HP ProCurve 6120G/XG Manual

Hp procurve series 6120 blade switches access security guide
Hide thumbs

Advertisement

Table of Contents
ProCurve Series 6120 Switches
Access Security Guide
November 2010
Version Z.14.22

Advertisement

Table of Contents
loading

  Related Manuals for HP ProCurve 6120G/XG

  Summary of Contents for HP ProCurve 6120G/XG

  • Page 1 ProCurve Series 6120 Switches Access Security Guide November 2010 Version Z.14.22...
  • Page 3 HP ProCurve 6120G/XG Switch 6120XG Switch November 2010 Z.14.22 Access Security Guide...
  • Page 4 ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF Applicable Products MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors HP ProCurve Switch 6120G/XG (498358-B21) contained herein or for incidental or consequential damages in...
  • Page 5: Table Of Contents

    Contents Product Documentation About Your Switch Manual Set ......xix Printed Publications......... . xix Electronic Publications .
  • Page 6 2 Configuring Username and Password Security Contents ............2-1 Overview .
  • Page 7 Password Recovery ......... . . 2-32 Disabling or Re-Enabling the Password Recovery Process .
  • Page 8 Configuration Commands for MAC Authentication ....3-51 Configuring the Global MAC Authentication Password ..3-51 Configuring a MAC-based Address Format ....3-53 Show Commands for MAC-Based Authentication .
  • Page 9 5 RADIUS Authentication, Authorization, and Accounting Contents ............5-1 Overview .
  • Page 10 Using Vendor Specific Attributes (VSAs) ....5-37 Example Configuration on Cisco Secure ACS for MS Windows 5-39 Example Configuration Using FreeRADIUS ....5-41 VLAN Assignment in an Authentication Session .
  • Page 11 Contrasting Dynamic (RADIUS-Assigned) and Static ACLs ..........6-13 How a RADIUS Server Applies a RADIUS-Assigned ACL to a Switch Port .
  • Page 12 Configuring the Switch for SSH Operation ..... . 7-9 1. Assigning a Local Login (Operator) and Enable (Manager) Password ....... . . 7-10 2.
  • Page 13 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior ........8-17 Using the CLI Interface to Enable SSL .
  • Page 14 Guidelines for Planning the Structure of an ACL ....9-24 ACL Configuration and Operating Rules ..... . . 9-25 How an ACE Uses a Mask To Screen Packets for Matches .
  • Page 15 Editing ACLs and Creating an ACL Offline ....9-61 Using the CLI To Edit ACLs ........9-61 General Editing Rules .
  • Page 16 Verifying the Configuration of Dynamic ARP Protection ..10-21 Displaying ARP Packet Statistics ......10-22 Monitoring Dynamic ARP Protection .
  • Page 17 Viewing a Named Source-Port Filter ..... . . 11-8 Using Named Source-Port Filters ......11-9 Configuring Traffic/Security Filters .
  • Page 18 B. Specify User-Based Authentication or Return to Port-Based Authentication ......12-21 Example: Configuring User-Based 802.1X Authentication .
  • Page 19 How RADIUS/802.1X Authentication Affects VLAN Operation . 12-68 VLAN Assignment on a Port ....... . . 12-69 Operating Notes .
  • Page 20 How the Intrusion Log Operates ......13-33 Keeping the Intrusion Log Current by Resetting Alert Flags ..13-34 Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags .
  • Page 21 Building IP Masks ......... . . 14-10 Configuring One Station Per Authorized Manager IP Entry .
  • Page 23: Product Documentation

    Product Documentation About Your Switch Manual Set N o t e For the latest version of switch documentation, please visit any of the follow­ ing websites: www.hp.com/networking/support www.hp.com/go/bladesystem/documentation h18004.www1.hp.com/products/blades/components/c-class-tech-installing.html Printed Publications The publication listed below is printed and shipped with your switch. The latest version is also available in PDF format, as described in the Note at the top of this page.
  • Page 24: Software Feature Index

    Software Feature Index This feature index indicates which manual to consult for information on a given software feature. N o t e This Index does not cover IPv6 capable software features. For information on IPv6 protocol operations and features (such as DHCPv6, DNS for IPv6, and Ping6), refer to the IPv6 Configuration Guide.
  • Page 25 Intelligent Edge Software Manual Features Management Advanced Multicast and Access Traffic Routing Security Configuration Management Guide Authorized Manager List (Web, Telnet, TFTP) Auto MDIX Configuration BOOTP CEE (Converged Enhanced Ethernet) (6120XG only) Config File Console Access Copy Command CoS (Class of Service) Debug DHCP Configuration DHCP Option 82...
  • Page 26 Intelligent Edge Software Manual Features Management Advanced Multicast and Access Traffic Routing Security Configuration Management Guide IGMP Interface Access (Telnet, Console/Serial, Web) IP Addressing IP Routing Jumbo Packets LACP LLDP LLDP-MED Loop Protection MAC Address Management MAC Lockdown MAC Lockout MAC-based Authentication Monitoring and Analysis Network Management Applications (SNMP)
  • Page 27 Intelligent Edge Software Manual Features Management Advanced Multicast and Access Traffic Routing Security Configuration Management Guide RADIUS Authentication and Accounting RADIUS-Based Configuration RMON 1,2,3,9 Routing - IP static Secure Copy sFlow SFTP SNMPv3 Software Downloads (SCP/SFTP, TFPT, Xmodem) Source-Port Filters Spanning Tree (STP, RSTP, MSTP) SSHv2 (Secure Shell) Encryption SSL (Secure Socket Layer)
  • Page 28 Intelligent Edge Software Manual Features Management Advanced Multicast and Access Traffic Routing Security Configuration Management Guide Web UI xxiv...
  • Page 29: Security Overview

    Security Overview Contents Security Overview Contents Introduction ..........1-2 About This Guide .
  • Page 30: Introduction

    Security Overview Introduction Introduction This chapter provides an overview of the security features included on your switch. Table 1-1 on page 1-3 outlines the access security and authentication features, while Table 1-2 on page 1-7 highlights the additional features designed to help secure and protect your network. For detailed information on individual features, see the references provided.
  • Page 31: Access Security Features

    Security Overview Access Security Features Access Security Features This section provides an overview of the switch’s access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter and page references are to this Access Security Guide unless a different manual name is indicated).
  • Page 32 Security Overview Access Security Features Feature Default Security Guidelines More Information and Setting Configuration Details Telnet and enabled The default remote management protocols enabled on “Quick Start: Using the Web-browser the switch are plain text protocols, which transfer Management Interface access passwords in open or plain text that is easily captured.
  • Page 33 Security Overview Access Security Features Feature Default Security Guidelines More Information and Setting Configuration Details disabled Secure Socket Layer (S SL) and Transport Layer Security “Quick Start: Using the (TLS) provide remote Web browser access to the switch Management Interface via authenticated transactions and encrypted paths Wizard”...
  • Page 34 Security Overview Access Security Features Feature Default Security Guidelines More Information and Setting Configuration Details 802.1X Access none This feature provides port-based or user-based Chapter 13 “Configuring Control authentication through a RADIUS server to protect the Port-Based and User-Based switch from unauthorized access and to enable the use Access Control (802.1X)” of RADIUS-based user profiles to control client access to network services.
  • Page 35: Network Security Features

    Security Overview Network Security Features Network Security Features This section outlines features and defence mechanisms for protecting access through the switch to the network. For more detailed information, see the indicated chapters. Table 1-2. Network Security—Default Settings and Security Guidelines Feature Default Security Guidelines...
  • Page 36 Security Overview Network Security Features Feature Default Security Guidelines More Information and Setting Configuration Details Connection- none This feature helps protect the network from attack and Chapter 3, “Virus Throttling Rate Filtering is recommended for use on the network edge. It is (Connection-Rate Filtering)”...
  • Page 37: Getting Started With Access Security

    Security Overview Getting Started with Access Security Getting Started with Access Security ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operation, therefore, ProCurve strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible...
  • Page 38: Quick Start: Using The Management Interface Wizard

    Security Overview Getting Started with Access Security Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following: Disable or re-enable the password-clearing function of the Clear button. ■...
  • Page 39 Security Overview Getting Started with Access Security The welcome banner appears and the first setup option is displayed (Operator password). As you advance through the wizard, each setup option displays the current value in brackets [ ] as shown in Figure 1-1. Welcome to the Management Interface Setup Wizard This wizard will help you with the initial setup of the various management interfaces.
  • Page 40: Web: Management Interface Wizard

    Security Overview Getting Started with Access Security 2. When you enter the wizard, you have the following options: • To update a setting, type in a new value, or press [Enter] to keep the current value. • To quit the wizard without saving any changes, press [CTRL-C] at any time.
  • Page 41 Security Overview Getting Started with Access Security The Welcome window appears. Figure 1-2. Management Interface Wizard: Welcome Window This page allows you to choose between two setup types: Typical—provides a multiple page, step-by-step method to configure • security settings, with on-screen instructions for each option. •...
  • Page 42 Security Overview Getting Started with Access Security 4. The summary setup screen displays the current configuration settings for all setup options (see Figure 1-3). Figure 1-3. Management Interface Wizard: Summary Setup From this screen, you have the following options: • To change any setting that is shown, type in a new value or make a different selection.
  • Page 43: Snmp Security Guidelines

    Security Overview Getting Started with Access Security SNMP Security Guidelines In the default configuration, the switch is open to access by management stations running SNMP (Simple Network Management Protocol) management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Information Base).
  • Page 44 Security Overview Getting Started with Access Security If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions when downloading and booting from the software: ■ If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is not desirable for your network, then immediately after downloading and booting from the software for the first time, use the following command to disable this feature:...
  • Page 45: Precedence Of Security Options

    Security Overview Precedence of Security Options Precedence of Security Options This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch. Precedence of Port-Based Security Options Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest.
  • Page 46: Network Immunity Manager

    Security Overview Precedence of Security Options value applied to a client session is determined in the following order (from highest to lowest priority) in which a value configured with a higher priority overrides a value configured with a lower priority: 1. Attribute profiles applied through the Network Immunity network-man­...
  • Page 47: Arbitrating Client-Specific Attributes

