HP ProCurve Switch 2900yl-24G Access Security Manual
  1. Manuals
  2. Brands
  3. HP Manuals
  4. Switch
  5. ProCurve Switch 2900yl-24G
  6. Access security manual

HP ProCurve Switch 2900yl-24G Access Security Manual

Hide thumbs
Table of Contents

Advertisement

Quick Links

Download this manual
Access Security Guide
2900yl
ProCurve Switches
T.12.XX
www.procurve.com

Advertisement

Table of Contents
loading

Related Manuals for HP ProCurve Switch 2900yl-24G

Summary of Contents for HP ProCurve Switch 2900yl-24G

  • Page 1 Access Security Guide 2900yl ProCurve Switches T.12.XX www.procurve.com...
  • Page 3 ProCurve Switch 2900yl February 2007 T.12.XX Access Security Guide...
  • Page 4 This product includes software developed by the performance, or use of this material. OpenSSL Project for use in the OpenSSL Toolkit. For more The only warranties for HP products and services are set information on OpenSSL, visit forth in the express warranty statements accompanying www.openssl.org.

  • Page 5: Table Of Contents

    Contents Product Documentation About Your Switch Manual Set ........xv Feature Index .
  • Page 6 2 Configuring Username and Password Security Contents ............2-1 Overview .
  • Page 7 General Setup Procedure for Web/MAC Authentication ..3-12 Do These Steps Before You Configure Web/MAC Authentication . . 3-12 Additional Information for Configuring the RADIUS Server To Support MAC Authentication ......3-14 Configuring the Switch To Access a RADIUS Server .
  • Page 8 Local Authentication Process ....... . 4-22 Using the Encryption Key ........4-23 General Operation .
  • Page 9 Using Vendor Specific Attributes (VSAs) ....5-23 Example Configuration on Cisco Secure ACS for MS Windows 5-25 Example Configuration Using FreeRADIUS ....5-28 Configuring RADIUS Accounting .
  • Page 10 5. Configuring the Switch for SSH Authentication ....6-18 6. Use an SSH Client To Access the Switch ..... 6-22 Further Information on SSH Client Public-Key Authentication .
  • Page 11 Filter Limits ..........8-3 Using Port Trunks with Filters .
  • Page 12 General 802.1X Authenticator Operation ..... . 9-10 Example of the Authentication Process ......9-10 VLAN Membership Priority .
  • Page 13 Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches ....... 9-45 Example .
  • Page 14 Notice of Security Violations ....... . 10-33 How the Intrusion Log Operates ......10-34 Keeping the Intrusion Log Current by Resetting Alert Flags .
  • Page 15 12 Key Management System Contents ........... . . 12-1 Overview .

  • Page 17: Product Documentation

    Product Documentation About Your Switch Manual Set The switch manual set includes the following documentation: ■ Read Me First—a printed guide shipped with your switch. Provides software update information, product notes, and other information. Installation and Getting Started Guide—a printed guide shipped with ■...

  • Page 18: Feature Index

    Product Documentation Feature Index For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. Feature Management Advanced Multicast Access Traffic Security Configuration Management Routing Guide 802.1Q VLAN Tagging 802.1p Priority 802.1X Authentication AAA Authentication...
  • Page 19 Product Documentation Feature Management Advanced Multicast Access Traffic Security Configuration Management Routing Guide Flow Control (802.3x) File Management File Transfers Friendly Port Names GVRP Identity-Driven Management (IDM) IGMP Interface Access (Telnet, Console/Serial, Web) IP Addressing IP Routing Jumbos Support LACP Link LLDP LLDP-Med...
  • Page 20 Product Documentation Feature Management Advanced Multicast Access Traffic Security Configuration Management Routing Guide Ping Port Configuration Port Monitoring Port Security Port Status Port Trunking (LACP) Port-Based Access Control Port-Based Priority (802.1Q) Protocol Filters Protocol VLANS Quality of Service (QoS) RADIUS Authentication and Accounting RADIUS-Based Configuration RMON 1,2,3,9 Routing...
  • Page 21 Product Documentation Feature Management Advanced Multicast Access Traffic Security Configuration Management Routing Guide Syslog System Information TACACS+ Authentication Telnet Access TFTP Time Protocols (TimeP, SNTP) Traffic/Security Filters Troubleshooting UDP Forwarder VLANs VLAN Mirroring (1 static VLAN) Voice VLAN Web Authentication RADIUS Support Web-based Authentication Web UI Xmodem...
  • Page 22 Product Documentation...

  • Page 23: Getting Started

    Getting Started Contents Introduction ..........1-2 Conventions .

  • Page 24: Introduction

    Introduction This Management and Configuration Guide is intended for use with the following switches: ■ ProCurve Switch 2900yl-24G ProCurve Switch 2900yl-48G ■ This guide describes how to use the command line interface (CLI), Menu interface, and web browser to configure, manage, monitor, and troubleshoot switch operation.

  • Page 25: Command Syntax Statements

    Getting Started Conventions Command Syntax Statements Syntax: ip default-gateway < ip-addr > Syntax: show interfaces [port-list ] ■ Vertical bars ( | ) separate alternative, mutually exclusive elements. ■ Square brackets ( [ ] ) indicate optional elements. Braces ( < > ) enclose required elements. ■...

  • Page 26: Screen Simulations

    Getting Started Conventions Screen Simulations Displayed Text. Figures containing simulated screen text and command output look like this: ProCurve> show version Image stamp: /sw/code/build/info July 1, 2006 13:43:13 T.11.01 ProCurve> Figure 1-1. Example of a Figure Showing a Simulated Screen In some cases, brief command-output sequences appear without figure iden- tification.

  • Page 27: Sources For More Information

    Getting Started Sources for More Information Sources for More Information For additional information about switch operation and features not covered in this guide, consult the following sources: ■ Feature Index—For information on which product manual to consult for a given software feature, refer to the “Feature Index” on page xvi. N o t e For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features, visit the ProCurve Network-...
  • Page 28 Getting Started Sources for More Information Management and Configuration Guide—Use this guide for information ■ on topics such as: • various interfaces available on the switch • memory and configuration operation • interface access • IP addressing • time protocols •...

  • Page 29: Getting Documentation From The Web

    Getting Started Sources for More Information Getting Documentation From the Web Go to the ProCurve Networking Web Site at www.procurve.com Click on Technical support. Click on Product manuals. Click on the product for which you want to view or download a manual. Online Help If you need information on specific parameters in the menu interface, refer to the online help provided in the interface.

  • Page 30: Need Only A Quick Start

    Getting Started Need Only a Quick Start? If you need information on specific features in the ProCurve Web Browser Interface (hereafter referred to as the “web browser interface”), use the online help available for the web browser interface. For more information on web browser Help options, refer to “Online Help for the ProCurve Web Browser Interface”...

  • Page 31: To Set Up And Install The Switch In Your Network

    Getting Started To Set Up and Install the Switch in Your Network To Set Up and Install the Switch in Your Network Physical Installation Use the ProCurve Installation and Getting Started Guide (shipped with the switch) for the following: ■ Notes, cautions, and warnings related to installing and using the switch and its related modules ■...
  • Page 32 Getting Started Overview of Access Security Features Secure Socket Layer (SSL) (page 7-1): Provides remote web access to ■ the switch via encrypted authentication paths between the switch and management station clients capable of SSL/TLS operation. ■ Traffic/Security Filters (page 8-1): Enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic.

  • Page 33: General Switch Traffic Security Guideline

    Getting Started General Switch Traffic Security Guideline General Switch Traffic Security Guideline Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.
  • Page 34 Getting Started General Switch Traffic Security Guideline 1-12...

  • Page 35: Configuring Username And Password Security

    Configuring Username and Password Security Contents Overview ........... . . 2-2 Configuring Local Password Security .

  • Page 36: Overview

    Configuring Username and Password Security Overview Overview Feature Default Menu Set Usernames none — — page 2-8 Set a Password none page 2-5 page 2-7 page 2-8 Delete Password Protection page 2-6 page 2-7 page 2-8 show front-panel-security — page 1-13 —...
  • Page 37 Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
  • Page 38 Configuring Username and Password Security Overview N o t e The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.

  • Page 39: Configuring Local Password Security

    Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a user- name requires either the CLI or the web browser interface. From the Main Menu select: 3.
  • Page 40 Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and pass- words (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.

  • Page 41: Cli: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below. Configuring Manager and Operator Passwords. Syntax: [ no ] password <manager | operator > [ user-name ASCII-STR ] [ no ] password <...

  • Page 42: Web: Setting Passwords And Usernames

    Configuring Username and Password Security Front-Panel Security Web: Setting Passwords and Usernames In the web browser interface you can enter passwords and (optional) user- names. To Configure (or Remove) Usernames and Passwords in the Web Browser Interface. Click on the tab.

  • Page 43: When Security Is Important

    Configuring Username and Password Security Front-Panel Security When Security Is Important Some customers require a high level of security for information. Also, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires that systems handling and transmitting confidential medical records must be secure.

  • Page 44: Front-Panel Button Functions

    Configuring Username and Password Security Front-Panel Security Front-Panel Button Functions The front panel of the switch includes the Reset button and the Clear button. Reset Clear Figure 2-4. Front-Panel Button Locations on a ProCurve 2900yl Switch Clear Button Pressing the Clear button alone for one second resets the password(s) con- figured on the switch.

  • Page 45: Reset Button

    Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.

  • Page 46: Configuring Front-Panel Security

    Configuring Username and Password Security Front-Panel Security Release the Reset button. Reset Clear Test When the Test LED to the right of the Clear button begins flashing, release the Clear button. Reset Clear Test It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings.
  • Page 47 Configuring Username and Password Security Front-Panel Security • Configure the Clear button to reboot the switch after clearing any local usernames and passwords. This provides an immediate, visual means (plus an Event Log message) for verifying that any usernames and passwords in the switch have been cleared. •...

