HP Switch Software
Access Security Guide
3500 switches
3500yl switches
5400zl switches
6200yl switches
6600 switches
8200zl switches
Software version K.15.06
September 2011



   Summary of Contents for HP 3500yl Series

  • Page 1 HP Switch Software Access Security Guide 3500 switches 3500yl switches 5400zl switches 6200yl switches 6600 switches 8200zl switches Software version K.15.06 September 201 1...
  • Page 3 HP Networking 3500 Switches 3500yl Switches 5400zl Switches 6200yl Switch 6600 Switches 8200zl Switches September 2011 K.15.06 Access Security Guide...
  • Page 4 Software Credits and Notices. SSH on HP switches is based on the OpenSSH software toolkit. This product includes software developed by the OpenSSH Project for use in the OpenSSH Toolkit. HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS...
  • Page 5 Software End User License Agreement and Hardware Limited Warranty For the software end user license agreement and the hardware limited warranty information for HP Networking products, visit www.hp.com/networking/support. Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 www.hp.com/networking/support...
  • Page 7: Table Of Contents

    Dynamic Configuration Arbiter ....... 1-15 HP E-Network Immunity Manager ......1-16 Arbitrating Client-Specific Attributes .
  • Page 8 CLI: Setting Passwords and Usernames ......2-6 Setting an Encrypted Password ....... 2-9 WebAgent: Setting Passwords and Usernames .
  • Page 9 Restoring the Factory Default Configuration ....2-36 Configuring Front-Panel Security ......2-37 Disabling the Clear Password Function of the Clear Button .
  • Page 10 Configuring a Connection-Rate ACL Using Source IP Address Criteria ........3-20 Configuring a Connection-Rate ACL Using UDP/TCP Criteria .
  • Page 11 Customizable HTML Templates ......4-34 Configuring MAC Authentication on the Switch ....4-48 Overview .
  • Page 12 Configuring the TACACS+ Server for Single Login ....5-12 Configuring the Switch’s TACACS+ Server Access ....5-17 How Authentication Operates .
  • Page 13 Cached Reauthentication ........6-28 Timing Considerations .
  • Page 14 RADIUS Client and Server Requirements ....7-1 Optional HP PCM+ and IDM Network Management Applications ....... . . 7-2 RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting .
  • Page 15 Example Using HP VSA 63 To Assign IPv6 and/or IPv4 ACLs . . 7-30 Example Using HP VSA 61 To Assign IPv4 ACLs ... . 7-33 Configuration Notes ........7-35 Configuring the Switch To Support RADIUS-Assigned ACLs .
  • Page 16 SSH Client and Secure Sessions ....... 8-31 Opening a Secure Session to an HP Switch ..... 8-32 Operating Notes .
  • Page 17 Generate a CA-Signed server host certificate with the WebAgent ..........9-13 3.
  • Page 18 Guidelines for Planning the Structure of a Static ACL ... 10-31 IPv4 ACL Configuration and Operating Rules ....10-32 How an ACE Uses a Mask To Screen Packets for Matches .
  • Page 19 Filtering Inbound IPv4 Traffic Per Port ..... . . 10-83 Classifier-Based Rate-Limiting with RL-PACLs ....10-84 Deleting an ACL .
  • Page 20 IPv4 Counter Operation with Multiple Interface Assignments ......... 10-124 General ACL Operating Notes .
  • Page 21 Potential Issues with Bindings ......11-28 Adding a Static Binding ....... . . 11-29 Verifying the Dynamic IP Lockdown Configuration .
  • Page 22 Filter Indexing ..........12-21 Displaying Traffic/Security Filters .
  • Page 23 7. Optional: Configure 802.1X Controlled Directions ... . 13-27 Wake-on-LAN Traffic ........13-28 Operating Notes .
  • Page 24 14 Configuring and Monitoring Port Security Overview ........... . 14-1 Port Security .
  • Page 25 15 Using Authorized IP Managers Overview ........... . 15-1 Options .
  • Page 27: Product Documentation

    Electronic Publications The latest version of each of the publications listed below is available in PDF format on the HP Networking web site, as described in the Note at the top of this page. ■ Installation and Getting Started Guide—Explains how to prepare for and perform the physical installation and connect the switch to your network.
  • Page 28: Software Feature Index

    Intelligent Edge Software Features. These features are automatically included on all switches. Premium License Software Features. For the HP 3500, 3500yl, 5400zl, 6600, and 8200zl switches, Premium License features can be acquired by purchasing the optional Premium License and installing it on the Intelligent Edge version of these switches.
  • Page 29 Software Feature Index table. Columns: Intelligent Edge Software Features; Manual (Management and Configuration Guide, Advanced Traffic Management Guide, Multicast and Routing Guide, Access Security Guide, IPv6 Configuration Guide, Basic Operation Guide). Features listed on this page: Access Control Lists (ACLs); Access Control Lists (ACLs) (IPv6); AAA Authentication; Authorized IP Managers; Authorized IP Managers (IPv6); Authorized Manager List (Web, Telnet, TFTP)
  • Page 30 Software Feature Index table (continued, same columns). Features listed: Dynamic ARP Protection; Dynamic Configuration Arbiter; Dynamic IP Lockdown; Eavesdrop Protection; PCM/PCM+; Equal Cost Multi-Path (ECMP); Event Log; Factory Default Settings; Flow Control (802.3x)
  • Page 31 Software Feature Index table (continued, same columns). Features listed: Key Management System (KMS); LACP; LLDP; LLDP-MED; Loop Protection; MAC Address Management; MAC Lockdown; MAC Lockout; MAC-based Authentication; Management VLAN; Management Security (IPv6)
  • Page 32 Software Feature Index table (continued, same columns). Features listed: Ping; Policy-based Routing (PBR); Port Configuration; Port Monitoring; Port Security; Port Status; Port Trunking (LACP); Port-Based Access Control (802.1X); Power over Ethernet (PoE and PoE+)
  • Page 33 Software Feature Index table (continued, same columns). Features listed: Secure FTP (IPv6); sFlow; SFTP; SNMPv3; SNMP (IPv6); Software Downloads (SCP/SFTP, TFTP, Xmodem); Source-Port Filters; Spanning Tree (STP, RSTP, MSTP); SSHv2 (Secure Shell)
  • Page 34 Software Feature Index table (continued, same columns). Features listed: Tunneling (6in4); Uni-Directional Link Detection (UDLD); UDP Forwarder; USB Device Support; Virus Throttling (Connection-Rate Filtering); VLANs; VLAN Mirroring (1 static VLAN); Voice VLAN...
  • Page 35: Security Overview

    For detailed information on individual features, see the references provided. Before you connect your switch to a network, HP strongly recommends that you review the section titled “Getting Started with Access Security” on page 1-9.
  • Page 36: Access Security Features

    Access Security Features. This section provides an overview of the switch’s access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter and page references are to this Access Security Guide unless a different manual name is indicated).
  • Page 37 Feature: Telnet and Web-browser access. Default Setting: enabled. Security Guidelines: The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. More Information and Configuration Details: “Quick Start: Using the Management Interface...
  • Page 38 Feature: Secure Management VLAN. Default Setting: disabled. Security Guidelines: This feature creates an isolated network for managing the HP switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface, and WebAgent access is restricted to ports configured as... More Information and Configuration Details: Advanced Traffic Management Guide, refer to the chapter “Static Virtual LANs (VLANs)”...
  • Page 39 • port-based access control allowing authentication by a single client to open the port • switch operation as a supplicant for point-to-point connections to other 802.1X-compliant HP switches. Feature: Web and MAC authentication. Default Setting: none. Security Guidelines: These options are designed for application on the edge... More Information and Configuration Details: Chapter 4, “Web and MAC...
  • Page 40: Network Security Features

    “Using Secure Copy and SFTP”. Feature: USB Autorun. Default Setting: enabled (disabled once a...). Security Guidelines: Used in conjunction with HP PCM+, this feature allows diagnosis and automated updates to the switch via the USB flash drive. More Information and Configuration Details: Management and Configuration Guide, ...
  • Page 41 Feature: Access Control Lists (ACLs). Default Setting: none. Security Guidelines: ACLs can filter traffic to or from a host, a group of hosts, or entire subnets. Layer 3 IP filtering with Access Control... More Information and Configuration Details: Chapter 10, “IPv4 Access Control Lists (ACLs)”...
  • Page 42 Feature: Key Management System (KMS). Default Setting: none. Security Guidelines: KMS is available in several HP switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. More Information and Configuration Details: Chapter 16, “Key Management System”.
  • Page 43: Getting Started With Access Security

    Getting Started with Access Security Getting Started with Access Security HP switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network...
  • Page 44: Quick Start: Using The Management Interface Wizard

    Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following: ■ Disable or re-enable the password-clearing function of the Clear button. ■...
  • Page 45: CLI: Management Interface Wizard

    Security Overview Getting Started with Access Security CLI: Management Interface Wizard To configure security settings using the CLI wizard, follow the steps below: At the command prompt, type setup mgmt-interfaces. The welcome banner appears and the first setup option is displayed (Operator password).
  • Page 46: WebAgent: Management Interface Wizard

    Security Overview Getting Started with Access Security When you enter the wizard, you have the following options: • To update a setting, type in a new value, or press [Enter] to keep the current value. • To quit the wizard without saving any changes, press [CTRL-C] at any time.
  • Page 47: SNMP Security Guidelines

    1 and 2c compatibility, which uses plain text and does not provide security options. HP recommends that you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation).
  • Page 48 authentication configuration (hpSwitchAuth). This means that the switch’s default configuration now allows SNMP access to security settings in hpSwitchAuth. Note on SNMP Access to Authentication...: Downloading and booting from the K.12.xx or greater software version for the first time enables SNMP access to the authentication configuration MIB (the...
  • Page 49: Precedence Of Security Options

    Precedence of Security Options. This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch. Precedence of Port-Based Security Options: Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection) model precedence of the individual options, from the lowest to the highest.
  • Page 50: HP E-Network Immunity Manager

    HP E-Network Immunity Manager HP E-Network Immunity Manager (NIM) is a plug-in to HP PCM+ and a key component of the HP E-Network Immunity security solution that provides comprehensive detection and per-port-response to malicious traffic at the HP network edge.
  • Page 51: Arbitrating Client-specific Attributes

    Precedence is always given to the temporarily applied NIM-configured parameters over RADIUS-assigned and locally configured parameters. For information on HP E-Network Immunity Manager, go to the HP Networking web site at www.hp.com/solutions, click on Security, and then click on Security Products.
  • Page 52 Security Overview Precedence of Security Options 802.1X authentication b. Web or MAC authentication Statically (local) configured Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
  • Page 53 ■ RADIUS-assigned CoS, rate-limiting, and ACLs: “Configuring RADIUS Server Support for Switch Services” on page 7-1. ■ Statically (local) configured: “Configuring Username and Password Security” on page 2-1.
  • Page 54: HP PMC Identity Driven Manager (IDM)

