Page of 306
Download Print This PagePrint Bookmark Comment

HP 2600 Series Function Manual

Access security guide procurve 2600, 2600-pwr, 2800, 4100, 6108 series.
Hide thumbs
ProCurve Switches
Switch 2600 Series
Switch 2600-PWR Series
Switch 2800 Series
Switch 4100 Series
Switch 6108 Series

Advertising

   Summary of Contents for HP 2600 Series

  • Page 1: Access Security Guide

    ProCurve Switches Access Security Guide Switch 2600 Series Switch 2600-PWR Series Switch 2800 Series Switch 4100 Series Switch 6108 Series...

  • Page 3

    ProCurve Switch 2600 Series Switch 2600-PWR Series Switch 2800 Series Switch 4100gl Series Switch 6108 Access Security Guide December 2008...

  • Page 4

    (J8152A) Warranty (J4902A). See the Customer Support/Warranty booklet included with the product. A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.

  • Page 5: Table Of Contents, Getting Started, Configuring Username And Password Security

    About Your Switch Manual Set ........

  • Page 6: Table Of Contents, Web And Mac Authentication For The Series, Pwr And 2800 Switches

    Configure the Switch for Web-Based Authentication ... . . 3-18 Configuring MAC Authentication on the Switch ....3-22 Overview .

  • Page 7: Table Of Contents, Tacacs+ Authentication, Radius Authentication And Accounting

    Terminology ........... 5-3 Switch Operating Rules for RADIUS ....... 5-4 General RADIUS Setup Procedure .

  • Page 8: Table Of Contents, Configuring Secure Shell (ssh), Configuring Secure Shell (ssh)

    General Operating Rules and Notes ....... . 6-8 Configuring the Switch for SSH Operation ......6-9 1.

  • Page 9: Table Of Contents

    General Operating Rules and Notes ....... . 7-6 Configuring the Switch for SSL Operation ......7-7 1.

  • Page 10: Table Of Contents, Configuring And Monitoring Port Security

    4. Enter the RADIUS Host IP Address(es) ..... . 8-20 5. Enable 802.1X Authentication on the Switch ....8-20 802.1X Open VLAN Mode .

  • Page 11: Table Of Contents

    MAC Lockdown ..........9-17 Differences Between MAC Lockdown and Port Security .

  • Page 12: Table Of Contents

    Defining Authorized Management Stations ......11-4 Overview of IP Mask Operation ......11-4 Menu: Viewing and Configuring IP Authorized Managers .

  • Page 13: Product Documentation

    Product Documentation About Your Switch Manual Set The switch manual set includes the following: Read Me First - a printed guide shipped with your switch. Provides ■ software update information, product notes, and other information. ■ Installation and Getting Started Guide - a printed guide shipped with your switch.

  • Page 14

    Product Documentation Feature Index For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. (Note that some software features are not supported on all switch models.) Feature 802.1Q VLAN Tagging...

  • Page 15

    Feature LACP Link LLDP MAC Address Management MAC Lockdown MAC Lockout MAC-based Authentication Monitoring and Analysis Multicast Filtering Network Management Applications (LLDP, SNMP) Passwords Ping Port Configuration Port Security Port Status Port Trunking (LACP) Port-Based Access Control Port-Based Priority (802.1Q) Power over Ethernet (PoE) Quality of Service (QoS) RADIUS Authentication and Accounting...

  • Page 16

    Product Documentation Feature Source-Port Filters Spanning Tree (STP, RSTP, MSTP) SSH (Secure Shell) Encryption SSL (Secure Socket Layer) Stack Management (Stacking) Syslog System Information TACACS+ Authentication Telnet Access TFTP Time Protocols (TimeP, SNTP) Traffic/Security Filters Troubleshooting VLANs Web-based Authentication Xmodem Management and Advanced Traffic Configuration...

  • Page 17: Contents

    Management Access Security Protection ......1-3 General Switch Traffic Security Guidelines ..... . 1-4 Conventions .

  • Page 18: Introduction, Overview Of Access Security Features

    Getting Started Introduction Introduction This Access Security Guide describes how to use ProCurve’s switch security features to protect access to your switch. This guide is intended to support the following switches: ProCurve Series 2600 ■ ProCurve Series 2600-PWR ■ ■...

  • Page 19: Management Access Security Protection

    ■ connections, enables the switch to allow or deny traffic between a port and an 802.1X-aware device (supplicant) attempting to access the switch. Also enables the switch to operate as a supplicant for connections to other 802.1X-aware switches. ■ Port Security (page 9-1): Enables a switch port to maintain a unique list of MAC addresses defining which specific devices are allowed to access the network through that port.

  • Page 20: General Switch Traffic Security Guidelines

    General Switch Traffic Security Guidelines Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.

  • Page 21: Conventions, Feature Descriptions By Model, Command Syntax Statements

    This guide uses the following conventions for command syntax and displayed information. Feature Descriptions by Model In cases where a software feature is not available in all of the switch models covered by this guide, the section heading specifically indicates which product or product series offer the feature.

  • Page 22: Command Prompts, Screen Simulations, Port Identity Examples

    Getting Started Conventions Command Prompts In the default configuration, your switch displays one of the following CLI prompts: ProCurve Switch 4104# ProCurve Switch 4108# ProCurve Switch 2626# ProCurve Switch 2650# ProCurve Switch 6108# To simplify recognition, this guide uses ProCurve to represent command prompts for all models.

  • Page 23: Sources For More Information

    Sources for More Information For additional information about switch operation and features not covered in this guide, consult the following sources: For information on which product manual to consult on a given ■ software feature, refer to “Product Documentation” on page xi.

  • Page 24: Need Only A Quick Start?, Ip Addressing, Need Only A Quick Start

    Need Only a Quick Start? IP Addressing If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using multiple VLANs, ProCurve recommends that you use the Switch Setup screen to quickly configure IP addressing.

  • Page 25: To Set Up And Install The Switch In Your Network

    To Set Up and Install the Switch in Your Network I m po r t a n t ! Use the Installation and Getting Started Guide shipped with your switch for the following: Notes, cautions, and warnings related to installing and using the ■...

  • Page 26

    Getting Started Need Only a Quick Start? — This page is intentionally unused. — 1-10...

  • Page 27

    Configuring Username and Password Security Contents Overview ............2-2 Configuring Local Password Security .

  • Page 28: Overview

    Access to the Status and Counters menu, the Event Log, and the CLI*, but no Configuration capabilities. On the Operator level, the configuration menus, Download OS, and Reboot Switch options in the Main Menu are not available. — — page 2-6...

  • Page 29

    C a u t i o n If the switch has neither a Manager nor an Operator password, anyone having access to the switch through either Telnet, the serial port, or the web browser interface can access the switch with full manager privileges. Also, if you configure only an Operator password, entering the Operator pass- word enables full manager privileges.

  • Page 30: Configuring Local Password Security, Menu: Setting Passwords

    After you configure a password, if you subsequently start a new console session, you will be prompted to enter the password. (If you use the CLI or web browser interface to configure an optional username, the switch will prompt you for the username, and then the password.)

  • Page 31: Cli: Setting Passwords And Usernames

    If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.

  • Page 32: Web: Setting Passwords And Usernames

    The effect of executing the command in figure 2-3 is to remove password protection from the Operator level. (This means that anyone who can access the switch console can gain Operator access without having to enter a user- name or password.)

  • Page 33: Front-panel Security, When Security Is Important

    Passwords could easily be cleared by pressing the Clear button. Someone who has physical access to the switch may be able to erase the passwords (and possibly configure new passwords) and take control of the switch.

  • Page 34: Front-panel Button Functions

    As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions The front panel of the switch includes the Reset button and the Clear button. Power Fault Reset Button Figure 2-4.

  • Page 35

    Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.

  • Page 36: Configuring Front-panel Security

    Release the Reset button and wait for about one second for the Self-Test LED to start flashing. When the Self-Test LED begins flashing, release the Clear button This process restores the switch configuration to the factory default settings. Configuring Front-Panel Security Using the front-panel-security command from the global configuration context in the CLI you can: •...

