a VLAN while allowing all other IPv4 traffic for the same type of connection in the opposite direction.
Page 490
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for ICMP Traffic in Extended ACLs. This option is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic. That is, an ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE.
Page 491
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ icmp-type-name ] These name options are an alternative to the [icmp-type [ icmp-code] ] methodology described above. For more infor- mation, visit the IANA website cited above. administratively-prohibited net-tos-unreachable alternate-address net-unreachable conversion-error network-unknown dod-host-prohibited...
Page 492
This option, if used, is entered immediately after the destination addressing entry. The following example shows an IGMP ACE entered in the Named ACL context: HP Switch(config-ext-nacl)# permit igmp any any host-query [ igmp-type ] The complete list of IGMP packet-type options includes:...
Page 493
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Example of a Named, Extended ACL. Suppose that you want to imple- ment these policies on a switch configured for IPv4 routing and membership in VLANs 10, 20, and 30: A. Permit Telnet traffic from 10.10.10.44 to 10.10.20.78, deny all other IPv4 traffic from network 10.10.10.0 (VLAN 10) to 10.10.20.0 (VLAN 20), and permit all other IPv4 traffic from any source to any destination.
HP Switch(config)# ip access-list extended Extended-List-02 HP Switch(config-ext-nacl)# permit tcp host 10.10.20.100 host 10.10.30.55 eq ftp HP Switch(config-ext-nacl)# deny tcp 10.10.20.1/24 any eq ftp log HP Switch(config-ext-nacl)# permit ip any any HP Switch(config-ext-nacl)# exit HP Switch(config)# vlan 20 ip access-group Extended-List-02 in Figure 10-19.
Page 495
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Creating or Adding to an Extended, Numbered ACL. This command is an alternative to using ip access-list extended < name-str > and does not use the Named ACL (nacl) context. (For an extended ACL syntax summary, refer to table on page 10-59.) Syntax: access-list <...
Page 496
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < deny | permit > Specifies whether to deny (drop) or permit (forward) a packet that matches the criteria specified in the ACE, as described below. < ip | ip-protocol | ip-protocol-nbr > Specifies the packet protocol type required for a match.
Page 497
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs SA Mask Application: The mask is applied to the SA in the ACL to define which bits in a packet’s source SA must exactly match the address configured in the ACL and which bits need not match.
Page 498
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ precedence < 0 - 7 | precedence-name >] This option causes the ACE to match packets with the specified IP precedence value. Values can be entered as the following IP precedence numbers or alphanumeric names: or routine priority “...
Page 499
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Additional Options for TCP and UDP Traffic. An ACE designed to per- mit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic.
Page 500
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Additional Option for IGMP. This option is useful where it is necessary to permit some types of IGMP traffic and deny other types, instead of simply permitting or denying all types of IGMP traffic. That is, an ACE designed to permit or deny IGMP traffic can optionally include an IGMP packet type to permit or deny an individual type of IGMP packet while not addressing other IGMP traffic types in the same ACE.
IPv4 Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface Adding or Removing an ACL Assignment On an Interface Filtering Routed IPv4 Traffic For a given VLAN interface on a switch configured for routing, you can assign an ACL as an RACL to filter inbound IPv4 traffic and another ACL as a RACL to filter outbound IPv4 traffic.
HP Switch(config)# vlan 20 HP Switch(vlan-20)# ip access-group 155 out Enables an RACL from a HP Switch(vlan-20)# exit VLAN Context. HP Switch(config)# no vlan 20 ip access-group My-List in Disables an RACL from the Global Configuration Level HP Switch(config)# vlan 20...
HP Switch(config)# vlan 20 HP Switch(vlan-20)# ip access-group 155 vlan Enables a VACL from a HP Switch(vlan-20)# exit VLAN Context. HP Switch(config)# no vlan 20 ip access-group My-List vlan Disables a VACL from the Global Configuration Level HP Switch(config)# vlan 20...
IPv4 Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface HP Switch(config)# interface b10 ip access-group My-List in Enables a static port ACL from the Global Configuration level. HP Switch(config)# interface b10 HP Switch(eth-b10)# ip access-group 155 in...
IPv4 Access Control Lists (ACLs) Deleting an ACL Deleting an ACL Syntax: no ip access-list standard < name-str | 1-99 > no ip access-list extended < name-str | 100-199 > no access-list < 1 - 99 | 100 - 199 > Removes the specified ACL from the switch’s running- config file.
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Editing an Existing ACL The CLI provides the capability for editing in the switch by using sequence numbers to insert or delete individual ACEs. An offline method is also avail- able. This section describes using the CLI for editing ACLs. To use the offline method for editing ACLs, refer to “Creating or Editing ACLs Offline”...
ACL. HP Switch(config)# ip access-list standard My-list HP Switch(config-ext-nacl)# permit ip any host 10.10.10.125 Enters the context of an extended ACL and appends an ACE to the end of the list. Figure 10-24. Examples of Adding an ACE to the end of Numbered or Named ACLs...
IPv4 Access Control Lists (ACLs) Editing an Existing ACL For example, to append a fourth ACE to the end of the ACL in figure 10-23: HP Switch(config)# ip access-list standard My-List HP Switch(config-std-nacl)# permit any HP Switch(config-std-nacl)# show run ip access-list standard "My-List"...
Page 509
For example, inserting a new ACE between the ACEs numbered 10 and 20 in figure 10-25 requires a sequence number in the range of 11-19 for the new ACE. HP Switch(config)# ip access-list standard My-List HP Switch(config-std-nacl)# 15 deny 10.10.10.1/24 HP Switch(config-std-nacl)# show run Enters the “Named-ACL...
IPv4 Access Control Lists (ACLs) Editing an Existing ACL HP Switch(config)# ip access-list standard List-01 Becomes Line 10 HP Switch(config-std-nacl)# permit 10.10.10.1/24 HP Switch(config-std-nacl)# deny 10.10.1.1/16 Becomes Line 20 HP Switch(config-std-nacl)# 15 permit 10.10.20.1/24 HP Switch(config-std-nacl)# show run Lines 10 and 20...
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Figure 10-28 illustrates the process for deleting an ACE from a list: (config)# show run HP Switch . . . ACL Before Deleting an ACE ip access-list standard "My-List" 10 permit 10.10.10.25 0.0.0.0 15 deny 10.10.10.1 0.0.0.255...
15 deny 10.10.10.1 0.0.0.255 30 deny 10.20.10.1 0.0.0.255 40 permit 0.0.0.0 255.255.255.255 exit . . . HP Switch(config)# ip access-list resequence My-List 100 100 HP Switch(config)# show run . . . ip access-list standard "My-List" 100 permit 10.10.10.25 0.0.0.0 200 deny 10.10.10.1 0.0.0.255 300 deny 10.20.10.1 0.0.0.255...
Page 513
ACL with a numeric identifier of “115”, either of the following com- mand sets adds an ACE denying IPv4 traffic from any source to a host at 10.10.10.100: HP Switch(config)# access-list 115 deny ip host 10.10.10.100 HP Switch(config)# ip access-list extended 115 HP Switch(config-ext-nacl)# deny ip any 10.10.10.100...
Page 514
Editing an Existing ACL remark and the subsequent ACE having the same sequence number. For example, to add remarks using the “Named-ACL” (nacl) context: HP Switch(config)# ip access-list standard My-List HP Switch(config-std-nacl)# permit host 10.10.10.15 HP Switch(config-std-nacl)# deny 10.10.10.1/24 HP Switch(config-std-nacl)# remark HOST-10.20.10.34 The remark is assigned the same HP Switch(config-std-nacl)# permit host 10.20.10.34...