    HP PMC Identity Driven Manager (IDM). HP PMC IDM is a plug-in to HP PCM+ and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.
  • Page 55: Configuring Username And Password Security

    Configuring Username and Password Security Overview Feature Default Menu WebAgent Set Usernames none — — page 2-10 Set a Password none page page 2-6 page 2-10 Delete Password Protection page page 2-7 page 2-10 show front-panel-security — page 1-13 — front-panel-security —...
  • Page 56 Beginning with software release K.14.01, usernames and passwords for Manager and Operator access can also be configured using the Management Interface Wizard. For more information, refer to “Quick Start: Using the Management Interface Wizard” on page 1-10. Level Actions Permitted Manager:...
  • Page 57 ■ Menu Interface: System Information screen (Select “2. Switch Configuration”.) ■ CLI: Use the console inactivity-timer < 0 | 1 | 5 | 10 | 15 | 20 | 30 | 60 | 120 > ■...
  • Page 58: Configuring Local Password Security

    Configuring Local Password Security. Menu: Setting Passwords. As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the WebAgent. From the Main Menu select: 3.
  • Page 59 To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
  • Page 60: CLI: Setting Passwords And Usernames

    (up to 64 characters). The default type is plaintext, which is also the only type accepted for the port-access parameter. • Password entries appear as asterisks. • You must type the password entry twice. HP Switch(config)# password manager New password: ******* Please retype new password: *******
  • Page 61 (This command also clears the username associated with a password you are removing.) For example, to remove the Operator password (and username, if assigned) from the switch, you would do the following: HP Switch(config)# no password Password protection will be deleted, do you want to continue [y/n]? y HP Switch(config)#...
  • Page 62 Configuring Username and Password Security Configuring Local Password Security The SPACE character is allowed to form a username or password pass-phrase. The username must be in quotes, for example “The little brown fox”. A space is not allowed as part of a username without the quotes. A password that includes a space or spaces should not have quotes.
  • Page 63: Setting An Encrypted Password

    Execute the CLI command no password all. This clears all the passwords. Then execute a CLI write memory command (required if the include-credentials feature has ever been enabled). HP Switch(config)# no password all Password protections will be deleted, do you want to continue [y/n]? y HP Switch(config)# write mem Clear the password by using the "Clear"...
  • Page 64: WebAgent: Setting Passwords And Usernames

    WebAgent: Setting Passwords and Usernames. In the WebAgent you can enter passwords and (optional) usernames. See the WebAgent Online Help for detailed information.
  • Page 65: Saving Security Credentials In A Config File

    By permanently saving a switch’s security credentials in a configuration file, you can upload the file to a TFTP server or Xmodem host, and later download the file to the HP switches on which you want to use the same security settings without having to manually configure the settings (except for SNMPv3 user parameters) on each switch.
  • Page 66: Enabling The Storage And Display Of Security Credentials

    ■ By storing different security settings in different files, you can test different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot the switch.
  • Page 67: Security Settings That Can Be Saved

    Configuring Username and Password Security Saving Security Credentials in a Config File radius-tacacs-only: When executed with the radius-tacacs-only option, only the RADIUS and TACACS security keys are included in the configuration when saving files remotely. The radius-tacacs-only option can be disabled with either command: no include-credentials no include-credentials radius-tacacs-only store-in-config: Stores passwords and SSH authorized keys in the...
  • Page 68: No Include-credentials Store-in-config Option

    Configuring Username and Password Security Saving Security Credentials in a Config File HP Switch(config)# include-credentials **** CAUTION **** You have invoked the command 'include-credentials'. This action will make changes to the password and SSH public-key storage. It will affect *all* stored configurations, which might need to be updated.
  • Page 69: Local Manager And Operator Passwords

    Configuring Username and Password Security Saving Security Credentials in a Config File HP Switch(config)# no include-credentials store-in-config This will remove any switch passwords and inactive SSH authorized keys from all configuration files. This will also restore the functionality to store only a single set of passwords and authorized keys on the switch.
  • Page 70: Password Command Options

    Use the write memory command to save the password configurations in the startup-config file. The passwords take effect when the switch boots with the software version associated with that configuration file. Caution: If a startup configuration file includes other security credentials, but does not contain a manager or operator password, the switch will not have password...
  • Page 71: SNMP Security Credentials

    Configuring Username and Password Security Saving Security Credentials in a Config File SNMP Security Credentials SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-credentials command. In addition, the following SNMPv3 security parameters are also saved: snmpv3 user “<name>"...
  • Page 72: 802.1X Port-Access Credentials

    802.1X Port-Access Credentials. 802.1X authenticator (port-access) credentials can be stored in a configuration file. 802.1X authenticator credentials are used by a port to authenticate supplicants requesting a point-to-point connection to the switch. 802.1X supplicant credentials are used by the switch to establish a point-to-point connection to a port on another 802.1X-aware switch.
  • Page 73: RADIUS Shared-Secret Key Authentication

    TACACS+ shared secret (encryption) keys can be saved in a configuration file by entering this command: HP Switch(config)# tacacs-server key <keystring> The option <keystring> is the encryption key (in clear text) used for secure communication with all or a specific TACACS+ server.
  • Page 74: Include-credentials Radius-tacacs-only Option

    Configuring Username and Password Security Saving Security Credentials in a Config File Include-Credentials Radius-Tacacs-Only Option This option allows you to execute include-credentials for only RADIUS and TACACS. The radius-tacacs-only option does not cause the switch to store authentication passwords and SSH keys in the configuration file. Syntax: [no] include-credentials [radius-tacacs-only | store-in-config] Enables the inclusion of passwords and security credentials in each configuration file when the file is saved onto a remote server...
  • Page 75: SSH Client Public-Key Authentication

    Figure 2-8. Example of Caution Message Displayed for radius-tacacs-only Option. SSH Client Public-Key Authentication: Secure Shell version 2 (SSHv2) is used by HP switches to provide remote access to SSH-enabled management stations. Although SSH provides Telnet-like functions, unlike Telnet, SSH provides encrypted, two-way authenticated transactions.
  • Page 76 keystring: a legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single quoted token. If the keystring contains double-quotes, it can be quoted with single quotes ('keystring').
  • Page 77 AAAAB3NzaC1yc2EAAABIwAAAIEA1Kk9sVQ9LJOR6XO/hCMPxbiMNOK8C/ay \ +SQ10qGw+K9m3w3TmCfjh0ud9hivgbFT4F99AgnQkvm2eVsgoTtLRnfF7uw \ NmpzqOqpHjD9YzItUgSK1uPuFwXMCHKUGKa+G46A+EWxDAIypwVIZ697QmM \ qPFj1zdI4sIo5bDett2d0= joe@hp.com” Figure 2-9. Example of SSH Public Keys If a switch configuration contains multiple SSH client public keys, each public key is saved as a separate entry in the configuration file. You can configure up to ten SSH client public-keys on a switch.
  • Page 78: Displaying The Status Of Include-credentials On The Switch

    SSH keys for the switch. Enabled in Active Configuration: Include-credentials is either enabled or disabled. RADIUS/TACACS only: Displayed when the option is configured. HP Switch(config)# show include-credentials Stored in Configuration : Yes Enabled in Active Configuration : N/A...
  • Page 79: Storage States When Using Include-credentials

    Configuring Username and Password Security Saving Security Credentials in a Config File Storage States When Using Include-Credentials The following table shows the states of several access types when the factory default settings are in effect or when include-credentials is enabled or not enabled.
  • Page 80: Operating Notes

    Operating Notes. Caution: ■ When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file.
  • Page 81 Configuring Username and Password Security Saving Security Credentials in a Config File • copy config <source-filename> config <target-filename>: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot.
  • Page 82: Restrictions

    Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command: ■ The private keys of an SSH host cannot be stored in the running configuration.
  • Page 83: Encrypting Credentials In The Configuration File

    When the encrypt-credentials feature is enabled, the affected credentials will be encrypted using aes-256-cbc encryption. By default, a fixed, hard-coded 256-bit key that is common to all HP networking devices is used. This allows transfer of configurations with all relevant credentials and provides much more security than plaintext passwords in the configuration.
  • Page 84: Enabling Encrypt-credentials

    If specified with pre-shared-key option, clears the pre- shared-key used to encrypt credentials. pre-shared-key: When specified, sets the pre-shared-key that is used for all AES encryption. If no key is set, an HP switch default AES key is used. Default: HP switch default AES key plaintext: Set the key using plaintext.
  • Page 85: Displaying The State Of Encrypt-credentials

    Save config and continue [y/n]? y Figure 2-11. Example of Enabling encrypt-credentials with Caution Message HP Switch(config)# encrypt-credentials pre-shared-key plaintext SecretKey1 Save config and continue [y/n]? y Figure 2-12. Example of Creating a pre-shared-key in Plaintext...
  • Page 86: Affected Commands

    Existing Command -> New Equivalent Option: HP Switch(config)# radius-server key secret1 -> HP Switch(config)# radius-server encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= ; HP Switch(config)# radius-server host 10.0.0.1 key secret1 -> HP Switch(config)# radius-server host 10.0.0.1 encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= ; HP Switch(config)# tacacs-server key secret1 -> HP Switch(config)# tacacs-server encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA= ; HP Switch(config)# tacacs-server host 10.0.0.1 key secret1 -> HP Switch(config)# tacacs-server host 10.0.0.1...
  • Page 87: Important Operating Notes

    ■ HP recommends that when executing an “encrypted-<option>” command, you copy and paste the encrypted parameter from a known encrypted password that has been generated on the same switch or another switch with the same pre-shared key (whether user-specified or a default key).
  • Page 88: Front-panel Security

    Front-Panel Security. The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together).
  • Page 89: Front-panel Button Functions

    Clear Button, Reset Button. Figure 2-16. Front-Panel Button Locations on an HP Switch E8212zl. Clear Button: Pressing the Clear button alone for one second resets the password(s) configured on the switch.
  • Page 90: Reset Button

    Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-18. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.
  • Page 91: Configuring Front-panel Security

    Configuring Username and Password Security Front-Panel Security Reset Clear Test When the Test LED to the right of the Clear button begins flashing, release the Clear button. Reset Clear Test It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings.
  • Page 92 • Modify the operation of the Reset+Clear combination (page 2-36) so that the switch still reboots, but does not restore the switch’s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.) •...
  • Page 93 For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings. HP Switch(config)# show front-panel-security Clear Password - Enabled Reset-on-clear - Disabled...
  • Page 94: Disabling The Clear Password Function Of The Clear Button