  • Page 37

    Enabled means that pressing the Reset button reboots the switch and also enables the Reset button to be used with the Clear button (page 2-9) to reset the switch to its factory-default configuration. (Default: Enabled.) Password Recovery: Shows whether the switch is configured with the ability to recover a lost password.

  • Page 38

    Configuring Username and Password Security Front-Panel Security For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings. Figure 2-7. The Default Front-Panel Security Settings Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel...

  • Page 39

    This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. • Specifies whether the switch reboots if the Clear button is pressed. To re-enable password-clear, you must also specify whether to enable or disable the reset-on-clear option.

  • Page 40

    2-9 replaces the switch’s current startup-config file with the factory-default startup-config file, then reboots the switch, and removes local password protection. This means that anyone who has physical access to the switch could use this button combination to replace the switch’s current configu- ration with the factory-default configuration, and render the switch acces- sible without the need to input a username or password.

  • Page 41: Password Recovery

    Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and pass- word on the switch. In this event, there is no way to recover from a lost manager username/password situation without resetting the switch to its factory-default configuration.

  • Page 42

    If it is disabled, use the front-panel-security factory- reset command to enable it. Press and release the Clear button on the front panel of the switch. Within 60-seconds of pressing the Clear button, enter the following com- mand: Do one of the following after the “CAUTION”...

  • Page 43: Password Recovery Process

    To use the password-recovery option to recover a lost password: Note the switch’s base MAC address. It is shown on the label located on the upper right front corner of the switch.

  • Page 44

    Configuring Username and Password Security Front-Panel Security — This page is intentionally unused. — 2-18...

  • Page 45

    Configure the Switch for Web-Based Authentication ... . . 3-18 Configuring MAC Authentication on the Switch ....3-22 Overview .

  • Page 46

    The user then enters a username and password, which the switch forwards to a RADIUS server for authentication. After authentication, the switch grants access to the secured network. Other than a web browser, the client needs no special supplicant software.

  • Page 47: Client Options

    MAC Authentication (MAC-Auth). This method grants access to a secure network by authenticating devices for access to the network. When a device connects to the switch, either by direct link or through the network, the switch forwards the device’s MAC address to the RADIUS server for authentication.

  • Page 48: General Features

    General Features Web and MAC Authentication on the ProCurve Series 2600, 2600-PWR, and 2800 switches include the following: On a port configured for Web or MAC Authentication, the switch ■ operates as a port-access authenticator using a RADIUS server and the CHAP protocol.

  • Page 49: How Web And Mac Authentication Operate, Authenticator Operation

    Web-based Authentication When a client connects to a Web-Auth enabled port communication is redi- rected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their credentials.

  • Page 50

    Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches How Web and MAC Authentication Operate Figure 3-2. Progress Message During Authentication If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.

  • Page 51

    The max-retries parameter specifies how many times a client may enter their credentials before authentication fails. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out. The max-requests parameter specifies how many authentication attempts may result in a RADIUS server timeout before authentication fails.

  • Page 52

    A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out. The max- requests parameter specifies how many authentication attempts may result in a RADIUS server timeout before authentication fails.

  • Page 53: Terminology

    Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN.

  • Page 54: Operating Rules And Notes

    Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Operating Rules and Notes Operating Rules and Notes ■ You can configure one type of authentication on a port. That is, the following authentication types are mutually exclusive on a given port: •...

  • Page 55

    When a port on the switch is configured for Web or MAC Authentica- ■ tion and is supporting a current session with another device, rebooting the switch invokes a re-authentication of the connection.

  • Page 56: General Setup Procedure For Web/mac Authentication, Do These Steps Before You Configure Web/mac Authentication

    General Setup Procedure for Web/MAC Authentication N o t e o n Web / The switch does not allow Web or MAC Authentication and LACP to both be M A C enabled at the same time on the same port. The switch automatically disables A u t h e n t i c a t i on LACP on ports configured for Web or MAC Authentication.

  • Page 57

    VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify the VLAN.

  • Page 58: Mac Authentication

    Note that each switch covered by this guide applies a single MAC address to all VLANs configured in the switch. Thus, for a given switch, the MAC address is the same for all VLANs configured on the switch. (Refer to the chapter titled “Static Virtual LANs (VLANs)”...

  • Page 59: Configuring The Switch To Access A Radius Server

    Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can config- ure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (Refer to “RADIUS Authentication and Accounting” on page 5-1.) [key <...

  • Page 60

    Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring the Switch To Access a RADIUS Server For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server-specific shared secret key of ‘2Pzo22’...

  • Page 61: Configuring Web Authentication, Overview

    Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configure Web Authentication on the switch ports you want to use. specify the base IP address and mask to be used by the switch for temporary DHCP addresses.The lease length for these temporary IP addresses may also be set.

  • Page 62: Configure The Switch For Web-based Authentication

    Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring Web Authentication Configure the Switch for Web-Based Authentication Command Configuration Level aaa port-access web-based dhcp-addr aaa port-access web-based dhcp-lease [no] aaa port-access web-based [e] < port-list > [auth-vid]...

  • Page 63

    Web Auth control. When enabled, the switch allows clients to move without requiring a re-authentication. When disabled, the switch does not allow moves and when one does occur, the user will be forced to re- authenticate. At least two ports (from port(s) and to port(s)) must be specified.

  • Page 64

    This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre- authentication state. (Default: 300 seconds) aaa port-access web-based [e] <...

  • Page 65

    Syntax: aaa port-access web-based [e] < port-list > [server-timeout <1 - 300>] Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depend- ing on the current max-requests value, the switch sends a new attempt or ends the authentication session.

  • Page 66: Configuring Mac Authentication On The Switch, Overview

    VLANs are configured on the switch and that the appropriate port assignments have been made. Use the ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support MAC-Auth on the switch.

  • Page 67: Configure The Switch For Mac-based Authentication

    Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configure the Switch for MAC-Based Authentication Command Configuration Level aaa port-access mac-based addr-format [no] aaa port-access mac-based [e] < port-list > [addr-limit] [addr-moves] [auth-vid] [logoff-period] [max-requests] [quiet-period] [reauth-period] [reauthenticate]...

  • Page 68

    This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre- authentication state. (Default: 300 seconds) aaa port-access mac-based [e] <...

  • Page 69

    Syntax: aaa port-access mac-based [e] < port-list > [server-timeout <1 - 300>] Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depend- ing on the current max-requests value, the switch sends a new attempt or ends the authentication session.

  • Page 70: Show Status And Configuration Of Web-based Authentication

    Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Status and Configuration of Web-Based Authentication Show Status and Configuration of Web-Based Authentication Command show port-access [ [clients] [config] [config [auth-server]] [config [web-server]] show port-access Syntax: Syntax: Syntax: 3-26 port-list ] web-based...

  • Page 71: Show Status And Configuration Of Mac-based Authentication

    Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.

  • Page 72

    Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Status and Configuration of MAC-Based Authentication Syntax: Syntax: Syntax: Syntax: 3-28 show port-access [port-list] mac-based [clients]] Shows the port address, MAC address, session status, and elapsed session time for attached clients on all ports or the specified ports.

  • Page 73: Show Client Status

    Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Connection authenticated Authorized VLAN authenticating Switch only rejected-no vlan No network access rejected-unauth vlan Unauthorized VLAN only 1. Invalid credentials supplied. timed out-no vlan No network access...

  • Page 74

    Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Client Status — This page is intentionally unused. — 3-30...

  • Page 75

    General Authentication Setup Procedure ......4-5 Configuring TACACS+ on the Switch ......4-8 Before You Begin .

  • Page 76

    TACACS+ server(s) disabled TACACS+ authentication enables you to use a central server to allow or deny access to the switch (and other TACACS-aware devices) in your network. This means that you can use a central database to create multiple unique username/ password sets with associated privilege levels for use by individuals who have reason to access the switch from either the switch’s console port (local...

  • Page 77: Terminology Used In Tacacs Applications:, Terminology Used In Tacacs Applications

    If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/write) privilege level access.

  • Page 78

    • • Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager- level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or web browser inter- face.

  • Page 79: General System Requirements, General Authentication Setup Procedure

    TACACS+ servers. ProCurve recommends that you use a TACACS+ server application that supports a redundant backup installation. This allows you to configure the switch to use a backup TACACS+ server if it loses access to the first-choice TACACS+ server.