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Inserting a Remark for an ACE that Already Exists in an ACL. If a sequence number is already assigned to an ACE in a list, you cannot insert a remark by assigning it to the same number. (To configure a remark with the same number as a given ACE, the remark must be configured first.) To assign a remark to the same number as an existing ACE: Delete the ACE.
Page 516
IPv4 Access Control Lists (ACLs) Editing an Existing ACL HP Switch(config)# ip access-list standard Accounting HP Switch(config-std-nacl)# permit host 10.10.10.115 HP Switch(config-std-nacl)# deny 10.10.10.1/24 HP Switch(config-std-nacl)# remark Marketing HP Switch(config-std-nacl)# remark Channel_Mktg Where multiple remarks are HP Switch(config-std-nacl)# show run...
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying ACL Configuration Data The show commands in this section apply to both IPv4 and IPv6 ACLs. For information on IPv6 ACL operation, refer to the chapter titled “IPv6 Access Control Lists” in the IPv6 Configuration Guide for your switch. ACL Commands Function Page...
VLANs. Syntax: show access-list List a summary table of the name, type, and application status of IPv4 and IPv6 ACLs configured on the switch. For example: HP Switch(config)# show access-list Access Control Lists Type Appl Name...
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display the Content of All ACLs on the Switch This command lists the configuration details for the IPv4 and IPv6 ACLs in the running-config file, regardless of whether any are actually assigned to filter IPv4 traffic on specific VLANs.
For example, the following output shows that all inbound IPv6 traffic and the inbound and outbound, routed IPv4 traffic are all filtered on VLAN 20. HP Switch(config)# show access-list vlan 20 • An extended IPv4 ACL named “Account-2” is Access Lists for VLAN 20 assigned to filter routed IPv4 traffic entering the switch on VLAN 20.
Page 522
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data HP Switch(config)# show access-list ports all • An IPv6 ACL is filtering Access Lists for Port B1 inbound traffic on port B1. Inbound Ipv6: List-01-Inbound • Both an IPv4 ACL and an IPv6...
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying the Content of a Specific ACL This command displays a specific IPv6 or IPv4 ACL configured in the running config file in an easy-to-read tabular format. Note This information also appears in the show running display. If you execute write memory after configuring an ACL, it also appears in the show config display.
Page 524
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data HP Switch(config)# show access-list Accounting Access Control Lists Name: Accounting Type: ipv6 Indicates whether the ACL Applied: Yes is applied to an interface. Entry Remark Field (Appears if remark configured.) -----------------------------------------------------------------------...
Page 525
< identifier > but in the format used by the show < run | config > commands to list the switch configuration. For example: HP Switch(config)# show access-list List-120 config ip access-list extended "List-120" 10 remark "Telnet Allowed"...
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Table 10-7. Descriptions of Data Types Included in Show Access-List < acl-id > Output Field Description Name The ACL identifier. Can be a number from 1 to 199, or a name. Type Standard or Extended.
ACL configuration to a file in your TFTP server. For example, to copy the ACL configuration to a file named acl-02.txt in the TFTP directory on a server at 10.28.227.2: HP Switch# copy command-output 'show access-list config' tftp 10.28.227.2 acl02.txt pc •...
IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax, begin the command file with a no ip access- list command to remove the earlier version of the ACL from the switch’s running-config file.
Page 529
IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline Deny all other IPv4 traffic from VLAN 20 to VLAN 10. ■ ■ Deny all IPv4 traffic from VLAN 30 (10.10.30.0) to the server at 10.10.10.100 on VLAN 10 (without ACL logging), but allow any other IPv4 traffic from VLAN 30 to VLAN 10.
Page 530
If a transport error occurs, the switch does not execute the command and the ACL is not configured. HP Switch(config)# copy tftp command-file 10.10.10.1 LIST-20-IN.txt pc Running configuration may change, do you want to continue [y/n]? 1. ip access-list extended LIST-20-IN As illustrated here, blank lines in the .txt...
Page 531
IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline HP Switch(config)# show run Note that the comments preceded . . . by “ ; “ in the .txt source file for this configuration do not appear in the ip access-list extended "LIST-20-IN"...
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enable ACL “Deny” Logging ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” action. You can use ACL logging to help: Test your network to ensure that your ACL configuration is detecting ■...
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging ACL Logging Operation When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination.
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enabling ACL Logging on the Switch If you are using a Syslog server, use the logging < ip-addr > command to configure the Syslog server IPv4 address(es). Ensure that the switch can access any Syslog server(s) you specify.
Page 535
Enable ACL “Deny” Logging HP Switch(config)# ip access-list extended NO-TELNET HP Switch(config-ext-nacl)# remark "DENY 10.10.10.3 TELNET TRAFFIC IN" HP Switch(config-ext-nacl)# deny tcp host 10.10.10.3 any eq telnet log HP Switch(config-ext-nacl)# permit ip any any HP Switch(config-ext-nacl)# exit HP Switch(config)# vlan 10 ip access-group NO-TELNET in HP Switch(config)# logging 10.10.20.3...
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Configuring the Logging Timer By default, the wait period for logging “deny” matches (described above in “ACL Logging Operation”) is approximately five minutes (300 seconds). You can manually set the wait period timer to an interval between 30 and 300 seconds, using the access-list command from the config context.
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Monitoring Static ACL Performance ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help, for example, to determine whether a particular traffic type is being filtered by the intended ACE in an assigned list, or if traffic from a particular device or network is being filtered as intended.
Page 538
ACEs in an applied ACL since the ACL’s counters were last reset to 0 (zero) For example, figure 10-46 illustrates both IPv6 and IPv4 ACL activity: HP Switch# show statistics aclv6 IPV6-ACL vlan 20 vlan HitCounts for ACL IPV6-ACL Total 10 permit icmp ::/0 fe80::20:2/128 128...
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging ACE Counter Operation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset.
Page 540
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging HP Switch# show statistics aclv6 V6-02 vlan 20 vlan HitCounts for ACL V6-02 Total 10 permit icmp ::/0 fe80::20:2/128 128 20 permit icmp ::/0 fe80::20:3/128 128 136) 30 permit tcp fe80::20:1/128 ::/0 eq 23...
The following example uses the counter activity in figure 10-47 (page 10-120) to demonstrate using to reset the counters to zero. clear statistics HP Switch# show statistics aclv6 V6-02 vlan 20 vlan HitCounts for ACL V6-02 Total 10 permit icmp ::/0 fe80::20:2/128 128...
20 deny tcp ::/0 fe80::20:2/128 eq 23 log 30 permit ipv6 ::/0 ::/0 Assigns the ACL to port B2. exit HP Switch(config)# int b2 ipv access-group V6-01 in Figure 10-50. ACL “V6-01” and Command for PACL Assignment on Port B2 10-122...
Page 543
Figure 10-52. Ping and Telnet from FE80::20:117 to FE80::20:2 Filtered by the Assignment of “V6-01” as a PACL on Port B2 HP Switch# show statistics aclv6 IP-01 port b2 Hit Counts for ACL IPV6-ACL Shows the succesful ping permitted by ACE 10.
20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 exit Assigns the ACL as a VACL to VLAN 20. HP Switch(config)# vlan 20 ip access-group Test-1 vlan Assigns the ACL as HP Switch(config)# vlan 50 ip access-group Test-1 in an RACL to VLANs HP Switch(config)# vlan 70 ip access-group Test-1 in 50 and 70.