  • Page 48: Disabling The Clear Password Function Of The Clear Button On The Switch's Front Panel

    Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to “Password Recovery Process” on page 2-20.) (Default: Enabled.) CAUTION: Disabling this option removes the ability to recover a password on the switch.
  • Page 49 Configuring Username and Password Security Front-Panel Security Indicates the command has disabled the Clear button on the switch’s front panel. In this case the Show command does not include the reset- on-clear status because it is inoperable while the Clear Password functionality is disabled, and must be reconfigured whenever Clear Password is re-enabled .

  • Page 50: Re-Enabling The Clear Button On The Switch's Front Panel And Setting Or Changing The "Reset-On-Clear" Operation

    Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel.

  • Page 51: Changing The Operation Of The Reset+Clear Combination

    Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on- clear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-9. Example of Re-Enabling the Clear Button’s Default Operation Changing the Operation of the Reset+Clear Combination In their default configuration, using the Reset+Clear buttons in the combina- tion described under “Restoring the Factory Default Configuration”...

  • Page 52: Password Recovery

    Configuring Username and Password Security Front-Panel Security The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. Completes the command to disable the factory reset option. Displays the current front- panel-security configuration, with Factory Reset disabled.
  • Page 53 Configuring Username and Password Security Front-Panel Security Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form of the command) disables the ability to recover a lost password. When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password.

  • Page 54: Password Recovery Process

    Configuring Username and Password Security Front-Panel Security Figure 2-11. Example of the Steps for Disabling Password-Recovery Password Recovery Process If you have lost the switch’s manager username/password, but password- recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by ProCurve.

  • Page 55: Web And Mac Authentication

    Web and MAC Authentication Contents Overview ........... . . 3-2 Client Options .

  • Page 56: Overview

    Web and MAC Authentication Overview Overview Feature Default Menu Configure Web Authentication — 3-17 — Configure MAC Authentication — 3-27 — Display Web Authentication Status and Configuration — 3-25 — Display MAC Authentication Status and Configuration — 3-33 — Web and MAC Authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access.

  • Page 57: Client Options

    Web and MAC Authentication Overview password, and grants or denies network access in the same way that it does for clients capable of interactive logons. (The process does not use either a client device configuration or a logon session.) MAC authentication is well- suited for clients that are not capable of providing interactive logons, such as telephones, printers, and wireless access points.

  • Page 58: General Features

    Web and MAC Authentication Overview General Features Web and MAC Authentication on the switches covered in this guide include the following: On a port configured for Web or MAC Authentication, the switch ■ operates as a port-access authenticator using a RADIUS server and the CHAP protocol.

  • Page 59: How Web And Mac Authentication Operate

    Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Authenticator Operation Before gaining access to the network clients first present their authentication credentials to the switch. The switch then verifies the supplied credentials with a RADIUS authentication server.
  • Page 60 Web and MAC Authentication How Web and MAC Authentication Operate Figure 3-2. Progress Message During Authentication If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.

  • Page 61: Mac-Based Authentication

    Web and MAC Authentication How Web and MAC Authentication Operate moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authorized port take affect at the end of the session.
  • Page 62 Web and MAC Authentication How Web and MAC Authentication Operate If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate).

  • Page 63: Terminology

    Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN.

  • Page 64: Operating Rules And Notes

    Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ The switch supports concurrent 802.1X and either Web- or MAC- authentication operation on a port (one client allowed). However, concurrent operation of Web- or MAC-authentication with other types of authentication on the same port is not supported.
  • Page 65 Web and MAC Authentication Operating Rules and Notes • During an authenticated client session, the following hierarchy deter- mines a port’s VLAN membership: If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.

  • Page 66: General Setup Procedure For Web/Mac Authentication

    Web and MAC Authentication General Setup Procedure for Web/MAC Authentication Web- or MAC-based authentication and LACP cannot both be enabled ■ on the same port. N o t e o n Web / The switch does not allow Web or MAC Authentication and LACP to both be M A C enabled at the same time on the same port.
  • Page 67 Web and MAC Authentication General Setup Procedure for Web/MAC Authentication If there is neither a RADIUS-assigned VLAN or an “Authorized VLAN” for an authenticated client session on a port, then the port’s VLAN membership remains unchanged during authenticated client ses- sions.

  • Page 68: Additional Information For Configuring The Radius Server To Support Mac Authentication

    Web and MAC Authentication General Setup Procedure for Web/MAC Authentication Additional Information for Configuring the RADIUS Server To Support MAC Authentication On the RADIUS server, configure the client device authentication in the same way that you would any other client, except: Configure the client device’s (hexadecimal) MAC address as both ■...

  • Page 69: Configuring The Switch To Access A Radius Server

    Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Configuring the Switch To Access a RADIUS Server RADIUS Server Configuration Commands radius-server [host < p-address>] below [key < global-key-string >] below radius-server host < p-address> key <server-specific key-string> 3-16 This section describes the minimal commands for configuring a RADIUS server to support Web-Auth and MAC Auth.
  • Page 70 Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Syntax: radius-server host < ip-address > key <server-specific key-string> [no] radius-server host < ip-address > key Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the speci- fied server.

  • Page 71: Configuring Web Authentication

    Web and MAC Authentication Configuring Web Authentication Configuring Web Authentication Configuration Overview If you have not already done so, configure a local username and password pair on the switch. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authentication.

  • Page 72: Configuration Commands For Web-Based Authentication

    Web and MAC Authentication Configuring Web Authentication Configuration Commands for Web-Based Authentication Command Page Configuration Level aaa port-access web-based dhcp-addr 3-18 aaa port-access web-based dhcp-lease 3-19 [no] aaa port-access web-based [e] < port-list > 3-19 [auth-vid] 3-19 [client-limit] 3-19 [client-moves] 3-20 [logoff-period] 3-20...
  • Page 73 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based dhcp-lease <5 - 25> Specifies the lease length, in seconds, of the temporary IP address issued for Web Auth login purposes. (Default: 10 seconds) Syntax: [no] aaa port-access web-based [e] < port-list> Enables web-based authentication on the specified ports.
  • Page 74 Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based [e] < port-list > [client-moves] Allows client moves between the specified ports under Web Auth control. When enabled, the switch allows clients to move without requiring a re-authentication. When disabled, the switch does not allow moves and when one does occur, the user will be forced to re- authenticate.
  • Page 75 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based [e] < port-list > [quiet-period <1 - 65535>] Specifies the time period, in seconds, the switch should wait before attempting an authentication request for a client that failed authentication. (Default: 60 seconds) Syntax: aaa port-access web-based [e] <...
  • Page 76 Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based [e] < port-list > [ssl-login]] Enables or disables SSL login (https on port 443). SSL must be enabled on the switch. If SSL login is enabled, a user is redirected to a secure page, where they enter their username and password.
  • Page 77 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-direc- tions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.
  • Page 78 Web and MAC Authentication Configuring Web Authentication Notes: For information on how to configure the prerequisites for using ■ the aaa port-access controlled-directions in command, see Chapter 4, “Multiple Instance Spanning-Tree Operation” in the Advanced Traffic Management Guide. To display the currently configured Controlled Directions value for ■...

  • Page 79: Show Commands For Web-Based Authentication

    Web and MAC Authentication Show Commands for Web-Based Authentication Show Commands for Web-Based Authentication Command Page port-list show port-access [ ] web-based 3-25 [clients] 3-25 [config] 3-25 [config [auth-server]] 3-26 [config [web-server]] 3-26 port-list show port-access web-based config detail 3-26 Syntax: show port-access [port-list] web-based Shows the status of all Web-Authentication enabled...

  • Page 80: Example: Verifying A Web Authentication Configuration

    Web and MAC Authentication Show Commands for Web-Based Authentication Syntax: show port-access [port-list] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.

  • Page 81: Configuring Mac Authentication

    Web and MAC Authentication Configuring MAC Authentication ProCurve(config)# show port-access web-based config Port Access Web-Based Configuration DHCP Base Address : 192.168.0.0 DHCP Subnet Mask : 255.255.255.0 DHCP Lease Length : 10 Client Client Logoff Re-Auth Unauth Auth Cntrl Port Enabled Limit Moves Period Period...

  • Page 82: Configuration Commands For Mac-Based Authentication

    Web and MAC Authentication Configuring MAC Authentication Use the ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support MAC-Auth on the switch. Configure the switch with the correct IP address and encryption key to access the RADIUS server.
  • Page 83 Web and MAC Authentication Configuring MAC Authentication no-delimiter — specifies an aabbccddeeff format. single-dash — specifies an aabbcc-ddeeff format. multi-dash — specifies an aa-bb-cc-dd-ee-ff format. multi-colon — specifies an aa:bb:cc:dd:ee:ff format. Syntax: [no] aaa port-access mac-based < port-list > Enables MAC-based authentication on the specified ports.
  • Page 84 Web and MAC Authentication Configuring MAC Authentication aaa port-access mac-based [e] < port-list > Syntax: [logoff-period] <60-9999999> Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense.
  • Page 85 Web and MAC Authentication Configuring MAC Authentication Syntax: aaa port-access mac-based [e] < port-list > [unauth-vid <vid>] no aaa port-access mac-based [e] < port-list > [unauth-vid] Specifies the VLAN to use for a client that fails authen- tication. If unauth-vid is 0, no VLAN changes occur. Use the no form of the command to set the unauth-vid to 0.
  • Page 86 Web and MAC Authentication Configuring MAC Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> —cont’d— For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, “Multiple Instance Span- ning-Tree Operation” in the Advanced Traffic Manage- ment Guide.

  • Page 87: Show Commands For Mac-Based Authentication

    Web and MAC Authentication Show Commands for MAC-Based Authentication Show Commands for MAC-Based Authentication Command Page port-list show port-access [ ] mac-based 3-33 [clients] 3-33 [config] 3-33 [config [auth-server]] 3-34 port-list show port-access mac-based config detail 3-34 Syntax: show port-access [port-list] mac-based Shows the status of all MAC-Authentication enabled ports or the specified ports.

  • Page 88: Example: Verifying A Mac Authentication Configuration

    Web and MAC Authentication Show Commands for MAC-Based Authentication Syntax: show port-access [port-list] mac-based [config [auth-server]] Shows MAC Authentication settings for all ports or the specified ports, along with the Radius server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.
  • Page 89 Web and MAC Authentication Show Commands for MAC-Based Authentication ProCurve(config)# show port-access mac-based config Port Access MAC-Based Configuration MAC Address Format : no-delimiter Client Client Logoff Re-Auth Unauth Auth Cntrl Port Enabled Limit Moves Period Period VLAN ID VLAN ID Dir ----- -------- ------ ------ ------- ------- ------- ------- ----...