  • Page 80

    The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Trouble- shooting chapter of the Management and Configuration Guide for your switch.

  • Page 81

    When a TACACS+ server authenticates an access request from a switch, Privil ege Levels it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of “15” as authorization for the Manager (read/write) privilege level access.

  • Page 82: Configuring Tacacs+ On The Switch, Before You Begin

    TACACS+ server application for console access. Then test the console access. If access problems occur, check for and correct any problems in the switch configuration, and then test console access again. If problems persist, check your TACACS+ server application for mis-configurations or missing data that could affect the console access.

  • Page 83: Cli Commands Described In This Section, Viewing The Switch's Current Authentication Configuration

    < ip-addr > timeout < 1-255 > Viewing the Switch’s Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access. Syntax: This example shows the default authentication configuration.

  • Page 84

    TACACS+ servers the switch can contact. Syntax: For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a (global) encryption key, show tacacs would produce a listing similar to the...

  • Page 85: Configuring The Switch's Authentication Methods

    Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied).

  • Page 86

    No secondary type of authentication for the specified method/privilege path. (Available only if the primary method of authentication for the access being configured is local.) Note: If you do not specify this parameter in the command line, the switch automatically assigns the secondary method as follows: tacacs •...

  • Page 87

    *When “local” is the primary option, you can also select “local” as the secondary option. However, in this case, a secondary “local” is meaningless because the switch has only one local level of username/password protection. Caution Regarding During local authentication (which uses passwords configured in the switch...

  • Page 88

    TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server.

  • Page 89: Configuring The Switch's Tacacs+ Server Access

    If the switch sends an authentication request, but does not receive a response within the period specified by the timeout value, the switch resends the request to the next server in its Server IP Addr list, if any. If the switch still fails to receive a response from any...

  • Page 90

    TACACS+ servers the switch will attempt to use for authentication. If you configure a global encryption key, the switch uses it only with servers for which you have not also configured a server-specific key. Thus, a global...

  • Page 91

    Use show tacacs to view the current IP address list. If the first-choice TACACS+ server fails to respond to a request, the switch tries the second address, if any, in the show tacacs list. If the second address also fails, then the switch tries the third address, if any.

  • Page 92

    <1 - 255> Specifies how long the switch waits for a TACACS+ server to respond to an authentication request. If the switch does not detect a response within the timeout period, it initiates a new request to the next TACACS+ server in the list. If all TACACS+ servers in the list fail to respond within the timeout period, the switch uses either local authentication (if configured) or denies access (if none configured for local authentication).

  • Page 93

    Configuring an Encryption Key. Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key. (If the server expects a key, but the switch either does not provide one, or provides an incorrect key, then the authentication attempt will fail.) Use a global encryption key if the same key applies to all TACACS+...

  • Page 94: How Authentication Operates, General Authentication Process Using A Tacacs+ Server

    Configuring the Timeout Period. The timeout period specifies how long the switch waits for a response to an authentication request from a TACACS+ server before either sending a new request to the next server in the switch’s Server IP Address list or using the local authentication option. For example,...

  • Page 95

    After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs: •...

  • Page 96: Local Authentication Process

    Configuring TACACS+ on the Switch Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentica- tion only if one of these two conditions exists: “Local” is the authentication option for the access method being used.

  • Page 97: Using The Encryption Key

    Thus, on the TACACS+ server side, you have a choice as to how to implement a key. On the switch side, it is necessary only to enter the key parameter so that it exactly matches its counterpart in the server. For information on how to configure a general or individual key in the TACACS+ server, refer to the documentation you received with the application.

  • Page 98: Authentication, Controlling Web Browser Interface Access When Using Tacacs

    10.28.227.87) that has this key is different than the one used for the two servers in the previous example, you will need to assign a server-specific key in the switch that applies only to the designated server: ProCurve(config)# tacacs-server host 10.28.227.87 key...

  • Page 99: Messages Related To Tacacs+ Operation, Operating Notes

    CLI Message Meaning Connecting to Tacacs server The switch is attempting to contact the TACACS+ server identified in the switch’s server Connecting to secondary The switch was not able to contact the first-choice TACACS+ server, and is now Tacacs server attempting to contact the next (secondary) TACACS+ server identified in the switch’s...

  • Page 100

    TACACS+ Authentication Configuring TACACS+ on the Switch When TACACS+ is not enabled on the switch—or when the switch’s ■ only designated TACACS+ servers are not accessible— setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthor- ized persons.)

  • Page 101

    Terminology ........... 5-3 Switch Operating Rules for RADIUS ....... 5-4 General RADIUS Setup Procedure .

  • Page 102

    ■ Port-Access Note The switch does not support RADIUS security for SNMP (network manage- ment) access or, for the 4100gl and 6108 switches, web browser interface access. For information on blocking unauthorized access through the web browser interface, refer to “Controlling Web Browser Interface Access When Using RADIUS Authentication”...

  • Page 103

    EAP type, such as MD5-Challenge, Generic Token Card, and TLS (Transport Level Security). Host: See RADIUS Server. NAS (Network Access Server): In this case, a ProCurve switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): RADIUS Client: The device that passes user information to designated RADIUS servers.

  • Page 104: Switch Operating Rules For Radius

    RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius (page 5-25). If the first server does not respond, the switch tries the next one, and so-on. (To change the order in which the switch accesses RADIUS servers, refer to “Changing RADIUS-Server Access Order”...

  • Page 105: General Radius Setup Procedure

    • Determine the IP address(es) of the RADIUS server(s) you want to support the switch. (You can configure the switch for up to three RADIUS servers.) • If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific RADIUS server, select it before beginning the configuration process.

  • Page 106: Configuring The Switch For Radius Authentication

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. ProCurve recommends that you begin with the default (five seconds). • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting.

  • Page 107: Outline Of The Steps For Configuring Radius Authentication

    (Optional) encryption key for use during authentication sessions with a RADIUS server. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server. (Default: null)

  • Page 108: To Protect

    (or tacacs) for primary authentication, you must configure local for the secondary method. This prevents the possibility of being com- pletely locked out of the switch in the event that all primary access methods fail. Server Dead-Time: The period during which the switch will not send new authentication requests to a RADIUS server that has failed to respond to a previous request.

  • Page 109

    Syntax: aaa authentication < console | telnet | ssh | web > < enable | login > < radius > For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s local passwords):...

  • Page 110: Configure The Switch To Access A Radius Server

    This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 5-17: “Configuring RADIUS Accounting” instead of continuing here. Syntax: [no] radius-server host < ip-address >...

  • Page 111

    For example, suppose you have configured the switch as shown in figure 5-3 and you now need to make the following changes: Change the encryption key for the server at 10.33.18.127 to “source0127”. Add a RADIUS server with an IP address of 10.33.18.119 and a server- specific encryption key of “source0119”.

  • Page 112: Configure The Switch's Global Radius Parameters

    (This is a general aaa authentication parameter and is not specific to RADIUS.) Global server key: The server key the switch will use for contacts ■ with all RADIUS servers for which there is not a server-specific key configured by radius-server host <...

  • Page 113

    If none of the servers respond, then the switch attempts to use the secondary authentication method configured for the type of access being attempted (console, Telnet, or SSH).

  • Page 114

    For example, suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key. In this case your plan is to configure the switch with the following global authentication parameters: Allow only two tries to correctly enter username and password.

  • Page 115

    Server IP Addr Port --------------- ----- ----- -------------------------------- 10.33.18.127 1812 10.33.18.119 1812 10.33.18.151 1812 Figure 5-6. Listings of Global RADIUS Parameters Configured In Figure 5-5 Configuring the Switch for RADIUS Authentication Login Enable Secondary Primary None Local None Radius None...

  • Page 116

    RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: “Local” is the authentication option for the access method being used.

  • Page 117: Configuring Radius Accounting, Authentication

    ■ Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch. ■ Configure the switch’s Authorized IP Manager feature to allow web browser access only from authorized management stations. (The Authorized IP Manager feature does not interfere with TACACS+ operation.)

  • Page 118

    5-5 before continuing here. RADIUS accounting collects data about user activity and system events and sends it to a RADIUS server when specified events occur on the switch, such as a logoff or a reboot. The switch supports three types of accounting services: Network accounting: Provides records containing the information ■...