Page 545
Using the network in figure 10-55, a device at 10.10.20.4 on VLAN 20 attempting to ping and Telnet to 10.10.20.12 is filtered through the VACL instance of the “Test-1” ACL on VLAN 20 and results in the following: HP Switch(config)# ping 10.10.20.2 10.10.20.2 is alive, time = 5 ms HP Switch(config)# telnet 10.10.20.2 Telnet failed: Connection timed out.
Page 546
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging HP Switch(config)# show statistics aclv4 Test-1 vlan 20 vlan Hit Counts for ACL Test-1 Indicates denied attempts to Telnet to 10.10.20.12 filtered by the instance of the “Test-1” VACL Total assignment on VLAN 20.
Page 547
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging HP Switch(config)# show statistics aclv4 Test-1 vlan 50 in Indicates the same type of data as shown in figure 10-57 for the VACL assignment Hit Counts for ACL Test-1 of the “Test-1” ACL. That is, the Ping attempt incremented the counters for ACE...
Logging enables you to selectively test specific devices or groups. However, excessive logging can affect switch performance. For this reason, HP recommends that you remove the logging option from ACEs for which you do not have a present need. Also, avoid config- uring logging where it does not serve an immediate purpose.
Page 549
“strict” TCP and UDP mode for increased control. In this case, the switch compares all TCP and UDP packets against the ACLs. (In the HP 9300m and 9404sl Routing Switches, the Strict TCP and Strict UDP modes are optional and must be specifically invoked.)
Page 550
IPv4 Access Control Lists (ACLs) General ACL Operating Notes 10-130...
Configuring Advanced Threat Protection Introduction As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (such as partners, temporary employees, and visitors), additional protection from attacks launched from both inside and outside your internal network is often neces- sary.
Page 552
Configuring Advanced Threat Protection Introduction • Attempts to fill all IP address entries in the switch’s forwarding table and cause legitimate traffic to be dropped, indicated by an increased number of learned IP destination addresses • Attempts to spread viruses, indicated by an increased number of ARP request packets •...
Configuring Advanced Threat Protection DHCP Snooping Overview You can use DHCP snooping to help avoid the Denial of Service attacks that result from unauthorized users adding a DHCP server to the network that then provides invalid configuration data to other DHCP clients on the network. DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users.
Enabling DHCP Snooping DHCP snooping is enabled globally by entering this command: (config)# dhcp-snooping HP Switch Use the no form of the command to disable DHCP snooping. Syntax: [no] dhcp-snooping [authorized-server | database | option | trust | verify |...
Page 556
Figure 11-1. An Example of the DHCP Snooping Command Output To display statistics about the DHCP snooping process, enter this command: (config)# show dhcp-snooping stats HP Switch An example of the output is shown below. HP Switch(config)# show dhcp-snooping stats Packet type Action Reason Count...
You can also use this command in the vlan context, in which case you cannot enter a range of VLANs for snooping. Below is an example of DHCP snooping enabled on VLAN 4. HP Switch(config)# dhcp-snooping vlan 4 HP Switch(config)# show dhcp-snooping DHCP Snooping Information...
Configuring Advanced Threat Protection DHCP Snooping HP Switch(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping : Yes Enabled Vlans Verify MAC : No Option 82 untrusted policy : drop Option 82 Insertion : Yes Option 82 remote-id : subnet-ip Authorized Servers --------------------- 111.222.3.4...
Page 560
Configuring Advanced Threat Protection DHCP Snooping If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.
IP address of the management VLAN can be used instead by entering this command with the associated parameter: (config)# dhcp-snooping option 82 remote-id HP Switch <mac|subnet-ip|mgmt-ip> HP Switch(config)# dhcp-snooping option 82 remote-id subnet- HP Switch(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping : Yes...
A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command. Syntax: show dhcp-snooping binding HP Switch(config)# show dhcp-snooping binding MacAddress VLAN Interface Time left ------------- --------------- ---- --------- --------- 22.22.22.22.22.22 10.0.0.1...
Configuring Advanced Threat Protection DHCP Snooping HP recommends running a time synchronization protocol such as SNTP ■ in order to track lease times accurately. ■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot.
Page 565
Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay information logs for <duration>. More than one DHCP client packet received on an untrusted port with a relay information field was dropped. To avoid filling the log file with repeated attempts, untrusted relay information packets will not be logged for the specified <duration>.
Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings adver- tised in the source protocol address and source physical address fields are discarded.
Page 567
During this process, if ARP packets are received at too high a line rate, some ARP packets may be dropped and will need to be retrans- mitted. The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure ■ dynamic ARP protection and to report ARP packet-forwarding status and counters.
4094; for example, 1–200. An example of the arp-protect vlan command is shown here: (config)# arp-protect vlan 1-101 HP Switch Configuring Trusted Ports In a similar way to DHCP snooping, dynamic ARP protection allows you to configure VLAN interfaces in two categories: trusted and untrusted ports. ARP packets received on trusted ports are forwarded without validation.
Page 569
Specifies a port number or a range of port numbers. Separate individual port numbers or ranges of port numbers with a comma; for example: c1-c3, c6. An example of the arp-protect trust command is shown here: (config)# arp-protect trust b1-b4, d1 HP Switch 11-19...
DHCP binding database. An example of the ip source-binding command is shown here: (config)# ip source-binding 0030c1-7f49c0 HP Switch interface vlan 100 10.10.20.1 interface A4 N o t e Note that the ip source-binding command is the same command used by the Dynamic IP Lockdown feature to configure static bindings.
MAC address and destination AMC address: (config)# arp-protect validate src-mac dest-mac HP Switch Verifying the Configuration of Dynamic ARP Protection To display the current configuration of dynamic ARP protection, including the...
Configuring Advanced Threat Protection Dynamic ARP Protection (config)# show arp-protect HP Switch ARP Protection Information Enabled Vlans : 1-4094 Validate : dest-mac, src-mac Port Trust ----- ----- Figure 11-1. The show arp-protect Command Displaying ARP Packet Statistics To display statistics about forwarded ARP packets, dropped ARP packets, MAC validation failure, and IP validation failures, enter the show arp-protect statistics <vid-range>...
The switch is dropping valid ARP packets that should be allowed. The switch is allowing invalid ARP packets that should be dropped. ■ (config)# debug arp-protect HP Switch 1. ARP request is valid "DARPP: Allow ARP request 000000-000001,10.0.0.1 for 10.0.0.2 port A1, vlan "...
Configuring Advanced Threat Protection Dynamic IP Lockdown Protection Against IP Source Address Spoofing Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD “r”...
Configuring Advanced Threat Protection Dynamic IP Lockdown The DHCP binding database allows VLANs enabled for DHCP ■ snooping to be known on ports configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are learned, a corre- sponding permit rule is dynamically created and applied to the port (preceding the final deny any vlan <VLAN_IDs>...
Configuring Advanced Threat Protection Dynamic IP Lockdown Assuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown applies the following dynamic VLAN filtering on port 5: permit 10.0.8.5 001122-334455 vlan 2 permit 10.0.8.7 001122-334477 vlan 2 permit 10.0.10.3 001122-334433 vlan 5 permit 10.0.10.1 001122-110011 vlan 5 deny any vlan 1-10...
Page 577
Configuring Advanced Threat Protection Dynamic IP Lockdown • Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. In order for Dynamic IP lockdown to work on a port, the port must be configured for at least one VLAN that is enabled for DHCP snooping.