  • Page 90: Client Status

    Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Possible Explanations Connection authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires.

  • Page 91: Tacacs+ Authentication

    TACACS+ Authentication Contents Overview ........... . . 4-2 Terminology Used in TACACS Applications: .

  • Page 92: Overview

    TACACS+ Authentication Overview Overview Feature Default Menu view the switch’s authentication configuration — page 4-9 — view the switch’s TACACS+ server contact — page — configuration 4-10 configure the switch’s authentication methods disabled — page — 4-11 configure the switch to contact TACACS+ server(s) disabled —...

  • Page 93: Terminology Used In Tacacs Applications

    TACACS+ Authentication Terminology Used in TACACS Applications: authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/ write) privilege level access. TACACS+ does not affect web browser interface access. See “Controlling Web Browser Interface Access”...
  • Page 94 TACACS+ Authentication Terminology Used in TACACS Applications: must distribute the password information on each switch to everyone who needs to access the switch, and you must configure and manage password protection on a per-switch basis. (For more on local authentication, refer to chapter 2, “Configuring Username and Password Security”.) •...

  • Page 95: General System Requirements

    TACACS+ Authentication General System Requirements General System Requirements To use TACACS+ authentication, you need the following: A TACACS+ server application installed and configured on one or ■ more servers or management stations in your network. (There are several TACACS+ software packages available.) A switch configured for TACACS+ authentication, with access to one ■...

  • Page 96: General Authentication Setup Procedure

    TACACS+ Authentication General Authentication Setup Procedure General Authentication Setup Procedure It is important to test the TACACS+ service before fully implementing it. Depending on the process and parameter settings you use to set up and test TACACS+ authentication in your network, you could accidentally lock all users, including yourself, out of access to a switch.
  • Page 97 TACACS+ Authentication General Authentication Setup Procedure Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for Telnet access (login and enable) to the switch. This includes the username/password sets for logging in at the Operator (read-only) privilege level and the sets for logging in at the Manager (read/ write) privilege level.

  • Page 98: Configuring Tacacs+ On The Switch

    TACACS+ Authentication Configuring TACACS+ on the Switch On a remote terminal device, use Telnet to attempt to access the switch. If the attempt fails, use the console access to check the TACACS+ configuration on the switch. If you make changes in the switch configu- ration, check Telnet access again.

  • Page 99: Cli Commands Described In This Section

    TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs 4-10 aaa authentication 4-11 through 4-14 console Telnet num-attempts <1-10 > tacacs-server 4-15 host < ip-addr > 4-15 4-19 timeout < 1-255 > 4-20 Viewing the Switch’s Current Authentication Configuration...

  • Page 100: Viewing The Switch's Current Tacacs+ Server Contact Configuration

    TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. Syntax: show tacacs For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a (global) encryption key, show tacacs would produce a listing similar to the...

  • Page 101: Configuring The Switch's Authentication Methods

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied).
  • Page 102 TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-1. AAA Authentication Parameters Name Default Range Function console Specifies whether the command is configuring authentication for the console port - or - or Telnet access method for the switch. telnet enable Specifies the privilege level for the access method being configured.
  • Page 103 TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Authentication Options Effect on Access Attempts Privilege Level Primary Secondary Console — Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Console —...
  • Page 104 TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server.

  • Page 105: Configuring The Switch's Tacacs+ Server Access

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these parameters: The host IP address(es) for up to three TACACS+ servers; one first- ■ choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.
  • Page 106 TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [key < key-string >] Adds a TACACS+ server and optionally assigns a server-specific encryption key [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its server- specific encryption key, if any) tacacs-server key <key-string>...
  • Page 107 TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host <ip-addr> [key <key-string> none Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per- server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key”...
  • Page 108 TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range key <key-string> none (null) n/a Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server”...
  • Page 109 TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-5. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.

  • Page 110: How Authentication Operates

    TACACS+ Authentication How Authentication Operates To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs-server host 10.28.227.104 Note...
  • Page 111 TACACS+ Authentication How Authentication Operates Using figure 4-6, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: The switch queries the first-choice TACACS+ server for authentication of the request. •...

  • Page 112: Local Authentication Process

    TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentica- tion only if one of these two conditions exists: “Local” is the authentication option for the access method being used. ■...

  • Page 113: Using The Encryption Key

    TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”) helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.

  • Page 114: Controlling Web Browser Interface Access When Using Tacacs+ Authentication

    TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to configure a global encryp- tion key in the switch to match a key entered as in two target north40campus TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch: ProCurve(config)# tacacs-server key north40campus...

  • Page 115: Messages Related To Tacacs+ Operation

    TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For informa- tion on such messages, refer to the documentation you received with the application.

  • Page 116: Operating Notes

    TACACS+ Authentication Operating Notes Operating Notes ■ If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized manager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP Manager controls configured on the switch.

  • Page 117: Radius Authentication And Accounting

    RADIUS Authentication and Accounting Contents Overview ........... . . 5-3 Authentication Services .
  • Page 118 RADIUS Authentication and Accounting Contents Steps for Configuring RADIUS Accounting ..... 5-31 1. Configure the Switch To Access a RADIUS Server ..5-32 2.

  • Page 119: Overview

    RADIUS Authentication and Accounting Overview Overview Feature Default Menu Configuring RADIUS Authentication None Configuring RADIUS Accounting None 5-29 Configuring RADIUS Authorization None 5-21 Viewing RADIUS Statistics 5-37 RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server employed.

  • Page 120: Accounting Services

    RADIUS Authentication and Accounting Terminology Note The switch does not support RADIUS security for SNMP (network manage- ment) access. For information on blocking access through the web browser interface, refer to “Controlling Web Browser Interface Access” on page 5-20. Accounting Services RADIUS accounting on the switch collects resource consumption data and forwards it to the RADIUS server.

  • Page 121: Switch Operating Rules For Radius

    RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Host: See RADIUS Server. NAS (Network Access Server): In this case, a ProCurve switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): a protocol for carrying authentication, authorization, and accounting information between a Network Access Server and shared AAA servers in a distributed dial-in networking environment.
  • Page 122 RADIUS Authentication and Accounting Switch Operating Rules for RADIUS When primary/secondary authentication is set to Radius/Local (for ■ either Login or Enable) and the RADIUS server fails to respond to a client attempt to authenticate, the failure is noted in the Event Log with the message radius: Can't reach RADIUS server <...

  • Page 123: General Radius Setup Procedure

    RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. Before configuring the switch, collect the information outlined below.

  • Page 124: Configuring The Switch For Radius Authentication

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.) •...

  • Page 125: Outline Of The Steps For Configuring Radius Authentication

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: Configure RADIUS authentication for controlling access through one or more of the following •...

  • Page 126: Configure Authentication For The Access Methods You Want Radius To Protect

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Timeout Period: The timeout period the switch waits for a RADIUS server to reply. (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS authentication request.
  • Page 127 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius (or tacacs) for primary authentication, you must configure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail. Syntax: aaa authentication <...

  • Page 128: Enable The (Optional) Access Privilege Option

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Enable the (Optional) Access Privilege Option In the default RADIUS operation, the switch automatically admits any authen- ticated client to the Login (Operator) privilege level, even if the RADIUS server specifies Enable (Manager) access for that client.

  • Page 129: Configure The Switch To Access A Radius Server

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication — Continued from the preceding page. — The no form of the command returns the switch to the default RADIUS authentication operation. The default behavior for most interfaces is that a client authorized by the RADIUS server for Enable (Manager) access will be prompted twice, once for Login (Operator) access and once for Enable access.
  • Page 130 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication [acct-port < port-number >] Optional. Changes the UDP destination port for account- ing requests to the specified RADIUS server. If you do not use this option with the radius-server host command, the switch automatically assigns the default accounting port number.

  • Page 131: Configure The Switch's Global Radius Parameters

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-3. Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 5-3, you would do the following: Changes the key for the existing server to “source0127”...
  • Page 132 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Global server key: The server key the switch will use for contacts ■ with all RADIUS servers for which there is not a server-specific key configured by radius-server host < ip-address > key < key-string >. This key is optional if you configure a server-specific key for each RADIUS server entered in the switch.
  • Page 133 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server timeout < 1 - 15 > Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure. (Default: 3 seconds; Range: 1 - 15 seconds) radius-server retransmit <...
  • Page 134 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in this guide. After two attempts failing due to username or password entry errors, the switch will terminate the session.

  • Page 135: Local Authentication Process

    RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: Local is the authentication option for the access method being used. ■...

  • Page 136: Controlling Web Browser Interface Access

    RADIUS Authentication and Accounting Controlling Web Browser Interface Access Controlling Web Browser Interface Access To help prevent unauthorized access through the web browser interface, do one or more of the following: ■ Configure the switch to support RADIUS authentication for web browser interface access.

  • Page 137: Configuring Radius Authorization

    RADIUS Authentication and Accounting Configuring RADIUS Authorization Configuring RADIUS Authorization Overview You can limit the services for a user by enabling AAA RADIUS authorization. The NAS uses the information set up on the RADIUS server to control the user’s access to CLI commands. The RADIUS protocol combines user authentication and authorization steps into one phase.

  • Page 138: Enabling Authorization With The Cli

    RADIUS Authentication and Accounting Configuring RADIUS Authorization Enabling Authorization with the CLI To configure authorization for controlling access to the CLI commands, enter this command. Syntax: [no] aaa authorization <commands> <radius | none> Configures authorization for controlling access to CLI commands.

  • Page 139: Showing Authorization Information

    Figure 5-7. Example of Show Authorization Command Configuring the RADIUS Server Using Vendor Specific Attributes (VSAs) Some RADIUS-based features implemented on ProCurve switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access- Accept packets sent to the switch may contain the vendor-specific informa- tion.
  • Page 140 (those that are available by default to any user). You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.