  • Page 119: Operating Rules For Radius Accounting, Steps For Configuring Radius Accounting

    RADIUS servers are accessed in the order in which their IP addresses ■ were configured in the switch. Use show radius to view the order. As long as the first server is accessible and responding to authentication requests from the switch, a second or third server will not be accessed.

  • Page 120

    Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 5-10. You need to repeat this step here only if you have not...

  • Page 121

    (For a more complete description of the radius-server command and its options, turn to page 5-10.) For example, suppose you want to the switch to use the RADIUS server described below for both authentication and accounting purposes. ■...

  • Page 122: Reports To The Radius Server

    Figure 5-7. Example of Configuring for a RADIUS Server with a Non-Default Accounting UDP Port Number The radius-server command as shown in figure 5-7, above, configures the switch to use a RADIUS server at IP address 10.33.18.151, with a (non-default) UDP accounting port of 1750, and a server-specific key of “source0151”.

  • Page 123

    • The system option (page 5-22) always delivers stop-only operation because the switch sends the accumulated data only when there is a reboot, reload, or accounting on/off event. Syntax: [no] aaa accounting < exec | network | system > < start-stop | stop-only >...

  • Page 124

    Syntax: [no] aaa accounting update periodic < 1 - 525600 > Syntax: [no] aaa accounting suppress null-username To continue the example in figure 5-8, suppose that you wanted the switch to: Send updates every 10 minutes on in-progress accounting sessions.

  • Page 125: Viewing Radius Statistics, General Radius Statistics

    IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which. requires prior use of the radius-server host command. (See “Configuring RADIUS Accounting” on page 5-17.)

  • Page 126

    The number of RADIUS packets which were received from this server on the accounting port and dropped for some other reason. Access Requests The number of RADIUS Access-Requests the switch has sent since it was last rebooted. (Does not include retransmissions.) Accounting Requests The number of RADIUS Accounting-Request packets sent.

  • Page 127: Radius Authentication Statistics

    Figure 5-13. Example of RADIUS Authentication Information from a Specific Server Displays the primary and secondary authentication meth- ods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session. show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.

  • Page 128: Radius Accounting Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Figure 5-14. Listing the Accounting Configuration in the Switch Figure 5-15. Example of RADIUS Accounting Information for a Specific Server 5-28 Lists configured accounting interval, “Empty User” suppres- sion status, accounting types, methods, and modes.

  • Page 129: Changing Radius-server Access Order

    Figure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.

  • Page 130

    Delete 10.10.10.001 from the list. This opens the first (highest) position in the list. Re-enter 10.10.10.003. Because the switch places a newly entered address in the highest-available position, this address becomes first in the list. Re-enter 10.10.10.001. Because the only position open is the third position, this address becomes last in the list.

  • Page 131: Messages Related To Radius Operation

    A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is accessible, then verify that the switch is using the correct encryption key and that the server is correctly configured to receive an authentication request from the switch.

  • Page 132

    RADIUS Authentication and Accounting Messages Related to RADIUS Operation — This page is intentionally unused. — 5-32...

  • Page 133

    General Operating Rules and Notes ....... . 6-8 Configuring the Switch for SSH Operation ......6-9 1.

  • Page 134

    Client Public Key Authentication (Login/Operator Level) with User Password Authentication (Enable/Manager Level). This option uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.

  • Page 135

    OpenSSH, visit http://www.openssh.com . Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication show in figure 6-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.

  • Page 136

    Key Pair: A pair of keys generated by the switch or an SSH client ■ application. Each pair includes a public key, that can be read by anyone and a private key, that is held internally in the switch or by a client. PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted ■...

  • Page 137: Prerequisite For Using Ssh, Public Key Formats

    Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), then the client program must have the capability to generate or import keys.

  • Page 138

    (Enable) ssh enable tacacs Level ssh enable radius For ssh login public-key, the switch uses client public-key authentication instead of the switch password options for primary authentication. The general steps for configuring SSH include: A. Client Preparation Authenticate...

  • Page 139

    (page 6-9). Generate a public/private key pair on the switch (page 6-10). You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. (You can remove or replace this key pair, if necessary.) Copy the switch’s public key to the SSH clients you want to access...

  • Page 140: General Operating Rules And Notes

    The switch’s own public/private key pair and the (optional) client ■ public key file are stored in the switch’s flash memory and are not affected by reboots or the erase startup-config command. Once you generate a key pair on the switch you should avoid re- ■...

  • Page 141: Configuring The Switch For Ssh Operation, Assign Local Login (operator) And Enable (manager) Password

    At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration. To Configure Local Passwords. You can configure both the Operator and Manager password with one command.

  • Page 142: Generate The Switch's Public And Private Key Pair

    Figure 6-5. Example of Configuring Local Passwords 2. Generate the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.

  • Page 143

    Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be "permanent";...

  • Page 144: Provide The Switch's Public Key To Clients

    If you wish to compare the switch key to the key as stored in your client's known-hosts file, note that the formatting and comments need not match. For version 1 keys, the three numeric values bit size, exponent <e>, and modulus...

  • Page 145

    (laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one blank space each: Bit Size Exponent <e>...

  • Page 146

    Inserted Size Address Figure 6-9. Example of a Switch Public Key Edited To Include the Switch’s IP Address For more on this topic, refer to the documentation provided with your SSH client application. Displaying the Public Key. The switch provides three options for display- ing its public key.

  • Page 147: Contact Behavior, Enable Ssh On The Switch And Anticipate Ssh Client

    (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host” file. The switch has only one RSA host key. The 'babble' and 'fingerprint' options produce two hashes...

  • Page 148

    See the following Note.) Note When an SSH client connects to the switch for the first time, it is possible for a "man-in-the-middle" attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords controlling access to the switch.

  • Page 149

    The ip ssh key-size command affects only a per-session, internal server key the switch creates, uses, and discards. This key is not accessible from the user interface. The switch’s public (host) key is a separate, accessible key that is always 896 bits.

  • Page 150: Configure The Switch For Ssh Authentication

    Telnet, SNMP, or the serial port. While web and Telnet access can be restricted by the use of passwords local to the switch, if you are unsure of the security this provides, you may want to disable web-based and/or Telnet access (no web-management and no telnet).

  • Page 151

    This option requires the additional step of copying a client public-key file from a TFTP server into the switch. This means that before you can use this option, you must: Create a key pair on an SSH client.

  • Page 152

    For example, assume that you have a client public-key file named Client- Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch. For SSH access to the switch you want to allow only clients having a private key that matches a public key found in Client-Keys.pub. For Manager-...

  • Page 153: Use An Ssh Client To Access The Switch, Further Information On Ssh Client Public-key Authentication

    6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems" in the Troubleshooting chapter of the Manage- ment and Configuration Guide for your switch.

  • Page 154

    SSH. That is, if you use this feature, only the clients whose public keys are in the client public-key file you store on the switch will have SSH access to the switch over the network.

  • Page 155

    Using client public-key authentication requires these steps: Generate a public/private key pair for each client you want to have SSH access to the switch. This can be a separate key for each client or the same key copied to several clients.

  • Page 156

    <CR><LF>. Spaces are allowed within the key to delimit the key’s components. Note that, unlike the use of the switch’s public key in an SSH client application, the format of a client-public-key used by the switch does not include the client’s IP address.

  • Page 157

    Figure 6-15. Example of Copying and Displaying a Client Public-Key File Containing Two Client Public Keys Replacing or Clearing the Public Key File. The client public-key file remains in the switch’s flash memory even if you erase the startup-config file, reset the switch, or reboot the switch.

  • Page 158

    If an SSH client’s public key matches the switch’s client-public-key ■ file, allow that client access to the switch. If there is not a public-key match, then deny access to that client. If an SSH client’s public key does not have a match in the switch’s ■...

  • Page 159: Messages Related To Ssh Operation

    TCP port. Use the default or select another port number. See “Note on Port Number” on page 6-17. The client key does not exist in the switch. Use copy tftp to download the key from a TFTP server. The public key file you are trying to download has one of the following problems: •...

  • Page 160

    After you execute the crypto key generate ssh [rsa] command, the switch displays this message while it is generating the key. The switch’s key is missing or corrupt. Use the crypto key generate ssh [rsa] command to generate a new key for the switch.