Configuring Advanced Threat Protection Dynamic IP Lockdown Adding an IP-to-MAC Binding to the DHCP Binding Database A switch maintains a DHCP binding database, which is used for dynamic IP lockdown as well as for DHCP and ARP packet validation. The DHCP snooping feature maintains the lease database by learning the IP-to-MAC bindings of VLAN traffic on untrusted ports.
Configuring Advanced Threat Protection Dynamic IP Lockdown Adding a Static Binding To add the static configuration of an IP-to-MAC binding for a port to the lease database, enter the ip source-binding command at the global configuration level. Use the no form of the command to remove the IP-to-MAC binding from the database.
Figure 11-5. Note that the operational status of all switch ports is displayed. This information indicates whether or not dynamic IP lockdown is supported on a port. HP Switch(config)# show ip source-lockdown status Dynamic IP Lockdown (DIPLD) Information Global State: Enabled...
Configuring Advanced Threat Protection Dynamic IP Lockdown HP Switch(config)# show ip source-lockdown bindings Dynamic IP Lockdown (DIPLD) Bindings Mac Address IP Address VLAN Port Not in HW ----------- ---------- ----- ----- --------- 001122-334455 10.10.10.1 1111 005544-332211 10.10.10.2 2222 Trk11 ......
Configuring Advanced Threat Protection Dynamic IP Lockdown HP Switch(config)# debug dynamic-ip-lockdown DIPLD 01/01/90 00:01:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 1 packets DIPLD 01/01/90 00:06:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 294 packets DIPLD 01/01/90 00:11:25 : denied ip 192.168.2.100 (0)
Page 583
A source is considered “trusted” for all VLANs if it is seen on any VLAN ■ without DHCP snooping enabled. ■ On the HP switch series 5400 and 3500, dynamic IP lockdown is supported on a port configured for statically configured port-based ACLs. 11-33...
Configuring Advanced Threat Protection Using the Instrumentation Monitor Using the Instrumentation Monitor The instrumentation monitor can be used to detect anomalies caused by security attacks or other irregular operations on the switch. The following table shows the operating parameters that can be monitored at pre-deter- mined intervals, and the possible security attacks that may trigger an alert: Parameter Name Description...
Configuring Advanced Threat Protection Using the Instrumentation Monitor Operating Notes To generate alerts for monitored events, you must enable the instru- ■ mentation monitoring log and/or SNMP trap. The threshold for each monitored parameter can be adjusted to minimize false alarms (see “Configuring Instrumentation Monitor”...
Configuring Advanced Threat Protection Using the Instrumentation Monitor Configuring Instrumentation Monitor The following commands and parameters are used to configure the opera- tional thresholds that are monitored on the switch. By default, the instrumen- tation monitor is disabled. Syntax: [no] instrumentation monitor [parameterName|all] [<low|med|high|limitValue>] [log] : Enables/disables instrumentation monitoring log so that event log messages are generated every time there is an event which exceeds a configured threshold.
Examples To turn on monitoring and event log messaging with the default medium values: (config)# instrumentation monitor HP Switch To turn off monitoring of the system delay parameter: (config)# no instrumentation monitor system- HP Switch delay...
Configuring Advanced Threat Protection Using the Instrumentation Monitor Viewing the Current Instrumentation Monitor Configuration The show instrumentation monitor configuration command displays the config- ured thresholds for monitored parameters. # show instrumentation monitor configuration HP Switch PARAMETER LIMIT ------------------------- --------------- mac-address-count 1000 (med) ip-address-count...
4000m and 8000m Switches This chapter describes Traffic/Security filters on the switches covered in this guide. For information on filters for other HP switches in the above table or switches not listed here, refer to the documentation provided for those switches.
Traffic/Security Filters and Monitors Introduction Introduction Feature Default Menu WebAgent configure source-port filters none page 12-20 configure protocol filters none page 12-20 configure multicast filters none page 12-20 display filter data page 12-22 You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic.
Traffic/Security Filters and Monitors Filter Types and Operation Filter Types and Operation Table 12-1. Filter Types and Criteria Static Filter Selection Criteria Type Source-Port Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis. Multicast Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports (the default) or dropped on a per-port (destination) basis.
Traffic/Security Filters and Monitors Filter Types and Operation You can include all destination ports and trunks in the switch on a ■ single source-port filter. Each source-port filter includes: ■ One source port or port trunk (trk1, trk2, ...trkn) • •...
Traffic/Security Filters and Monitors Filter Types and Operation Port 7 Switch Server "A" Workstation " X" Port 5 Port 8 Server "B" Port 9 Server "C" Figure 12-2. Example of a Filter Blocking Traffic only from Port 5 to Server "A" This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to...
Traffic/Security Filters and Monitors Filter Types and Operation Operating Rules for Named Source-Port Filters A port or port trunk may only have one source-port filter, named or ■ not named. A named source-port filter can be applied to multiple ports or port ■...
Page 595
A named source-port filter must first be defined and configured before it can be applied. In the following example two named source-port filters are defined, web-only and accounting. (config)# filter source-port named-filter web- HP Switch only (config)# filter source-port named-filter HP Switch...
Traffic/Security Filters and Monitors Filter Types and Operation Viewing a Named Source-Port Filter You can list all source-port filters configured in the switch, both named and unnamed, and their action using the show command below. Syntax: show filter source-port Displays a listing of configured source-port filters, where each filter entry includes a Filter Name, Port List, and Action: Filter Name: The filter-name used when a named...
Page 597
Here we define and configure each of the named source-port filters for our example network in a single step. HP Switch(config)# filter source-port named-filter web-only drop 2-26 HP Switch(config)# filter source-port named-filter accounting drop 1-6,8,9,12-26 HP Switch(config)# filter source-port named-filter no-incoming-web drop 7,10,11...
Page 598
Traffic/Security Filters and Monitors Filter Types and Operation HP Switch(config)# show filter Traffic/Security Filters Indicates the port number or port- IDX Filter Type | Value trunk name of the source port or trunk --- ------------ + ------------------- assigned to the filter.
Page 599
Traffic/Security Filters and Monitors Filter Types and Operation HP Switch(config)# show filter 24 HP Switch(config)# show filter 4 Traffic/Security Filters Traffic/Security Filters Filter Type : Source Port Filter Type : Source Port Source Port : 10 Source Port : 5...
Page 600
Traffic/Security Filters and Monitors Filter Types and Operation HP Switch(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port Type | Action --------- --------- + ------------------------ 10/100TX | Forward 10/100TX | Forward 10/100TX...
Page 601
The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command. HP Switch(config)# filter source-port named-filter accounting forward 8,12,13 HP Switch(config)# filter source-port named-filter no-incoming-web drop 8,12,13 HP Switch(config)#...
Traffic/Security Filters and Monitors Filter Types and Operation HP Switch(config)# show filter source-port Traffic/Security Filters Filter Name | Port List | Action -------------------- + -------------------- + -------------------------- web-only | 2-6,9,14-26 | drop 2-26 accounting | 7-8,10-13 | drop 1-6,9,14-26 no-incoming-web...
Traffic/Security Filters and Monitors Filter Types and Operation Table 12-2. Multicast Filter Limits Max-VLANs Maximum # of Multicast Filters (Static and Setting IGMP Combined) 1 (the minimum) 8 (the default) 32 or higher N o t e s Per-Port IP Multicast Filters. The static multicast filters described in this section filter traffic having a multicast address you specify.
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Only one filter for a particular protocol type can be configured at any one time. For example, a separate protocol filter can be configured for each of the protocol types listed above, but only one of those can be an IP filter. Also, the destination ports for a protocol filter can be on different VLANs.