    Clear button, type ; otherwise type . For example: HP Switch(config)# no front-panel-security password-clear **** CAUTION **** Disabling the clear button prevents switch passwords from being easily reset or recovered. Ensure that you are familiar with the front panel security options before proceeding.
  • Page 95: Re-enabling The Clear Button And Setting Or Changing The "reset-on-clear" Operation

    Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. •...
  • Page 96: Changing The Operation Of The Reset+clear Combination

    Switch(config)# show front-panel-security (shows password-clear disabled): Clear Password - Disabled; Factory Reset - Enabled; Password Recovery - Enabled. Switch(config)# no front-panel-security password-clear reset-on-clear (enables password-clear, with reset-on-clear disabled by the “no” statement at the beginning of the command). Switch(config)# show front-panel-security Clear Password...
  • Page 97 The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. HP Switch(config)# no front-panel-security factory-reset **** CAUTION **** Disabling the factory reset option prevents switch configuration and passwords from being easily reset or recovered.
  • Page 98: Password Recovery

    Recovery requires: ■ password-recovery enabled (the default) on the switch prior to an attempt to recover from a lost username/password situation; ■ Contacting your HP Customer Care Center to acquire a one-time-use password. Disabling or Re-Enabling the Password Recovery...
  • Page 99 Caution: Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and password on the switch. In this event, there is no way to recover from a lost manager username/password situation without resetting the switch to its factory-default configuration.
  • Page 100: Password Recovery Process

    If you have lost the switch’s manager username/password, but password-recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by HP. If you have disabled password-recovery, which locks out the ability to recover a...
  • Page 101 Note: The alternate password provided by the HP Customer Care Center is valid only for a single login attempt. You cannot use the same “one-time-use” password if you lose the password a second time. Because the password algorithm is randomized based upon your switch's MAC address, the password will change as soon as you use the “one-time-use”...
  • Page 103: Virus Throttling (connection-rate Filtering)

    Virus Throttling (Connection-Rate Filtering) Overview of Connection-Rate Filtering
    Feature                                   Default    Page Ref
    Global Configuration and Sensitivity      Disabled   3-10
    Per-Port Configuration                    None       3-11
    Listing and Unblocking Blocked Hosts                 3-16
    Viewing the Current Configuration                    3-14
    Configuring Connection-Rate ACLs          None       3-18
    The spread of malicious agents in the form of worms exhibiting worm behavior has severe implications for network performance.
  • Page 104: Features And Benefits

    ...connection-rate filtering can help reduce the impact of worm-like malicious code and give system administrators more time to isolate and eradicate the threat. Thus, while traditional worm and virus-signature updates will still need to be deployed to hosts, the network remains functional and the overall distribution of the malicious code is limited.
  • Page 105: General Operation

    Figure 3-1 (callouts): an Event Log message reports the high connection-rate traffic (characteristic of worm attacks) detected on the edge port connected to device D; the HP switch has connection-rate filtering configured and the block spreading option enabled; the port is blocked; device D is infected with worm-like malicious code.
  • Page 106: Sensitivity To Connection Rate Detection

    Notify only (of potential attack): While the apparent attack continues, the switch generates an Event Log notice identifying the offending host’s source IP address and (if a trap receiver is configured on the switch) a similar SNMP trap notice.
  • Page 107: Operating Rules

    Connection-Rate ACLs. The basic connection-rate filtering policy is configured per-port as notify-only, throttle, and block. A connection-rate ACL creates exceptions to these per-port policies by creating special rules for individual hosts, groups of hosts, or entire subnets. Thus, you can adjust a connection-rate filtering policy to create and apply an exception to configured filters on the ports in a VLAN.
  • Page 108: Unblocking A Currently Blocked Host

    Unblocking a Currently Blocked Host: A host blocked by connection-rate filtering remains blocked until explicitly unblocked by one of the following methods: ■ Using the connection-rate-filter unblock command (page 3-16). ■ Rebooting the switch. ■ Disabling connection-rate filtering using the no connection-rate-filter...
  • Page 109: General Configuration Guidelines

    Virus Throttling (Connection-Rate Filtering) General Configuration Guidelines: As stated earlier, connection-rate filtering is triggered only by inbound IP traffic generating a relatively high number of new IP connection requests from the same host. For a network that is relatively attack-free: Enable notify-only mode on the ports you want to monitor.
  • Page 110: For A Network That Appears To Be Under Significant Attack

    Note: On a given VLAN, to unblock the hosts that have been blocked by the connection-rate feature, use the vlan < vid > connection-rate-filter unblock command. Maintain a practice of carefully monitoring the Event Log or configured trap receivers for any sign of high connectivity-rate activity that could indicate an attack by malicious code.
  • Page 111: Configuring Connection-rate Filtering

    Virus Throttling (Connection-Rate Filtering) Configuring Connection-Rate Filtering
    Command                                                                    Page
    Global and Per-Port Configuration
    connection-rate-filter sensitivity < low | medium | high | aggressive >    3-10
    filter connection-rate < port-list > < notify-only | throttle | block >    3-11
    show connection-rate-filter <...
  • Page 112: Enabling Connection-rate Filtering And Configuring

    Enabling Connection-Rate Filtering and Configuring Sensitivity Syntax: connection-rate-filter sensitivity < low | medium | high | aggressive > no connection-rate-filter This command: • Enables connection-rate filtering. • Sets the global sensitivity level at which the switch interprets a given host’s attempts to connect to a series of different devices as a possible attack by a malicious agent residing in the host.
  • Page 113: Configuring The Per-port Filtering Mode

    Configuring the Per-Port Filtering Mode Syntax: filter connection-rate < port-list > < notify-only | throttle | block > no filter connection-rate < port-list > Configures the per-port policy for responding to detection of a relatively high number of inbound IP connection attempts from a given source.
  • Page 114: Example Of A Basic Connection-rate Filtering Configuration

    Example of a Basic Connection-Rate Filtering Configuration. Figure 3-2. Sample Network (HP Switch connected to switches and servers on VLAN 1 at 15.45.100.1, VLAN 10 at 15.45.200.1 and VLAN 15 at 15.45.300.1, plus the company intranet). Basic Configuration. Suppose that in the sample network, the administra-...
  • Page 115 HP Switch(config)# filter connection-rate b1-b3 throttle the sensitivity to “low”. HP Switch(config)# filter connection-rate b4 notify-only HP Switch(config)# filter connection-rate b9, d1-d2 block HP Switch(config)# write mem HP Switch(config)# show config Startup configuration : J8697A Configuration Editor; Created on release #K.15.XX hostname “HP Switch”...
  • Page 116: Viewing And Managing Connection-rate Status

    Displays the current global connection-rate status (enabled/disabled) and sensitivity setting, and the current per-port configuration. This command does not display the current (optional) connection-rate ACL configuration, if any. HP Switch(config)# show connection-rate-filter Connection Rate Filter Configuration Global Status: Enabled Sensitivity:...
  • Page 117 (page 3-18), use show config (for the startup-config file) or show running (for the running-config file). For example (the entry shows that connection-rate filtering is enabled and set to “medium” sensitivity): HP Switch(config)# show config Startup configuration ; J8697A Configuration Editor; Created on...
  • Page 118: Listing Currently-blocked Hosts

    Lists, by VLAN membership, the hosts currently in a throttling state due to connection-rate action. blocked-hosts: Lists, by VLAN membership, the hosts currently blocked by connection-rate action. HP Switch(config)# show connection-rate-filter all-hosts VLAN ID | Source IP Address | Filter Mode -------------+-------------------+------------ | 13.28.234.175...
  • Page 119 Src IP xxx.xxx.xxx.xxx blocked Note HP recommends that, before you unblock a host that has been blocked by connection-rate filtering, you inspect the host with current antivirus tools and remove any malicious agents that pose a threat to your network.
  • Page 120: Configuring And Applying Connection-rate Acls

    Virus Throttling (Connection-Rate Filtering) Configuring and Applying Connection-Rate ACLs
    Command                                                                    Page
    ip access-list connection-rate-filter < crf-list-name >                    3-20, 3-22
    < filter | ignore > ip < any | host < ip-addr > | ip-addr < mask >>        3-20
    <...
  • Page 121: Connection-rate Acl Operation

    For more information on when to apply connection-rate ACLs, refer to “Application Options” on page 3-4. Note: Connection-rate ACLs are a special case of the switch’s ACL feature. If you need information on other applications of ACLs or more detailed information on how ACLs operate, refer to Chapter 10, “IPv4 Access Control Lists (ACLs)”.
  • Page 122: Configuring A Connection-rate Acl Using Source Ip Address Criteria

    Syntax: ip access-list connection-rate-filter < crf-list-name > Creates a connection-rate-filter ACL and puts the CLI into the access control entry (ACE) context: HP Switch(config-crf-nacl)# If the ACL already exists, this command simply puts the CLI into the ACE context. Syntax: < filter | ignore > ip < any | host < ip-addr > | ip-addr < mask-length > >...
  • Page 123 < filter | ignore > The filter option assigns policy filtering to traffic with source IP address (SA) matching the source address in the ACE. The ignore option specifies bypassing policy filtering for traffic with an SA that matches the source address in the ACE.
  • Page 124: Configuring A Connection-rate Acl Using Udp/tcp Criteria

    Syntax: ip access-list connection-rate-filter < crf-list-name > Creates a connection-rate-filter ACL and puts the CLI into the access control entry (ACE) context: HP Switch(config-crf-nacl)# If the ACL already exists, this command simply puts the CLI into the ACE context. Syntax: < filter | ignore > < udp | tcp > < any >...
  • Page 125 ip-addr < mask-length >: Applies the ACE's action (filter or ignore) to IP traffic having an SA within the range defined by either: < src-ip-addr/cidr-mask-bits> <src-ip-addr < mask >> Use this criterion for traffic received from either a subnet or a group of IP addresses.
  • Page 126 (161) snmp-trap: Simple Network Management Protocol (162) tftp: Trivial File Transfer Protocol (69) HP Switch(config)# ignore tcp host 15.75.10.11 destination-port eq 1812 source-port eq 1812 Ignore (allow) tcp traffic from the host at 15.75.10.11 with both source and destination tcp ports of 1812.
  • Page 127: Applying Connection-rate Acls

    Applying Connection-Rate ACLs: To apply a connection-rate ACL, use the access group command described below. Note that this command differs from the access group command for non-connection-rate ACLs. Syntax: [no] vlan < vid > ip access-group < crf-list-name > connection-rate-filter This command applies a connection-rate access control list (ACL) to inbound traffic on ports in the specified VLAN that are configured for connection-rate filtering.
  • Page 128: Example Of Using An Acl In A Connection-rate Configuration