  • Page 161

    General Operating Rules and Notes ....... . 7-6 Configuring the Switch for SSL Operation ......7-7 1.

  • Page 162

    Authentication . This option is a subset of full certificate authentication of the user and host. It occurs only if the switch has SSL enabled. As in figure 7- 1, the switch authenticates itself to SSL enabled web browser. Users on SSL...

  • Page 163

    SSL Server: A ProCurve switch with SSL enabled. ■ ■ Key Pair: Public/private pair of RSA keys generated by switch, of which public portion makes up part of server host certificate and private portion is stored in switch flash (not user accessible).

  • Page 164

    ■ switch (web interface or CLI command: crypto key generate cert [key size] (2) A certificate been generated on the switch (web interface or CLI command: crypto host-cert generate self-signed [arg-list]) and (3) SSL is enabled (web interface or CLI command: web-management ssl).

  • Page 165: Prerequisite For Using Ssl

    Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com- puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for...

  • Page 166

    General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re- generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all manage- ment stations (clients) you previously set up for SSL access to the switch.

  • Page 167: Configuring The Switch For Ssl Operation, Assign Local Login (operator) And Enable (manager) Password

    Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration. Configuring Secure Socket Layer (SSL)

  • Page 168

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface refer to the chapter titled “Using the Web Browser Interface”...

  • Page 169: Generate The Switch's Server Host Certificate

    SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.)

  • Page 170

    To generate a host certificate from the CLI: Note: If a certificate key pair is already present in the switch, it is not necessary to generate a new key pair when generating a new certificate. The existing key pair may be re-used and the crypto key generate cert command does not have...

  • Page 171: Comments On Certificate Fields

    State name Country code For example, to generate a key and a new host certificate: Figure 7-3. Example of Generating a Self-Signed Server Host certificate on the CLI for the Switch. Certificate Field Descriptions Description This should be the date you desire to begin using the SSL functionality.

  • Page 172

    SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation.

  • Page 173

    Fill in the remaining certificate arguments. (Refer to “Comments on Certificate Fields.” on page 7-11.) vi. Click on the [Apply Changes] key, if selected. Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation button. The SSL configuration [SSL] button to generate new certificate and 7-13...

  • Page 174

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers inter- face: Figure 7-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface:...

  • Page 175

    This section describes how to install a CA-Signed server host certificate from the web browser interface. (For more information on how to access the web browser interface, refer to the chapter titled “Using the Web Browser Inter- face” in the Management and Configuration Guide for your switch.) 7-15...

  • Page 176

    The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority. The second phase is the actual submission process...

  • Page 177: Behavior

    Browser Contact Behavior he web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients. After you enable SSL, the switch can authenticate itself to SSL enabled browsers. The no web- management ssl command is used to disable SSL on the switch.

  • Page 178

    Note When an SSL client connects to the switch for the first time, it is possible for a “man-in-the-middle” attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords controlling access to the switch.

  • Page 179

    Generate a Host certificate if you have not already done so. (Refer to “2. Generate the Switch’s Server Host Certificate” on page 7-9.) Execute the web-management ssl command. To disable SSL on the switch, do either of the following: Execute no web-management ssl. ■...

  • Page 180

    TCP port for SSL connec- tions except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http). Some other reserved TCP ports on the switch are 49, 80, 1506, and 1513.

  • Page 181: Common Errors In Ssl Setup

    You may be using a reserved TCP port. (Refer to “Note on Port Number” on page 7-20.) You may not have SSL enabled (Refer to “3. Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior” on page 7-17.) Your browser may not support SSLv3 or TLSv1 or it may be disabled.

  • Page 182

    Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup — This page is intentionally unused. — 7-22...

  • Page 183

    Authenticator Operation ........8-6 Switch-Port Supplicant Operation ......8-7 Terminology .

  • Page 184: Table Of Contents

    Contents Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches ......8-34 Displaying 802.1X Configuration, Statistics, and Counters .

  • Page 185: Why Use Port-based Access Control?, Overview, General Features, Why Use Port-based Access Control

    EAP or CHAP protocol. Provision for enabling clients that do not have 802.1 supplicant soft- ware to use the switch as a path for downloading the software and initiating the authentication process (802.1X Open VLAN mode). Supplicant implementation using CHAP authentication and indepen- dent username and password configuration on each port.

  • Page 186

    (Refer to “802.1X Open VLAN Mode” on page 8-21.) Authenticating One Switch to Another. 802.1X authentication also enables the switch to operate as a supplicant when connected to a port on another switch running 802.1X authentication.

  • Page 187

    Switch Running 802.1X and Connected as a Supplicant Figure 8-1. Example of an 802.1X Application Accounting . The switch also provides RADIUS Network accounting for 802.1X access. Refer to “RADIUS Authentication and Accounting” on page 5-1. Configuring Port-Based Access Control (802.1X) Switch Running 802.1X and...

  • Page 188: How 802.1x Operates, Authenticator Operation

    If you then connect an 802.1X-aware client (suppli- cant) to the port and attempt to log on: When the switch detects the client on the port, it blocks access to the LAN from that port. The switch responds with an identity request.

  • Page 189: Switch-port Supplicant Operation

    802.1X Supplicant Figure 8-2. Example of Supplicant Operation When port A1 on switch “A” is first connected to a port on switch “B”, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch “B”.

  • Page 190

    Configuring Port-Based Access Control (802.1X) Terminology • Note You can configure a switch port to operate as both a supplicant and an authenticator at the same time. Terminology 802.1X-Aware: Refers to a device that is running either 802.1X authenticator software or 802.1X client software and is capable of interacting with other devices on the basis of the IEEE 802.1X standard.

  • Page 191

    PVID (Port VID): This is the VLAN ID for the untagged VLAN to which an 802.1X port belongs. Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan < vid > command or the Menu interface.

  • Page 192

    Configuring Port-Based Access Control (802.1X) General Operating Rules and Notes member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unau- thorized-Client VLAN.

  • Page 193

    If a client already has access to a switch port when you configure the ■ port for 802.1X authenticator operation, the port will block the client from further network access until it can be authenticated. ■ On a port configured for 802.1X with RADIUS authentication, if the RADIUS server specifies a VLAN for the supplicant and the port is a trunk member, the port will be blocked.

  • Page 194: General Setup Procedure For Port-based Access Control (802.1x)

    Access Control (802.1X) Do These Steps Before You Configure 802.1X Operation Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, ProCurve recommends that you use a local username and password pair at least until your other security measures are in place.)

  • Page 195: Overview: Configuring 802.1x Authentication On The Switch

    On the ports you will use as authenticators, either accept the default 802.1X settings or change them, as necessary. Note that, by default, the port-control parameter is set to auto for all ports on the switch. This requires a client to support 802.1X authentication and to provide valid credentials to get network access.

  • Page 196

    802.1X port. See page 8-32. If you want a port on the switch to operate as a supplicant in a connection with a port operating as an 802.1X authenticator on another device, then configure the supplicant operation.

  • Page 197: Configuring Switch Ports As 802.1x Authenticators, Enable 802.1x Authentication On Selected Ports

    8-13 to activate 802.1X authentication on the switch.) Note When you enable 802.1X authentication on a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can config- ure it for 802.1X authentication.

  • Page 198

    To activate configured 802.1X operation, you must enable 802.1X authentication. Refer to “5. Enable 802.1X Authentication on the switch” on page 8-13. [control < authorized | auto | unauthorized >] Controls authentication mode on the specified port: authorized: Also termed Force Authorized.

  • Page 199

    Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Sets the period of time the switch waits for a supplicant response to an EAP re quest. If the supplicant does not respond within the configured time frame, the session times out.

  • Page 200

    Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 8-18 Configures an existing, static VLAN to be the Autho- rized-Client VLAN. Refer to “802.1X Open VLAN Mode” on page 8-21. aaa port-access authenticator < port-list > (Syntax Continued)

  • Page 201: Configure The 802.1x Authentication Method

    3. Configure the 802.1X Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenti- cator. Syntax: For example, to enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers: Figure 8-3.