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port < port-number | trunk-name>] Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the source- port filter for <...
(config)# filter source-port 5 drop trk1,10-15 HP Switch Later, suppose you wanted to shift the destination port range for this filter up by two ports; that is, to have the filter drop all traffic received on port 5 with a destination of any port in the range of port 12 to port 17.
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters HP Switch(config)# filter source-port 5 drop 2 HP Switch(config)# trunk 5-6 trk1 HP Switch(config)# show filter Traffic/Security Filters IDX Filter Type | Value The *5* shows that port 5 is --- ------------ + --------------...
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Switch(config)# show filter 1 Switch(config)# show filter 1 Traffic/Security Filters Traffic/Security Filters Filter Type : Source Port Filter Type : Source Port Source Port : 8 Source Port : 8 Dest Port Type | Action Dest Port Type | Action...
A1 and A2 means you will configure two separate source-port filters. The following commands configure the filters listed above: HP Switch(config)# filter source-port a1 drop e d1-d4 HP Switch(config)# filter source-port a2 drop d1-d4 HP Switch(config)# filter multicast 010000-123456 drop e c1-c24,d5-d10...
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Displaying Traffic/Security Filters This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters. Syntax: show filter Lists the filters configured in the switch, with corresponding filter index (IDX) numbers.
Page 611
| 010000-123456 Multicast | 010000-224466 Protocol | Appletalk Protocol | ARP HP Switch(config)# show filter 4 Uses the index number (IDX) for a specific filter to list the details for that Traffic/Security Filters filter only. Filter Type : Multicast Multi-cast Addres : 010000-224466...
Page 612
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters 12-24...
Configuring Port-Based and User-Based Access Control (802.1X) Overview Feature Default Menu WebAgent Configuring Switch Ports as 802.1X Authenticators Disabled page 13-17 Configuring 802.1X Open VLAN Mode Disabled page 13-32 Configuring Switch Ports to Operate as 802.1X Supplicants Disabled page 13-50 Displaying 802.1X Configuration, Statistics, and Counters page 13-55 How 802.1X Affects VLAN Operation...
Page 614
Configuring Port-Based and User-Based Access Control (802.1X) Overview • Provision for enabling clients that do not have 802.1 supplicant soft- ware to use the switch as a path for downloading the software and initiating the authentication process (802.1X Open VLAN mode). •...
Configuring Port-Based and User-Based Access Control (802.1X) Overview 802.1X User-Based Access Control 802.1X operation with access control on a per-user basis provides client-level security that allows LAN access to individual 802.1X clients (up to 32 per port), where each client gains access to the LAN by entering valid user credentials. This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated.
Configuring Port-Based and User-Based Access Control (802.1X) Overview If the first client authenticates and opens the port, and then one or more ■ other clients connect without trying to authenticate, then the port config- uration as determined by the original RADIUS response remains unchanged and all such clients will have the same access as the authenti- cated client.
Authenticator: In HP applications, a switch that requires a supplicant to provide the proper credentials before being allowed access to the net- work.
Page 618
Configuring Port-Based and User-Based Access Control (802.1X) Terminology as defined in the EAPOL: Extensible Authentication Protocol Over LAN, 802.1X standard Friendly Client: A client that does not pose a security risk if given access to the switch and your network. MD5: An algorithm for calculating a unique digital signature over a stream of bytes.
Page 619
Configuring Port-Based and User-Based Access Control (802.1X) Terminology designate as the Unauthorized-Client VLAN.) A port configured to use a given Unauthorized-Client VLAN does not have to be statically configured as a member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN.
Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode”...
Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation N o t e The switches covered in this guide can use either 802.1X port-based authen- tication or 802.1X user-based authentication. For more information, refer to “User Authentication Methods” on page 13-2. VLAN Membership Priority Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration.
Page 622
Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation New Client Authenticated Another Assign New Client (Old) Client RADIUS- to RADIUS- Already Using Assigned Specified VLAN Port VLAN? Authorized Client VLAN Assign New Client Accept New Client VLAN Same As Old to Authorized VLAN Configured?
Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed: • Multicast and broadcast traffic is allowed on the port. •...
Page 624
Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes statically configured with any tagged VLAN memberships, any authenti- cated client configured to use these tagged VLANs will have access to them.) ■ If a port on switch “A” is configured as an 802.1X supplicant and is connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B”...
Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, HP recommends that you use a local username and password pair at least until your other security measures are in place.)
Page 626
General Setup Procedure for 802.1X Access Control Figure 13-2 shows how to configure a local operator password for 802.1X access. HP Switch(config)# password port-access user-name Jim secret3 Figure 13-2. Example of the Password Port-Access Command You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command.
Page 627
Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Determine whether to use user-based access control (page 13-3) or port- based access control (page 13-3). Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware;...
Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to the following: “802.1X User-Based Access Control”...
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators N o t e If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected.
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps: A.
This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication. HP Switch(config)# aaa port-access authenticator a10-A12 HP Switch(config)# aaa port-access authenticator a10-A12 client-limit 4 Figure 13-4. Example of Configuring User-Based 802.1X Authentication Example: Configuring Port-Based 802.1X Authentication This example enables ports A13-A15 to operate as authenticators, and then configures the ports for port-based authentication.
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 2. Reconfigure Settings for Port-Access The commands in this section are initially set by default and can be reconfig- ured as needed. Syntax: aaa port-access authenticator < port-list > [control <...
Page 634
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).
Page 635
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid <...
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator You can configure local, chap-radius or eap-radius as the primary password authentication method for the port-access method.
Configuring Switch Ports as 802.1X Authenticators For example, to enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers: HP Switch(config)# aaa authentication port-access eap-radius HP Switch(config)# show authentication Status and Counters - Authentication Information Login Attempts : 3...
The tilde (~) character is allowed in the string, for example, radius-server key hp~switch. It is not backward compatible; the “~” char- acter is lost if you use a software version that does not support the “~” character.
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentication is operating, you can use the following aaa port- access authenticator commands to reset 802.1X authentication and statistics on specified ports. Syntax: aaa port-access authenticator <...
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Prerequisite. As documented in the IEEE 802.1X standard, the disabling of incoming traffic and transmission of outgoing traffic on an 802.1X-aware egress port in an unauthenticated state (using the aaa port-access controlled- directions in command) is supported only if: The port is configured as an edge port in the network using the spanning- ■...
HP Switch(config)# aaa port-access authenticator a10 HP Switch(config)# aaa authentication port-access eap-radius HP Switch(config)# aaa port-access authenticator active HP Switch(config)# aaa port-access a10 controlled-directions in Figure 13-7. Example of Configuring 802.1X Controlled Directions Unauthenticated VLAN Access (Guest VLAN Access) When a PC is connected through an IP phone to a switch port that has been authorized using 802.1X or Web/MAC authentication, the IP phone is authen-...
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators have access to the insecure guest VLAN (unauthenticated VLAN) that has been configured for 802.1X or Web/MAC authentication. 802.1X and Web/MAC authentication normally do not allow authenticated clients (the phone) and unauthenticated clients (the PC) on the same port (unless MAC-based VLANs are enabled.
Configuring Mixed Port Access Mode Syntax: [no] aaa port-access <port-list> mixed Enables or disables guests on ports with authenticated clients. Default: Disabled; guests do not have access HP Switch(config)# aaa port-access 6 mixed Figure 13-8. Example of Configuring Mixed Port Access Mode 13-31...