    Security Overview Precedence of Security Options The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile MIB, which serves as the configuration interface for Network Immunity Manager. A client profile consists of NIM-configured, RADIUS-assigned, and statically configured parameters. Using show commands for 802.1X, web or MAC authentication, you can verify which RADIUS -assigned and statically configured parameters are supported and if they are supported on a per-port or per-client basis.
  • Page 48 Security Overview Precedence of Security Options Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
  • Page 49: Procurve Identity-Driven Manager (Idm)

    Security Overview ProCurve Identity-Driven Manager (IDM) ProCurve Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.
  • Page 50 Security Overview ProCurve Identity-Driven Manager (IDM) 1-22...
  • Page 51: Configuring Username And Password Security

    Configuring Username and Password Security Contents Overview ........... . . 2-3 Configuring Local Password Security .
  • Page 52 Configuring Username and Password Security Contents Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation ....2-30 Changing the Operation of the Reset+Clear Combination ..2-31 Password Recovery .
  • Page 53: Overview

    Configuring Username and Password Security Overview Overview Feature Default Menu Set Usernames none — — page 2-9 Set a Password none page page 2-8 page 2-9 Delete Password Protection page page 2-8 page 2-9 show front-panel-security — page 1-13 — front-panel-security —...
  • Page 54 Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
  • Page 55 Configuring Username and Password Security Overview N o t e s The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
  • Page 56: Configuring Local Password Security

    Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a user- name requires either the CLI or the web browser interface. From the Main Menu select: 3.
  • Page 57 Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and pass­ words (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
  • Page 58: Cli: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below. Configuring Manager and Operator Passwords. N o t e You can configure manager and operator passwords in one step. See “Saving Security Credentials in a Config File”...
  • Page 59: Web: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security If you want to remove both operator and manager password protection, use the no password all command. Web: Setting Passwords and Usernames In the web browser interface you can enter passwords and (optional) user- names.
  • Page 60: Saving Security Credentials In A Config File

    Configuring Username and Password Security Saving Security Credentials in a Config File Saving Security Credentials in a Config File You can store and view the following security settings in internal flash memory by entering the include-credentials command: ■ Local manager and operator passwords and (optional) user names that control access to a management session on the switch through the CLI, menu interface, or web browser interface SNMP security credentials used by network management stations to...
  • Page 61: Enabling The Storage And Display Of Security Credentials

    Configuring Username and Password Security Saving Security Credentials in a Config File The chapter on “Switch Memory and Configuration” in the Management ■ and Configuration Guide. ■ “Configuring Local Password Security” on page 2-6 in this guide. Enabling the Storage and Display of Security Credentials To enable the security settings, enter the include-credentials command.
  • Page 62: Local Manager And Operator Passwords

    Configuring Username and Password Security Saving Security Credentials in a Config File Local Manager and Operator Passwords The information saved to the running-config file when the include-credentials command is entered includes: password manager [user-name <name>] <hash-type> <pass-hash> password operator [user-name <name>] <hash-type> <pass-hash> where <name>...
  • Page 63: Snmp Security Credentials

    Configuring Username and Password Security Saving Security Credentials in a Config File user-name <name>: the optional text string of the user name associated with the password. <hash-type>: specifies the type of algorithm (if any) used to hash the password. Valid values are plaintext or sha-1 <password>: the clear ASCII text string or SHA-1 hash of the password.
  • Page 64: 802.1X Port-Access Credentials

    Configuring Username and Password Security Saving Security Credentials in a Config File [priv <priv-pass>] is the (optional) hashed privacy password used by a privacy protocol to encrypt SNMPv3 messages between the switch and the station. The following example shows the additional security credentials for SNMPv3 users that can be saved in a running-config file: snmpv3 user boris \ auth md5 “9e4cfef901f21cf9d21079debeca453”...
  • Page 65: Tacacs+ Encryption Key Authentication

    Configuring Username and Password Security Saving Security Credentials in a Config File The password port-access values are configured separately from the manager and operator passwords configured with the password manager and password operator commands and used for management access to the switch. For information on the new password command syntax, see “Password Command Options”...
  • Page 66: Ssh Client Public-Key Authentication

    Configuring Username and Password Security Saving Security Credentials in a Config File during authentication sessions. Both the switch and the server have a copy of the key; the key is never transmitted across the network. For more information, refer to “3. Configure the Switch To Access a RADIUS Server” on page 5-14 in this guide.
  • Page 67 Configuring Username and Password Security Saving Security Credentials in a Config File “keystring”: a legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single quoted token. If the keystring contains double-quotes, it can be quoted with single quotes ('keystring').
  • Page 68 Configuring Username and Password Security Saving Security Credentials in a Config File To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command. The following example shows the SSH public keys configured for manager access, along with the hashed content of each SSH client public-key, that are stored in a configuration file: ...
  • Page 69: Operating Notes

    Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes C a u t i o n When you first enter the include-credentials command to save the ■ additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file.
  • Page 70 Configuring Username and Password Security Saving Security Credentials in a Config File • copy config <source-filename> config <target-filename>: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot.
  • Page 71: Restrictions

    Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command: ■ The private keys of an SSH host cannot be stored in the running configuration.
  • Page 72 Configuring Username and Password Security Saving Security Credentials in a Config File the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command. Note that the password port-access values are configured separately from local operator username and passwords configured with the password operator command and used for management access to the switch.
  • Page 73: Front-Panel Security

    Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together).
  • Page 74: Front-Panel Button Functions

    This section describes the functionality of the Clear and Reset buttons located on the front panel of the switch. Reset Button Clear Button Figure 2-6. Front-Panel Button Locations on a ProCurve 6120G/XG Switch Clear Button Reset Button Figure 2-7. Front-Panel Button Locations on a ProCurve 6120XG Switch...
  • Page 75: Clear Button

    Configuring Username and Password Security Front-Panel Security Clear Button Pressing the Clear button alone for five seconds resets the password(s) configured on the switch. Reset Clear Figure 2-8. Press the Clear Button for Five Seconds To Reset the Password(s) Reset Button Pressing the Reset button alone for one second causes the switch to reboot.
  • Page 76 Configuring Username and Password Security Front-Panel Security 2. While holding the Reset button, press and hold the Clear button for five seconds. Clear Reset Release the Reset button. Clear Reset 4. If the Clear button is held for greater then 2.5 seconds, configuration will be cleared, and the switch will reboot.
  • Page 77: Configuring Front-Panel Security

    Configuring Username and Password Security Front-Panel Security Configuring Front-Panel Security Using the front-panel-security command from the global configuration context in the CLI you can: • Disable or re-enable the password-clearing function of the Clear button. Disabling the Clear button means that pressing it does not remove local password protection from the switch.
  • Page 78 Configuring Username and Password Security Front-Panel Security Reset-on-clear: Shows the status of the reset-on-clear option (Enabled or Disabled). When reset-on-clear is disabled and Clear Password is enabled, then pressing the Clear button erases the local usernames and passwords from the switch. When reset-on-clear is enabled, pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch.
  • Page 79: Disabling The Clear Password Function Of The Clear Button

    Configuring Username and Password Security Front-Panel Security Disabling the Clear Password Function of the Clear Button Syntax: no front-panel-security password-clear In the factory-default configuration, pressing the Clear button on the switch’s front panel erases any local usernames and passwords configured on the switch. This command disables the password clear function of the Clear button, so that pressing it has no effect on any local usernames and passwords.
  • Page 80: Re-Enabling The Clear Button And Setting Or Changing The "Reset-On-Clear" Operation

    Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. •...
  • Page 81: Changing The Operation Of The Reset+Clear Combination

    Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on­ clear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-12. Example of Re-Enabling the Clear Button’s Default Operation Changing the Operation of the Reset+Clear Combination In their default configuration, using the Reset+Clear buttons in the combina­...
  • Page 82: Password Recovery

    Configuring Username and Password Security Password Recovery The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. Completes the command to disable the factory reset option. Displays the current front­ panel-security configuration, with Factory Reset disabled.
  • Page 83 Configuring Username and Password Security Password Recovery factory-default configuration. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured. Also, with factory-reset enabled, unauthorized users can use the Reset+Clear button combination to reset the switch to factory-default configuration and gain management access to the switch.
  • Page 84: Password Recovery Process

    Configuring Username and Password Security Password Recovery Figure 2-14. Example of the Steps for Disabling Password-Recovery Password Recovery Process If you have lost the switch’s manager username/password, but password- recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by ProCurve.
  • Page 85: Web And Mac Authentication

    Web and MAC Authentication Contents Overview ........... . . 3-3 Web Authentication .
  • Page 86 Web and MAC Authentication Contents Overview ..........3-50 Configuration Commands for MAC Authentication .
  • Page 87: Overview

    Web and MAC Authentication Overview Overview Feature Default Menu Configure Web Authentication — 3-20 — Configure MAC Authentication — 3-50 — Display Web Authentication Status and Configuration — 3-28 — Display MAC Authentication Status and Configuration — 3-55 — Web and MAC authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and a switch from unauthorized access.
  • Page 88: Mac Authentication

    Web and MAC Authentication Overview In the login page, a client enters a username and password, which the ■ switch forwards to a RADIUS server for authentication. After authen­ ticating a client, the switch grants access to the secured network. Besides a web browser, the client needs no special supplicant soft­...
  • Page 89: Authorized And Unauthorized Client Vlans

    Web and MAC Authentication Overview Each new Web/MAC Auth client always initiates a MAC authentica­ ■ tion attempt. This same client can also initiate Web authentication at any time before the MAC authentication succeeds. If either authenti­ cation succeeds then the other authentication (if in progress) is ended.
  • Page 90: Radius-Based Authentication

    Web and MAC Authentication How Web and MAC Authentication Operate clients by using an “unauthorized” VLAN for each session. The unauthorized VLAN ID assignment can be the same for all ports, or different, depending on the services and access you plan to allow for unauthenticated clients. You configure access to an optional, unauthorized VLAN when you configure Web and MAC authentication on a port.
  • Page 91: Web-Based Authentication

    Web and MAC Authentication How Web and MAC Authentication Operate Web-based Authentication When a client connects to a Web-Auth enabled port, communication is redi­ rected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username and password. The default User Login screen is shown in Figure 3-1.
  • Page 92 Web and MAC Authentication How Web and MAC Authentication Operate If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. After a successful login, a client may be redirected to a URL if you specify a URL value (redirect-url) when you configure web authentication.
  • Page 93: Mac-Based Authentication