    Matches” on page 10-35. Example of Using an ACL in a Connection-Rate Configuration: This example adds connection-rate ACLs to the basic example on page 3-12. (Figure: sample network with a host at IP Address 15.45.100.7, HP Switch, VLAN 1 at 15.45.100.1, VLAN 10 at 15.45.200.1...)
  • Page 129 15.45.50.17 without filtering through the per-port connection-rate ACL context and rate policy configured on port D2. HP Switch(config)# ip access-list connection-rate-filter 17-server (names the ACL) HP Switch(config-crf-nacl)# ignore ip host 15.45.50.17 HP Switch(config-crf-nacl)# exit HP Switch(config)# vlan 15 HP Switch(vlan-15)# ip access-group 17-server connection-rate-filter...
  • Page 130: Connection-rate Acl Operating Notes

    HP Switch(config)# show config Startup configuration ; J8697A Configuration Editor; Created on release #K.15.XX hostname “HP Switch” connection-rate-filter sensitivity high ip access-list connection-rate-filter “17-server” ignore ip 15.45.50.17 0.0.0.0 exit The new switch configuration...
  • Page 131 the port through which the traffic entered the switch. For example, ignore host 15.45.120.70 tells the switch to permit traffic from the host at 15.45.120.70 without filtering this host’s traffic through the connection-rate policy configured for the port on which the traffic entered the switch.
  • Page 132: Connection-rate Log And Trap Messages

    ...determining current resource availability and usage, refer to the appendix titled “Monitoring Resources” in the Management and Configuration Guide for your switch. Connection-Rate Log and Trap Messages: Please see the Event Log Message Reference Guide for information about Event Log messages.
  • Page 133: Web And Mac Authentication

    Web and MAC Authentication Overview
    Feature                                               Default  Menu
    Configure Web Authentication                          —        4-18  —
    Configure MAC Authentication                          —        4-48  —
    Display Web Authentication Status and Configuration   —        4-26  —
    Display MAC Authentication Status and Configuration   —        4-65  —
    Web and MAC authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and a switch from unauthorized access.
  • Page 134: Web Authentication

    Web Authentication: The Web Authentication (Web-Auth) method uses a web page login to authenticate users for access to the network. When a client connects to the switch and opens a web browser, the switch automatically presents a login page. Note: A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web authentication.
  • Page 135: Concurrent Web And Mac Authentication

    Concurrent Web and MAC Authentication: Web authentication and MAC authentication can be configured at the same time on a port. It is assumed that MAC authentication will use an existing MAC address. The following conditions apply for concurrent Web and MAC authentication: ■ A specific MAC address cannot be authenticated by both Web and...
  • Page 136: Radius-based Authentication

    Web and MAC Authentication Overview support multiple client sessions in different VLANs for a network application, design your system so that clients request network access on different switch ports.) In the default configuration, the switch blocks access to all clients that the RADIUS server does not authenticate.
  • Page 137: How Web And Mac Authentication Operate

    How Web and MAC Authentication Operate: Before gaining access to the network, a client first presents authentication credentials to the switch. The switch then verifies the credentials with a RADIUS authentication server. Successfully authenticated clients receive access to the network, as defined by the System Administrator.
  • Page 138 Web and MAC Authentication How Web and MAC Authentication Operate enabled SSL on the switch, you can specify the ssl-login option when you configure web authentication so that clients who log in to specified ports are redirected to a secure login page (https://...) to enter their credentials. The switch passes the supplied username and password to the RADIUS server for authentication and displays the following progress message: Figure 4-2.
  • Page 139: Mac-based Authentication

    Web and MAC Authentication How Web and MAC Authentication Operate The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period).
  • Page 140 If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (auth-vid if configured) and temporarily drops all other VLAN memberships. If neither 1 nor 2, above, applies, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
  • Page 141: Terminology

    VLAN. Authentication Server: The entity providing an authentication service to the switch. In the case of an HP Switch 8212zl running Web/MAC-Authentication, this is a RADIUS server. Authenticator: In HP switch applications, a device such as an HP Switch...
  • Page 142: Operating Rules And Notes

    Operating Rules and Notes ■ The switch supports concurrent 802.1X, Web and MAC authentication operation on a port (with up to 2 clients allowed). However, concurrent operation of Web and MAC authentication with other types of authentication on the same port is not supported.
  • Page 143 • During an authenticated client session, the following hierarchy determines a port’s VLAN membership: If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
  • Page 144: Setup Procedure For Web/mac Authentication

    Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, HP recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.)
  • Page 145 Setup Procedure for Web/MAC Authentication To display the current configuration of 802.1X, Web-based, and MAC authentication on all switch ports, enter the show port-access config command. HP Switch (config)# show port-access config Port Access Status Summary Port-access authenticator activated [No] : Yes...
  • Page 146 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100”...
  • Page 147: Configuring The Radius Server To Support Mac Authentication

    Configuring the RADIUS Server To Support MAC Authentication: On the RADIUS server, configure the client device authentication in the same way that you would any other client, except: ■ Configure the client device’s (hexadecimal) MAC address as both...
  • Page 148 The tilde (~) character is allowed in the string, for example, radius-server key hp~switch. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
  • Page 149 For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server specific shared secret key of ‘1A7rd’: HP Switch(config)# radius-server host 192.168.32.11 HP Switch(config)# radius-server host 192.168.32.11 key 1A7rd HP Switch(config)# show radius...
  • Page 150: Configuring Web Authentication

    If you have not already done so, configure a local username and password pair on the switch. Identify or create a redirect URL for use by authenticated clients. HP recommends that you provide a redirect URL when using Web Authentication.
  • Page 151: Configuration Commands For Web Authentication

    Web and MAC Authentication Configuring Web Authentication • You can block only incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web authentication. For example, Wake-on-LAN traffic is transmitted on a web-authenticated egress port that has not yet transitioned to the authenticated state;...
  • Page 152 Syntax: aaa port-access <port-list > controlled-directions <both | in> After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-directions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.
  • Page 153 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> — Continued — Notes: ■ For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, “Multiple Instance Spanning-Tree Operation”...
  • Page 154 Syntax: [no] aaa port-access web-based <port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable web-based authentication on the specified ports. Syntax: aaa port-access web-based <port-list> [auth-vid <vid>] no aaa port-access web-based <port-list>...
  • Page 155 If the web server is also used for other purposes, you may wish to group the HTML files in their own directory, for example in “/EWA/”) HP Switch(config)# aaa port-access web-based 47 ewa-server 10.0.12.179 /EWA HP Switch(config)# aaa port-access web-based 47 ewa-server 10.0.12.180...
  • Page 156 HP Switch(config)# no aaa port-access web-based 47 ewa-server 10.0.12.181 HP Switch(config)# Figure 4-7. Removing a Web Server with the aaa port-access web-based ewa-server Command aaa port-access web-based <port-list > logoff-period <60-9999999>...
  • Page 157 Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. HP recommends that you provide a redirect URL when using Web Authentication. Note: The redirect-url command accepts only the first 103 characters of the allowed 127 characters.
  • Page 158: Show Commands For Web Authentication

    Show Commands for Web Authentication
    Command                                                        Page
    show port-access web-based [port-list]                         4-26
    show port-access web-based clients [port-list]                 4-27
    show port-access web-based clients <port-list> detailed        4-28
    show port-access web-based config [port-list]                  4-29
    show port-access web-based config <port-list> detailed         4-30
    show port-access web-based config [port-list] auth-server      4-31...
  • Page 159: Show Port-access Web-based Clients [port-list]

    If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a - no info is displayed. HP Switch(config)# show port-access web-based clients Port Access Web-Based Client Status Port Client Name...
  • Page 160: Show Port-access Web-based Clients Detailed

    IPv6 address. n/a-no info—DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table. HP Switch (config)# show port-access web-based clients 1 detailed Port Access Web-Based Client Status Detailed Client Base Details :...
  • Page 161: Show Port-access Web-based Config [port-list]

    • Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS- assigned value. HP Switch (config)# show port-access web-based config Port Access Web-Based Configuration DHCP Base Address : 192.168.0.0 DHCP Subnet Mask : 255.255.255.0...
  • Page 162: Show Port-access Web-based Config Detailed

    Syntax: show port-access web-based config <port-list> detailed Displays more detailed information on the currently configured Web Authentication settings for specified ports. HP Switch (config)# show port-access web-based config 1 detailed Port Access Web-Based Detailed Configuration Port Web-based enabled : Yes...
  • Page 163: Show Port-access Web-based Config [port-list] Auth-server

    • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts HP Switch (config)# show port-access web-based config auth-server Port Access Web-Based Configuration Client Client Logoff Re-Auth...
  • Page 164: Customizing Web Authentication Html Files (optional)

    Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Customizing Web Authentication HTML Files (Optional) The Web Authentication process displays a series of web pages and status messages to the user during login. The web pages that are displayed can be: ■...
  • Page 165: Customizing Html Templates

    ■ To configure a web server on your network, follow the instructions in the documentation provided with the server. ■ Before you enable custom Web Authentication pages, you should: • Determine the IP address or host name of the web server(s) that will host your custom pages.
  • Page 166: Customizable Html Templates

    Customizable HTML Templates: The sample HTML files described in the following sections are customizable templates. To help you create your own set of HTML files, a set of the templates can be found on the download page for ‘K’ software. File Name Page 4-34...
  • Page 167: Index.html

    <!-- HP Web Authentication Template index.html -->
    <html>
    <head>
    <title>User Login</title>
    </head>
    <body>
    <h1>User Login</h1>
    <p>In order to access this network, you must first log in.</p>
    <form action="/webauth/loginprocess" method="POST">
    <table>...
  • Page 168 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Access Granted Page (accept.html). Figure 4-16. Access Granted Page The accept.html file is the web page used to confirm a valid client login. This web page is displayed after a valid username and password are entered and accepted.
  • Page 169: Accept.html

    <!-- HP Web Authentication Template accept.html -->
    <html>
    <head>
    <title>Access Granted</title>
    <!-- The following line is required to automatically redirect -->
    <meta http-equiv="refresh" content="<%GETWAUTHREDIRECTTIME%>; URL=<%GETWAUTHREDIRECTURL%>"/>
    </head>
    <body>
    <h1>Access Granted</h1>
    <!-- The ESI tag below will be replaced with the time in seconds until the page redirects.
  • Page 170: Authen.html

    Authenticating Page (authen.html). Figure 4-18. Authenticating Page The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified.
    <!-- HP Web Authentication Template authen.html -->
    <html>
    <head>
    <title>Authenticating</title>...
  • Page 171 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Invalid Credentials Page (reject_unauthvlan.html). Figure 4-20. Invalid Credentials Page The reject_unauthvlan.html file is the web page used to display login failures in which an unauthenticated client is assigned to the VLAN configured for unauthorized client sessions.
  • Page 172: Reject_unauthvlan.html