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports configured to allow multiple sessions using 802.1X user-based access control, all clients must use the same untagged VLAN (unless MAC-based VLANs are enabled. Please see “MAC-Based VLANs” on page 6-51). On a given port where there are no currently active, authenticated clients, the first authenticated client determines the untagged VLAN in which the port will operate for all subsequent, overlapping client sessions.
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode N o t e After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port is a tagged member of a VLAN used for 1 or 2 listed above, then it also operates as an untagged member of that VLAN while the client is connected.
Page 647
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 13-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN •...
Page 648
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Authorized-Client VLAN • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN. Notes: If the client is running an 802.1X supplicant application when the authentication session begins, and is able to authenticate itself before the switch assigns the port to the Unauthorized-Client VLAN, then the port does not become a...
Page 649
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
Page 650
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized- These must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1X authenticator port to use them.
Page 652
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily session on untagged port VLAN moves the port to the Unauthorized-Client VLAN (also untagged).
Page 653
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of RADIUS-assigned VLAN The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN.
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Note: Limitation on Using an You can optionally enable switches to allow up to 32 clients per-port. Unauthorized-Client VLAN on an The Unauthorized-Client VLAN feature can operate on an 802.1X- 802.1X Port Configured to Allow configured port regardless of how many clients the port is configured Multiple-Client Access...
Page 655
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Statically configure an Authorized-Client VLAN in the switch. The only ■ ports that should belong to this VLAN are ports offering services and access you want available to authenticated clients. 802.1X authenticator ports do not have to be members of this VLAN.
Page 656
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Enable 802.1X authentication on the individual ports you want to serve as authenticators. (The switch automatically disables LACP on the ports on which you enable 802.1X.) On the ports you will use as authenticators with VLAN operation, ensure that the port-control parameter is set to auto (the default).
Page 657
The tilde (~) character is allowed in the string, for example, radius- server key hp~switch. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
Page 658
The switch's default VLAN is already configured with an IP address of ■ 10.28.127.100 and a network mask of 255.255.255.0 (config)# aaa authentication port-access eap-radius HP Switch Configures the switch for 802.1X authentication using an EAP-RADIUS server. (config)# aaa port-access authenticator a10-a20 HP Switch Configures ports A10 - A20 as 802.1 authenticator ports.
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode (config)# radius host 10.28.127.101 key rad4all HP Switch Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101 and an encryption key of rad4all.
Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices During an authentication session on a port in 802.1X Open VLAN mode, ■ if RADIUS specifies membership in an untagged VLAN, this assignment overrides port membership in the Authorized-Client VLAN.
Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices HP Switch(config)# aaa port-access authenticator a10 control auto HP Switch(config)# show port-access authenticator a10 config Port Access Authenticator Configuration Control mode required for Port-...
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands page 13-17 802.1X Supplicant Commands [no] aaa port-access <...
Page 663
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches • If, after the supplicant port sends the configured number of start packets, it does not receive a response, it assumes that switch “B” is not 802.1X-aware, and transitions to the authenticated state.
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. You can configure a switch port as a supplicant for a point-to-point link to an 802.1X-aware port on another switch.
Page 665
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [secret] Enter secret: < password > Repeat secret: < password > Sets the secret password to be used by the port supplicant when an MD5 authentication request is received from an authenticator.
Page 666
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches [initialize] On the specified ports, blocks inbound and outbound traf- fic and restarts the 802.1X authentication process. Affects only ports configured as 802.1X supplicants. [clear-statistics] Clears and restarts the 802.1X supplicant statistics coun- ters.
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 13-17 802.1X Supplicant Commands page 13-50 802.1X Open VLAN Mode Commands page 13-32 802.1X-Related Show Commands show port-access authenticator page 13-57 show port-access authenticator config page 13-58...
Page 668
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator [port-list] [config | statistics | session-counters | vlan | clients | clients detailed —Continued— • Untagged VLAN: VLAN ID number of the untagged VLAN used in client sessions.
Page 669
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters HP Switch(config)# show port-access authenticator Port Access Authenticator Status Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes Auth Unauth Untagged Tagged...
Page 670
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters HP Switch(config)# show port-access authenticator config Port Access Authenticator Configuration Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No | Re-auth Access...
Page 671
802.1X configuration information for ports that are not enabled as an 802.1X authenticators is not displayed. HP Switch(config)# show port-access authenticator statistics Port Access Authenticator Statistics Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No...
Page 672
<username> command (see page 13-49). 802.1X configuration information for ports that are not enabled as an 802.1X authenticators is not displayed. HP Switch(config)# show port-access authenticator session-counters Port Access Authenticator Session Counters Port-access authenticator activated [No] : Yes...
Page 673
802.1X configuration information for ports that are not enabled as an 802.1X authenticators is not displayed. HP Switch(config)# show port-access authenticator vlan Port Access Authenticator VLAN Configuration Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No...
Page 674
If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a - no info is displayed. HP Switch(config)# show port-access authenticator clients Port Access Authenticator Client Status Port Client Name...
Page 675
ACEs configured with the cnt (counter) option in an ACL assigned to the port by a RADIUS server. HP Switch(config)# show port-access authenticator clients 5 detailed Port Access Authenticator Client Status Detailed Client Base Details :...
Figure 13-19 shows related VLAN data that can help you to see how the switch is using statically configured VLANs to support 802.1X operation. HP Switch# show port-access authenticator vlan Port Access Authenticator VLAN Configuration Port-access authenticator activated [No] : Yes...
Page 677
This state is controlled by the following port-access command syntax: HP Switch(config)# aaa port-access authenticator < port-list > control < authorized | auto | unauthorized > Auto: Configures the port to allow network access to any connected device that supports 802.1X authentication and provides valid 802.1X credentials.
Page 678
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 13-2. Output for Determining Open VLAN Mode Status (Figure 13-18, Lower) Status Indicator Meaning Status Closed: Either no client is connected or the connected client has not received authorization through 802.1X authentication.
Page 679
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters HP Switch(config)# show vlan 1 Status and Counters - VLAN Information - VLAN 1 VLAN ID : 1 Name : DEFAULT_VLAN Status : Static Voice : No...
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [< port-list >] [statistics] show port-access supplicant [< port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port- list >...
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement.
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation N o t e You can use 802.1X (port-based or client-based) authentication and either Web or MAC authentication at the same time on a port, with a maximum of 32 clients allowed on the port.
Page 683
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation • If the port is assigned as a member of an untagged dynamic VLAN that was learned through GVRP, the dynamic VLAN configuration must exist on the switch at the time of authentication and GVRP- learned dynamic VLANs for port-access authentication must be enabled.
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation If this temporary VLAN assignment causes the switch to disable a different untagged static or dynamic VLAN configured on the port (as described in the preceding bullet and in “Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session”...
Page 685
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1X client requires access...
Page 686
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation HP Switch(config)# show vlan 22 Status and Counters - VLAN Information - VLAN 22 VLAN ID : 22 Name : vlan 22 Status : Static Voice : No...
Page 687
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation HP Switch(config)# show vlan 33 Status and Counters - VLAN Information - VLAN 33 VLAN ID : 33 Even though port A2 is configured as Untagged Name : VLAN_33...
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions Syntax: aaa port-access gvrp-vlans Enables the use of dynamic VLANs (learned through GVRP) in the temporary untagged VLAN assigned by a RADIUS server on an authenticated port in an 802.1X, MAC, or Web authentication session.
Page 689
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation 3. If you disable the use of dynamic VLANs in an authentication session using the no aaa port-access gvrp-vlans command, client sessions that were authenticated with a dynamic VLAN continue and are not deauthenticated.