    Web and MAC Authentication How Web and MAC Authentication Operate A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The max-retries parameter specifies how many times a client may enter their credentials before authentication fails. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out.
  • Page 94 Web and MAC Authentication How Web and MAC Authentication Operate The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period).
  • Page 95: Terminology

    Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN.
  • Page 96: Operating Rules And Notes

    Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ The switch supports concurrent 802.1X , Web and MAC authentication operation on a port (with up to 2 clients allowed). However, concur­ rent operation of Web and MAC authentication with other types of authentication on the same port is not supported.
  • Page 97 Web and MAC Authentication Operating Rules and Notes 1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships. 2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships.
  • Page 98: Setup Procedure For Web/Mac Authentication

    Web and MAC Authentication Setup Procedure for Web/MAC Authentication We b / M A C Web or MAC authentication and LACP are not supported at the same time on A u t h e n t i c a t i o n a port.
  • Page 99 Web and MAC Authentication Setup Procedure for Web/MAC Authentication ProCurve (config)# show port-access config Port Access Status Summary Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes Supplicant Authenticator Web Auth Mac Auth Port Enabled Enabled Enabled Enabled...
  • Page 100 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100”...
  • Page 101: Configuring The Radius Server To Support Mac Authentication

    Web and MAC Authentication Setup Procedure for Web/MAC Authentication Configuring the RADIUS Server To Support MAC Authentication On the RADIUS server, configure the client device authentication in the same way that you would any other client, except: Configure the client device’s (hexadecimal) MAC address as both ■...
  • Page 102 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Syntax: [no] radius-server [host < ip-address >] [oobm] Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can config­ ure up to three RADIUS server addresses. The switch uses the first server it successfully accesses.
  • Page 103 Web and MAC Authentication Setup Procedure for Web/MAC Authentication For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server specific shared secret key of ‘1A7rd’ Figure 3-5. Example of Configuring a Switch To Access a RADIUS Server 3-19...
  • Page 104: Configuring Web Authentication

    Web and MAC Authentication Configuring Web Authentication Configuring Web Authentication Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL for use by authenticated clients. Pro- Curve recommends that you provide a redirect URL when using Web Authentication.
  • Page 105: Configuration Commands For Web Authentication

    Web and MAC Authentication Configuring Web Authentication • You can block only incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web authentication. For example, Wake-on-LAN traffic is transmitted on a web-authenti­ cated egress port that has not yet transitioned to the authenticated state;...
  • Page 106 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-direc­ tions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.
  • Page 107 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> — Continued — Notes: ■ For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, “Multiple Instance Spanning-Tree Operation”...
  • Page 108 Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based <port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable web- based authentication on the specified ports. Syntax: aaa port-access web-based <port-list> [auth-vid <vid>]] no aaa port-access web-based <port-list>...
  • Page 109 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based [dhcp-addr <ip-address/mask>] Specifies the base address/mask for the temporary IP pool used by DHCP. The base address can be any valid ip address (not a multicast address). Valid mask range value is <255.255.240.0 - 255.255.255.0>.
  • Page 110 Web and MAC Authentication Configuring Web Authentication ProCurve Switch (config)# no aaa port-access web-based 47 ewa-server 10.0.12.181 ProCurve Switch (config)# Figure 3-7. Removing a Web Server with the aaa port-access web-based ews-server Command aaa port-access web-based <port-list > logoff-period <60-9999999> Syntax: Specifies the period, in seconds, that the switch enforces for an implicit logoff.
  • Page 111 Web and MAC Authentication Configuring Web Authentication Specifies the time period, in seconds, the switch enforces on a client to re-authenticate. When set to 0, reauthentication is disabled. (Default: 300 seconds) Syntax: aaa port-access web-based <port-list> [reauthenticate] Forces a reauthentication of all attached clients on the port.
  • Page 112: Show Commands For Web Authentication

    Web and MAC Authentication Configuring Web Authentication Show Commands for Web Authentication Command Page show port-access web-based [port-list] 3-28 show port-access web-based clients [port-list] 3-29 show port-access web-based clients <port-list> detailed 3-30 show port-access web-based config [port-list] 3-31 show port-access web-based config <port-list> detailed 3-32 show port-access web-based config [port-list] auth-server 3-33...
  • Page 113 Web and MAC Authentication Configuring Web Authentication ProCurve (config)# show port-access web-based Port Access Web-Based Status Auth Unauth Untagged Tagged Port Cntrl Port Clients Clients VLAN VLANs ----- -------- -------- -------- ------ -------- ------ 4006 70000000 MACbased No Figure 3-8.Example of show port-access web-based Command Output Syntax: show port-access web-based clients [port-list] Displays the session status, name, and address for each web-...
  • Page 114 Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based clients <port-list> detailed Displays detailed information on the status of web- authenticated client sessions on specified switch ports. ProCurve (config)# show port-access web-based clients 1 detailed Port Access Web-Based Client Status Detailed Client Base Details : Port Session Status : authenticated...
  • Page 115 Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config [port-list] Displays the currently configured Web Authentication settings for all switch ports or specified ports, including: • Temporary DHCP base address and mask • Support for RADIUS-assigned dynamic VLANs (Yes or •...
  • Page 116 Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config <port-list> detailed Displays more detailed information on the currently config­ ured Web Authentication settings for specified ports. ProCurve (config)# show port-access web-based config 1 detailed Port Access Web-Based Detailed Configuration Port Web-based enabled : Yes Client Limit...
  • Page 117 Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config [port-list] auth-server Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period • Number of timeouts supported before authentication login fails •...
  • Page 118: Customizing Web Authentication Html Files (Optional)

    Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Customizing Web Authentication HTML Files (Optional) The Web Authentication process displays a series of web pages and status messages to the user during login. The web pages that are displayed can be: ■...
  • Page 119: Customizing Html Templates

    Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) To configure a web server on your network, follow the instructions ■ in the documentation provided with the server. ■ Before you enable custom Web Authentication pages, you should: • Determine the IP address or host name of the web server(s) that will host your custom pages.
  • Page 120: Customizable Html Templates

    Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Customizable HTML Templates The sample HTML files described in the following sections are customizable templates. To help you create your own set HTML files, a set of the templates can be found on the download page for ‘K’ software. File Name Page 3-36...
  • Page 121 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- ProCurve Web Authentication Template index.html --> <html> <head> <title>User Login</title> </head> <body> <h1>User Login</h1> <p>In order to access this network, you must first log in.</p> <form action="/webauth/loginprocess" method="POST"> <table> <tr>...
  • Page 122 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Access Granted Page (accept.html). Figure 3-16. Access Granted Page The accept.html file is the web page used to confirm a valid client login. This web page is displayed after a valid username and password are entered and accepted.
  • Page 123 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- ProCurve Web Authentication Template accept.html --> <html> <head> <title>Access Granted</title> <!-- The following line is required to automatically redirect --> <meta http-equiv="refresh"content="<!- ESI(WAUTHREDIRECTTIMEGET, 1) ->;URL=<! ESI(WAUTHREDIRECTURLGET, 1) ->"/> </head> <body>...
  • Page 124 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Authenticating Page (authen.html). Figure 3-18. Authenticating Page The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified. <!-- ProCurve Web Authentication Template authen.html...
  • Page 125 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Invalid Credentials Page (reject_unauthvlan.html). Figure 3-20. Invalid Credentials Page The reject_unauthvlan.html file is the web page used to display login failures in which an unauthenticated client is assigned to the VLAN configured for unauthorized client sessions.
  • Page 126 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- ProCurve Web Authentication Template reject_unauthvlan.html --> <html> <head> <title>Invalid Credentials</title> <!-- The following line is required to automatically redirect --> <meta http-equiv="refresh"content="<!- ESI(WAUTHREDIRECTTIMEGET, 1) ->;URL=<! ESI(WAUTHREDIRECTURLGET, 1) ->"/> </head> <body>...
  • Page 127 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Timeout Page (timeout.html). Figure 3-22. Timeout Page The timeout.html file is the web page used to return an error message if the RADIUS server is not reachable. You can configure the time period (in seconds) that the switch waits for a response from the RADIUS server used to verify client credentials with the aaa port-access web-based server-timeout command when you enable Web Authentication.
  • Page 128 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Retry Login Page (retry_login.html). Figure 3-24. Retry Login Page The retry_login.html file is the web page displayed to a client that has entered an invalid username and/or password, and is given another opportunity to log The WAUTHRETRIESLEFTGET ESI displays the number of login retries that remain for a client that entered invalid login credentials.
  • Page 129 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- ProCurve Web Authentication Template retry_login.html --> <html> <head> <title>Invalid Credentials</title> <!-- The following line is required to automatically redirect the user back to the login page. --> <meta http-equiv="refresh" content="5;URL=/EWA/index.html"> </head>...
  • Page 130 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) SSL Redirect Page (sslredirect.html). Figure 3-26. SSL Redirect Page The sslredirect file is the web page displayed when a client is redirected to an SSL server to enter credentials for Web Authentication. If you have enabled SSL on the switch, you can enable secure SSL-based Web Authentication by entering the aaa port-access web-based ssl-login command when you enable Web Authentication.
  • Page 131 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- ProCurve Web Authentication Template sslredirect.html --> <html> <head> <title>User Login SSL Redirect</title> <meta http-equiv="refresh" content="5;URL=https://<!- ESI(WAUTHSSLSRVGET,1 ->/EWA/index.html"> </head> <body> <h1>User Login SSL Redirect</h1> <p>In order to access this network, you must first log in.</p> <p>Redirecting in 5 seconds to secure page for you to enter credentials or <...
  • Page 132 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Access Denied Page (reject_novlan.html). Figure 3-28. Access Denied Page The reject_novlan file is the web page displayed after a client login fails and no VLAN is configured for unauthorized clients. The WAUTHQUIETTIMEGET ESI inserts the time period used to block an unauthorized client from attempting another login.
  • Page 133 Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) <!-- ProCurve Web Authentication Template reject_novlan.html --> <html> <head> <title>Access Denied</title> <!-- The line below is required to automatically redirect the user back to the login page. --> <meta http-equiv="refresh" content="<!- ESI(WAUTHQUIETTIMEGET,1) ->;URL=/EW index.html">...
  • Page 134: Configuring Mac Authentication On The Switch

    Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made.
  • Page 135: Configuration Commands For Mac Authentication

    Web and MAC Authentication Configuring MAC Authentication on the Switch Configuration Commands for MAC Authentication Command Page Configuration Level aaa port-access mac-based password <password-value> 3-51 aaa port-access mac-based addr-format 3-51 [no] aaa port-access mac-based [e] < port-list > 3-53 [addr-limit] 3-53 [addr-moves] 3-54...
  • Page 136 Web and MAC Authentication Configuring MAC Authentication on the Switch ProCurve(config)# aaa port-access mac-based password secretMAC1 ProCurve(config)# show port-access mac-based config Port Access MAC-Based Configuration MAC Address Format : no-delimiter Password : secretMAC1 Unauth Redirect Configuration URL : Unauth Redirect Client Timeout (sec) : 1800 Unauth Redirect Restrictive Filter : Disabled Total Unauth Redirect Client Count : 0 Client Client Logoff...
  • Page 137: Configuring A Mac-Based Address Format

    Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring a MAC-based Address Format Syntax: aaa port-access mac-based addr-format <no-delimiter | single-dash | multi-dash | multi-colon | no-delimiter-uppercase | single-dash­ uppercase | multi-dash-uppercase | multi-colon-uppercase> Specifies the MAC address format to be used in the RADIUS request message.
  • Page 138 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: [no] aaa port-access mac-based [e] < port-list > [addr-moves] Allows client moves between the specified ports under MAC Auth control. When enabled, the switch allows addresses to move without requiring a re-authentica­ tion.
  • Page 139: Show Commands For Mac-Based Authentication

    Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [reauth-period <0 - 9999999>] Specifies the time period (in seconds) that the switch enforces on a client to re-authenticate. The client remains authenticated while the reauthentication occurs.
  • Page 140 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based [port-list] Displays the status of all ports or specified ports that are enabled for MAC authentication. The information displayed for each port includes: • Number of authorized and unauthorized clients •...
  • Page 141 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based clients [port-list] Displays the session status, name, and address for each MAC-authenticated client on the switch. The IP address displayed is taken from the DHCP binding table (learned through the DHCP Snooping feature).
  • Page 142 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based clients <port-list> detailed Displays detailed information on the status of MAC- authenticated client sessions on specified ports. ProCurve (config)# show port-access mac-based clients 1 detailed Port Access MAC-Based Client Status Detailed Client Base Details : Port Session Status : authenticated...
  • Page 143 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config [port-list] Displays the currently configured MAC Authentication settings for all switch ports or specified ports, including: • MAC address format • Support for RADIUS-assigned dynamic VLANs (Yes or •...
  • Page 144 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config <port-list> detailed Displays more detailed information on the currently config­ ured MAC Authentication settings for specified ports. ProCurve (config)# show port-access mac-based config 1 detailed Port Access MAC-Based Detailed Configuration Port Web-based enabled : Yes...
  • Page 145 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config [port-list] auth-server Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period •...
  • Page 146: Client Status

    Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Possible Explanations Connection authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires.
  • Page 147: Tacacs+ Authentication

    TACACS+ Authentication Contents Overview ........... . . 4-2 Terminology Used in TACACS Applications: .
  • Page 148: Overview

    TACACS+ Authentication Overview Overview Feature Default Menu view the switch’s authentication configuration — page 4-9 — view the switch’s TACACS+ server contact — page — configuration 4-10 configure the switch’s authentication methods disabled — page — 4-11 configure the switch to contact TACACS+ server(s) disabled —...
  • Page 149: Terminology Used In Tacacs Applications

    TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/ write) privilege level access.
  • Page 150 TACACS+ Authentication Terminology Used in TACACS Applications: face. (Using the menu interface you can assign a local password, but not a username.) Because this method assigns passwords to the switch instead of to individuals who access the switch, you must distribute the password information on each switch to everyone who needs to access the switch, and you must configure and manage password protection on a per-switch basis.
  • Page 151: General System Requirements

    TACACS+ Authentication General System Requirements General System Requirements To use TACACS+ authentication, you need the following: A TACACS+ server application installed and configured on one or ■ more servers or management stations in your network. (There are several TACACS+ software packages available.) A switch configured for TACACS+ authentication, with access to one ■...
  • Page 152 TACACS+ Authentication General Authentication Setup Procedure other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation”...
  • Page 153 TACACS+ Authentication General Authentication Setup Procedure N o t e o n When a TACACS+ server authenticates an access request from a switch, Privil ege Levels it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access.
  • Page 154: Configuring Tacacs+ On The Switch

    TACACS+ Authentication Configuring TACACS+ on the Switch configuration in your TACACS+ server application for mis-configura­ tions or missing data that could affect the server’s interoperation with the switch. 8. After your testing shows that Telnet access using the TACACS+ server is working properly, configure your TACACS+ server application for console access.
  • Page 155: Cli Commands Described In This Section

    TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs 4-10 aaa authentication 4-11 through 4-17 console Telnet num-attempts <1-10 > tacacs-server 4-18 host < ip-addr > 4-18 4-22 timeout < 1-255 > 4-23 Viewing the Switch’s Current Authentication Configuration...
  • Page 156: Viewing The Switch's Current Tacacs+ Server Contact Configuration

    TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. Syntax: show tacacs For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a (global) encryption key, show tacacs would produce a listing similar to the...
  • Page 157: Configuring The Switch's Authentication Methods

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures access control for the following access methods: ■ Console Telnet ■ ■ ■ ■ Port-access (802.1X) However, TACACS+ authentication is only used with the console, Telnet, or SSH access methods.
  • Page 158: Authentication Parameters

    TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: aaa authentication < console | telnet | ssh | web | port-access > Selects the access method for configuration. < enable> The server grants privileges at the Manager privilege level. <login [privilege-mode] > The server grants privileges at the Operator privilege level.
  • Page 159: Configuring The Tacacs+ Server For Single Login

    TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range Function enable Specifies the Manager (read/write) privilege level for the access method being configured. login <privilege­ privilege-mode login: Specifies the Operator (read-only) privilege level for the mode> disabled access method being configured. The privilege-mode option enables TACACS+ for a single login.
  • Page 160 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-4. Advanced TACACS+ Settings Section of the TACACS+ Server User Setup Then scroll down to the section that begins with “Shell” (See Figure 4-5). Check the Shell box. Check the Privilege level box and set the privilege level to 15 to allow “root” privileges.
  • Page 161 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-5. The Shell Section of the TACACS+ Server User Setup As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch’s console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.
  • Page 162 TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Authentication Options Effect on Access Attempts Privilege Level Primary Secondary Console — Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Console —...
  • Page 163 TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server.
  • Page 164: Configuring The Switch's Tacacs+ Server Access

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these parameters: The host IP address(es) for up to three TACACS+ servers; one first- ■ choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.
  • Page 165 TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [oobm] [key < key-string >] Adds a TACACS+ server and optionally assigns a server-specific encryption key. The oobm parameter specifies that the operation will go out from the out-of-band management interface. If this parameter is not specified, the operation goes out from the data interface.
  • Page 166 TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key”...
  • Page 167 TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server”...
  • Page 168 TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-7. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.
  • Page 169 TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs-server host 10.28.227.104 Note...
  • Page 170: How Authentication Operates

    TACACS+ Authentication How Authentication Operates How Authentication Operates General Authentication Process Using a TACACS+ Server Authentication through a TACACS+ server operates generally as described below. For specific operating details, refer to the documentation you received with your TACACS+ server application. Terminal “A”...
  • Page 171 TACACS+ Authentication How Authentication Operates 4. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs: • If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.
  • Page 172: Local Authentication Process

    TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authenti­ cation only if one of these two conditions exists: “Local” is the authentication option for the access method being used. ■...
  • Page 173: Using The Encryption Key

    TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”) helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.
  • Page 174: Controlling Web Browser Interface Access When Using Tacacs+ Authentication

    TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to configure a global encryp­ tion key in the switch to match a key entered as in two target north40campus TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch: ProCurve(config)# tacacs-server key north40campus...
  • Page 175: Messages Related To Tacacs+ Operation

    TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For informa­ tion on such messages, refer to the documentation you received with the application.
  • Page 176 TACACS+ Authentication Operating Notes When TACACS+ is not enabled on the switch—or when the switch’s ■ only designated TACACS+ servers are not accessible— setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthor­ ized persons.
  • Page 177: Contents

    RADIUS Authentication, Authorization, and Accounting Contents Overview ........... . . 5-3 Authentication Services .
  • Page 178 RADIUS Authentication, Authorization, and Accounting Contents Controlling Web Browser Interface Access ....5-34 Commands Authorization ........5-35 Enabling Authorization .
  • Page 179: Radius Authentication, Authorization, And Accounting

    RADIUS Authentication, Authorization, and Accounting Overview Overview Feature Default Menu Configuring RADIUS Authentication None Configuring RADIUS Accounting None 5-47 Configuring RADIUS Authorization None 5-35 Viewing RADIUS Statistics 5-56 RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server employed.
  • Page 180: Accounting Services

    RADIUS Authentication, Authorization, and Accounting Overview Note The switch does not support RADIUS security for SNMP (network manage­ ment) access. For information on blocking access through the web browser interface, refer to “Controlling Web Browser Interface Access” on page 5-34. Accounting Services RADIUS accounting on the switch collects resource consumption data and forwards it to the RADIUS server.
  • Page 181: Terminology

    RADIUS Authentication, Authorization, and Accounting Terminology Terminology AAA: Authentication, Authorization, and Accounting groups of services pro­ vided by the carrying protocol. CHAP (Challenge-Handshake Authentication Protocol): A challenge- response authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a challenge from a RADIUS server. CoS (Class of Service): Support for priority handling of packets traversing the switch, based on the IEEE 802.1p priority carried by each packet.
  • Page 182: Switch Operating Rules For Radius

    RADIUS Authentication, Authorization, and Accounting Switch Operating Rules for RADIUS Vendor-Specific Attribute: A vendor-defined value configured in a RADIUS server to specific an optional switch feature assigned by the server during an authenticated client session. Switch Operating Rules for RADIUS ■...
  • Page 183: General Radius Setup Procedure