  • Page 202: Enter The Radius Host Ip Address(es), Enable 802.1x Authentication On The Switch

    4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, refer to “RADIUS Authentication and...

  • Page 203: X Open Vlan Mode, Introduction

    802.1X Open VLAN Mode 802.1X Authentication Commands 802.1X Supplicant Commands 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator [e] < port-list > [auth-vid < vlan-id >] [unauth-vid < vlan-id >] 802.1X-Related Show Commands RADIUS server configuration This section describes how to use the 802.1X Open VLAN mode to configure unauthorized-client and authorized-client VLANs on ports configured as 802.1X authenticators.

  • Page 204: Use Models For 802.1x Open Vlan Modes

    You can apply the 802.1X Open VLAN mode in more than one way. Depending on your use, you will need to create one or two static VLANs on the switch for exclusive use by per-port 802.1X Open VLAN mode authentication: Unauthorized-Client VLAN: Configure this VLAN when unauthen- ■...

  • Page 205

    Table 8-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration No Open VLAN mode: Open VLAN mode with both of the following configured: Unauthorized-Client VLAN Authorized-Client VLAN Configuring Port-Based Access Control (802.1X) Port Response The port automatically blocks a client that cannot initiate an authentication session.

  • Page 206

    If the port is statically configured as an untagged member of another VLAN, the switch temporarily removes the port from membership in this other VLAN while membership in the Unauthorized-Client VLAN exists.

  • Page 207

    Configuring Port-Based Access Control (802.1X) Rule These must be configured on the switch before you configure an 802.1X authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.) If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment...

  • Page 208

    However, in this case, you can improve security between authen- ticator ports by using the switch’s Source-Port filter feature. For example, if you are using ports B1 and B2 as authenticator ports on the same Unauthor- ized-Client VLAN, you can configure a Source-Port filter on B1 to drop all packets from B2 and the reverse.

  • Page 209: Setting Up And Configuring 802.1x Open Vlan Mode

    ■ A client must either have a valid IP address configured before connecting to the switch, or download one through the Unauthorized- Client VLAN from a DHCP server. In the latter case, you will need to provide DHCP services on the Unauthorized-Client VLAN.

  • Page 210

    802.1X authenticators. (The RADIUS server should not be on the Unauthorized-Client VLAN.) Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges.

  • Page 211

    Note If you want to implement the optional port security feature on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. Then refer to “Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices”...

  • Page 212

    Configures ports A10 - A20 as 802.1 authenticator ports. ProCurve(config)# radius host 10.28.127.101 key rad4all Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101 and an encryption key of rad4all. ProCurve(config)# aaa port-access authenticator e a10-a20 unauth-vid 80 Configures ports A10 - A20 to use VLAN 80 as the Unauthorized-Client VLAN.

  • Page 213: X Open Vlan Operating Notes

    ■ While an Unauthorized-Client VLAN is in use on a port, the switch temporarily removes the port from any other statically configured VLAN for which that port is configured as a member. Note that the Menu interface will still display the port’s statically configured...

  • Page 214: X Devices

    Configuring Port-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices If an authenticated client loses authentication during a session in ■ 802.1X Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN. If there is no Unauthorized-Client VLAN configured, then the client loses access to the port until it can reauthenticate itself.

  • Page 215

    Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices N o t e o n If the port’s 802.1X authenticator control mode is configured to authorized (as B l o c k i n g a N o n - shown below, instead of auto), then the first source MAC address from any 80 2 .

  • Page 216: To Other Switches

    802.1X-Related Show Commands RADIUS server configuration You can configure a switch port to operate as a supplicant in a connection to a port on another 802.1X-aware switch to provide security on links between 802.1X-aware switches. (Note that a port can operate as both an authenticator and a supplicant.)

  • Page 217

    Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches When port A1 on switch “A” is first connected to a port on switch “B”, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch “B”.

  • Page 218

    Configuring Port-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring a Supplicant Switch Port. Note that you must enable suppli- cant operation on a port before you can change the supplicant configuration.

  • Page 219

    Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [auth-timeout < 1 - 300 >] Sets the period of time the port waits to receive a challenge from the authenticator. If the request times...

  • Page 220: Displaying 802.1x Configuration, Statistics, And Counters, Show Commands For Port-access Authenticator

    802.1X authentication. The Authenticator Backend State in this data refers to the switch’s interaction with the authentication server. • With < port-list > only, same as above, but limits port status to only the specified port. Does not display data for a specified port that is not enabled as an authenticator.

  • Page 221

    Also, for each port, the “User” column lists the user name the supplicant included in its response packet. (For the switch, this is the identity setting included in the supplicant command—page 8-36.) Does not display data for a specified port that is not enabled as an authenticator.

  • Page 222: Viewing 802.1x Open Vlan Mode Status

    Figure 8-5 shows an example of show port-access authenticator output, and table 8-1 describes the data that this command displays. Figure 8-6 shows related VLAN data that can help you to see how the switch is using statically configured VLANs to support 802.1X operation.

  • Page 223

    This is the default state for access control. Disconnected: No client is connected to the port. Authenticator Idle: The switch is not currently interacting with the RADIUS authentication server. Other states Backend State (Request, Response, Success, Fail, Timeout, and Initialize) may appear temporarily to indicate interaction with a RADIUS server.

  • Page 224

    Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Status Indicator Meaning Unauthorized VLAN < vlan-id >: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated port. 0: No unauthorized VLAN has been configured for the indicated port. <...

  • Page 225: Show Commands For Port-access Supplicant

    [[e] < port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port- list > ports configured on the switch as supplicants. The Supplicant State can include the following: Connecting - Starting authentication.

  • Page 226: How Radius/802.1x Authentication Affects Vlan Operation

    RADIUS application.) The static VLAN to which a RADIUS server assigns a client must already exist on the switch. If it does not exist or is a dynamic VLAN (created by GVRP), authentication fails. Also, for the session to proceed, the port must be an untagged member of the required VLAN.

  • Page 227

    For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Figure 8-7. Example of an Active VLAN Configuration In figure 8-7, if RADIUS authorizes an 802.1X client on port 2 with the requirement that the client use VLAN 22, then: ■...

  • Page 228

    Configuring Port-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Figure 8-8. The Active Configuration for VLAN 22 Temporarily Changes for the 802.1X Session ■ With the preceding in mind, since (static) VLAN 33 is configured as untagged on port A2 (see figure 8-7), and since a port can be untagged on only one VLAN, port A2 loses access to VLAN 33 for the duration of the 802.1X session involving VLAN 22.

  • Page 229

    VLAN assignment causes the switch to disable a configured (untagged) static VLAN assignment on the port, then the disabled VLAN assignment is not advertised. When the 802.1X session ends, the switch: ■ Eliminates and ceases to advertise the temporary VLAN assignment.

  • Page 230: Messages Related To 802.1x Operation

    LACP configuration, displays a notice that LACP is disabled on the port(s), and enables 802.1X on that port. Also, the switch will not allow you to configure LACP on a port on which port access (802.1X) is enabled.

  • Page 231

    Configuring and Monitoring Port Security Contents Contents ............9-1 Overview .

  • Page 232: Basic Operation, Overview

    Configuring Port Security Intrusion Alerts and Alert Flags Using Port Security, you can configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch.

  • Page 233: Blocking Unauthorized Traffic

    Guide for your switch.) Blocking Unauthorized Traffic Unless you configure the switch to disable a port on which a security violation is detected, the switch security measures block unauthorized traffic without disabling the port. This implementation enables you to apply the security...

  • Page 234: Trunk Group Exclusion

    Port security does not operate on either a static or dynamic trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch will reset the port security parameters for those ports to the factory-default configuration. (Ports configured for either Active or Passive LACP, and which are not members of a trunk, can be configured for port security.)

  • Page 235: Planning Port Security

    (For example, if you allow three devices on a given port, but specify only one MAC address for that port, do you want the switch to automatically accept the first two additional devices it detects, or not?) d.

  • Page 236: Port Security Command Options And Operation

    Port Security Commands Used in This Section show port-security port-security < [ethernet] port-list > [clear-intrusion-flag] no port-security This section describes the CLI port security command and how the switch acquires and maintains authorized addresses. Note Use the global configuration level to execute port-security configuration commands. 9-11...