The ports in the port list have not been enabled as 802.1X Port authenticators. Use this command to enable the ports as authenticators: HP Switch(config)# aaa port-access authenticator e 10 < port-list > Occurs when there is an attempt to change the supplicant Port is not a supplicant.
Configuring and Monitoring Port Security Overview Feature Default Menu WebAgent Displaying Current Port Security — page 14-8 Configuring Port Security disabled — page 14-12 Retention of Static Addresses — page 14-17 MAC Lockdown disabled — page 14-24 MAC Lockout disabled —...
Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction. Intruder Protection.
Configuring and Monitoring Port Security Port Security • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices.) •...
Configuring and Monitoring Port Security Port Security Feature Interactions When Eavesdrop Prevention is Disabled The following table explains the various interactions between learning modes and Eavesdrop Prevention when Eavesdrop Prevention is disabled. N o t e When the learning mode is “port-access”, Eavesdrop Prevention will not be applied to the port.
Configuring and Monitoring Port Security Port Security Physical Topology Logical Topology for Access to Switch A Switch A Switch A Port Security Port Security Configured Configured PC 1 PC 1 MAC Address MAC Address Authorized by Switch A Authorized by Switch A Switch B Switch B PC 2...
Configuring and Monitoring Port Security Port Security Planning Port Security Plan your port security configuration and monitoring according to the following: On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmit- ting to the network.) You can configure the switch to (1) send intrusion alarms to an SNMP management station and to (2) option-...
Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 14-9 show mac-address 14-10 port-security 14-12 < port-list > 14-12 learn-mode 14-12 address-limit 14-15 mac-address 14-16 action 14-16 clear-intrusion-flag 14-17 no port-security...
Page 699
• Only the specified ports with their Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses Without port parameters, displays Operating show port-security Control settings for all ports on a switch. HP Switch(config)# show port-security Port Security Port Learn Mode | Action Eavesdrop Prevention...
Page 700
Note that no spaces are allowed in the port number portion of the command string: HP Switch(config)# show port-security A1-A3,A6,A8 Listing Authorized and Detected MAC Addresses. Syntax: show mac-address [ port-list | mac-address | vlan < vid >] Without an optional parameter, show mac-address lists the authorized MAC addresses that the switch detects on all ports.
Page 701
Configuring and Monitoring Port Security Port Security Switch(config)# show mac-address Status and Counters - Port Address Table MAC Address Port VLAN ------------- ----- ---- 00000c-07ac00 7 0000aa-9c09cb 7 000102-f215c7 5 0018fe-a5e504 1 Switch(config)# show mac-address 7 Status and Counters - Port Address Table - 7 MAC Address VLANs ------------- ------------...
Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security and edit security settings. Add or delete devices from the list of authorized addresses for one or more ■ ports. Clear the Intrusion flag on specific ports ■...
Page 703
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port.
Page 704
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device to become “authorized”.
Page 705
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces.
Page 706
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) mac-address [<mac-addr>] [<mac-addr>] . . . [<mac-addr>] Available for learn-mode with the, static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the address-limit parameter.
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) clear-intrusion-flag Clears the intrusion flag for a specific port. (See “Reading Intrusion Alerts and Resetting Alert Flags” on page 14-35.) no port-security <port-list> mac-address <mac-addr> [<mac-addr> <mac-addr>] Removes the specified learned MAC address(es) from the specified port.
Page 708
1.) It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port. HP Switch(config)# port-security a1 learn-mode static action send-disable The next example does the same as the preceding example, except that it...
Page 709
Figure 14-6. Example of Adding an Authorized Device to a Port With the above configuration for port A1, the following command adds the 0c0090-456456 MAC address as the second authorized address. HP Switch(config)# port-security a1 mac-address 0c0090- 456456 After executing the above command, the security configuration for port A1...
Page 710
To add a second authorized device to port A1, execute a command port-security for port A1 that raises the address limit to 2 and specifies the additional device’s MAC address. For example: HP Switch(config)# port-security a1 mac-address 0c0090- 456456 address-limit 2 14-20...
Page 711
For example, suppose port A1 is configured as shown below and you want to remove 0c0090-123456 from the Authorized Address list: HP Switch(config)# show port-security 1 Port Security Port : 1 Learn Mode [Continuous] : Static...
Clear MAC Address Table The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: HP Switch(config)# port-security a1 address-limit 1 HP Switch(config)# no port-security a1 mac-address 0c0090-123456 The above command sequence results in the following configuration for port...
Syntax: clear mac-address vlan <vid> mac< mac-addr> Removes the specified MAC address from the specified VLAN HP Switch(config)# clear mac-address vlan 2 mac 0001e6-b197a8 Figure 14-13.Example of clearing a specific MAC Address from a specific VLAN To view the results from clearing a MAC address, use the show mac-address command with the appropriate option.
MAC Address Located on Port ------------- --------------- 00000c-07ac00 000102-03db12 0001e6-b197a8 HP Switch(config)# clear mac-address vlan 2 mac 0001e6-b197a8 HP Switch(config)# show mac-address vlan 2 Status and Counters - Address Table - VLAN 2 MAC Address Located on Port ------------- ---------------...
Page 715
Configuring and Monitoring Port Security MAC Lockdown You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID of “1”. How It Works.
Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair cannot be locked down on a different port. You cannot perform MAC Lockdown and 802.1X authentication on the same port or on the same MAC address.
Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as “meshing” or Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.
Page 719
Configuring and Monitoring Port Security MAC Lockdown Internal Server “A” Core 8212zl Switch 8212zl Switch Network There is no need to lock MAC addresses on switches in the internal core network. 3500yl Switch 3500yl Switch Network Edge Lock Server “A” to these ports.
Page 720
Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
Page 721
Configuring and Monitoring Port Security MAC Lockdown Internal Network PROBLEM: If this link fails, Server A traffic to Server A will not use the backup path via Switch 3 Switch 3 Switch 4 Server A is locked down to Switch 1, Uplink 2 Switch 2 Switch 1 External...
Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any traffic to or from the “locked-out” MAC address will be dropped. This means that all data packets addressed to or from the given address are stopped by the switch.
Page 723
Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1X authenti- cation. You cannot use MAC Lockout to lock: • Broadcast or Multicast Addresses (Switches do not learn these) • Switch Agents (The switch’s own MAC Address) A MAC address can exist on many different VLANs, so a lockout MAC address must be added to the MAC table as a drop.
Configuring and Monitoring Port Security Port Security and MAC Lockout If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file: Lockout logging format: W 10/30/03 21:35:15 maclock: module A: 0001e6-1f96c0 detected on port A15 W 10/30/03 21:35:18 maclock: module A: 0001e6-1f96c0 detected on port A15...
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Reading Intrusion Alerts and Resetting Alert Flags Notice of Security Violations When the switch detects an intrusion on a port, it sets an “alert flag” for that port and makes the intrusion information available as described below. While the switch can detect additional intrusions for the same port, it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset.
1, only the most recent entry has not been acknowledged (by resetting the alert flag). The other entries give you a history of past intrusions detected on port A1. HP Switch(config)# show port-security intrusion-log Status and Counters - Intrusion Log Port...
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Note on On a given port, if the intrusion action is to send an SNMP trap and then disable Send-Disable the port (send-disable), and an intruder is detected on the port, then the switch Operation sends an SNMP trap, sets the port’s alert flag, and disables the port.
Page 728
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags MAC Address System Time of Intrusion on Port of Intruding Device on Port A3 Indicates this intrusion on port A3 occurred prior to a reset (reboot) at the indicated time Figure 14-20.
Clear the intrusion flag on one or more specific ports. In the following example, executing show interfaces brief lists the switch’s port status, which indicates an intrusion alert on port A1. HP Switch(config)# show int brief Intrusion Alert on port B1. Status and Counters - Port Status...
Page 730
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags HP Switch(config)# show port-security intrusion-log Status and Counters - Intrusion Log MAC Address of latest Dates and Times of Intruder on Port A1 Intrusions Port MAC Address Date / Time...
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags HP Switch(config)# show interfaces brief Intrusion Alert on port A1 is now Status and Counters - Port Status cleared. | Intrusion Flow Bcast Port Type | Alert Enabled Status Mode...
Configuring and Monitoring Port Security Operating Notes for Port Security HP Switch(config)# log security Log Command Log Listing with with Security Violation Keys: W=Warning I=Information “security” for Detected M=Major D=Debug E=Error Search String ---- Event Log listing: Events Since Boot...
Page 733
LACP configuration, displays a notice that LACP is disabled on the port(s), and enables port security on that port. For example: HP Switch(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s).
Page 734
Configuring and Monitoring Port Security Operating Notes for Port Security 14-44...
Using Authorized IP Managers Overview Authorized IP Manager Features Feature Default Menu WebAgent Listing (Showing) Authorized page 15-5 page 15-6 page 15-9 Managers Configuring Authorized IP None page 15-5 page 15-6 page 15-9 Managers Building IP Masks page 15-11 page 15-11 page 15-11 Operating and Troubleshooting page 15-14 page 15-14 page 15-14 Notes...
Page 736
Using Authorized IP Managers Overview N o t e When no Authorized IP manager rules are configured, the access method feature is disabled, that is, access is not denied. 15-2...
Using Authorized IP Managers Options Options You can configure: ■ Up to 100 authorized manager addresses, where each address applies to either a single management station or a group of stations Manager or Operator access privileges ■ C a u t i o n Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port.
Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations Authorizing Single Stations: The table entry authorizes a single man- ■ agement station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Autho- rized Manager IP column, and leave the IP Mask set to 255.255.255.255.
Only IPv4 is supported when using the menu to set the management access method. From the console Main Menu, select: 2. Switch Configuration … 6. IP Authorized Managers HP Switch 22-Apr-2008 20:17:53 ==========================- CONSOLE - MANAGER MODE -============================ Switch Configuration - IP Managers...
Using Authorized IP Managers Defining Authorized Management Stations HP Switch 22-Apr-2008 20:17:53 ==========================- CONSOLE - MANAGER MODE -============================ Switch Configuration - IP Managers Enter an Authorized Manager IP address here. Authorized Manager IP: 10.10.245.3 Use the default mask to allow access by one IP Mask [255.255.255.255]:255.255.255.255...
Configures access levels by access method and IP address. Each management method can have its own set of authorized managers. Default: all HP Switch(config)# ip authorized-managers 10.10.10.2 255.255.255.255 manager access-method ssh Figure 15-4. Example of Configuring IP Authorized Manager Access Method SSH 15-7...
Page 742
Similarly, the next command authorizes manager-level access for any station having an IP address of 10.28.227.101 through 103: HP Switch(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager If you omit the < mask bits > when adding a new authorized manager, the switch automatically uses 255.255.255.255.
Using Authorized IP Managers WebAgent: Configuring IP Authorized Managers WebAgent: Configuring IP Authorized Managers In the WebAgent you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: In the navigation tree, click on Security. Click on IP Authorization.
Using Authorized IP Managers WebAgent: Configuring IP Authorized Managers Web Proxy Servers If you use the WebAgent to access the switch from an authorized IP manager station, it is highly recommended that you avoid using a web proxy server in the path between the station and the switch.
Using Authorized IP Managers Building IP Masks Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network. Configuring One Station Per Authorized Manager IP Entry This is the easiest way to apply a mask.
Page 746
Using Authorized IP Managers Building IP Masks in the octet are “on”) means only one value is allowed for that octet—the value you specify in the corresponding octet of the Authorized Manager IP list. A “0” (all bits in the octet are “off”) means that any value from 0 to 255 is allowed in the corresponding octet in the IP address of an authorized station.
Using Authorized IP Managers Building IP Masks Figure 15-8. Example of How the Bitmap in the IP Mask Defines Authorized Manager Addresses 4th Octet of IP Mask: 4th Octet of Authorized IP Address: Bit Numbers Bit Bit Values 4th Octet of Bits 1 and 2 in the mask are “off”, and bits 0 and 3 IP Mask (249) - 7 are “on”, creating a value of 249 in the 4th octet.
Using Authorized IP Managers Operating Notes Operating Notes ■ Network Security Precautions: You can enhance your network’s secu- rity by keeping physical access to the switch restricted to authorized personnel, using the password features built into the switch, using the additional security features described in this manual, and preventing unauthorized access to data on your management stations.
Key Management System Overview The switches covered in this guide provide support for advanced routing capabilities. Security turns out to be extremely important as complex net- works and the internet grow and become a part of our daily life and business. This fact forces protocol developers to improve security mechanisms employed by their protocols, which in turn becomes an extra burden for system administrators who have to set up and maintain them.
Key Management System Terminology Terminology ■ Key Chain: A key or set of keys assigned for use by KMS-enabled protocols. A key chain may optionally contain the time to activate and deactivate a particular key. Time-Independent Key: A key that has no activate or deactivate ■...
32 characters. show key-chain Displays the current key chains on the switch and their overall status. For example, to generate a new key chain entry: HP Switch(config)# key-chain Networking1 Add new key chain HP Switch(config)# show key-chain Entry Key Chains Display key chain entries.
< chain_name >. For example, to generate a new time-independent key for the Networking1 key chain entry: HP Switch(config)# key-chain Networking1 key 1 Adds a new Time-Independent HP Switch(config)# show key-chain Networking1 key to the “Networking1” chain.
Key Management System Configuring Key Chain Management Assigning Time-Dependent Keys to a Chain A time-dependent key has Accept or Send time constraints. It is valid only during the times that are defined for the key . If a time-dependent key is used, there is usually more than one key in the key chain entry.
Page 754
Management and Configuration Guide for your switch. For example, to add a number of keys to the key chain entry “Networking2”: HP Switch(config)# key-chain Networking2 key 1 accept-1ifetime now 06/17/11 8:00:00 Adds a key with...
Page 760
control bits, TCP … 10-69 use … 10-13 copy operation appends … 10-108 features, common to all … 10-22 counter on multiple interfaces … 10-124 filter rule when RACL, VACL, and/or port ACL all create, CLI method … 10-48 apply … 10-20 DA, defined …...
Page 762
caution … 10-31 to/from the switch … 10-35 sequence number … 10-12, 10-87 types filtered … 10-2 interval … 10-75 traffic types filtered … 10-29 out-of-range … 10-88 troubleshooting … 10-117 use to delete ACE … 10-90 troubleshooting client authentication … 7-21 use to insert ACE …...
Page 763
user-based security … 10-19 effect of duplicate IP addresses … 15-14 ACLs IP mask for multiple stations … 15-11 See also RADIUS-assigned ACLs. IP mask for single station … 15-11 address IP mask operation … 15-4 authorized for port security … 14-3 manager, operator …...
Page 764
RADIUS operation … 3-3 See RADIUS. options … 3-3 saving security credentials in multiple penalty period, throttling … 3-11 files … 2-27 port setting change, effect … 3-6 reboot, effect … 3-6 See SSH. recommended application … 3-1 storage of security credentials re-enable blocked host …...