    RADIUS Authentication, Authorization, and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring the switch, collect the information outlined below.
  • Page 184: Configuring The Switch For Radius Authentication

    RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.) • Determine whether you want to bypass a RADIUS server that fails to respond to requests for service.
  • Page 185: Outline Of The Steps For Configuring Radius Authentication

    RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following •...
  • Page 186: Configure Authentication For The Access Methods You Want Radius To Protect

    RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication • Timeout Period: The timeout period the switch waits for a RADIUS server to reply. (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS authentication request.
  • Page 187 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication ure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail. Syntax: aaa authentication < console | telnet | ssh | web | < enable | login <local | radius>>...
  • Page 188 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Figure 5-2 shows an example of the show authentication command displaying authorized as the secondary authentication method for port-access, Web-auth access, and MAC-auth access. Since the configuration of authorized means no authentication will be performed and the client has unconditional access to the network, the “Enable Primary”...
  • Page 189: Enable The (Optional) Access Privilege Option

    RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in this guide. The switch now allows Telnet and SSH authentication only through RADIUS.
  • Page 190: Configure The Switch To Access A Radius Server

    RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication this default behavior for clients with Enable (manager) access. That is, with privilege-mode enabled, the switch immediately allows Enable (Manager) access to a client for whom the RADIUS server specifies this access level. Syntax: [no] aaa authentication login privilege-mode When enabled, the switch reads the Service-Type field in the client authentication received from a RADIUS server.
  • Page 191 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Note If you want to configure RADIUS accounting on the switch, go to page 5-47: “Configuring RADIUS Accounting” instead of continuing here. Syntax: [no] radius-server host < ip-address > [oobm] Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration.
  • Page 192 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication [dyn-authorization] Enables or disables the processing of Disconnect and Change of Authorization messages from this host. When enabled, the RADIUS server can dynamically terminate or change the authorization parameters (such as VLAN assignment) used in an active client session on the switch.
  • Page 193: Configure The Switch's Global Radius Parameters

    RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Add a RADIUS server with an IP address of 10.33.18.119 and a server- specific encryption key of “source0119”. Figure 5-4. Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 5-4, you would do the following: Changes the key...
  • Page 194 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Number of login attempts: In a given session, specifies how many ■ tries at entering the correct username and password pair are allowed before access is denied and the session terminated. (This is a general aaa authentication parameter and is not specific to RADIUS.) Global server key: The server key the switch will use for contacts ■...
  • Page 195 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication dead-time < 1 - 1440 > Optional. Specifies the time in minutes during which the switch will not attempt to use a RADIUS server that has not responded to an earlier authentication attempt. (Default: 0;...
  • Page 196 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Allow three seconds for request timeouts. ■ Allow two retries following a request that did not receive a response. ■ Figure 5-6. Example of Global Configuration Exercise for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in...
  • Page 197: Using Multiple Radius Server Groups

    RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Using Multiple RADIUS Server Groups The authentication and accounting features on the switch can use up to fifteen RADIUS servers. This option allows the RADIUS servers to be put into groups. Up to 5 groups of 3 RADIUS servers each can be configured.
  • Page 198: Enhanced Commands

    RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa server-group radius <group-name> host <ip-addr> no aaa server-group radius <group-name> host <ip-addr> Associates a RADIUS server with a server group. Each group can contain up to 3 RADIUS servers. The default group (called ‘radius’) can only contain the first three RADIUS servers.
  • Page 199 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication [ local | none | authorized ]: Provides options for secondary authentication (default: none). Note that for console access, secondary authentication must be local if primary access is not local. This prevents you from being locked out of the switch in the event of a failure in other access methods.
  • Page 200: Displaying The Radius Server Group Information

    RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Displaying the RADIUS Server Group Information The show server-group radius command displays the same information as the show radius command, but displays the servers in their server groups. ProCurve(config)# show server-group radius Status and Counters - AAA Server Groups Group Name: radius Auth...
  • Page 201 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication ProCurve(config)# show authentication Status and Counters - Authentication Information Login Attempts : 3 Respect Privilege : Disabled | Login Login Login Access Task | Primary Server Group Secondary ----------- + ---------- ------------ ---------- Console | Local radius...
  • Page 202: Cached Reauthentication

    RADIUS Authentication, Authorization, and Accounting Cached Reauthentication Cached Reauthentication Cached reauthentication allows 802.1X, web, or MAC reauthentications to succeed when the RADIUS server is unavailable. Users already authenticated retain their currently-assigned RADIUS attributes. Uninterrupted service is provided for authenticated users with RADIUS-assigned VLANS if the RADIUS server becomes temporarily unavailable during periodic reauthentications.
  • Page 203: Timing Considerations

    RADIUS Authentication, Authorization, and Accounting Cached Reauthentication Syntax: [no] aaa authentication <port-access | web-based | mac-based > <primary method> < secondary-method> Allows reauthentications to succeed when the RADIUS server is unavailable. Users already authenticated retain their currently-assigned session attributes. The primary methods for port-access authentication are local, chap-radius, or eap-radius.
  • Page 204 RADIUS Authentication, Authorization, and Accounting Cached Reauthentication authentication have been changed from their default values. The period of time represented by X is how long 802.1X or Web MAC authentication will wait for a RADIUS response. For example: 1. A cached-reauth-period is set to 900 seconds (15 minutes) and the reauth period is 180 seconds.
  • Page 205 RADIUS Authentication, Authorization, and Accounting Cached Reauthentication 4. The time between step 8 and step 9 is X seconds. 5. The total time is 180 + X + 900 + 180 + X, which equals 900 +2(180+X) seconds. Note The period of 1 to 30 seconds, represented by X, is not a firm time period; the time can vary depending on other 802.1X and Web/MAC auth parameters.
  • Page 206: Using Snmp To View And Configure Switch Authentication Features

    RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features Using SNMP To View and Configure Switch Authentication Features SNMP MIB object access is available for switch authentication configuration (hpSwitchAuth) features. This means that the switches covered by this Guide allow, by default, manager-only SNMP read/write access to a subset of the authentication MIB objects for the following features: ■...
  • Page 207: Changing And Viewing The Snmp Access Configuration

    RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features Changing and Viewing the SNMP Access Configuration Syntax: snmp-server mib hpswitchauthmib < excluded | included > included: Enables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB. excluded: Disables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB.
  • Page 208 RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features An alternate method of determining the current Authentication MIB access state is to use the show run command. ProCurve(config)# show run Running configuration: ; 498358-B21 Configuration Editor; Created on release #Z.14.XX hostname "ProCurve"...
  • Page 209: Local Authentication Process

    RADIUS Authentication, Authorization, and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: Local is the authentication option for the access method being used. ■...
  • Page 210: Controlling Web Browser Interface Access

    RADIUS Authentication, Authorization, and Accounting Controlling Web Browser Interface Access Controlling Web Browser Interface Access To help prevent unauthorized access through the web browser interface, do one or more of the following: ■ Configure the switch to support RADIUS authentication for web browser interface access.
  • Page 211: Commands Authorization

    RADIUS Authentication, Authorization, and Accounting Commands Authorization Commands Authorization The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information (from the user’s profile) to the Network Access Server (NAS). After user authentication has occurred, the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user’s session.
  • Page 212: Enabling Authorization

    RADIUS Authentication, Authorization, and Accounting Commands Authorization Enabling Authorization To configure authorization for controlling access to the CLI commands, enter this command at the CLI. Syntax: [no] aaa authorization <commands> <radius | none> Configures authorization for controlling access to CLI commands.
  • Page 213: Displaying Authorization Information

    RADIUS Authentication, Authorization, and Accounting Commands Authorization Displaying Authorization Information You can show the authorization information by entering this command: Syntax: show authorization Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed.
  • Page 214 RADIUS Authentication, Authorization, and Accounting Commands Authorization The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below. HP-Command-String HP-Command-Exception Description Not present Not present If command authorization is enabled and the RADIUS server does not provide any authorization attributes in an Access-Accept packet, the user is denied access to the server.
  • Page 215: Example Configuration On Cisco Secure Acs For Ms Windows

    RADIUS Authentication, Authorization, and Accounting Commands Authorization Example Configuration on Cisco Secure ACS for MS Windows It is necessary to create a dictionary file that defines the VSAs so that the RADIUS server application can determine which VSAs to add to its user interface.
  • Page 216 RADIUS Authentication, Authorization, and Accounting Commands Authorization Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList 2. Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). 3. From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils>...
  • Page 217: Example Configuration Using Freeradius

    RADIUS Authentication, Authorization, and Accounting Commands Authorization 6. Right click and then select New > key. Add the vendor Id number that you determined in step 4 (100 in the example). 7. Restart all Cisco services. 8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes.
  • Page 218 RADIUS Authentication, Authorization, and Accounting Commands Authorization dictionary.hp As posted to the list by User <user_email> Version: $Id: dictionary.hp, v 1.0 2006/02/23 17:07:07 VENDOR # HP Extensions ATTRIBUTE Hp-Command-String string ATTRIBUTE Hp-Command-Exception integer # Hp-Command-Exception Attribute Values VALUE Hp-Command-Exception Permit-List VALUE Hp-Command-Exception Deny-List...
  • Page 219: Vlan Assignment In An Authentication Session

    RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session VLAN Assignment in an Authentication Session A switch supports concurrent 802.1X and either Web- or MAC-authentication sessions on a port (with up to 32 clients allowed). If you have configured RADIUS as the primary authentication method for a type of access, when a client authenticates on a port, the RADIUS server assigns an untagged VLAN that is statically configured on the switch for use in the authentication session.
  • Page 220: Tagged And Untagged Vlan Attributes

    RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session Tagged and Untagged VLAN Attributes When you configure a user profile on a RADIUS server to assign a VLAN to an authenticated client, you can use either the VLAN’s name or VLAN ID (VID) number.
  • Page 221: Additional Radius Attributes

    RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session Additional RADIUS Attributes The following attributes are included in Access-Request and Access-Account­ ing packets sent from the switch to the RADIUS server to advertise switch capabilities, report information on authentication sessions, and dynamically reconfigure authentication parameters: MS-RAS-Vendor (RFC 2548): Allows ProCurve switches to inform a ■...
  • Page 222 RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session ProCurve(config)# show radius dyn-authorization Status and Counters - RADIUS Dynamic Authorization Information NAS Identifier : LAB-8212 Invalid Client Addresses (CoA-Reqs) : 0 Invalid Client Addresses (Disc-Reqs) : 0 Disc Disc Disc Client IP Addr...
  • Page 223: Configuring Radius Accounting

    RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Commands Page [no] radius-server host < ip-address > 5-50 [acct-port < port-number >] 5-50 [key < key-string >] 5-50 [no] aaa accounting < exec | network | system | commands> 5-54 <...
  • Page 224 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting Exec accounting: Provides records holding the information listed ■ below about login sessions (console, Telnet, and SSH) on the switch: • Acct-Authentic • Acct-Status-Type • NAS-Identifier • Acct-Delay-Time • Acct-Terminate-Cause • NAS-IP-Address •...
  • Page 225: Operating Rules For Radius Accounting

    RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting minute, it sends the accounting request packet to the RADIUS server without the Framed-IP-Address attribute. If the IP address is learned at a later time, it will be included in the next accounting request packet sent. The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server.
  • Page 226: Configure The Switch To Access A Radius Server

    RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting – Optional—a UDP destination port for authentication requests. Otherwise the switch assigns the default UDP port (1812; recom­ mended). – Optional—if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are desig­...
  • Page 227 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. For switches that have a separate out-of-band manage­ ment port, the oobm parameter specifies that the RADIUS traffic will go through the out-of-band man­...
  • Page 228: Configure Accounting Types And The Controls For Sending Reports To The Radius Server

    RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting For example, suppose you want to the switch to use the RADIUS server described below for both authentication and accounting purposes. IP address: 10.33.18.151 ■ ■ A non-default UDP port number of 1750 for accounting. For this example, assume that all other RADIUS authentication parameters for accessing this server are acceptable at their default settings, and that RADIUS is already configured as an authentication method for one or more...
  • Page 229 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting Note that there is no time span associated with using the system option. It simply causes the switch to transmit whatever accounting data it currently has when one of the above events occurs. Network: Use Network if you want to collect accounting information ■...
  • Page 230: Optional) Configure Session Blocking And Interim Updating Options

    RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting For example, to configure RADIUS accounting on the switch with start-stop for exec functions and stop-only for system functions: Configures exec and system accounting and controls. Summarizes the switch’s accounting configuration. Exec and System accounting are active.
  • Page 231 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting To continue the example in figure 5-19, suppose that you wanted the switch to: Send updates every 10 minutes on in-progress accounting sessions. ■ ■ Block accounting for unknown users (no username). Update Period Suppress Unknown User Figure 5-20.
  • Page 232: Viewing Radius Statistics

    RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which.
  • Page 233 RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Figure 5-22. RADIUS Server Information From the Show Radius Host Command Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting- Request that matched it from this RADIUS accounting server. PendingRequests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
  • Page 234: Radius Authentication Statistics

    RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Term Definition Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions. AccessChallenges The number of RADIUS Access-Challenge packets (valid or invalid) received from this server. AccessAccepts The number of RADIUS Access-Accept packets (valid or invalid) received from this server. AccessRejects The number of RADIUS Access-Reject packets (valid or invalid) received from this server.
  • Page 235: Radius Accounting Statistics

    RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Figure 5-24. Example of RADIUS Authentication Information from a Specific Server RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppres­ sion status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) config­...
  • Page 236: Changing Radius-Server Access Order

    RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order Figure 5-26. Example of RADIUS Accounting Information for a Specific Server Figure 5-27. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command.
  • Page 237 RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order RADIUS server IP addresses listed in the order in which the switch will try to access them. In this case, the server at IP address 1.1.1.1 is first. Note: If the switch successfully accesses the first server, it does not try to access any other servers in the list, even if the client is denied access by the first server.
  • Page 238 RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order Removes the “003” and “001” addresses from the RADIUS server list. Inserts the “003” address in the first position in the RADIUS server list, and inserts the “001” address in the last position in the list. Shows the new order in which the switch searches for a RADIUS server.
  • Page 239: Messages Related To Radius Operation

    RADIUS Authentication, Authorization, and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch.
  • Page 240 RADIUS Authentication, Authorization, and Accounting Messages Related to RADIUS Operation 5-64...
  • Page 241: Configuring Radius Server Support

    Configuring RADIUS Server Support for Switch Services Contents Overview ........... . . 6-3 RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting .
  • Page 242 Configuring RADIUS Server Support for Switch Services Contents Configuring the Switch To Support RADIUS-Assigned ACLs ........... . . 6-24 Displaying the Current RADIUS-Assigned ACL Activity on the Switch .
  • Page 243: Overview

    Configuring RADIUS Server Support for Switch Services Overview Overview This chapter provides information that applies to setting up a RADIUS server to configure the following switch features on ports supporting RADIUS- authenticated clients: ■ Rate-Limiting ■ ■ ACLS Optional Network Management Applications. Per-port CoS and rate- limiting assignments through a RADIUS server are also supported in the ProCurve Manager (PCM) application.
  • Page 244: Radius Server Configuration For Per-Port Cos (802.1P Priority) And Rate-Limiting

    Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate- Limiting This section provides general guidelines for configuring a RADIUS server to dynamically apply CoS (Class of Service) and Rate-Limiting for inbound traffic on ports supporting authenticated clients.
  • Page 245: Applied Rates For Radius-Assigned Rate Limits

    Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Service Control Method and Operating Notes: Rate-Limiting on Vendor-Specific Attribute configured in the RADIUS server. inbound traffic ProCurve (HP) vendor-specific ID:11 This feature assigns a VSA: 46 (integer = HP) bandwidth limit to all Setting: HP-RATE-LIMIT = <...
  • Page 246: Viewing The Currently Active Per-Port Cos And Rate-Limiting Configuration Specified By A Radius Server

    Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Table 6-2. Examples of Assigned and Applied Rate Limits RADIUS-Assigned Applied Applied Rate Limit Difference/Kbps Bandwidth (Kbps) Increments (Kbps) 5,250 100 Kbps 5,200 50,250 1 Mbps 50,000...
  • Page 247 Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Syntax: show port-access authenticator [ port-list ] show rate-limit all show qos port-priority These commands display the CoS and Rate-Limiting settings specified by the RADIUS server used to grant authentication for a given client on a given port.
  • Page 248 Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting ProCurve(config)# show qos port-priority Priority in the Apply Rule column indicates a non- default CoS (802.1p) Port priorities priority configured in the switch for port B1. The 3 in Port Apply rule | DSCP Priority...
  • Page 249: Configuring And Using Radius-Assigned Access Control Lists

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuring and Using RADIUS-Assigned Access Control Lists Introduction A RADIUS-assigned ACL is configured on a RADIUS server and dynamically assigned by the server to filter traffic entering the switch through a specific port after the client is authenticated by the server.
  • Page 250 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists • RADIUS-assigned ACL: dynamic ACL assigned to a port by a RADIUS server to filter inbound traffic from an authenticated client on that port An ACL can be configured on an interface as a static port ACL. (RADIUS­ assigned ACLs are configured on a RADIUS server.) ACL Mask: Follows a destination IP address listed in an ACE.
  • Page 251 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Permit: An ACE configured with this action allows the switch to forward an inbound packet for which there is a match within an applicable ACL. Permit Any Any: An abbreviated form of permit in ip from any to any, which permits any inbound IP traffic from any source to any destination.
  • Page 252: Overview Of Radius-Assigned, Dynamic Acls

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Overview of RADIUS-Assigned, Dynamic ACLs RADIUS-assigned ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources and to the switch management interface. This includes preventing clients from using TCP or UDP applications (such as Telnet, SSH, Web browser, and SNMP) if you do not want their access privi­...
  • Page 253: Contrasting Dynamic (Radius-Assigned) And Static Acls

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note A RADIUS-assigned ACL assignment filters all inbound IP traffic from an authenticated client on a port, regardless of whether the client’s IP traffic is to be switched or routed. RADIUS-assigned ACLs can be used either with or without PCM and IDM support.
  • Page 254: How A Radius Server Applies A Radius-Assigned

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists RADIUS-assigned ACLs Static Port ACLs Allows one RADIUS-assigned ACL per authenticated client Supports static ACLs on a port. (Each such ACL filters traffic from a different, authenticated client.) Note: The switch provides ample resources for supporting RADIUS-assigned ACLs and other features.
  • Page 255: General Acl Features, Planning, And Configuration

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists the same username/password pair. Where the client MAC address is the selection criteria, only the client having that MAC address can use the corre­ sponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client’s credentials to the port.
  • Page 256: The Packet-Filtering Process

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 3. Configure the ACLs on a RADIUS server accessible to the intended clients. 4. Configure the switch to use the desired RADIUS server and to support the desired client authentication scheme.
  • Page 257: Configuring An Acl In A Radius Server

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists through MAC Authentication, then the client MAC address forms the credential set.) For more on this topic, refer to “Configuring an ACL in a RADIUS Server” on page 6-17. ■...
  • Page 258: Nas-Filter-Rule-Options

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists ACL configuration, including: ■ • one or more explicit “permit” and/or “deny” ACEs created by the system operator • implicit deny any any ACE automatically active after the last operator- created ACE Nas-Filter-Rule-Options Table 6-4.
  • Page 259 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Nas-filter-Rule = : Standard attribute for filtering inbound IPv4 traffic from an authenticated client. Refer also to table 6-4, “Nas-Filter-Rule Attribute Options” on page 6-18. Legacy HP VSA for filtering inbound IPv4 traffic from an authenticated HP-Nas-filter-Rule = : client.
  • Page 260: Example Using The Standard Attribute (92) In An Ipv4 Acl

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists < ipv4-addr >: Specifies a single destination IPv4 address. < ipv4-addr /< mask >: Specifies a series of contiguous destination addresses or all destination addresses in a subnet. The < mask > is CIDR notation for the number of leftmost bits in a packet’s destination IPv4 address that must match the corre­...
  • Page 261: Example Of Configuring A Radius-Assigned Acl Using The Freeradius Application

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists client 10.10.10.125 Note: The key configured in the switch and the secret configured in the RADIUS server nastype = other supporting the switch must be identical. Refer secret = 1234 to the chapter titled “RADIUS Authentication and Accounting”...
  • Page 262 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists VENDOR ProCurve (HP) Vendor-Specific ID BEGIN-VENDOR ATTRIBUTE HP-IP-FILTER-RAW 61 STRING END-VENDOR ProCurve (HP) Vendor-Specific Attribute for RADIUS-assigned ACLs Note that if you were also using the RADIUS server to administer 802.1p (CoS) priority, you would also insert the ATTRIBUTE entries for these functions above the END­...
  • Page 263: Format Details For Aces Configured In A Radius-Assigned Acl

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note For syntax details on RADIUS-assigned ACLs, refer to the next section, “Format Details for ACEs Configured in a RADIUS-Assigned ACL”. Client’s Username (802.1X or Web Authentication) Client’s Password (802.1X or Web Authentication) mobile011 Auth-Type:= Local, User-Password == run101112 HP-IP-FILTER-RAW = “permit in tcp from any to 10.10.10.101”,...
  • Page 264: Configuration Notes

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuration Notes Explicitly Permitting Any IP Traffic. Entering a permit in ip from any to any (permit any any) ACE in an ACL permits all IP traffic not previously permitted or denied by that ACL.
  • Page 265 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Syntax: aaa accounting network < start-stop | stop-only > radius Note Refer to the documentation provided with your RADIUS server for infor­ mation on how the server receives and manages network accounting information, and how to perform any configuration steps necessary to enable the server to support network accounting data from the switch.
  • Page 266: Displaying The Current Radius-Assigned Acl Activity

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Displaying the Current RADIUS-Assigned ACL Activity on the Switch These commands output data indicating the current ACL activity imposed per- port by RADIUS server responses to client authentication. Syntax: show access-list radius <...
  • Page 267 Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Syntax: show port-access authenticator < port-list > For ports, in < port-list > that are configured for authentication, this command indicates whether there are any RADIUS-assigned features active on the port(s). (Any ports in <...
  • Page 268: Icmp Type Numbers And Keywords

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists ProCurve(config)# show port-access authenticator 2-3 Port Access Authenticator Status Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Auth Unauth Untagged Tagged Kbps In RADIUS Cntrl Port Clients...
  • Page 269: Event Log Messages

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Event Log Messages Message Meaning Notifies of a problem with the keyword in permit deny ACE parsing error, permit/deny keyword < ace-# > client < mac-address > the indicated ACE included in the access list for the port <...
  • Page 270: Causes Of Client Deauthentication Immediately After Authenticating

    Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Message Meaning Notifies that the string configured for an ACE entry on the Invalid Access-list entry length, client < mac-address > port < port-# >. Radius server exceeds 80 characters. Memory allocation failure for IDM Notifies of a memory allocation failure for a RADIUS­...
  • Page 271: Contents

    Configuring Secure Shell (SSH) Contents Overview ........... . . 7-2 Terminology .
  • Page 272: Configuring Secure Shell (Ssh)

    Configuring Secure Shell (SSH) Overview Overview Feature Default Menu Generating a public/private key pair on the switch page 7-10 Using the switch’s public key page 7-13 Enabling SSH Disabled page 7-15 Enabling client public-key authentication Disabled pages 7-21, 7-24 Enabling user authentication Disabled page 7-20 The switches covered in this guide use Secure Shell version 2 (SSHv2) to...
  • Page 273: Terminology

    Configuring Secure Shell (SSH) Terminology Note SSH in ProCurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit www.openssh.com . Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication shown in figure 7-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.
  • Page 274 Configuring Secure Shell (SSH) Terminology Enable Level: Manager privileges on the switch. ■ Login Level: Operator privileges on the switch. ■ ■ Local password or username: A Manager-level or Operator-level password configured in the switch. ■ SSH Enabled: (1) A public/private key pair has been generated on the switch (generate ssh [dsa | rsa]) and (2) SSH is enabled (ip ssh).
  • Page 275: Prerequisite For Using Ssh

    Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 7-2), then the client program must have the capability to generate or import keys.
  • Page 276: Steps For Configuring And Using Ssh For Switch And Client Authentication

    Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 7-1.
  • Page 277 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 7-10). 2. Generate a public/private key pair on the switch (page 7-10). You need to do this only once.
  • Page 278: General Operating Rules And Notes

    Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 client key pairs. The switch’s own public/private key pair and the (optional) client ■...
  • Page 279: Configuring The Switch For Ssh Operation

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 7-19 show crypto client-public-key [<manager | operator>] 7-27 [keylist-str] [< babble | fingerprint>] show crypto host-public-key [< babble | fingerprint >] 7-14 show authentication 7-23...
  • Page 280: Configuring The Switch For Ssh Operation

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
  • Page 281 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be “permanent”;...
  • Page 282 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation show crypto host-public-key Displays switch’s public key. Displays the version 1 and version 2 views of the key. [ babble ] Displays hashes of the switch’s public key in phonetic format.
  • Page 283: Configuring Key Lengths

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes "Zeroizing" the switch’s key automatically disables SSH (sets ip ssh to no). Thus, if you zeroize the key and then generate a new key, you must also re- enable SSH with the ip ssh command before the switch can resume SSH operation.
  • Page 284 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation (The generated public key on the switch is always 896 bits.) With a direct serial connection from a management station to the switch: 1. Use a terminal application such as HyperTerminal to display the switch’s public key with the show crypto host-public-key command (figure 7-5).
  • Page 285: Enabling Ssh On The Switch And Anticipating Ssh Client Contact Behavior

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Non-encoded ASCII numeric string: Requires a client ability to ■ display the keys in the “known hosts” file in the ASCII format. This method is tedious and error-prone due to the length of the keys. (See figure 7-7 on page 7-14.) Phonetic hash: Outputs the key as a relatively short series of alpha­...
  • Page 286 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note Before enabling SSH on the switch you must generate the switch’s public/ private key pair. If you have not already done so, refer to “2. Generating the Switch’s Public and Private Key Pair” on page 7-10. When configured for SSH, the switch uses its host public-key to authenticate itself to SSH clients.
  • Page 287 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation To disable SSH on the switch, do either of the following: Execute no ip ssh. ■ ■ Zeroize the switch’s existing key pair. (page 7-11). Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher <cipher-type>] Specify a cipher type to use for connection.
  • Page 288 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [mac <mac-type>] Allows configuration of the set of MACs that can be selected. Valid types are: • hmac-md5 • hmac-sha1 • hmac-sha1-96 • hmac-md5-96 Default: All MAC types are available. Use the no form of the command to disable a MAC type.
  • Page 289 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation N o t e o n P o r t ProCurve recommends using the default TCP port number (22). However, you Num b er can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes.
  • Page 290: Configuring The Switch For Ssh Authentication

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation access to the serial port (and the Clear button, which removes local password protection), keep physical access to the switch restricted to authorized per­ sonnel. 5. Configuring the Switch for SSH Authentication Note that all methods in this section result in authentication of the switch’s public key by an SSH client.
  • Page 291 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option B: Configuring the Switch for Client Public-Key SSH Authentication. If configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public-key for the switch to authenticate.
  • Page 292 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none > Configures a password method for the primary and second­ ary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none.
  • Page 293 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configures Manager user- Configures the name and password. switch to allow SSH access only ProCurve(config)# password manager user-name leader for a client whose public key New password for Manager: ******** matches one of the Please retype new password for Manager: ******** keys in the public...
  • Page 294: Use An Ssh Client To Access The Switch

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems"...
  • Page 295 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 1. The client sends its public key to the switch with a request for authenti­ cation. 2. The switch compares the client’s public key to those stored in the switch’s client-public-key file.
  • Page 296 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication To Create a Client-Public-Key Text File. These steps describe how to copy client-public-keys into the switch for challenge-response authentication, and require an understanding of how to use your SSH client application. Bit Size Exponent <e>...
  • Page 297 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 2. Copy the client’s public key into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft® Windows® software. If you want several clients to use client public-key authentica­ tion, copy a public key for each of these clients (up to ten) into the file.
  • Page 298 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication The operator option replaces the key(s) for operator access (default); follow with the ‘append’ option to add the key(s). For switches that have a separate out-of-band manage­ ment port, the oobm parameter specifies that the traffic will go through the out-of-band management interface.
  • Page 299 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication For example, if you wanted to copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents: Key Index Number Figure 7-14. Example of Copying and Displaying a Client Public-Key File Containing Two Different Client Public Keys for the Same Client Replacing or Clearing the Public Key File.
  • Page 300: Messages Related To Ssh Operation

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Syntax: aaa authentication ssh login public-key none Allows SSH client access only if the switch detects a match between the client’s public key and an entry in the client­ public-key file most recently copied into the switch. C a u t i o n To enable client public-key authentication to block SSH clients whose public keys are not in the client-public-key file copied into the switch, you must...
  • Page 301: Logging Messages

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning The client key does not exist in the switch. Use copy Client public key file corrupt or not tftp to download the key from a TFTP server. found. Use 'copy tftp pub-key-file <ip- addr>...
  • Page 302: Debug Logging

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Debug Logging To add ssh messages to the debug log output, enter this command: ProCurve# debug ssh LOGLEVEL where LOGLEVEL is one of the following (in order of increasing verbosity): • fatal •...
  • Page 303: Contents

    Configuring Secure Socket Layer (SSL) Contents Overview ........... . . 8-2 Terminology .
  • Page 304: Configuring Secure Socket Layer (Ssl)

    Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu Generating a Self Signed Certificate on the switch page 8-8 page 8-12 Generating a Certificate Request on the switch page 8-15 Enabling SSL Disabled page 8-17 page 8-19 The switches covered in this guide use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security(TLSv1) to provide remote web access to the switches via encrypted paths between the switch and manage­...
  • Page 305: Terminology

    Configuring Secure Socket Layer (SSL) Terminology 1. Switch-to-Client SSL Cert. SSL Client ProCurve Browser Switch 2. User-to-Switch (login password and (SSL enable password authentication) Server) options: – Local – TACACS+ – RADIUS Figure 8-1. Switch/User Authentication SSL on the switches covered in this guide supports these data encryption methods: ■...
  • Page 306 Configuring Secure Socket Layer (SSL) Terminology Root Certificate: A trusted certificate used by certificate authorities to ■ sign certificates (CA-Signed Certificates) and used later on to verify that authenticity of those signed certificates. Trusted certificates are distrib­ uted as an integral part of most popular web clients. (see browser docu­ mentation for which root certificates are pre-installed).
  • Page 307: Prerequisite For Using Ssl

    Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com­ puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include:...
  • Page 308: General Operating Rules And Notes

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re­ generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all management stations (clients) you previously set up for SSL access to the switch.
  • Page 309: Configuring The Switch For Ssl Operation

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl page 8-19 show config page 8-19 show crypto host-cert page 8-12 crypto key generate cert [rsa] <512 | 768 |1024> page 8-10 zeroize cert page 8-10...
  • Page 310: Generating The Switch's Server Host Certificate

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Security Tab Password Button Figure 8-2. Example of Configuring Local Passwords 1. Proceed to the security tab and select device passwords button. 2. Click in the appropriate box in the Device Passwords window and enter user names and passwords.
  • Page 311: To Generate Or Erase The Switch's Server Certificate

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.) The server certificate is stored in the switch’s flash memory.
  • Page 312: Comments On Certificate Fields

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI commands used to generate a Server Host Certificate. Syntax: crypto key generate cert [rsa] < 512 | 768 |1024 > Generates a key pair for use in the certificate. crypto key zeroize cert Erases the switch’s certificate key and disables SSL opera­...
  • Page 313 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Table 8-1. Certificate Field Descriptions Field Name Description Valid Start Date This should be the date you desire to begin using the SSL functionality. Valid End Date This can be any future date, however good security practices would suggest a valid duration of about one year between updates of passwords and keys.
  • Page 314: Generate A Self-Signed Host Certificate With The Web Browser

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI Command to view host certificates. Syntax: show crypto host-cert Displays switch’s host certificate To view the current host certificate from the CLI you use the show crypto host­ cert command.
  • Page 315 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To generate a self signed host certificate from the web browser interface: i. Proceed to the Security tab then the SSL button. The SSL config­ uration screen is split up into two halves. The left half is used in creating a new certificate key pair and (self-signed / CA-signed) certificate.
  • Page 316 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers inter­ face: Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments Figure 8-5.
  • Page 317: Generate A Ca-Signed Server Host Certificate With The Web Browser Interface

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 8-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web browser interface To install a CA-Signed server host certificate from the web browser interface. For more information on how to access the web browser interface, refer to the chapter titled “Using the ProCurve Web Browser Interface”...
  • Page 318 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.
  • Page 319: Enabling Ssl On The Switch And Anticipating Ssl Browser Contact Behavior

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----­ MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMBIGA1UEChMLT3Bwb3J0dW5pdGkxGDAW BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0+aMcXgVruVixw/xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B Figure 8-7. Request for Verified Host Certificate Web Browser Interface Screen 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior he web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients.
  • Page 320 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation N o t e Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generating the Switch’s Server Host Certificate”...
  • Page 321: Using The Cli Interface To Enable Ssl

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI Interface to Enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443).
  • Page 322 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and port number Selection Figure 8-8. Using the web browser interface to enable SSL and select TCP port number N o t e o n P o r t ProCurve recommends using the default IP port number (443).
  • Page 323: Common Errors In Ssl Setup

    Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 8-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host...
  • Page 324 Configuring Secure Socket Layer (SSL) Common Errors in SSL setup 8-22...
  • Page 325: Ipv4 Access Control Lists (Acls)

    IPv4 Access Control Lists (ACLs) Contents Introduction ..........9-4 ACL Applications .
  • Page 326 IPv4 Access Control Lists (ACLs) Contents Guidelines for Planning the Structure of an ACL ....9-24 ACL Configuration and Operating Rules ..... . . 9-25 How an ACE Uses a Mask To Screen Packets for Matches .
  • Page 327 IPv4 Access Control Lists (ACLs) Contents Editing ACLs and Creating an ACL Offline ....9-61 Using the CLI To Edit ACLs ........9-61 General Editing Rules .
  • Page 328: Introduction

    IPv4 Access Control Lists (ACLs) Introduction Introduction Feature Default Menu Numbered ACLs Standard ACLs None — 9-40 — Extended ACLs None — 9-45 — Named ACLs — 9-51 — Enable or Disable an ACL — 9-53 — Display ACL Data —...
  • Page 329: Optional Pcm And Idm Applications

    IPv4 Access Control Lists (ACLs) Introduction Optional PCM and IDM Applications ProCurve Manager is a Windows-based network management solution for all manageable ProCurve devices. It provides network mapping and polling capabilities, device auto-discovery and topology, tools for device configura­ tion and management, monitoring network traffic, and alerts and trouble­ shooting information for ProCurve networks.
  • Page 330 IPv4 Access Control Lists (ACLs) Introduction For ACL filtering to take effect, configure an ACL and then assign it to the inbound traffic on a statically configured port or trunk. Table 9-1. Comprehensive Command Summary Action Command Page Configuring Standard ProCurve(config)# [no] access-list <...
  • Page 331: Terminology

    IPv4 Access Control Lists (ACLs) Terminology Action Command Page Deleting an ACL from ProCurve(config)# no ip access-list < standard < name-str | 1-99 >> 9-54 the Switch ProCurve(config)# no ip access-list < extended < name-str | 100 -199 >> Displaying ACL Data ProCurve(config)# show access-list 9-55...
  • Page 332 IPv4 Access Control Lists (ACLs) Terminology ACL ID: A number or alphanumeric string used to identify an ACL. A standard ACL ID can have either a number from 1 to 99 or an alphanumeric string. An extended ACL ID can have either a number from 100 to 199 or an alphanumeric string.
  • Page 333 IPv4 Access Control Lists (ACLs) Terminology the ACL. Doing so permits an inbound packet that is not explicitly permit­ ted or denied by other ACEs configured sequentially earlier in the ACL. Unless otherwise noted, “implicit deny IP any” refers to the “deny” action enforced by both standard and extended ACLs.
  • Page 334: Overview

    IPv4 Access Control Lists (ACLs) Overview Overview Types of IP ACLs Standard ACL: Use a standard ACL when you need to permit or deny traffic based on source IP address. Standard ACLs are also useful when you need to quickly control a performance problem by limiting traffic from a subnet, group of devices, or a single device.
  • Page 335: Features Common To All Acls

    IPv4 Access Control Lists (ACLs) Overview The subnet mask for this 2610Switch with IP Routing example is 255.255.255.0. Enabled VLAN A 10.28.10.5 10.28.10.1 Port 1 (One Subnet) VLAN B 10.28.20.1 Because of multinetting, (One Subnet) Port 2 traffic routed from 10.28.40.17 to 10.28.30.33 VLAN C 18.28.40.17...
  • Page 336: General Steps For Planning And Configuring Acls

    IPv4 Access Control Lists (ACLs) Overview General Steps for Planning and Configuring ACLs 1. Identify the traffic type to filter. Options include: • Any inbound IP traffic • Inbound TCP traffic only • Inbound UDP traffic only 2. The SA and/or the DA of inbound traffic you want to permit or deny. 3. Determine the best points at which to apply specific ACL controls.
  • Page 337: Acl Operation

    IPv4 Access Control Lists (ACLs) ACL Operation ACL Operation Introduction An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). An ACL applies only to the switch in which it is configured. ACLs operate on assigned ports and static trunks, and filter these traffic types: ■...
  • Page 338: The Packet-Filtering Process

    IPv4 Access Control Lists (ACLs) ACL Operation The Packet-Filtering Process Sequential Comparison and Action. When the switch uses an ACL to fil­ ter a packet, it sequentially compares each ACE’s filtering criteria to the corresponding data in the packet until it finds a match. For a packet with a source IP address of 10.28.156.3, the switch: 1.
  • Page 339 IPv4 Access Control Lists (ACLs) ACL Operation N o t e o n I m p l i c i t For ACLs configured to filter inbound packets, note that Implicit Deny filters D e n y any packets, including those with a DA specifying the switch itself. This operation helps to prevent management access from unauthorized IP sources.
  • Page 340 IPv4 Access Control Lists (ACLs) ACL Operation Deny only the inbound Telnet traffic sent from IP address 11.11.11.101. Permit only inbound Telnet traffic sent from IP address 11.11.11.33. Deny all other inbound traffic on port 12. The following ACL model, when assigned to inbound filtering on port 12, supports the above case: 1. Permits IP traffic inbound from source address 11.11.11.42.
  • Page 341: Planning An Acl Application

    IPv4 Access Control Lists (ACLs) Planning an ACL Application Overriding the Implicit “Deny Any”. If you want an ACL to permit any inbound packets that are not explicitly denied by other entries in the ACL, you can do so by configuring a permit any entry as the last entry in the ACL. Doing so permits any packet not explicitly denied by earlier entries.
  • Page 342: Rule Usage

    IPv4 Access Control Lists (ACLs) Planning an ACL Application Rule Usage There is only one implicit “deny any” entry per device for CLI ACLs, ■ and one implicit “deny any” entry per device for IDM ACLs. ■ The implicit “deny any” entry is created only the first time an ACL is applied to a port.
  • Page 343: Managing Acl Resource Consumption

    IPv4 Access Control Lists (ACLs) Planning an ACL Application The following two CLI commands are useful for planning and monitoring rule and mask usage in an ACL configuration. Syntax: access-list resources help Provides a quick reference on how ACLs use rule resources. Includes most of the information in table 9-2, plus an ACL usage summary.
  • Page 344: Example Of Acl Resource Usage

    IPv4 Access Control Lists (ACLs) Planning an ACL Application 3. Determine which of the existing policies you can remove to free up rule resources for the ACL policy you want to implement. Depending on your network topology and configuration, you can free up rule resources by moving some policies to other devices.
  • Page 345 IPv4 Access Control Lists (ACLs) Planning an ACL Application (Assume that ports 1-4 are tagged members of VLAN 22, although tagged/ untagged ports do not affect ACL operation because ACLs examine all inbound traffic, regardless of VLAN membership.) The system administrator wants to: Permit inbound VLAN 1 traffic on all ports ■...