  • Page 237

    Addresses learned this way appear in the switch and port address tables and age out according to MAC Age Interval tion screen of the Menu interface or the show system-...

  • Page 238

    MAC addresses it detects. Note: As of September, 2003, this option is available in the ProCurve Switch 2600 Series and the Switch 6108 running software release H.07.30 (or greater), and the ProCurve Switch 2800 Series. For availability in other switch products, refer to the latest release notes for such products on the ProCurve Networking website.

  • Page 239

    • Learn mode is set to learn-mode continuous and there is a MAC address change on a port. none (the default): Prevents an SNMP trap from being sent. send alarm: Causes the switch to send an SNMP trap to a network management station. send-disable: Available only with learn-mode configured and learn-mode static.

  • Page 240: Retention Of Static Mac Addresses, Displaying Current Port Security Settings

    Learned MAC Addresses In the following two cases, a port in Static learn mode (learn-mode static) retains a learned MAC address even if you later reboot the switch or disable port security for that port: The port learns a MAC address after you configure the port with learn- ■...

  • Page 241

    With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the spec- ified ports on a switch. The following example lists the full port security configuration for a single port: Figure 9-3.

  • Page 242: Configuring Port Security

    Configuring and Monitoring Port Security Port Security Command Options and Operation The following command example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string: ProCurve(config)# show port-security A1-A3,A6,A8 Configuring Port Security Using the CLI, you can:...

  • Page 243

    If you manually configure authorized devices (MAC addresses) and/or an alarm action on a port, those settings remain unless you either manually change them or reset the switch to its factory-default configuration. You can “turn off” device authorization on a port by configuring the port to continuous Learn Mode, but subsequently reconfiguring the port to static Learn Mode restores the configured device authorization.

  • Page 244

    Configuring and Monitoring Port Security Port Security Command Options and Operation Although the Address Limit is set to 2, only one device has been authorized for this port. In this case you can add another without having to also increase the Address Limit.

  • Page 245

    Configuring and Monitoring Port Security Port Security Command Options and Operation If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port’s current Address Limit setting), then you must increase the Address Limit in order to add the device, even if you want to replace one device with another.

  • Page 246

    Address Limit value by 1, then remove the unwanted device. Note When you have configured the switch for learn-mode static operation, you can reduce the address limit below the number of currently authorized addresses on a port. This enables you to subsequently remove a device from the “Autho- rized”...

  • Page 247: Mac Lockdown

    Syntax: [no] static-mac < mac-addr > vlan < vid > interface < port-number > You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID of “1”.

  • Page 248

    They can send, but will not receive data if that data must go through the locked down switch. Please note that if the device moves to a distant part of the network where data sent to its MAC address never goes through the locked down switch, it may be possible for the device to have full two-way communication.

  • Page 249: Differences Between Mac Lockdown And Port Security

    MAC addresses and which ports they are allowed to use (only one port per MAC Address on the same switch in the case of MAC Lockdown). (You can still use the port for other MAC addresses, but you cannot use the locked down MAC address on other ports.)

  • Page 250

    Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.

  • Page 251: Deploying Mac Lockdown

    As we have seen, MAC Lockdown can help prevent this type of hijacking by making sure that all traffic to a specific MAC address goes only to the proper port on a switch which is supposed to be connected to the real device bearing that MAC address.

  • Page 252

    This means each switch has only one path by which data can travel to Server A. You can use MAC Lockdown to specify that all traffic intended for Server A’s MAC Address must...

  • Page 253

    Using MAC Lockdown still does not protect against a hijacker within the core! In order to protect against someone spoofing the MAC Address for Server A inside the Core Network, you would have to lock down each and every switch inside the Core Network as well, not just on the edge.

  • Page 254

    Figure 9-10. Connectivity Problems Using MAC Lockdown with Multiple Paths The resultant connectivity issues would prevent you from locking down Server A to Switch 1. And when you remove the MAC Lockdown from Switch 1 (to prevent broadcast storms or other connectivity issues), you then open the network to security problems.

  • Page 255: Mac Lockout

    You can think of MAC Lockout as a simple blacklist. The MAC address is locked out on the switch and on all VLANs. No data goes out or in from the blacklisted MAC address to a switch using MAC Lockout.

  • Page 256

    If a particular MAC address can be identified as unwanted on the switch then that MAC Address can be disallowed on all ports on that switch with a single command. You don’t have to configure every single port—just perform the command on the switch and it is effective for all ports.

  • Page 257: Port Security And Mac Lockout

    MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in conjunction with port-security. You can use MAC Lockout to lock out a single address—deny access to a specific...

  • Page 258: Ip Lockdown

    Defines the subnet and related IP addresses allowed for incoming traffic on the port. The following example prevents traffic from all IP addresses other than those specified in subnet 192.168.0.1/24 from entering the switch on interface 1. ProCurve Switch 2626 (config) # interface 1 ProCurve Switch 2626 (eth-1) # ip-lockdown 192.168.0.1/24...

  • Page 259: Web: Displaying And Configuring Port Security Features, Reading Intrusion Alerts And Resetting Alert Flags

    Alert Flags Notice of Security Violations When the switch detects an intrusion on a port, it sets an “alert flag” for that port and makes the intrusion information available as described below. While the switch can detect additional intrusions for the same port, it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset.

  • Page 260: How The Intrusion Log Operates

    • How the Intrusion Log Operates When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log. No further intrusion attempts on that port will appear in the Log until you acknowledge the earlier intrusion event by reset- ting the alert flag.

  • Page 261: Keeping The Intrusion Log Current By Resetting Alert Flags

    On a given port, if the intrusion action is to send an SNMP trap and then disable S e n d - D i s a b l e the port (send-disable), and then an intruder is detected on the port, the switch O p e r a t i o n sends an SNMP trap, sets the port’s alert flag, and disables the port.

  • Page 262

    A1, the alert flag for the intru- sion on port A1 has already been reset. Since the switch can show only one uncleared intrusion per port, the older intrusion for port A3 in this example has also been previously reset.

  • Page 263

    Note also that the “prior to” text in the record for the earliest intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset. To acknowledge the most recent intrusion entry on port A3 and enable...

  • Page 264

    “Operating Notes for Port Security” on page 9-37.) Syntax: show interfaces brief In the following example, executing show interfaces brief lists the switch’s port status, which indicates an intrusion alert on port A1. Figure 9-16. Example of an Unacknowledged Intrusion Alert in a Port Status Display If you wanted to see the details of the intrusion, you would then enter the show port-security intrusion-log command.

  • Page 265

    20 intrusion records, and deletes intrusion records only when the log becomes full and new intrusions are subsequently added.) The “prior to” text in the record for the third intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.

  • Page 266: Using The Event Log To Find Intrusion Alerts, Alert Flags

    Next page and Prev page to review the Event Log contents. For More Event Log Information. See “Using the Event Log To Identify Problem Sources” in the “Troubleshooting” chapter of the Management and Configuration Guide for your switch. Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags Check the Alert Log by clicking on the Status tab and the If there is a “Security Violation”...

  • Page 267: Operating Notes For Port Security

    MAC address, and not your PC or workstation MAC address, and interprets your connection as unauthorized. “Prior To” Entries in the Intrusion Log. If you reset the switch (using the Reset button, Device Reset, or Reboot Switch), the Intrusion Log will list the time of all currently logged intrusions as “prior to”...

  • Page 268

    2 LACP has been disabled on secured port(s). ProCurve(config)# The switch will not allow you to configure LACP on a port on which port security is enabled. For example: ProCurve(config)# int e a17 lacp passive Error configuring port A17: LACP and port security cannot be run together.

  • Page 269

    Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Contents Contents ............10-1 Overview .

  • Page 270

    Refer to “Config- uring a Filter on a Port Trunk” on page 10-6. When you create a source port filter, all ports or port trunks on the switch appear as destinations on the list for that filter. The switch automatically forwards traffic to the ports and/or trunks you do not specifically configure to drop traffic.

  • Page 271

    IP addresses configured on the same VLAN (multinetting), and routing is enabled on the switch, then a single port or trunk can be both the source and destination of packets moving between subnets in that same VLAN. In this...