  • Page 141: Example Configuration On Cisco Secure Acs For Ms Windows 5-25

    The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps. Create a dictionary file (for example, hp.ini) containing the HP VSA definitions, as shown in the example below. ;[User Defined Vendor] ;...
  • Page 142 Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils> csutil -addudv 0 hp.ini The zero (0) is the slot number.
  • Page 143 4 (100 in the example). Restart all Cisco services. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry. In the Authenticate Using field choose RADIUS(HP) as an option for the type of security control protocol.

  • Page 144: Example Configuration Using Freeradius

    Find the location of the dictionary files used by FreeRADIUS (try /usr/ local/share/freeradius). Copy dictionary.hp to that location. Open the existing dictionary file and add this entry: $ INCLUDE dictionary.hp You can now use HP VSAs with other attributes when configuring user entries. 5-28...

  • Page 145: Configuring Radius Accounting

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Commands Page [no] radius-server host < ip-address > 5-32 [acct-port < port-number >] 5-32 [key < key-string >] 5-32 [no] aaa accounting < exec | network | system | 5-35 commands >...

  • Page 146: Operating Rules For Radius Accounting

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Network accounting: Provides records containing the information ■ listed below on clients directly connected to the switch and operating under Port-Based Access Control (802.1X): • Acct-Session-Id • Acct-Output-Packets • Service-Type • Acct-Status-Type • Acct-Input-Octets •...

  • Page 147: Steps For Configuring Radius Accounting

    RADIUS Authentication and Accounting Configuring RADIUS Accounting RADIUS servers are accessed in the order in which their IP addresses ■ were configured in the switch. Use show radius to view the order. As long as the first server is accessible and responding to authentica- tion requests from the switch, a second or third server will not be accessed.

  • Page 148: Configure The Switch To Access A Radius Server

    RADIUS Authentication and Accounting Configuring RADIUS Accounting (Optional) Configure session blocking and interim updating options • Updating: Periodically update the accounting data for sessions-in- progress • Suppress accounting: Block the accounting session for any unknown user with no username access to the switch 1.

  • Page 149: Configure Accounting Types And The Controls For Sending Reports To The Radius Server

    RADIUS Authentication and Accounting Configuring RADIUS Accounting For example, suppose you want to the switch to use the RADIUS server described below for both authentication and accounting purposes. IP address: 10.33.18.151 ■ ■ A non-default UDP port number of 1750 for accounting. For this example, assume that all other RADIUS authentication parameters for accessing this server are acceptable at their default settings, and that RADIUS is already configured as an authentication method for one or more...
  • Page 150 RADIUS Authentication and Accounting Configuring RADIUS Accounting Note that there is no time span associated with using the system option. It simply causes the switch to transmit whatever accounting data it currently has when one of the above events occurs. Network: Use Network if you want to collect accounting information ■...

  • Page 151: Optional) Configure Session Blocking And Interim Updating Options

    RADIUS Authentication and Accounting Configuring RADIUS Accounting For example, to configure RADIUS accounting on the switch with start-stop for exec functions and stop-only for system functions: ProCurve(config)# aaa accounting exec start-stop radius Configures exec and system accounting and controls. ProCurve(config)# aaa accounting system stop-only radius ProCurve(config)# show accounting Status and Counters - Accounting Information Interval(min) : 0...
  • Page 152 RADIUS Authentication and Accounting Configuring RADIUS Accounting Syntax: [no] aaa accounting suppress null-username Disables accounting for unknown users having no user- name. (Default: suppression disabled) To continue the example in figure 5-9, suppose that you wanted the switch to: ■ Send updates every 10 minutes on in-progress accounting sessions.

  • Page 153: Viewing Radius Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which.
  • Page 154 RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-12. RADIUS Server Information From the Show Radius Host Command Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting- Request that matched it from this RADIUS accounting server. PendingRequests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.

  • Page 155: Radius Authentication Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Term Definition Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions. AccessChallenges The number of RADIUS Access-Challenge packets (valid or invalid) received from this server. AccessAccepts The number of RADIUS Access-Accept packets (valid or invalid) received from this server. AccessRejects The number of RADIUS Access-Reject packets (valid or invalid) received from this server.

  • Page 156: Radius Accounting Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-14. Example of RADIUS Authentication Information from a Specific Server RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppres- sion status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) config- ured in the switch (using the radius-server host command).

  • Page 157: Changing Radius-Server Access Order

    RADIUS Authentication and Accounting Changing RADIUS-Server Access Order ProCurve(config)# show radius accounting Status and Counters - RADIUS Accounting Information NAS Identifier : ProCurve Switch Invalid Server Addresses : 0 Server IP Addr Port Timeouts Requests Responses --------------- ----- ---------- ---------- ---------- Figure 5-16.
  • Page 158 RADIUS Authentication and Accounting Changing RADIUS-Server Access Order RADIUS server IP addresses listed in the order in which the switch will try to access them. In this case, the server at IP address 1.1.1.1 is first. Note: If the switch successfully accesses the first server, it does not try to access any other servers in the list, even if the client is denied access by the first server.
  • Page 159 RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Removes the “003” and “001” addresses from the RADIUS server list. Inserts the “003” address in the first position in the RADIUS server list, and inserts the “001” address in the last position in the list. Shows the new order in which the switch searches for a RADIUS server.

  • Page 160: Messages Related To Radius Operation

    RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning A designated RADIUS server is not responding to an Can’t reach RADIUS server < x.x.x.x >. authentication request. Try pinging the server to determine whether it is accessible to the switch.
  • Page 161 Configuring Secure Shell (SSH) Contents Overview ........... . . 6-2 Terminology .

  • Page 162: Configuring Secure Shell (Ssh)

    Configuring Secure Shell (SSH) Overview Overview Feature Default Menu Generating a public/private key pair on the switch page 6-10 Using the switch’s public key page 6-12 Enabling SSH Disabled page 6-15 Enabling client public-key authentication Disabled pages 6-19, 6-22 Enabling user authentication Disabled page 6-18 The switches covered in this guide use Secure Shell version 2 (SSHv2) to...
  • Page 163 Configuring Secure Shell (SSH) Overview Note SSH in ProCurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit www.openssh.com . Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication shown in figure 6-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.

  • Page 164: Terminology

    Configuring Secure Shell (SSH) Terminology Terminology ■ SSH Server: An ProCurve switch with SSH enabled. ■ Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key, that can be read by anyone and a private key held internally in the switch or by a client.

  • Page 165: Prerequisite For Using Ssh

    Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), then the client program must have the capability to generate or import keys.

  • Page 166: Steps For Configuring And Using Ssh For Switch And Client Authentication

    Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 6-1.
  • Page 167 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation Assign a login (Operator) and enable (Manager) password on the switch (page 6-9). Generate a public/private key pair on the switch (page 6-10). You need to do this only once.

  • Page 168: General Operating Rules And Notes

    Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 keys client key pairs. The switch’s own public/private key pair and the (optional) client ■...

  • Page 169: Configuring The Switch For Ssh Operation

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 6-17 show crypto client-public-key [<manager | operator>] 6-25 [keylist-str] [< babble | fingerprint >] show crypto host-public-key [< babble | fingerprint >] 6-14 show authentication 6-21...

  • Page 170: Generating The Switch's Public And Private Key Pair

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-4. Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.
  • Page 171 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be “permanent”;...

  • Page 172: Providing The Switch's Public Key To Clients

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch Version 1 and Version 2 views of same host public key Figure 6-5. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key' displays it in two different formats because your client may store it in either of these formats after learning the key.
  • Page 173 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one blank space each: Bit Size Exponent <e>...
  • Page 174 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Modulus <n>...

  • Page 175: Enabling Ssh On The Switch And Anticipating Ssh Client Contact Behavior

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 6-9. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 6-9 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host”...
  • Page 176 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if the switch’s public key has not been copied into the client, then the client’s first connection to the switch will question the connection and, for security reasons, provide the option of accepting or refusing.
  • Page 177 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 6-17. [timeout < 5 - 120 >] The SSH login timeout value (default: 120 seconds).

  • Page 178: Configuring The Switch For Ssh Authentication

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation C a u t i o n Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you.
  • Page 179 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< local | none >] Configures a password method for the primary and second- ary login (Operator) access. If you do not specify an optional secondary method, it defaults to none.
  • Page 180 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: copy tftp pub-key-file < ip-address > < filename > Copies a public key file into the switch. aaa authentication ssh login public-key Configures the switch to authenticate a client public-key at the login level with an optional secondary password method (default: none).
  • Page 181 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configures Manager Configures the user- name and switch to allow SSH access only ProCurve(config)# password manager user-name leader for a client whose public key New password for Manager: ******** matches one of the Please retype new password for Manager: ******** keys in the public ProCurve(config)# aaa authentication ssh login public-key none...

  • Page 182: Use An Ssh Client To Access The Switch

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems"...
  • Page 183 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication The client sends its public key to the switch with a request for authenti- cation. The switch compares the client’s public key to those stored in the switch’s client-public-key file. (As a prerequisite, you must use the switch’s copy tftp command to download this file to flash.) If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies...
  • Page 184 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication To Create a Client-Public-Key Text File. These steps describe how to copy client-public-keys into the switch for RSA challenge-response authenti- cation, and require an understanding of how to use your SSH client applica- tion.
  • Page 185 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Copy the client’s public key into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft® Windows® software. If you want several clients to use client public-key authentica- tion, copy a public key for each of these clients (up to ten) into the file.
  • Page 186 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication The babble option converts the key data to phonetic hashes that are easier for visual comparisons. The fingerprint option converts the key data to hexadec- imal hashes that are for the same purpose. The keylist-str option allows you to select keys to display (a comma-delimited list).

  • Page 187: Messages Related To Ssh Operation

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Enabling Client Public-Key Authentication. After you TFTP a client- public-key file into the switch (described above), you can configure the switch to allow the following: If an SSH client’s public key matches the switch’s client-public-key ■...
  • Page 188 Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning File transfer did not occur. ndicates the switch 00000K Transport error. experienced a problem when trying to copy tftp the requested file. The file may not be in the expected directory, the filename may be misspelled in the command, or the file permissions may be wrong.
  • Page 189 Configuring Secure Socket Layer (SSL) Contents Overview ........... . . 7-2 Terminology .

  • Page 190: Configuring Secure Socket Layer (Ssl)

    Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu Generating a Self Signed Certificate on the switch page 7-9 page 7-13 Generating a Certificate Request on the switch page 7-15 Enabling SSL Disabled page 7-17 page 7-19 The switches covered in this guide use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security(TLSv1) to provide remote web access to the switches via encrypted paths between the switch and manage- ment station clients capable of SSL/TLS operation.

  • Page 191: Terminology

    Configuring Secure Socket Layer (SSL) Terminology 1. Switch-to-Client SSL Cert. SSL Client ProCurve Browser Switch 2. User-to-Switch (login password and (SSL enable password authentication) Server) options: – Local – TACACS+ – RADIUS Figure 7-1. Switch/User Authentication SSL on the switches covered in this guide supports these data encryption methods: ■...
  • Page 192 Configuring Secure Socket Layer (SSL) Terminology Root Certificate: A trusted certificate used by certificate authorities to ■ sign certificates (CA-Signed Certificates) and used later on to verify that authenticity of those signed certificates. Trusted certificates are distrib- uted as an integral part of most popular web clients. (see browser docu- mentation for which root certificates are pre-installed).

  • Page 193: Prerequisite For Using Ssl

    Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com- puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include:...

  • Page 194: General Operating Rules And Notes

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re- generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all management stations (clients) you previously set up for SSL access to the switch.

  • Page 195: Configuring The Switch For Ssl Operation

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl page 7-19 show config page 7-19 show crypto host-cert page 7-12 crypto key generate cert [rsa] <512 | 768 |1024> page 7-10 zeroize cert page 7-10...
  • Page 196 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface, refer to the chapter titled “Using the ProCurve Web Browser Interface”...

  • Page 197: Generating The Switch's Server Host Certificate

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’s Server Host Certificate You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch.

  • Page 198: To Generate Or Erase The Switch's Server Certificate

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the CLI Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate automatically disables SSL.

  • Page 199: Comments On Certificate Fields

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on Certificate Fields. There are a number arguments used in the generation of a server certificate. table 7-1, “Certificate Field Descriptions” describes these arguments. Table 7-1. Certificate Field Descriptions Field Name Description Valid Start Date...
  • Page 200 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation N o t e s “Zeroizing” the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation.

  • Page 201: Generate A Self-Signed Host Certificate With The Web Browser

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a Self-Signed Host Certificate with the Web browser interface You can configure SSL from the web browser interface. For more information on how to access the web browser interface refer to the chapter titled “Using the ProCurve Web Browser Interface”...
  • Page 202 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers inter- face: Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments Figure 7-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface: Proceed to the Security tab Then the...

  • Page 203: Generate A Ca-Signed Server Host Certificate With The Web Browser Interface

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 7-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web browser interface To install a CA-Signed server host certificate from the web browser interface. For more information on how to access the web browser interface, refer to the chapter titled “Using the ProCurve Web Browser Interface”...
  • Page 204 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.

  • Page 205: Enabling Ssl On The Switch And Anticipating Ssl Browser Contact Behavior

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----- MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMBIGA1UEChMLT3Bwb3J0dW5pdGkxGDAW BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0+aMcXgVruVixw/xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B Figure 7-7. Request for Verified Host Certificate Web Browser Interface Screen 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior he web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients.
  • Page 206 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation N o t e Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generating the Switch’s Server Host Certificate”...

  • Page 207: Using The Cli Interface To Enable Ssl

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443).
  • Page 208 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and port number Selection Figure 7-8. Using the web browser interface to enable SSL and select TCP port number N o t e o n P o r t ProCurve recommends using the default IP port number (443).

  • Page 209: Common Errors In Ssl Setup

    Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 7-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host...
  • Page 210 Configuring Secure Socket Layer (SSL) Common Errors in SSL setup 7-22...
  • Page 211 Traffic/Security Filters Contents Overview ........... . . 8-2 Introduction .

  • Page 212: Traffic/Security Filters

    Traffic/Security Filters Overview Overview Applicable Switch Models. As of August, 2006, Traffic/Security filters are available on these current ProCurve switch models: Switch Models Source-Port Protocol Multicast Filters Filters Filters Series 6400cl Series 5400zl Series 4200vl Series 3500yl Series 3400cl Switch 2900 Series 2810 Series 2800 Series 2500...

  • Page 213: Filter Limits

    Traffic/Security Filters Filter Types and Operation You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic. That is, you can configure a traffic filter to either forward or drop all network traffic moving to outbound (destination) ports and trunks (if any) on the switch.

  • Page 214: Source-Port Filters

    Traffic/Security Filters Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports. Server Node “A” Port Port Switch 2900 Configured for Node Source-Port “B”...

  • Page 215: Example

    Traffic/Security Filters Filter Types and Operation When you create a source port filter, all ports and port trunks (if any) ■ on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or trunks, the switch automatically forwards traffic to the outbound ports and/or trunks you do not specifically configure to drop traffic.

  • Page 216: Named Source-Port Filters

    Traffic/Security Filters Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to destination port 7 (server "A"). Notice that the filter allows traffic to move from source port 5 to all other destination ports. Figure 8-3.

  • Page 217: Defining And Configuring Named Source-Port Filters

    Traffic/Security Filters Filter Types and Operation To change the named source-port filter used on a port or port trunk, ■ the current filter must first be removed, using the no filter source-port named-filter <filter-name > command. A named source-port filter can only be deleted when it is not applied ■...
  • Page 218 Traffic/Security Filters Filter Types and Operation filter source-port named-filter <filter-name > forward Syntax: < destination-port-list > Configures the named source-port filter to forward traffic having a destination on the ports and/or port trunks in the <destination-port-list>. Since “forward” is the default state for destinations in a filter, this command is useful when destinations in an existing filter are configured for “drop”...

  • Page 219: Viewing A Named Source-Port Filter

    Traffic/Security Filters Filter Types and Operation Viewing a Named Source-Port Filter You can list all source-port filters configured in the switch, both named and unnamed, and their action using the show command below. Syntax: show filter source-port Displays a listing of configured source-port filters, where each filter entry includes a Filter Name, Port List, and Action: Filter Name: The filter-name used when a named...
  • Page 220 Traffic/Security Filters Filter Types and Operation Defining and Configuring Example Named Source-Port Filters. While named source-port filters may be defined and configured in two steps, this is not necessary. Here we define and configure each of the named source-port filters for our example network in a single step. ProCurve(config)# filter source-port named-filter web-only drop 2-26 ProCurve(config)# filter source-port named-filter accounting drop 1-6,8,9,12-26 ProCurve(config)# filter source-port named-filter no-incoming-web drop 7,10,11...
  • Page 221 Traffic/Security Filters Filter Types and Operation ProCurve(config)# show filter Traffic/Security Filters Indicates the port number or port- IDX Filter Type | Value trunk name of the source port or trunk --- ------------ + ------------------- assigned to the filter. Source Port Source Port An automatically assigned index Source Port...
  • Page 222 Traffic/Security Filters Filter Types and Operation ProCurve(config)# show filter 24 ProCurve(config)# show filter 4 Traffic/Security Filters Traffic/Security Filters Filter Type : Source Port Filter Type : Source Port Source Port : 10 Source Port : 5 Dest Port Type | Action Dest Port Type Action...
  • Page 223 Traffic/Security Filters Filter Types and Operation ProCurve(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port Type | Action --------- --------- + ------------------------ 10/100TX | Forward 10/100TX | Forward 10/100TX | Forward 10/100TX | Forward 10/100TX | Forward...
  • Page 224 Traffic/Security Filters Filter Types and Operation The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command. ProCurve(config)# filter source-port named-filter accounting forward 8,12,13 ProCurve(config)# filter source-port named-filter no-incoming-web drop 8,12,13 ProCurve(config)# ProCurve(config)# show filter source-port Traffic/Security Filters...

  • Page 225: Static Multicast Filters

    Traffic/Security Filters Filter Types and Operation Static Multicast Filters This filter type enables the switch to forward or drop multicast traffic to a specific set of destination ports. This helps to preserve bandwidth by reducing multicast traffic on ports where it is unnecessary, and to isolate multicast traffic to enhance security.

  • Page 226: Protocol Filters

    Traffic/Security Filters Filter Types and Operation N o t e s : Per-Port IP Multicast Filters. The static multicast filters described in this section filter traffic having a multicast address you specify. To filter all multicast traffic on a per-VLAN basis, refer to the section titled “Configuring and Displaying IGMP”...

  • Page 227: Configuring Traffic/Security Filters

    Traffic/Security Filters Configuring Traffic/Security Filters Configuring Traffic/Security Filters Use this procedure to specify the type of filters to use on the switch and whether to forward or drop filtered packets for each filter you specify. Select the static filter type(s). For inbound traffic matching the filter type, determine the filter action you want for each outbound (destination) port on the switch (forward or drop).

  • Page 228: Configuring A Source-Port Traffic Filter

    Traffic/Security Filters Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port < port-number | trunk-name>] Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the source- port filter for <...

  • Page 229: Example Of Creating A Source-Port Filter

    Traffic/Security Filters Configuring Traffic/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a source-port filter that drops all traffic received on port 5 with a destination of port trunk 1 (Trk1) and any port in the range of port 10 to port 15.

  • Page 230: Editing A Source-Port Filter

    Traffic/Security Filters Configuring Traffic/Security Filters The *5* shows that port 5 is configured for filtering, but the filtering action has been suspended while the port is a member of a trunk. If you want the trunk to which port 5 belongs to filter traffic, then you must explicitly configure filtering on the trunk.

  • Page 231: Configuring A Multicast Or Protocol Traffic Filter

    Traffic/Security Filters Configuring Traffic/Security Filters Figure 8-7. Assigning Additional Destination Ports to an Existing Filter Configuring a Multicast or Protocol Traffic Filter Syntax: [no] filter [multicast < mac- address >] Specifies a multicast address. Inbound traffic received (on any port) with this multicast address will be filtered.

  • Page 232: Filter Indexing

    Traffic/Security Filters Configuring Traffic/Security Filters For example, suppose you wanted to configure the filters in table 8-3 on a switch. (For more on source-port filters, refer to “Configuring a Source-Port Traffic Filter” on page 8-18.) Table 8-3. Filter Example Filter Type Filter Value Action Destination Ports...

  • Page 233: Displaying Traffic/Security Filters

    Traffic/Security Filters Configuring Traffic/Security Filters Displaying Traffic/Security Filters This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters. Syntax: show filter Lists the filters configured in the switch, with corresponding filter index (IDX) numbers.
  • Page 234 Traffic/Security Filters Configuring Traffic/Security Filters Lists all filters configured in the switch. Filter Index Numbers Criteria for Individual (Automatically Assigned) Filters Uses the index number (IDX) for a specific filter to list the details for that filter only. Figure 8-9. Example of Displaying Filter Data 8-24...

  • Page 235: Configuring Port-Based And Client-Based Access Control (802.1X)

    Configuring Port-Based and Client-Based Access Control (802.1X) Contents Overview ........... . . 9-3 Why Use Port-Based or Client-Based Access Control? .
  • Page 236 Configuring Port-Based and Client-Based Access Control (802.1X) Contents 3. Configure the 802.1X Authentication Method ....9-23 4. Enter the RADIUS Host IP Address(es) ..... . 9-24 5.

  • Page 237: Overview

    Configuring Port-Based and Client-Based Access Control (802.1X) Overview Overview Feature Default Menu Configuring Switch Ports as 802.1X Authenticators Disabled page 9-17 Configuring 802.1X Open VLAN Mode Disabled page 9-28 Configuring Switch Ports to Operate as 802.1X Supplicants Disabled page 9-45 Displaying 802.1X Configuration, Statistics, and Counters page 9-50 How 802.1X Affects VLAN Operation...

  • Page 238: User Authentication Methods

    Configuring Port-Based and Client-Based Access Control (802.1X) Overview • Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication.

  • Page 239: 802.1X Port-Based Access Control

    Configuring Port-Based and Client-Based Access Control (802.1X) Overview the session total includes any sessions begun by the Web Authentication or MAC Authentication features covered in chapter 3.) For more information, refer to “Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices”...

  • Page 240: Alternative To Using A Radius Server

    Configuring Port-Based and Client-Based Access Control (802.1X) Overview N o t e Port-Based 802.1X can operate concurrently with Web-Authentication or MAC-Authentication on the same port. However, this is not a commonly used application and is not generally recommended. For more information, refer to “Operating Notes”...

  • Page 241: Terminology

    Configuring Port-Based and Client-Based Access Control (802.1X) Terminology Terminology 802.1X-Aware: Refers to a device that is running either 802.1X authenticator software or 802.1X client software and is capable of interacting with other devices on the basis of the IEEE 802.1X standard. Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static VLAN previously configured on the switch by the System Administrator.
  • Page 242 Configuring Port-Based and Client-Based Access Control (802.1X) Terminology as defined in the EAPOL: Extensible Authentication Protocol Over LAN, 802.1X standard Friendly Client: A client that does not pose a security risk if given access to the switch and your network. MD5: An algorithm for calculating a unique digital signature over a stream of bytes.
  • Page 243 Configuring Port-Based and Client-Based Access Control (802.1X) Terminology designate as the Unauthorized-Client VLAN.) A port configured to use a given Unauthorized-Client VLAN does not have to be statically configured as a member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN.

  • Page 244: General 802.1X Authenticator Operation

    Configuring Port-Based and Client-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode”...

  • Page 245: Vlan Membership Priority

    Configuring Port-Based and Client-Based Access Control (802.1X) General 802.1X Authenticator Operation N o t e The switches covered in this guide can use either 802.1X port-based authen- tication or 802.1X client-based authentication. For more information, refer to “802.1X Port-Based Access Control” on page 9-5. VLAN Membership Priority Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration.
  • Page 246 Configuring Port-Based and Client-Based Access Control (802.1X) General 802.1X Authenticator Operation New Client Authenticated Another Assign New Client (Old) Client RADIUS- to RADIUS- Already Using Assigned Specified VLAN Port VLAN? Authorized Client VLAN Assign New Client Accept New Client VLAN Same As Old to Authorized VLAN Configured?

  • Page 247: General Operating Rules And Notes

    Configuring Port-Based and Client-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the client-based mode, when there is an authenticated client on a port, the following traffic movement is allowed: • Multicast and broadcast traffic is allowed on the port. •...
  • Page 248 Configuring Port-Based and Client-Based Access Control (802.1X) General Operating Rules and Notes If a port on switch “A” is configured as an 802.1X supplicant and is ■ connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection. ■...

  • Page 249: General Setup Procedure For 802.1X Access Control

    Configuring Port-Based and Client-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Access Control Do These Steps Before You Configure 802.1X Operation Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels.

  • Page 250: Overview: Configuring 802.1X Authentication On The Switch

    Configuring Port-Based and Client-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to the following: “802.1X Client-Based Access Control”...

  • Page 251: Configuring Switch Ports As 802.1X Authenticators

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators N o t e If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected.

  • Page 252: Enable 802.1X Authentication On Selected Ports

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps: A.

  • Page 253: Example: Configuring Client-Based 802.1X Authentication

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators session. If another client session begins later on the same port while an earlier session is active, the later session will be on the same untagged VLAN membership as the earlier session.

  • Page 254: Example: Configuring Port-Based 802.1X Authentication

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Example: Configuring Port-Based 802.1X Authentication This example enables ports A13-A15 to operate as authenticators, and then configures the ports for port-based authentication. ProCurve(config)# aaa port-access authenticator a13-a15 Figure 9-3.
  • Page 255 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).
  • Page 256 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid <...

  • Page 257: Configure The 802.1X Authentication Method

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator. Syntax: aaa authentication port-access <...

  • Page 258: Enter The Radius Host Ip Address(Es)

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication. The following syntax shows the basic commands.

  • Page 259: Optionally Resetting Authenticator Operation

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optionally Resetting Authenticator Operation After authentication has begun operating, these commands can be used to reset authentication and related statistics on specific ports. Syntax: aaa port-access authenticator < port-list > [initialize] On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process.

  • Page 260: Wake-On-Lan Traffic

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Prerequisite. As documented in the IEEE 802.1X standard, the disabling of incoming traffic and transmission of outgoing traffic on an 802.1X-aware egress port in an unauthenticated state (using the aaa port-access controlled- directions in command) is supported only if: The port is configured as an edge port in the network using the spanning- ■...

  • Page 261: Operating Notes

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Operating Notes Using the aaa port-access controlled-directions in command, you can enable ■ the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features: •...

  • Page 262: 802.1X Open Vlan Mode

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 9-17 802.1X Supplicant Commands page 9-47 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator < port-list > page 9-42 [auth-vid < vlan-id >] [unauth-vid <...

  • Page 263: Vlan Membership Priorities

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports configured to allow multiple sessions using 802.1X client-based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, authenticated clients, the first authenti- cated client determines the untagged VLAN in which the port will operate for all subsequent, overlapping client sessions.

  • Page 264: Use Models For 802.1X Open Vlan Modes

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode N o t e After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port is a tagged member of a VLAN used for 1 or 2 listed above, then it also operates as an untagged member of that VLAN while the client is connected.
  • Page 265 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 9-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN •...
  • Page 266 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Authorized-Client VLAN • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN. Notes: If the client is running an 802.1X supplicant application when the authentication session begins, and is able to authenticate itself before the switch assigns the port to the Unauthorized-Client VLAN, then the port does not become a...
  • Page 267 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
  • Page 268 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.

  • Page 269: Operating Rules For Authorized-Client And Unauthorized-Client Vlans

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized- These must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1X authenticator port to use them.
  • Page 270 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily session on untagged port VLAN moves the port to the Unauthorized-Client VLAN (also untagged).
  • Page 271 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of RADIUS-assigned VLAN The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN.

  • Page 272: Setting Up And Configuring 802.1X Open Vlan Mode

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Note: Limitation on Using an You can optionally enable switches to allow up to 8 clients per-port. Unauthorized-Client VLAN on an The Unauthorized-Client VLAN feature can operate on an 802.1X- 802.1X Port Configured to Allow configured port regardless of how many clients the port is configured Multiple-Client Access...
  • Page 273 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Statically configure an Authorized-Client VLAN in the switch. The only ■ ports that should belong to this VLAN are ports offering services and access you want available to authenticated clients. 802.1X authenticator ports do not have to be members of this VLAN.
  • Page 274 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Configuring General 802.1X Operation: These steps enable 802.1X authentication, and must be done before configuring 802.1X VLAN operation. Enable 802.1X authentication on the individual ports you want to serve as authenticators.
  • Page 275 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > Adds a server to the RADIUS configuration.
  • Page 276 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 9-38. Syntax: aaa port-access authenticator <...

  • Page 277: 802.1X Open Vlan Operating Notes

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 9-53. 802.1X Open VLAN Operating Notes ■...

  • Page 278: Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices

    Configuring Port-Based and Client-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices The first client to authenticate on a port configured to support multiple ■ clients will determine the port’s VLAN membership for any subsequent clients that authenticate while an active session is already in effect.

  • Page 279: Configuring Switch Ports To Operate As Supplicants For 802.1X Connections To Other Switches

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configure the port access type. Syntax: aaa port-access auth < port-list > client-limit < 1 - 8> Configures client-based 802.1X authentication on the specified ports and sets the number of authenticated devices the port is allowed to learn.

  • Page 280: Example

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Example Suppose that you want to connect two switches, where: ■ Switch “A” has port A1 configured for 802.1X supplicant operation. You want to connect port A1 on switch “A”...

  • Page 281: Supplicant Port Configuration

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches The RADIUS server then analyzes the response and sends either a “suc- cess” or “failure” packet back through switch “B” to port A1. •...
  • Page 282 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches [identity < username >] Sets the username and password to pass to the authenti- cator port when a challenge-request packet is received from the authenticator port due to an authentication request.
  • Page 283 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches [initialize] On the specified ports, blocks inbound and outbound traf- fic and restarts the 802.1X authentication process. Affects only ports configured as 802.1X supplicants. [clear-statistics] Clears and restarts the 802.1X supplicant statistics counters.

  • Page 284: Displaying 802.1X Configuration, Statistics, And Counters

    Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 9-17 802.1X Supplicant Commands page 9-45 802.1X Open VLAN Mode Commands page 9-28 802.1X-Related Show Commands show port-access authenticator below show port-access supplicant page 9-57...
  • Page 285 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [< port-list >] Shows: • Whether port-access authenticator is active • The 802.1X configuration of ports configured as 802.1X authenticators (For descriptions of these elements, refer to the syntax descriptions under “1.
  • Page 286 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters ProCurve(config)# show port-access authenticator config Port Access Authenticator Configuration Port-access authenticator activated [No] : No | Re-auth Access Quiet Supplicant Server Cntrl Port | Period Control Reqs Period Timeout Timeout...

  • Page 287: Viewing 802.1X Open Vlan Mode Status

    Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show port- access authenticator vlan and show port-access authenticator < port-list > com- mands as illustrated in figure 9-9.
  • Page 288 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Thus, in the output shown in figure 9-9: When the Auth VLAN ID is configured and matches the Current VLAN ID, an ■ authenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Auth VLAN.) When the Unauth VLAN ID is configured and matches the Current VLAN ID,...
  • Page 289 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 9-4. Output for Determining Open VLAN Mode Status (Figure 9-9, Lower) Status Indicator Meaning Status Closed: Either no client is connected or the connected client has not received authorization through 802.1X authentication.
  • Page 290 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Note that ports B1 and B3 are not in the upper listing, but are included under “Overridden Port VLAN configuration”. This shows that static, untagged VLAN memberships on ports B1 and B3 have been overridden by temporary assignment to the authorized or unauthorized...

  • Page 291: Show Commands For Port-Access Supplicant

    Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [< port-list >] [statistics] show port-access supplicant [< port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port- list >...

  • Page 292: How Radius/802.1X Authentication Affects Vlan Operation

    Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Thus, if the supplicant’s link to the authenticator fails, the supplicant retains the transaction statistics it most recently received until one of the above events occurs. Also, if you move a link with an authenticator from one supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports.
  • Page 293 Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1X client requires access...
  • Page 294 Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1X session. This is to accommodate an 802.1X client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22.
  • Page 295 Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS-authenticated 802.1X session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored.

  • Page 296: Operating Notes

    Configuring Port-Based and Client-Based Access Control (802.1X) Operating Notes Operating Notes ■ Applying Web Authentication or MAC Authentication Concur- rently with Port-Based 802.1X Authentication: While 802.1X port- based access control can operate concurrently with Web Authentication or MAC Authentication, port-based access control is subordinate to Web- Auth and MAC-Auth operation.

  • Page 297: Messages Related To 802.1X Operation

    Configuring Port-Based and Client-Based Access Control (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation Table 9-5. 802.1X Operating Messages Message Meaning < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.1X Port authenticators.
  • Page 298 Configuring Port-Based and Client-Based Access Control (802.1X) Messages Related to 802.1X Operation 9-64...

  • Page 299: Configuring And Monitoring Port Security

    Configuring and Monitoring Port Security Contents Overview ........... . 10-3 Port Security .
  • Page 300 Configuring and Monitoring Port Security Contents Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags ......10-41 Operating Notes for Port Security .

  • Page 301: Overview

    Configuring and Monitoring Port Security Overview Overview Feature Default Menu Displaying Current Port Security — page 10-8 page 10-33 Configuring Port Security disabled — page 10-12 page 10-33 Retention of Static Addresses — page 10-17 MAC Lockdown disabled — page 10-22 MAC Lockout disabled —...

  • Page 302: Port Security

    Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction. Intruder Protection.

  • Page 303: Eavesdrop Protection

    Configuring and Monitoring Port Security Port Security • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices.) •...

  • Page 304: Trunk Group Exclusion

    Configuring and Monitoring Port Security Port Security configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users. For example: Physical Topology Logical Topology for Access to Switch A Switch A Switch A Port Security...

  • Page 305: Planning Port Security

    Configuring and Monitoring Port Security Port Security Planning Port Security Plan your port security configuration and monitoring according to the following: On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmit- ting to the network.) You can configure the switch to (1) send intrusion alarms to an SNMP management station and to (2) option-...

  • Page 306: Port Security Command Options And Operation

    Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 10-9 show mac-address port-security 10-12 < port-list > 10-12 learn-mode 10-12 address-limit 10-15 mac-address 10-16 action 10-16 clear-intrusion-flag 10-17 no port-security 10-17...
  • Page 307 Configuring and Monitoring Port Security Port Security Displaying Port Security Settings. Syntax: show port-security show port-security <port number> show port-security [<port number>-<port number>]. . .[,<port number>] The CLI uses the same command to provide two types of port security listings: •...
  • Page 308 Configuring and Monitoring Port Security Port Security Figure 10-3. Example of the Port Security Configuration Display for a Single Port The next example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string: ProCurve(config)# show port-security A1-A3,A6,A8 Listing Authorized and Detected MAC Addresses.
  • Page 309 Configuring and Monitoring Port Security Port Security Figure 10-4. Examples of Show Mac-Address Outputs 10-11...

  • Page 310: Configuring Port Security

    Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security and edit security settings. Add or delete devices from the list of authorized addresses for one or more ■ ports. Clear the Intrusion flag on specific ports ■...
  • Page 311 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port.
  • Page 312 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an un-wanted device to become “authorized”.
  • Page 313 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system-information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces.
  • Page 314 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) mac-address [<mac-addr>] [<mac-addr>] . . . [<mac-addr>] Available for learn-mode with the, static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the address-limit parameter.

  • Page 315: Retention Of Static Addresses

    Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) clear-intrusion-flag Clears the intrusion flag for a specific port. (See “Reading Intrusion Alerts and Resetting Alert Flags” on page 10-33.) no port-security <port-list> mac-address <mac-addr> [<mac-addr> <mac-addr>] Removes the specified learned MAC address(es) from the specified port.
  • Page 316 Configuring and Monitoring Port Security Port Security Assigned/Authorized Addresses. : If you manually assign a MAC address (using port-security <port-number> address-list <mac-addr>) and then execute write memory, the assigned MAC address remains in memory until you do one of the following: Delete it by using no port-security <...
  • Page 317 Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existing Authorized Addresses list, enter the port number with the mac-address parameter and the device’s MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value).
  • Page 318 Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode.
  • Page 319 Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to “Static”. Refer to the command syntax listing under “Configuring Port Security”...

  • Page 320: Mac Lockdown

    Configuring and Monitoring Port Security MAC Lockdown The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090- 123456 The above command sequence results in the following configuration for port Figure 10-9.
  • Page 321 Configuring and Monitoring Port Security MAC Lockdown You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID of “1”. How It Works.

  • Page 322: Differences Between Mac Lockdown And Port Security

    Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair cannot be locked down on a different port. You cannot perform MAC Lockdown and 802.1X authentication on the same port or on the same MAC address.

  • Page 323: Mac Lockdown Operating Notes

    Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.

  • Page 324: Deploying Mac Lockdown

    Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as “meshing” or Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.
  • Page 325 Configuring and Monitoring Port Security MAC Lockdown Internal Server “A” Core 2900yl Switch 2900yl Switch Network There is no need to lock MAC addresses on switches in the internal core network. 3500yl Switch 3500yl Switch Network Edge Lock Server “A” to these ports.
  • Page 326 Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
  • Page 327 Configuring and Monitoring Port Security MAC Lockdown Internal Network PROBLEM: If this link fails, Server A traffic to Server A will not use the backup path via Switch 3 Switch 3 Switch 4 Server A is locked down to Switch 1, Uplink 2 Switch 2 Switch 1 External...

  • Page 328: Mac Lockout

    Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any traffic to or from the “locked-out” MAC address will be dropped. This means that all data packets addressed to or from the given address are stopped by the switch.
  • Page 329 Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1X authenti- cation. You cannot use MAC Lockout to lock: • Broadcast or Multicast Addresses (Switches do not learn these) • Switch Agents (The switch’s own MAC Address) There are limits for the number of VLANs, Multicast Filters, and Lockout MACs that can be configured concurrently as all use MAC table entries.

  • Page 330: Port Security And Mac Lockout

    Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in conjunction with port-security.

  • Page 331: Web: Displaying And Configuring Port Security Features

    Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features Click on the Security tab. Click on [Port Security] Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field.

  • Page 332: How The Intrusion Log Operates

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The switch enables notification of the intrusion through the following ■ means: • In the CLI: The show port-security intrusion-log command displays the – Intrusion Log The log command displays the Event Log –...

  • Page 333: Keeping The Intrusion Log Current By Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.

  • Page 334: Menu: Checking For Intrusions, Listing Intrusion Alerts, And Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen. From the Main Menu select: 1.
  • Page 335 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The example in Figure 7-11 shows two intrusions for port A3 and one intrusion for port A1. In this case, only the most recent intrusion at port A3 has not been acknowledged (reset). This is indicated by the following: •...

  • Page 336: Cli: Checking For Intrusions, Listing Intrusion Alerts, And Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The following commands display port status, including whether there are intrusion alerts for any port(s), list the last 20 intrusions, and either reset the alert flag on all ports or for a specific port for which an intrusion was detected.
  • Page 337 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags ProCurve Switch 2900yl-24G(config)# show interfaces brief Status and Counters - Port Status Intrusion Alert on port 1. | Intrusion Flow Bcast Port Type | Alert Enabled Status Mode...

  • Page 338: Using The Event Log To Find Intrusion Alerts

    Intrusion Alert status.) ProCurve(config)# port-security a1 clear-intrusion-flag ProCurve(config)# show interfaces brief ProCurve Switch 2900yl-24G(config)# show interfaces brief Status and Counters - Port Status Intrusion Alert on port 1 is now cleared. | Intrusion...

  • Page 339: Web: Checking For Intrusions, Listing Intrusion Alerts, And Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Syntax: log < search-text > For < search-text >, you can use ffi, security, or violation. For example: Log Command Log Listing with with Security Violation “security” for Detected Search Log Listing with No...

  • Page 340: Operating Notes For Port Security

    Configuring and Monitoring Port Security Operating Notes for Port Security Operating Notes for Port Security Identifying the IP Address of an Intruder. The Intrusion Log lists detected intruders by MAC address. If you are using ProCurve Manager to manage your network, you can use the device properties page to link MAC addresses to their corresponding IP addresses.
  • Page 341 Configuring and Monitoring Port Security Operating Notes for Port Security LACP Not Available on Ports Configured for Port Security. To main- tain security, LACP is not allowed on ports configured for port security. If you configure port security on a port on which LACP (active or passive) is configured, the switch removes the LACP configuration, displays a notice that LACP is disabled on the port(s), and enables port security on that port.
  • Page 342 Configuring and Monitoring Port Security Operating Notes for Port Security 10-44...
  • Page 343 Using Authorized IP Managers Contents Overview ........... . 11-2 Options .

  • Page 344: Using Authorized Ip Managers

    Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu Listing (Showing) Authorized page 11-5 page 11-7 page 11-10 Managers Configuring Authorized IP None page 11-5 page 11-7 page 11-10 Managers Building IP Masks page 11-10 page 11-10 page 11-10 Operating and Troubleshooting page 11-13 page 11-13 page 11-13 Notes...

  • Page 345: Options

    Using Authorized IP Managers Options Options You can configure: ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations Manager or Operator access privileges (for Telnet, SNMPv1, and ■...

  • Page 346: Defining Authorized Management Stations

    Using Authorized IP Managers Defining Authorized Management Stations For each authorized manager address using Telnet, SNMPv1, or SNMPv2c, you can configure either of these access levels: ■ Manager: Enables full access to all web browser and console interface screens for viewing, configuration, and all other operations available in these interfaces.

  • Page 347: Overview Of Ip Mask Operation

    Using Authorized IP Managers Defining Authorized Management Stations Overview of IP Mask Operation The default IP Mask is 255.255.255.255 and allows switch access only to a station having an IP address that is identical to the Authorized Manager IP parameter value. (“255” in an octet of the mask means that only the exact value in the corresponding octet of the Authorized Manager IP parameter is allowed in the IP address of an authorized management station.) However, you can alter the mask and the Authorized Manager IP parameter to specify ranges of...
  • Page 348 Using Authorized IP Managers Defining Authorized Management Stations 1. Select Add to add an authorized manager to the list. Figure 11-1. Example of How To Add an Authorized Manager Entry 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices.

  • Page 349: Cli: Viewing And Configuring Authorized Ip Managers

    Using Authorized IP Managers Defining Authorized Management Stations CLI: Viewing and Configuring Authorized IP Managers Authorized IP Managers Commands Used in This Section Command Page show ip authorized-managers below ip authorized-managers 11-8 <ip-address> 11-9 mask <mask-bits> 11-9 <operator | manager> Listing the Switch’s Current Authorized IP Manager(s) Use the show ip authorized-managers command to list IP stations authorized to access the switch.

  • Page 350: Configuring Ip Authorized Managers For The Switch

    Using Authorized IP Managers Defining Authorized Management Stations Configuring IP Authorized Managers for the Switch Syntax: ip authorized-managers <ip address> Configures one or more authorized IP addresses. [<ip-mask-bits>] Configures the IP mask for < ip address > [access <operator | manager>] Configures the privilege level for <...
  • Page 351 Using Authorized IP Managers Defining Authorized Management Stations To Edit an Existing Manager Access Entry. To change the mask or access level for an existing entry, use the entry’s IP address and enter the new value(s). (Notice that any parameters not included in the command will be set to their default.): ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.0 access operator...

  • Page 352: Web: Configuring Ip Authorized Managers

    Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: Click on the Security tab. Click on [Authorized Addresses].

  • Page 353: Configuring Multiple Stations Per Authorized Manager Ip Entry

    Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access.
  • Page 354 Using Authorized IP Managers Building IP Masks Figure 11-6. Analysis of IP Mask for Multiple-Station Entries Manager-Level or Operator-Level Device Access Octet Octet Octet Octet IP Mask The “255” in the first three octets of the mask specify that only the exact value in the octet of the corresponding IP address is allowed.

  • Page 355: Additional Examples For Authorizing Multiple Stations

    Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Results Manager List IP Mask 255 255 0 This combination specifies an authorized IP address of 10.33.xxx.1. It could be applied, for example, to a subnetted network where each subnet is defined by the Authorized 248 1 third octet and includes a management station defined by the value of “1”...
  • Page 356 Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions”...
  • Page 357 Key Management System Contents Overview ........... . 12-2 Terminology .

  • Page 358: Key Management System

    Key Management System Overview Overview The switches covered in this guide provide support for advanced routing capabilities. Security turns out to be extremely important as complex net- works and the internet grow and become a part of our daily life and business. This fact forces protocol developers to improve security mechanisms employed by their protocols, which in turn becomes an extra burden for system administrators who have to set up and maintain them.

  • Page 359: Configuring Key Chain Management

    Key Management System Configuring Key Chain Management Configuring Key Chain Management KMS-Related CLI Commands in This Section Page show key-chain < chain_name > page 12-3 [ no ] key-chain chain_name page 12-3 [ no ] key-chain chain_name key Key_ID page 12-4 The Key Management System (KMS) has three configuration steps: Create a key chain entry.

  • Page 360: Assigning A Time-Independent Key To A Chain

    Key Management System Configuring Key Chain Management Add new key chain Entry “Procurve1”. Display key chain entries. Figure 12-1. Adding a New Key Chain Entry After you add an entry, you can assign key(s) to it for use by a KMS-enabled protocol.

  • Page 361: Assigning Time-Dependent Keys To A Chain

    Key Management System Configuring Key Chain Management For example, to generate a new time-independent key for the Procurve1 key chain entry: Adds a new Time-Independent key to the “Procurve1” chain. Displays keys in the key chain entry. Figure 12-2. Example of Adding and Displaying a Time-Independent Key to a Key Chain Entry Assigning Time-Dependent Keys to a Chain A time-dependent key has Accept or Send time constraints.
  • Page 362 Key Management System Configuring Key Chain Management duration < mm/dd/yy [ yy ] hh:mm:ss | seconds > Specifies the time period during which the switch can use this key to authenticate inbound packets. Duration is either an end date and time or the number of seconds to allow after the start date and time (which is the accept-lifetime setting).
  • Page 363 Key Management System Configuring Key Chain Management Note Given transmission delays and the variations in the time value from switch to switch, it is advisable to include some flexibility in the Accept lifetime of the keys you configure. Otherwise, the switch may disregard some packets because either their key has expired while in transport or there are significant time variations between switches.
  • Page 364 Key Management System Configuring Key Chain Management The “Procurve1” key chain entry is a time-independent key and will not expire. “Procurve2” uses time-dependent keys, which result in this data: Expired = 1 Key 1 has expired because its lifetime ended at 8:10 on 01/18/03, the previous day.

  • Page 365: Index

    Index Numerics unauthorized-Client VLAN, multiple clients … 9-38 3DES … 6-3, 7-3 VLAN 802.1X access control unauthorized-client, best use … 9-38 authentication methods … 9-4 untagged … 9-29 authentication, client-based … 9-4 untagged membership … 9-19 authenticator … 9-18 VLAN, assignment conflict … 9-13 client-based Wake-on-LAN traffic …...
  • Page 366 GVRP … 9-58 port-security … 9-41 effect … 9-61 port-security, with 802.1x … 9-44 initialize … 9-25 priority of VLAN, per-port … 9-11, 9-29 LACP not allowed … 9-63 PVID … 9-55 local … 9-23 quiet-period … 9-21 local username and password … 9-4 RADIUIS logoff-period …...
  • Page 367 tempory membership … 9-35 root … 7-4 unauthorized-client … 9-35, 9-36 self-signed … 7-3 unauthorized-client, caution … 9-36 Clear button unauthorized-client, different to delete password protection … 2-6 ports … 9-38 configuration untagged … 9-29, 9-32, 9-33 filters … 8-2 VLAN operation …...
  • Page 368 source-port filter value … 8-22 overview … 1-10, 12-2 static … 8-3 send key time … 12-5 types … 8-3 time protocol … 12-6 time-dependent key … 12-2, 12-5, 12-6 time-independent key … 12-2, 12-4 guest VLAN … 9-7, 9-8, 9-28 GVRP …...
  • Page 369 configuring … 10-7 configuring in browser interface … 10-33, 10-41 named source port filter event log … 10-40 viewing … 8-9 notice of security violations … 10-33 named source port filters operating notes … 10-42 configuring … 8-7 overview … 10-3 operating rules …...
  • Page 370 … 5-23 security configuring switch global parameters … 5-15 authorized IP managers … 11-1 general setup … 5-7 per port … 10-3 HP-Command-Exception … 5-23 security violations HP-command-string … 5-23 notices of … 10-33 local authentication … 5-11 security, password login privilege-mode, application options …...
  • Page 371 messages, operating … 6-27 prerequisites … 7-5 OpenSSH … 6-3 remove self-signed certificate … 7-10 operating rules … 6-8 remove server host certificate … 7-10 outbound SSH not secure … 6-8 reserved TCP port numbers … 7-20 password security … 6-18 root …...
  • Page 372 local manager password requirement … 4-26 not advertised for GVRP … 9-61 messages … 4-25 VSAs, defining … 5-25 NAS … 4-3 overview … 1-9 precautions … 4-5 Wake-on-LAN preparing to configure … 4-8 on 802.1X-aware ports … 9-26 preventing switch lockout … 4-15 on MAC-authenticated ports …...
  • Page 374 Technical information in this document is subject to change without notice. © Copyright 2007 Hewlett-Packard Development Company, L.P. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws. February 2007 Manual Part Number 5991-6198...

This manual is also suitable for:

Procurve switch 2900yl-48gJ9049aJ9050a

Table of Contents