    <!-- HP Web Authentication Template reject_unauthvlan.html -->
    <html>
    <head>
    <title>Invalid Credentials</title>
    <!-- The following line is required to automatically redirect -->
    <meta http-equiv="refresh" content="<%GETWAUTHREDIRECTTIME%>; URL=<%GETWAUTHREDIRECTURL%>"/>
    </head>
    <body>
    <h1>Invalid Credentials</h1>
    <p>Your credentials were not accepted. However, you have been granted guest account status.
  • Page 173 RADIUS server is not reachable. You can configure the time period (in seconds) that the switch waits for a response from the RADIUS server used to verify client credentials with the aaa port-access web-based server-timeout command when you enable Web Authentication. <!-- HP Web Authentication Template timeout.html --> <html> <head>...
  • Page 174 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Retry Login Page (retry_login.html). Figure 4-24. Retry Login Page The retry_login.html file is the web page displayed to a client that has entered an invalid username and/or password, and is given another opportunity to log The GETWAUTHRETRIESLEFT ESI displays the number of login retries that remain for a client that entered invalid login credentials.
  • Page 175: Retry_login.html

    Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- HP Web Authentication Template retry_login.html --> <html> <head> <title>Invalid Credentials</title> <!-- The following line is required to automatically redirect the user back to the login page. --> <meta http-equiv="refresh" content="5;URL=/EWA/index.html">...
  • Page 176 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) SSL Redirect Page (sslredirect.html). Figure 4-26. SSL Redirect Page The sslredirect file is the web page displayed when a client is redirected to an SSL server to enter credentials for Web Authentication. If you have enabled SSL on the switch, you can enable secure SSL-based Web Authentication by entering the aaa port-access web-based ssl-login command when you enable Web Authentication.
  • Page 177: Sslredirect.html

    Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- HP Web Authentication Template sslredirect.html --> <html> <head> <title>User Login SSL Redirect</title> <meta http-equiv="refresh" content="5;URL=https://<%GETWAUTHSSLSRV%>/EWA/ index.html"> </head> <body> <h1>User Login SSL Redirect</h1> <p>In order to access this network, you must first log in.</p>...
  • Page 178 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Access Denied Page (reject_novlan.html). Figure 4-28. Access Denied Page The reject_novlan file is the web page displayed after a client login fails and no VLAN is configured for unauthorized clients. The GETWAUTHQUIETTIME ESI inserts the time period used to block an unauthorized client from attempting another login.
  • Page 179: Rejectnovlan.html

    Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- HP Web Authentication Template reject_novlan.html --> <html> <head> <title>Access Denied</title> <!-- The line below is required to automatically redirect the user back to the login page. --> <meta http-equiv="refresh" content="<%GETWAUTHQUIETTIME%>;URL=/EWA/ index.html">...
  • Page 180: Configuring Mac Authentication On The Switch

    Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview If you have not already done so, configure a local username and password pair on the switch. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made.
  • Page 181: Configuration Commands For Mac Authentication

    Configuration Commands for MAC Authentication Command Page Configuration Level aaa port-access mac-based addr-format 4-49 [no] aaa port-access mac-based password <password-value> below [no] aaa port-access mac-based [e] < port-list > 4-51 [addr-limit] 4-52 [addr-moves]...
  • Page 182 HP Switch (config)# aaa port-access mac-based password secretMAC1 HP Switch (config)# show port-access mac-based config Port Access MAC-Based Configuration MAC Address Format : no-delimiter Password : secretMAC1 Unauth Redirect Configuration URL :...
  • Page 183: Configuring A Mac-based Address Format

    Configuring a MAC-based Address Format Syntax: aaa port-access mac-based addr-format <no-delimiter | single-dash | multi-dash | multi-colon | no-delimiter-uppercase | single-dash-uppercase | multi-dash-uppercase | multi-colon-uppercase> Specifies the MAC address format to be used in the RADIUS request message.
  • Page 184 Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-256>] Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1) Note: On switches where MAC Auth and 802.1X can operate concurrently, this limit includes the total number of clients authenticated through both methods.
  • Page 185 Syntax: aaa port-access mac-based [e] < port-list > [max-requests <1-10>] Specifies the number of authentication attempts that must time-out before authentication fails. (Default: 2) Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1 - 65535>] Specifies the time period (in seconds) that the switch waits before processing an authentication request from a MAC address that failed authentication.
  • Page 186: Configuring Custom Messages

    The string can be up to 250 ASCII characters. radius-response: Use the text message provided in the RADIUS server response to the authentication request. HP Switch (config)# aaa port-access web-based access-denied-message “Please contact your system administrator to obtain authentication privileges.”...
  • Page 187 HP Switch (config)# show port-access web-based config Port Access Web-based Configuration DHCP Base Address : 192.168.0.0 DHCP Subnet Mask : 255.255.248.0 DHCP Lease Length : 10 seconds Allow RADIUS-assigned dynamic (GVRP) VLANs[No]: Yes Access Denied Message : Custom: Please contact your system administrator to obtain authentication privileges.
  • Page 188: Web Page Display Of Access Denied Message

    Unauthenticated clients may be assigned to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients, the port is blocked and no network access is available.
  • Page 189 Invalid Credentials Your credentials were not accepted. Please wait 96 seconds to retry. You will be redirected automatically to the login page. Unauthorized access to this network is prohibited. Access to this network requires prior authorization from the System Administrator.
  • Page 190 HP Switch (config)# show running-config Running configuration: ; J8692A Configuration Editor; Created on release #K.14.00x hostname "HP Switch 3500yl-24G" web-management ssl qos dscp-map 000000 priority 0 module 1 type J86xxA module 3 type J8694A...
  • Page 191: Http Redirect When Mac Address Not Found

  • Page 192: How Http Redirect Works

    Notes The HTTP redirect feature cannot be enabled if web authentication is enabled on any port, and conversely, if HTTP redirect is enabled, web authentication cannot be enabled on any port. The web/registration server software is not included with this feature.
  • Page 193 Caution Rogue clients can attempt to access any web pages on the web/registration server via interface ports configured for MAC authentication. The following steps are involved in HTTP registration. When the redirect feature is enabled, a client that fails MAC authentication is moved into the unauthorized MAC authentication redirection state.
  • Page 194: Diagram Of The Registration Process

    Diagram of the Registration Process (Figure: RADIUS server, client, switch and web server; sequence: packet is sent, RADIUS request is made, client fails authentication, client is put in the unauth MAC-auth redirect state, client sends DHCP request.)
  • Page 195: Using The Restrictive-filter Option

    HTTP request is to the registration server’s destination IP address. Show Command Output Figure 4-39 is an example of the show command that displays the HTTP redirect configuration. HP Switch (config)# show port-access mac-based config Port Access MAC-Based Configuration Configured HTTP redirect URL MAC Address Format : no-delimiter Unauth Redirect Configuration URL : http://14.29.16.192:80/myserver.html...
  • Page 196: Configuring The Registration Server Url

    Unconfiguring a MAC-Auth Registration Server Each configured registration server’s URL must be removed by specifying it exactly, for example: HP Switch(config)# no aaa port-access mac-based unauth-redirect https://serverA.com:124/registration server/reg.html Operating Notes for HTTP Redirect ■ If the configured URL contains a domain name (as opposed to an IP address) the switch’s DNS resolver must be configured:...
  • Page 197: Show Commands For Mac-based Authentication

    Show Commands for MAC-Based Authentication Command Page show port-access mac-based [port-list] 4-66 show port-access mac-based clients [port-list] 4-66 show port-access mac-based clients <port-list> detailed 4-67 show port-access mac-based config [port-list] 4-68 show port-access mac-based config <port-list>...
  • Page 198 HP Switch (config)# show port-access mac-based Port Access MAC-Based Status Auth Unauth Untagged Tagged Port % In RADIUS Port Clients Clients VLAN VLANs Limit ---- ------- ------- -------- ------ --------...
  • Page 199 IPv6 address. n/a-no info—DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table. HP Switch (config)# show port-access mac-based clients 1 detailed Port Access MAC-Based Client Status Detailed Client Base Details :...
  • Page 200 • Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS-assigned value. HP Switch (config)# show port-access mac-based config Port Access MAC-Based Configuration MAC Address Format : no-delimiter...
  • Page 201 Syntax: show port-access mac-based config <port-list> detailed Displays more detailed information on the currently configured MAC Authentication settings for specified ports. HP Switch (config)# show port-access mac-based config 1 detailed Port Access MAC-Based Detailed Configuration Port Web-based enabled : Yes...
  • Page 202 • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts HP Switch (config)# show port-access mac-based config auth-server Port Access MAC-Based Configuration Client Client Logoff Re-Auth...
  • Page 203: Client Status

    Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Possible Explanations Connection authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires.
  • Page 205: Tacacs+ Authentication

    TACACS+ Authentication Overview Feature Default Menu view the switch’s authentication configuration — page 5-8 — view the switch’s TACACS+ server contact — page 5-9 — configuration configure the switch’s authentication methods disabled — page — 5-10 configure the switch to contact TACACS+ server(s) disabled —...
  • Page 206: Terminology Used In Tacacs Applications

    TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ in the switches covered in this guide manages authentication of logon attempts through either the Console port or Telnet. TACACS+ uses an authentication hierarchy consisting of (1) remote passwords assigned in a TACACS+ server and (2) local passwords configured on the switch.
  • Page 207 • Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager-level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or WebAgent. (Using the menu interface you can assign a local password, but not a username.) Because this method assigns passwords to the switch instead of to individuals who access the switch, you must...
  • Page 208: General System Requirements

    TACACS+ configurations used in your network. TACACS-aware HP switches include the capability of configuring multiple backup TACACS+ servers. HP recommends that you use a TACACS+ server application that supports a redundant backup installation. This allows you to configure the switch to use a backup TACACS+ server if it loses access to the first-choice TACACS+ server.
  • Page 209 TACACS+ Authentication General Authentication Setup Procedure Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Troubleshooting chapter of the Management and Configuration Guide for your switch.
  • Page 210 15. For more on this topic, refer to the documentation you received with your TACACS+ server application. If you are a first-time user of the TACACS+ service, HP recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment.
  • Page 211: Configuring Tacacs+ On The Switch

    Configuring TACACS+ on the Switch Before You Begin If you are new to TACACS+ authentication, HP recommends that you read the “General Authentication Setup Procedure” on page 5-4 and configure your TACACS+ server(s) before configuring authentication on the switch.
  • Page 212: Cli Commands Described In This Section

    TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs aaa authentication 5-10 through 5-16 console Telnet num-attempts <1-10 > tacacs-server 5-17 host < ip-addr > 5-17 5-22 timeout < 1-255 > 5-23 Viewing the Switch’s Current Authentication Configuration...
  • Page 213: Viewing The Switch's Current Tacacs+ Server Contact Configuration

    HP Switch(config)# show authentication Status and Counters - Authentication Information Login Attempts : 3 Respect Privilege : Disabled | Login Login Login Access Task | Primary Server Group Secondary ----------- + ---------- ------------ ----------...
  • Page 214: Configuring The Switch's Authentication Methods

    The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into Operator or Manager mode, depending on your privilege level. HP Switch(config) aaa authentication login privilege-mode The no version of the above command disables TACACS+ single login capability.
  • Page 215 Syntax: aaa authentication < console | telnet | ssh | web | port-access > Selects the access method for configuration. < enable> The server grants privileges at the Manager privilege level. <login [privilege-mode] > The server grants privileges at the Operator privilege level.
  • Page 216: Authentication Parameters

    Authentication Parameters Table 5-1. AAA Authentication Parameters Name Default Range Function console, Telnet, Specifies the access method used when authenticating. TACACS+ SSH, web or port- authentication only uses the console, Telnet or SSH access methods. access enable Specifies the Manager (read/write) privilege level for the access...
  • Page 217 numbers 0 through 15, with zero allowing only Operator privileges (and requiring two logins) and 15 representing root privileges. The root privilege level is the only level that will allow Manager level access on the switch. Figure 5-4.
  • Page 218 Figure 5-5. The Shell Section of the TACACS+ Server User Setup As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch’s console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.
  • Page 219 Table 5-2. Primary/Secondary Authentication Table Access Method and Authentication Options Effect on Access Attempts Privilege Level Primary Secondary Console — Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Console —...
  • Page 220 Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. HP Switch(config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server. Secondary using Local. HP Switch(config)# aaa authentication console enable tacacs local Telnet Login (Operator or Read-Only) Access: Primary using TACACS+ server.
  • Page 221: Configuring The Switch's Tacacs+ Server Access

    Note As described under “General Authentication Setup Procedure” on page 5-4, HP recommends that you configure, test, and troubleshoot authentication via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up authentication in either the switch or your TACACS+ server.
  • Page 222 Syntax: tacacs-server host < ip-addr > [key < key-string > | encrypted-key <key-string>] | [oobm] Adds a TACACS+ server and optionally assigns a server-specific encryption key. If the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.
  • Page 223 If TACACS+ server “X” does not have an encryption key assigned for the switch, then configuring either a global encryption key or a server-specific key in the switch for server “X” will block authentication support from server “X”. Name Default Range...
  • Page 224 <key-string> entry at the beginning of this table.) You can configure a TACACS+ encryption key that includes a tilde (~) as part of the key, for example, “hp~switch”. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character. For more on the encryption key, see “Using the Encryption Key”...
  • Page 225 "good morning Shows the key configured for a specific host. tacacs-server host 10.10.10.2 key "hp~switch" snmp-server community "public" unrestricted Figure 5-7. Example of the Running Configuration File Showing the Host-Specific Key for TACACS+ with the “~” Included Adding, Removing, or Changing the Priority of a TACACS+ Server.
  • Page 226 To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: HP Switch(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key. Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key.
  • Page 227 TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: HP Switch(config)# tacacs-server host 10.28.227.104 Note You can save the encryption key in a configuration file by entering this command: HP Switch(config)# tacacs-server key <keystring>...
  • Page 228: How Authentication Operates

    (Figure 5-10. Using a TACACS+ Server for Authentication: an HP switch configured for TACACS+ operation, terminal “B” remotely accessing the switch via Telnet, and second-choice and third-choice TACACS+ servers (optional).) Using figure 5-10, above, after either switch detects an operator’s logon...
  • Page 229: Local Authentication Process

    TACACS+ Authentication How Authentication Operates After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs: •...
  • Page 230: Using The Encryption Key

    ■ If the username/password pair entered at the requesting terminal does not match either username/password pair previously configured locally in the switch, access is denied. In this case, the terminal is again prompted to enter a username/password pair. In the default configuration, the switch allows up to three attempts.
  • Page 231: Encryption Options In The Switch

    HP Switch(config)# tacacs-server host 10.28.227.87 key south10campus With both of the above keys configured in the switch, the...
  • Page 232: Controlling Webagent Access When Using Tacacs+ Authentication

    TACACS+ Authentication Controlling WebAgent Access When Using TACACS+ Authentication Controlling WebAgent Access When Using TACACS+ Authentication Configuring the switch for TACACS+ authentication does not affect WebAgent access. To prevent unauthorized access through the WebAgent, do one or more of the following: ■...
  • Page 233: Messages Related To Tacacs+ Operation

    TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application.
  • Page 234: Operating Notes

    TACACS+ Authentication Operating Notes Operating Notes ■ If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized manager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP Manager controls configured on the switch.
  • Page 235: Radius Authentication, Authorization, And Accounting

    For accounting, this can help you track network resource usage. Authentication Services You can use RADIUS to verify user identity for the following types of primary password access to the HP switch: ■ Serial port (Console) ■...
  • Page 236: Accounting Services

    RADIUS Authentication, Authorization, and Accounting Overview The switch also supports RADIUS accounting for Web Authentication and MAC authentication sessions. Note The switch does not support RADIUS security for SNMP (network management) access. For information on blocking access through the WebAgent, refer to “Controlling WebAgent Access”...
  • Page 237: Snmp Access To The Switch's Authentication Configuration Mib

    SNMP access to the hpSwitchAuth MIB (Management Information Base). A management station running an SNMP networked device management application such as HP PCM+ or HP OpenView can access the switch’s MIB for read access to the switch’s status and read/write access to the switch’s configuration.
  • Page 238: Terminology

    EXEC Session: a service (EXEC shell) granted to the authenticated login user for doing management operations on the HP device. Host: See RADIUS Server. NAS (Network Access Server): In this case, a HP switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): a protocol for...
  • Page 239: Switch Operating Rules For Radius

    ■ type of access. (Only one primary and one secondary access method is allowed for each access type.) ■ In the HP switch, EAP RADIUS uses MD5 and TLS to encrypt a response to a challenge from a RADIUS server.
  • Page 240: General Radius Setup Procedure

    (local or none) if the RADIUS authentication fails or does not respond. Note: The WebAgent access task shown in this figure is available only on the switches covered in this guide. HP Switch(config)# show authentication Status and Counters - Authentication Information
  • Page 241: Configuring The Switch For Radius Authentication

    IP address to the switch. • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. HP recommends that you begin with the default (five seconds).
  • Page 242: Outline Of The Steps For Configuring Radius Authentication

    RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication RADIUS Authentication Commands Page [no] radius-server encrypted-key <global key-string> 6-19 radius-server timeout < 1 - 15> 6-19 radius-server retransmit < 1 - 5 > 6-19 [no] radius-server dead-time < 1 - 1440 > 6-21 show radius 6-67...
  • Page 243 • (Optional) UDP destination port for authentication requests (default: 1812; recommended) • (Optional) UDP destination port for accounting requests (default: 1813; recommended) • (Optional) encryption key for use during authentication sessions with a RADIUS server.
  • Page 244: Configure Authentication For The Access Methods You Want Radius To Protect

    1. Configure Authentication for the Access Methods You Want RADIUS To Protect This section describes how to configure the switch for RADIUS authentication through the following access methods: ■ Console: Either direct serial-port connection or modem connection.
  • Page 245 [none | authorized]: Provides options for secondary authentication. The none option specifies that a backup authentication method is not used. The authorized option allows access without authentication. (default: none). In certain situations, RADIUS servers can become isolated from the network.
  • Page 246 HP Switch (config)# show authentication Status and Counters - Authentication Information Login Attempts : 3 Respect Privilege : Disabled | Login Login Login Access Task | Primary Server Group Secondary...
  • Page 247: Enable The (optional) Access Privilege Option

    HP Switch (config)# aaa authentication telnet login radius none HP Switch (config)# aaa authentication telnet enable radius none HP Switch (config)# aaa authentication ssh login radius none HP Switch...
  • Page 248 this default behavior for clients with Enable (manager) access. That is, with privilege-mode enabled, the switch immediately allows Enable (Manager) access to a client for whom the RADIUS server specifies this access level. Syntax: [no] aaa authentication login privilege-mode When enabled, the switch reads the Service-Type field in the client authentication received from a RADIUS server.
  • Page 249: Configure The Switch To Access A Radius Server

    3. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 6-52: “Accounting Services”...
  • Page 250: [dyn-authorization]

    [dyn-authorization] Enables or disables the processing of Disconnect and Change of Authorization messages from this host. When enabled, the RADIUS server can dynamically terminate or change the authorization parameters (such as VLAN assignment) used in an active client session on the switch.
  • Page 251 Change the encryption key for the server at 10.33.18.127 to “source0127”. Add a RADIUS server with an IP address of 10.33.18.119 and a server-specific encryption key of “source0119”. HP Switch (config)# radius-server host 10.22.18.127 key source0127 HP Switch (config)# radius-server host 10.22.18.119 key source0119...
  • Page 252: Configure The Switch's Global Radius Parameters

    HP Switch (config)# radius-server host 10.33.18.127 key source0127 HP Switch (config)# radius-server host 10.33.18.119 key source0119 HP Switch (config)# show radius Status and Counters - General RADIUS Information Changes the key for the existing server to “source012...
  • Page 253: [no] Radius-server Key < Global Key-string

    ■ Retransmit attempts: If the first attempt to contact a RADIUS server fails, specifies how many retries you want the switch to attempt on that server. ■ Change of Authorization port: The dyn-autz-port parameter...
  • Page 254 radius-server timeout < 1 - 15 > Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure. (Default: 3 seconds; Range: 1 - 15 seconds) radius-server retransmit <...
  • Page 255 ■ Allow three seconds for request timeouts. ■ Allow two retries following a request that did not receive a response. Switch(config)# aaa authentication num-attempts 2 Switch(config)# radius-server key My-Global-KEY-1099 Switch(config)# radius-server dead-time 5 Switch(config)# radius-server timeout 3 Switch(config)# radius-server retransmit 2...
  • Page 256 HP Switch (config)# show authentication Status and Counters - Authentication Information Login Attempts : 2 Respect Privilege : Disabled After two attempts failing due to username or password entry errors, the switch will terminate the session.
  • Page 257: Using Multiple Radius Server Groups

    RADIUS server must be configured before it can be added to a group. See “Configuring the Switch for RADIUS Authentication” on page 6-7 for more information about configuring RADIUS servers. HP Switch (config)# radius-server host 10.33.18.151 acct-port 1750 key source0151...
  • Page 258: Enhanced Commands

    Syntax: aaa server-group radius <group-name> host <ip-addr> no aaa server-group radius <group-name> host <ip-addr> Associates a RADIUS server with a server group. Each group can contain up to 3 RADIUS servers. The default group (called ‘radius’) can only contain the first three RADIUS servers.
  • Page 259 [ local | none | authorized ]: Provides options for secondary authentication (default: none). Note that for console access, secondary authentication must be local if primary access is not local. This prevents you from being locked out of the switch in the event of a failure in other access methods.
  • Page 260: Displaying The Radius Server Group Information

    Displaying the RADIUS Server Group Information The show server-group radius command displays the same information as the show radius command, but displays the servers in their server groups. HP Switch (config)# show server-group radius Status and Counters - AAA Server Groups...
  • Page 261 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication HP Switch (config)# show authentication Status and Counters - Authentication Information Login Attempts : 3 Respect Privilege : Disabled | Login Login Login Access Task | Primary Server Group Secondary...
  • Page 262: Cached Reauthentication

    RADIUS Authentication, Authorization, and Accounting Cached Reauthentication Cached Reauthentication Cached reauthentication allows 802.1X, web, or MAC reauthentications to succeed when the RADIUS server is unavailable. Users already authenticated retain their currently-assigned RADIUS attributes. Uninterrupted service is provided for authenticated users with RADIUS-assigned VLANS if the RADIUS server becomes temporarily unavailable during periodic reauthentications.
  • Page 263: Timing Considerations

    Configures the period of time (in seconds) during which cached reauthentication is allowed on the port. Default: No limit is set. HP Switch (config)# aaa port-access web-based 6-8 cached-reauth-period 86400 The cached-reauth-period is set to 86400 seconds (1440 minutes, or 24 hours).
  • Page 264 RADIUS Authentication, Authorization, and Accounting Cached Reauthentication authentication have been changed from their default values. The period of time represented by X is how long 802.1X or Web MAC authentication will wait for a RADIUS response. For example: A cached-reauth-period is set to 900 seconds (15 minutes) and the reauth period is 180 seconds.
  • Page 265 RADIUS Authentication, Authorization, and Accounting Cached Reauthentication The time between step 8 and step 9 is X seconds. The total time is 180 + X + 900 + 180 + X, which equals 900 +2(180+X) seconds. Note The period of 1 to 30 seconds, represented by X, is not a firm time period; the time can vary depending on other 802.1X and Web/MAC auth parameters.
  • Page 266: Using Snmp To View And Configure Switch Authentication Features

    If you choose to leave SNMP access to the security MIB open (the default setting), HP recommends that you configure the switch with the SNMP version 3 management and access security feature, and disable SNMP version 2c access.
  • Page 267: Changing And Viewing The Snmp Access Configuration

    RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features Changing and Viewing the SNMP Access Configuration Syntax: snmp-server mib hpswitchauthmib < excluded | included > included: Enables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB. excluded: Disables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB.
  • Page 268 RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features HP Switch (config)# snmp-server mib hpswitchauthmib excluded HP Switch (config)# show snmp-server SNMP Communities (Figure callout: Indicates that SNMP security MIB access is disabled, which is the nondefault setting.)
  • Page 269 Using SNMP To View and Configure Switch Authentication Features An alternate method of determining the current Authentication MIB access state is to use the show run command. HP Switch(config)# show run Running configuration: ; J9091A Configuration Editor; Created on release #K.15.01.000x hostname "HP Switch"...
  • Page 270: Local Authentication Process

    RADIUS Authentication, Authorization, and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: ■ Local is the authentication option for the access method being used. ■...
  • Page 271: Controlling Webagent Access

    RADIUS Authentication, Authorization, and Accounting Controlling WebAgent Access Controlling WebAgent Access To help prevent unauthorized access through the WebAgent, do one or more of the following: ■ Configure the switch to support RADIUS authentication for WebAgent access (Web Authentication, Chapter 7). ■ Options for the switches covered in this guide: ■...
  • Page 272: Commands Authorization

    RADIUS Authentication, Authorization, and Accounting Commands Authorization Commands Authorization The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information (from the user’s profile) to the Network Access Server (NAS). After user authentication has occurred, the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user’s session.
  • Page 273: Enabling Authorization

    The NAS does not request authorization information. For example, to enable the RADIUS protocol as the authorization method: HP Switch (config)# aaa authorization commands radius When the NAS sends the RADIUS server a valid username and password, the RADIUS server sends an Access-Accept packet that contains two attributes: the command list and the command exception flag.
  • Page 274: Displaying Authorization Information

    Configuring Commands Authorization on a RADIUS Server Using Vendor Specific Attributes (VSAs) Some RADIUS-based features implemented on HP switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access-Accept packets sent to the switch may contain the vendor-specific information.
  • Page 275 The ^ metacharacter defines the start of the string and the $ character defines the end of the string. Do not leave a space between the semi-colon and the start of the next regular expression. So the HP-Command-String with more than one regular expression defined may look as follows: HP-Command-String = “^configure$;^show running-config$”.
  • Page 276 (those that are available by default to any user). You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.
  • Page 277: Example Configuration On Cisco Secure Acs For Ms Windows

    The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps. Create a dictionary file (for example, hp.ini) containing the HP VSA definitions, as shown in the example below. ;[User Defined Vendor] ;...
  • Page 278 Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils> csutil -addudv 0 hp.ini The zero (0) is the slot number.
  • Page 279 4 (100 in the example). Restart all Cisco services. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry. In the Authenticate Using field choose RADIUS(HP) as an option for the type of security control protocol.
  • Page 280: Example Configuration Using Freeradius

    Find the location of the dictionary files used by FreeRADIUS (try /usr/ local/share/freeradius). Copy dictionary.hp to that location. Open the existing dictionary file and add this entry: $ INCLUDE dictionary.hp You can now use HP VSAs with other attributes when configuring user entries. 6-46...
  • Page 281: Vlan Assignment In An Authentication Session

    RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session VLAN Assignment in an Authentication Session A switch supports concurrent 802.1X and either Web- or MAC-authentication sessions on a port (with up to 32 clients allowed). If you have configured RADIUS as the primary authentication method for a type of access, when a client authenticates on a port, the RADIUS server assigns an untagged VLAN that is statically configured on the switch for use in the authentication session.
  • Page 282: Additional Radius Attributes

    ■ MS-RAS-Vendor (RFC 2548): Allows HP switches to inform a Microsoft RADIUS server that the switches are from HP Networking. This feature assists the RADIUS server in its network configuration. ■ HP-capability-advert: An HP proprietary RADIUS attribute that allows a switch to advertise its current capabilities to the RADIUS server for port-based (MAC, Web, or 802.1X) authentication;...
  • Page 283 6-16 and 6-17. See “3. Configure the Switch To Access a RADIUS Server” on page 6-15 for configuration commands for dynamic authorization. HP Switch (config)# show radius dyn-authorization Status and Counters - RADIUS Dynamic Authorization Information NAS Identifier : LAB-8212...
  • Page 284 RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session HP Switch(config)# show radius host 154.23.45.111 dyn-authorization Status and Counters - RADIUS Dynamic Authorization Information Authorization Client IP Address : 154.23.45.111 Unknown PKT Types Received : 0 Disc-Reqs CoA-Reqs...
  • Page 285: Mac-based Vlans

    RADIUS Authentication, Authorization, and Accounting MAC-Based VLANs MAC-Based VLANs MAC-Based VLANs (MBVs), available on the 5400 and 8200 version 2 interface modules, allow multiple clients on a single switch port to receive different untagged VLAN assignments. VLAN assignment of untagged traffic is based on the source MAC address rather than the port.
  • Page 286: Accounting Services

    • Nas-Port • NAS-Identifier • Acct-Authentic • Acct-Output-Octets • Calling-Station-Id • Acct-Delay-Time • Acct-Session-Time • HP-acct-terminate-cause • Acct-Input-Packets • User-Name • MS-RAS-Vendor ■ Exec accounting: Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch: •...
  • Page 287: Operating Rules For Radius Accounting

    ■ on CLI command execution during user sessions. • Acct-Session-Id • User-Name • Calling-Station-Id • Acct-Status-Type • NAS-IP-Address • HP-Command-String • Service-Type • NAS-Identifier • Acct-Delay-Time • Acct-Authentic • NAS-Port-Type ■ RADIUS accounting with IP attribute: The RADIUS Attribute 8...
  • Page 288: Acct-session-id Options In A Management Session

    RADIUS Authentication, Authorization, and Accounting Accounting Services requests from the switch, a second or third server will not be accessed. (For more on this topic, refer to “Changing RADIUS-Server Access Order” on page 6-72.) ■ If access to a RADIUS server fails during a session, but after the client...
  • Page 289 NAS-Port-Type = Virtual Calling-Station-Id = "172.22.17.101" HP-Command-String = "show ip" Acct-Delay-Time = 0 Acct-Session-Id = "00330000000A" Acct-Status-Type = Stop (Figure callouts: This incrementing of the session ID is normal operation for command accounting in the (default) Unique mode. User “fred” executes the logout command.)
  • Page 290: Common Acct-session-id Operation

    NAS-Port-Type = Virtual Calling-Station-Id = "172.22.17.101" HP-Command-String = "show ip" Acct-Delay-Time = 0 Acct-Session-Id = "00330000000B"... (Figure callout: ID assigned when the session was opened. No incrementing of the session ID is done for individual commands.)
  • Page 291: Configuring Radius Accounting

    RADIUS Authentication, Authorization, and Accounting Accounting Services Configuring RADIUS Accounting RADIUS Accounting Commands Page [no] radius-server host < ip-address > 6-58 [acct-port < port-number >] 6-58 [key < key-string >] 6-58 [no] aaa accounting < exec | network | system > < start-stop | stop-only> radius 6-64 [no] aaa accounting commands <...
  • Page 292: Configure The Switch To Access A Radius Server

    RADIUS Authentication, Authorization, and Accounting Accounting Services • Provide the following: – A RADIUS server IP address. – Optional: a UDP destination port for authentication requests. Otherwise the switch assigns the default UDP port (1812; recommended). – Optional: if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are designating, configure a server-specific key.
  • Page 293 RADIUS Authentication, Authorization, and Accounting Accounting Services yet configured the switch to use a RADIUS server, your server data has changed, or you need to specify a non-default UDP destination port for accounting requests. Note that switch operation expects a RADIUS server to accommodate both authentication and accounting.
  • Page 294: Optional) Reconfigure The Acct-session-id Operation

    RADIUS is already configured as an authentication method for one or more types of access to the switch (Telnet, Console, etc.). HP Switch (config)# radius-server host 10.33.18.151 acct-port 1750 key source0151...
  • Page 295: Configure Accounting Types And The Controls For Sending Reports To The Radius Server

    For more on these options, refer to “Acct-Session-ID Options in a Management Session” on page 6-54. HP Switch(config)# aaa accounting session-id common HP Switch(config)# show accounting Status and Counters - Accounting Information Interval(min) : 0...
  • Page 296 RADIUS Authentication, Authorization, and Accounting Accounting Services ■ Network: Use network if you want to collect accounting information on 802.1X port-based-access to the network by users connected to the physical ports on the switch. (See also “Accounting Service Types” on page 6-61.) For information on this feature, refer to the chapter titled “Configuring Switch Ports as 802.1X Authenticators”...
  • Page 297 RADIUS Authentication, Authorization, and Accounting Accounting Services Note Configuring interim-update for Command accounting results in all commands being reported as “update” records, regardless of whether common or unique is configured for the accounting session ID (page 6-60). Syntax: [no] aaa accounting < exec | network | system > < start-stop | stop-only > radius [no] aaa accounting command <...
  • Page 298 RADIUS Authentication, Authorization, and Accounting Accounting Services HP Switch(config)# aaa accounting exec start-stop radius HP Switch(config)# aaa accounting system stop-only radius HP Switch(config)# aaa accounting commands interim-update radius HP Switch(config)# show accounting Status and Counters - Accounting Information Interval(min) : 0...
  • Page 299 Service-Type = NAS-Prompt-User Acct-Authentic = Local NAS-IP-Address = 10.1.242.15 NAS-Identifier = "gsf_dosx_15" NAS-Port-Type = Virtual Calling-Station-Id = "0.0.0.0" HP-Command-String = "reload" Acct-Delay-Time = 0 Acct-Session-Id = "003600000001" Record of System Accounting Off Acct-Status-Type = Accounting-Off When Switch Reboots NAS-IP-Address = 10.1.242.15 NAS-Identifier = "gsf_dosx_15"...
  • Page 300: Optional) Configure Session Blocking And Interim Updating Options

    ■ Send updates every 10 minutes on in-progress accounting sessions. ■ Block accounting for unknown users (no username). HP Switch(config)# aaa accounting update periodic 10 HP Switch(config)# aaa accounting suppress null-username HP Switch(config)# show accounting Status and Counters - Accounting Information...
  • Page 301: Viewing Radius Statistics

    RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which requires prior use of the radius-server host command. (See “Accounting Services” on page 6-52.) HP Switch # show radius Status and Counters - General RADIUS Information Deadtime(min) : 5...
  • Page 302 RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics HP Switch(config)# show radius host 192.33.12.65 Status and Counters - RADIUS Server Information Server IP Addr : 192.33.12.65 Authentication UDP Port : 1812 Accounting UDP Port : 1813 Round Trip Time Round Trip Time...
  • Page 303: Radius Authentication Statistics

    RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Term Definition Access Requests The number of RADIUS Access-Requests the switch has sent since it was last rebooted. (Does not include retransmissions.) Accounting Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions.
  • Page 304 | Radius None Figure 6-27. Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command HP Switch(config)# show radius authentication Status and Counters - RADIUS Authentication Information NAS Identifier : HP_switch Invalid Server Addresses : 0 Server IP Addr...
  • Page 305: Radius Accounting Statistics

    Lists accounting statistics for the RADIUS server(s) configured in the switch (using the radius-server host command). show accounting sessions Lists the accounting sessions currently active on the switch. HP Switch(config)# show accounting Status and Counters - Accounting Information Interval(min) : 5 Suppress Empty User : No...
  • Page 306: Changing Radius-server Access Order

    RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order HP Switch(config)# show radius accounting Status and Counters - RADIUS Accounting Information NAS Identifier : HP_switch Invalid Server Addresses : 0 Server IP Addr Port Timeouts Requests Responses --------------- ----- ---------- ---------- ---------- 192.33.12.65...
  • Page 307 RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order HP Switch# show radius Status and Counters - General RADIUS Information Deadtime(min) : 0 Timeout(secs) : 5 (Figure callout: RADIUS server IP addresses listed in the order in which the switch will try to access them. In this case, the server at IP address 10.10.10.1 is first.)
  • Page 308 RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order HP Switch(config)# no radius host 10.10.10.1 HP Switch(config)# radius host 10.10.10.3 HP Switch(config)# radius host 10.10.10.1 HP Switch# show radius Status and Counters - General RADIUS Information (Figure callouts: Removes the “3” and “1” addresses from the RADIUS server list. Inserts the “3”...
  • Page 309: Creating Local Privilege Levels

    RADIUS Authentication, Authorization, and Accounting Creating Local Privilege Levels Creating Local Privilege Levels This feature allows more granular localized control over user access when accessing the switch through the console or by telnet or SSH. Instead of allowing access to all commands with the “manager” command, or very restricted access with the “operator”...
  • Page 310: Configuring Groups For Local Authorization

    RADIUS Authentication, Authorization, and Accounting Creating Local Privilege Levels Configuring Groups for Local Authorization You must create a group for local authorization before you can assign local users to it. When creating the group, at least one command is created as part of that group.
  • Page 311: Configuring A Local User For A Group

    HP Switch(config)# aaa authorization group Redgroup 100 match-command configure permit HP Switch(config)# aaa authorization group Redgroup 200 match-command “vlan *” permit Figure 6-35. Example of Configuring Authorized Commands for a Group in the Correct Order Some commands cause the switch CLI to enter a special context, such as test mode, and the input is not processed by the normal CLI.
  • Page 312 If a user is assigned to a command group and the group is subsequently deleted, the user will have operator privileges. HP Switch(config)# aaa authentication local-user User1 group Redgroup password plaintext New password for User1: *******...
  • Page 313: Displaying Command Authorization Information

    Displays information about users and command authorization for command groups. Specifying the group parameter without any group names displays information for all configured groups. HP Switch(config)# show authorization group Local Management Groups - Authorization Information Group Name: Redgroup Username ----------------...
  • Page 314: Dynamic Removal Of Authentication

    This enhancement allows a common port policy to be configured on all access ports by creating new RADIUS HP vendor-specific attributes (VSAs) that will dynamically override the authentication limits. The changes are always applied to the port on the authenticator switch associated with the supplicant being authenticated.
  • Page 315 VSA. A port-based VSA is set with a value of 1; a user-based VSA is set with a value of 2. This is an HP proprietary VSA with a value of 13.
  • Page 316: Displaying The Port-access Information

    If the command no aaa port-access authentication <port-list> client-limit is executed, the port access is in port-mode. If the 802.1X client-limit is configured with a value from 1-32, the port access is in user-mode. HP Switch (config)# show port-access summary Port Access Status Summary...
  • Page 317: Operating Notes

    To display the configuration information for just those ports that are dynamically overridden by RADIUS attributes, use the show port-access summary radius-overridden command. HP Switch(config)# show port-access summary radius-overridden Port Access Status Summary Port-access authenticator activated [No} : No...
  • Page 318: Messages Related To Radius Operation

    RADIUS Authentication, Authorization, and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message: Can’t reach RADIUS server < x.x.x.x >. Meaning: A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch.
  • Page 319: Configuring Radius Server Support For Switch Services

    — IPv4-only or IPv4 and IPv6) HP recommends using the Standard RADIUS attribute if available. Where both a standard attribute and a VSA are available, the VSA is maintained for backwards compatibility with configurations based on earlier software releases.
  • Page 320: Optional Hp Pcm+ And Idm Network Management Applications

    Management Applications For information on support for the above services in the PCM+ application using the HP PMC Identity Driven Management (IDM) plug-in, refer to the documentation for these applications on the HP web site at www.hp.com. All of the RADIUS-based services described in this chapter can be used without...
  • Page 321: Radius Server Configuration For Cos (802.1p Priority) And Rate-limiting

    Inbound to the Switch: Assigns a RADIUS-configured 802.1p priority to the inbound packets received from a specific client authenticated on a switch port. Vendor-Specific Attribute used in the RADIUS server (this attribute is maintained for legacy configurations): HP vendor-specific ID:11, VSA: 40, Setting: User-Priority-Table = xxxxxxxx where:
  • Page 322 Rate-Limiting Per-User: Assigns a RADIUS-configured bandwidth limit to the inbound... HP vendor-specific ID:11, VSA: 46, Setting: HP-Bandwidth-Max-Egress = < bandwidth-in-Kbps > Note: RADIUS-assigned rate-limit bandwidths must be specified in Kbps. (Bandwidth percentage settings are not supported.) Using a...
  • Page 323: Applied Rates For Radius-assigned Rate Limits

    Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting Applied Rates for RADIUS-Assigned Rate Limits On the switches covered by this guide, rate limits are applied incrementally, as determined by the RADIUS-applied rate. For any given bandwidth assignment, the switch applies the nearest rate increment that does not exceed the assigned value.
  • Page 324 RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting Per-Port Bandwidth: HP recommends that rate-limiting be configured either solely through RADIUS assignments or solely through static CLI configuration on the switch unless the potential for the override described below is specifically desired.
  • Page 325: Viewing The Currently Active Per-port Cos And Rate-limiting Configuration Specified By A Radius Server

    Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting Viewing the Currently Active Per-Port CoS and Rate-Limiting Configuration Specified by a RADIUS Server While a RADIUS-assigned client session is active on a given port, any RADIUS-imposed values for the settings listed in table 7-5 are applied as shown: Table 7-5.
  • Page 326 Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for CoS (802.1p Priority) and Rate-Limiting web-based [ port-list ] clients detail displays, for a Web authenticated client (Web-Auth), the status of RADIUS-assignment details for that client. (Refer to “Show Commands for Web Authentication”...
  • Page 327 10,000 kbs 50,000 kbs* “X” authenticates *Combined rate-limit output for all clients active on the port. HP Switch(eth-10)# show port-access web-based clients 4 detail Port Access Web-Based Client Status Detailed... (Figure callout: Indicates there is an authenticated client session running on port 10.)
  • Page 328 They also include indications of RADIUS-assigned rate-limiting and client traffic priority settings for any clients that may be authenticated on the same ports. HP Switch # show rate-limit all 1-5 All-Traffic Rate Limit Maximum % | Inbound...
  • Page 329: Configuring And Using Dynamic (radius-assigned) Access Control Lists

    Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists Introduction A RADIUS-assigned ACL is configured on a RADIUS server and dynamically assigned by the server to filter IP traffic from a specific client after the client is authenticated by the server.
  • Page 330 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists • RACL (IPv4 ACLs only): an ACL assigned to filter routed IPv4 traffic entering or leaving the switch on a VLAN. (Separate assignments are required for inbound and outbound traffic.) •...
  • Page 331 Configuring RADIUS Server Support for Switch Services Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists NAS (Network Attached Server): In this context, refers to a HP switch configured for RADIUS operation. Outbound Traffic: For defining the points where the switch applies an ACL to filter traffic, outbound traffic is routed IPv4 traffic leaving the switch through a VLAN interface (or a subnet in a multinetted VLAN).
  • Page 332 Configuring RADIUS Server Support for Swi