  • Page 272: Using Source-port Filters, Operating Rules For Source-port Filters

    "drop" action. Thus, it is not necessary to configure a source-port filter for traffic you want the switch to forward unless the filter was previously configured to drop the desired traffic.

  • Page 273: Configuring A Source-port Filter

    Creates or deletes the source port filter assigned to < source-port-number >. If you create a source-port filter without specifying a drop or forward action, the switch automatically creates a filter with a forward action from the designated source to all destinations on the switch.

  • Page 274

    For example, if you create a filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following: Figure 10-3. Example of Switch Response to Adding a Filtered Source Port to a Trunk 10-6...

  • Page 275: Viewing A Source-port Filter

    IDX: An automatically assigned index number used to identify the filter for a detailed information listing. A filter retains its assigned IDX number for as long as the filter exists in the switch. The switch assigns the lowest available IDX number to a new filter. This can result in a newer filter having a lower IDX number than an older filter if a previous (source-port) filter deletion created a gap in the filter listing.

  • Page 276: Filter Indexing

    Figure 10-4. Example of Listing Filters and the Details of a Specific Filter Filter Indexing The switch automatically assigns each new source-port filter to the lowest- available index (IDX) number. If there are no filters currently configured, and you create three filters in succession, they will have index numbers 1 - 3.

  • Page 277: Editing A Source-port Filter

    Using Source-Port Filters Editing a Source-Port Filter The switch includes in one filter the action(s) for all destination ports and/or trunks configured for a given source port. Thus, if a source-port filter already exists and you want to change the currently configured action for some destination ports or trunks, use the filter source-port command to update the existing filter.

  • Page 278: Using Named Source-port Filters

    This can make it easier to configure and manage source-port filters on your switch. The commands to define, configure, apply, and display the status of named source-port filters are described below.

  • Page 279

    For example, on a 26-port switch, to configure the named source-port filter web-only to drop any traffic except that for destination ports 1 and 2, the...

  • Page 280

    A company wants to manage traffic to the Internet and its accounting server on a 26-port switch. Their network is pictured in Figure 6. Switch port 1 connects to a router that provides connectivity to a WAN and the Internet.

  • Page 281

    ProCurve Switch 2626(config)# Applying Example Named Source-Port Filters. Once the named source-port filters have been defined and configured we now apply them to the switch ports. ProCurve(config)# filter source-port 2-6,8,9,12-26 named-filter web-only ProCurve(config)# filter source-port 7,10,11 named-filter accounting ProCurve(config)# filter source-port 1 named-filter no-incoming-web ProCurve(config)# The show filter command shows what ports have filters applied.

  • Page 282

    A filter retains its assigned IDX number for as long as the filter exists in the switch. The switch assigns the lowest available IDX number to a new filter. This can result in a newer filter...

  • Page 283

    Using the IDX value in the show filter command, we can see how traffic is filtered on a specific port (Value).The two outputs below show a non- accounting and an accounting switch port. ProCurve(config)# show filter 4 Traffic/Security Filters Filter Type : Source Port...

  • Page 284

    1. Accounting Workstations may only send traffic to the Accounting Server. 2. No Internet traffic may be sent to the Accounting Server or Workstations. 3 All other switch ports may only send traffic to Port 1. Accounting Workstation 1 Accounting Workstation 2...

  • Page 285

    ProCurve(config)# We next apply the updated named source-port filters to the appropriate switch ports. As a port can only have one source-port filter (named or not named), before applying the new named source-port filters we first remove the existing source-port filters on the port.

  • Page 286

    Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters — This page is intentionally unused. — 10-18...

  • Page 287

    Using Authorized IP Managers Contents Overview ........... . . 11-2 Configuration Options .

  • Page 288

    Notes The Authorized IP Managers feature uses IP addresses and masks to deter- mine which stations (PCs or workstations) can access the switch through the network. This covers access through the following means: Also, when configured in the switch, the Authorized IP Managers feature takes precedence over local passwords, TACACS+, RADIUS, Port-Based Access Control (802.1X), and Port Security.

  • Page 289: Configuration Options, Access Levels

    Console (RS-232) port. Also, if an authorized station "spoofs" an authorized IP address, it can gain manage- ment access to the switch even though a duplicate IP address condition exists. For these reasons, you should enhance your network’s security by keeping...

  • Page 290: Defining Authorized Management Stations, Overview Of Ip Mask Operation

    Authorized Manager IP value, specify an IP Mask, and select either Manager or Operator for the Access Level. The IP Mask determines how the Authorized Manager IP value is used to allow or deny access to the switch by a manage- ment station.

  • Page 291: Menu: Viewing And Configuring Ip Authorized Managers

    Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch. This mask serves a different purpose than IP subnet masks and is applied in a different manner. Menu: Viewing and Configuring IP Authorized...

  • Page 292: Cli: Viewing And Configuring Authorized Ip Managers

    <ip-address> <ip-mask-bits> [access <operator | manager>] Listing the Switch’s Current Authorized IP Manager(s) Use the show ip authorized-managers command to list IP stations authorized to access the switch. For example: 11-6 2. Enter an Authorized Manager IP address here.

  • Page 293: Configuring Ip Authorized Managers For The Switch

    Figure 11-3. Example of the Show IP Authorized-Manager Display The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: IP Mask Authorized Station IP Address: 255.255.255.252 10.28.227.100 through 103 255.255.255.254 10.28.227.104 through 105 255.255.255.255...

  • Page 294

    ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager If you omit the <mask bits> when adding a new authorized manager, the switch automatically uses 255.255.255.255 for the mask. If you do not specify either Manager or Operator access, the switch automatically assigns the Manager access.

  • Page 295: Web: Configuring Ip Authorized Managers, Building Ip Masks

    For web-based help on how to use the web browser interface screen, click on button provided on the web browser screen. Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network.

  • Page 296: Configuring Multiple Stations Per Authorized Manager Ip Entry

    The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access. As described above, that...

  • Page 297: Additional Examples For Authorizing Multiple Stations

    “on” or “off”. In this example, in order for a station to be authorized to access the switch: • The first three octets of the station’s IP address must match the Authorized IP Address.

  • Page 298: Operating Notes

    Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions” list in the web browser interface you are using on the authorized station.

  • Page 299

    Index Numerics 3DES … 6-3, 7-3 802.1X See port-based access control. … 8-1 aaa authentication … 4-8 aaa port-access See Web or MAC Authentication. access levels, authorized IP managers … 11-3 accounting See RADIUS. address authorized for port security … 9-3 authentication See TACACS.

  • Page 300

    … 3-4 client status … 3-29 configuration commands … 3-23 configuring on the switch … 3-22 switch for RADIUS access … 3-15 the RADIUS server … 3-14 features … 3-4 general setup … 3-12 LACP not allowed … 3-11 rules of operation …...

  • Page 301

    RADIUS accounting … 5-2, 5-17 accounting, configuration outline … 5-19 accounting, configure server access … 5-20 accounting, configure types on switch … 5-22 accounting, exec … 5-18, 5-22 accounting, interim updating … 5-24 accounting, network … 5-22 accounting, operating rules … 5-19 accounting, server failure …...

  • Page 302

    RADIUS server … 5-9 commands, accounting … 5-17 commands, switch … 5-6 configuration outline … 5-7 configure server access … 5-10 configuring switch global parameters … 5-12 general setup … 5-5 local authentication … 5-9 MD5 … 5-4 messages … 5-31 network accounting …...

  • Page 303

    … 4-25 NAS … 4-3 overview … 1-2 precautions … 4-5 preparing to configure … 4-8 preventing switch lockout … 4-15 privilege level code … 4-7 server access … 4-15 server priority … 4-18 setup, general … 4-5 show authentication … 4-8 system requirements …...

  • Page 304

    … 3-4 client status … 3-29 configuration commands … 3-18 configuring on the switch … 3-17 switch for RADIUS access … 3-15 features … 3-4 general setup … 3-12 LACP not allowed … 3-11 redirect URL … 3-9 rules of operation … 3-10 show status and configuration …...

  • Page 305

    — This page is intentionally unused. —...

  • Page 306

    © 2000 - 2008 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice. December 2008 Manual Part Number 5990-6024...

Comments to this Manuals

Symbols: 0
Latest comments: