ProCurve Switches Access Security Guide Switch 2600 Series Switch 2600-PWR Series Switch 2800 Series Switch 4100 Series Switch 6108 Series...
ProCurve Switch 2600 Series Switch 2600-PWR Series Switch 2800 Series Switch 4100gl Series Switch 6108 Access Security Guide December 2008...
(J8152A) Warranty (J4902A). See the Customer Support/Warranty booklet included with the product. A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
Product Documentation. About Your Switch Manual Set: The switch manual set includes the following: ■ Read Me First - a printed guide shipped with your switch. Provides software update information, product notes, and other information. ■ Installation and Getting Started Guide - a printed guide shipped with your switch.
Feature Index For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. (Note that some software features are not supported on all switch models.) Feature 802.1Q VLAN Tagging...
Feature LACP Link LLDP MAC Address Management MAC Lockdown MAC Lockout MAC-based Authentication Monitoring and Analysis Multicast Filtering Network Management Applications (LLDP, SNMP) Passwords Ping Port Configuration Port Security Port Status Port Trunking (LACP) Port-Based Access Control Port-Based Priority (802.1Q) Power over Ethernet (PoE) Quality of Service (QoS) RADIUS Authentication and Accounting...
Feature Source-Port Filters Spanning Tree (STP, RSTP, MSTP) SSH (Secure Shell) Encryption SSL (Secure Socket Layer) Stack Management (Stacking) Syslog System Information TACACS+ Authentication Telnet Access TFTP Time Protocols (TimeP, SNTP) Traffic/Security Filters Troubleshooting VLANs Web-based Authentication Xmodem Management and Advanced Traffic Configuration...
Getting Started: Introduction. This Access Security Guide describes how to use ProCurve’s switch security features to protect access to your switch. This guide is intended to support the following switches: ■ ProCurve Series 2600 ■ ProCurve Series 2600-PWR ■ ...
connections, enables the switch to allow or deny traffic between a port and an 802.1X-aware device (supplicant) attempting to access the switch. Also enables the switch to operate as a supplicant for connections to other 802.1X-aware switches. ■ Port Security (page 9-1): Enables a switch port to maintain a unique list of MAC addresses defining which specific devices are allowed to access the network through that port.
General Switch Traffic Security Guidelines Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.
This guide uses the following conventions for command syntax and displayed information. Feature Descriptions by Model: In cases where a software feature is not available in all of the switch models covered by this guide, the section heading specifically indicates which product or product series offers the feature.
Conventions: Command Prompts. In the default configuration, your switch displays one of the following CLI prompts: ProCurve Switch 4104#, ProCurve Switch 4108#, ProCurve Switch 2626#, ProCurve Switch 2650#, ProCurve Switch 6108#. To simplify recognition, this guide uses ProCurve to represent command prompts for all models.
Sources for More Information For additional information about switch operation and features not covered in this guide, consult the following sources: ■ For information on which product manual to consult on a given software feature, refer to “Product Documentation” on page xi.
Need Only a Quick Start? IP Addressing If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using multiple VLANs, ProCurve recommends that you use the Switch Setup screen to quickly configure IP addressing.
To Set Up and Install the Switch in Your Network. Important! Use the Installation and Getting Started Guide shipped with your switch for the following: ■ Notes, cautions, and warnings related to installing and using the...
Access to the Status and Counters menu, the Event Log, and the CLI*, but no Configuration capabilities. On the Operator level, the configuration menus, Download OS, and Reboot Switch options in the Main Menu are not available. (See page 2-6.)
Caution: If the switch has neither a Manager nor an Operator password, anyone having access to the switch through either Telnet, the serial port, or the web browser interface can access the switch with full manager privileges. Also, if you configure only an Operator password, entering the Operator password enables full manager privileges.
After you configure a password, if you subsequently start a new console session, you will be prompted to enter the password. (If you use the CLI or web browser interface to configure an optional username, the switch will prompt you for the username, and then the password.)
If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
The effect of executing the command in figure 2-3 is to remove password protection from the Operator level. (This means that anyone who can access the switch console can gain Operator access without having to enter a username or password.)
Passwords could easily be cleared by pressing the Clear button. Someone who has physical access to the switch may be able to erase the passwords (and possibly configure new passwords) and take control of the switch.
As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions: The front panel of the switch includes the Reset button and the Clear button. (Figure 2-4. Front-panel labels shown: Power, Fault, Reset Button.)
Pressing the Reset button alone for one second causes the switch to reboot. (Figure 2-6. Press and Hold the Reset Button for One Second To Reboot the Switch; labels shown: Reset, Clear.) Restoring the Factory Default Configuration: You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.
Release the Reset button and wait for about one second for the Self-Test LED to start flashing. When the Self-Test LED begins flashing, release the Clear button. This process restores the switch configuration to the factory default settings. Configuring Front-Panel Security: Using the front-panel-security command from the global configuration context in the CLI you can: •...
Enabled means that pressing the Reset button reboots the switch and also enables the Reset button to be used with the Clear button (page 2-9) to reset the switch to its factory-default configuration. (Default: Enabled.) Password Recovery: Shows whether the switch is configured with the ability to recover a lost password.
Configuring Username and Password Security: Front-Panel Security. For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings. (Figure 2-7. The Default Front-Panel Security Settings.) Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel...
This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. • Specifies whether the switch reboots if the Clear button is pressed. To re-enable password-clear, you must also specify whether to enable or disable the reset-on-clear option.
Pressing Reset+Clear (page 2-9) replaces the switch’s current startup-config file with the factory-default startup-config file, then reboots the switch, and removes local password protection. This means that anyone who has physical access to the switch could use this button combination to replace the switch’s current configuration with the factory-default configuration, and render the switch accessible without the need to input a username or password.
Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and password on the switch. In this event, there is no way to recover from a lost manager username/password situation without resetting the switch to its factory-default configuration.
If it is disabled, use the front-panel-security factory-reset command to enable it. Press and release the Clear button on the front panel of the switch. Within 60 seconds of pressing the Clear button, enter the following command: Do one of the following after the “CAUTION”...
The user then enters a username and password, which the switch forwards to a RADIUS server for authentication. After authentication, the switch grants access to the secured network. Other than a web browser, the client needs no special supplicant software.
MAC Authentication (MAC-Auth). This method grants access to a secure network by authenticating devices for access to the network. When a device connects to the switch, either by direct link or through the network, the switch forwards the device’s MAC address to the RADIUS server for authentication.
General Features: Web and MAC Authentication on the ProCurve Series 2600, 2600-PWR, and 2800 switches include the following: ■ On a port configured for Web or MAC Authentication, the switch operates as a port-access authenticator using a RADIUS server and the CHAP protocol.
Web-based Authentication: When a client connects to a Web-Auth enabled port, communication is redirected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their credentials.
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches: How Web and MAC Authentication Operate. (Figure 3-2. Progress Message During Authentication.) If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.
The max-retries parameter specifies how many times a client may enter their credentials before authentication fails. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out. The max-requests parameter specifies how many authentication attempts may result in a RADIUS server timeout before authentication fails.
A client may not be authenticated due to invalid credentials or a RADIUS server timeout.
Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN.
Operating Rules and Notes ■ You can configure one type of authentication on a port. That is, the following authentication types are mutually exclusive on a given port: •...
■ When a port on the switch is configured for Web or MAC Authentication and is supporting a current session with another device, rebooting the switch invokes a re-authentication of the connection.
General Setup Procedure for Web/MAC Authentication. Note on Web/MAC Authentication: The switch does not allow Web or MAC Authentication and LACP to both be enabled at the same time on the same port. The switch automatically disables LACP on ports configured for Web or MAC Authentication.
VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify the VLAN.
Note that each switch covered by this guide applies a single MAC address to all VLANs configured in the switch. Thus, for a given switch, the MAC address is the same for all VLANs configured on the switch. (Refer to the chapter titled “Static Virtual LANs (VLANs)”...
Adds a server to the RADIUS configuration or (with the no form) deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (Refer to “RADIUS Authentication and Accounting” on page 5-1.) [key <...
Configuring the Switch To Access a RADIUS Server: For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server-specific shared secret key of ‘2Pzo22’...
Configure Web Authentication on the switch ports you want to use. Specify the base IP address and mask to be used by the switch for temporary DHCP addresses. The lease length for these temporary IP addresses may also be set.
Configuring Web Authentication: Configure the Switch for Web-Based Authentication. Commands: aaa port-access web-based dhcp-addr; aaa port-access web-based dhcp-lease; [no] aaa port-access web-based [e] < port-list > [auth-vid]...
Web Auth control. When enabled, the switch allows clients to move without requiring a re-authentication. When disabled, the switch does not allow moves and when one does occur, the user will be forced to re-authenticate. At least two ports (from port(s) and to port(s)) must be specified.
This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre-authentication state. (Default: 300 seconds) aaa port-access web-based [e] <...
Syntax: aaa port-access web-based [e] < port-list > [server-timeout <1 - 300>] Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depending on the current max-requests value, the switch sends a new attempt or ends the authentication session.
VLANs are configured on the switch and that the appropriate port assignments have been made. Use the ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support MAC-Auth on the switch.
Configure the Switch for MAC-Based Authentication. Commands: aaa port-access mac-based addr-format; [no] aaa port-access mac-based [e] < port-list > [addr-limit] [addr-moves] [auth-vid] [logoff-period] [max-requests] [quiet-period] [reauth-period] [reauthenticate]...
This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre-authentication state. (Default: 300 seconds) aaa port-access mac-based [e] <...
Syntax: aaa port-access mac-based [e] < port-list > [server-timeout <1 - 300>] Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depending on the current max-requests value, the switch sends a new attempt or ends the authentication session.
Show Status and Configuration of Web-Based Authentication. Syntax: show port-access [port-list] web-based [[clients] [config] [config [auth-server]] [config [web-server]]]
Syntax: show port-access [port-list] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.
Show Status and Configuration of MAC-Based Authentication. Syntax: show port-access [port-list] mac-based [clients] Shows the port address, MAC address, session status, and elapsed session time for attached clients on all ports or the specified ports.
TACACS+ server(s): disabled. TACACS+ authentication enables you to use a central server to allow or deny access to the switch (and other TACACS-aware devices) in your network. This means that you can use a central database to create multiple unique username/password sets with associated privilege levels for use by individuals who have reason to access the switch from either the switch’s console port (local...
If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/write) privilege level access.
• Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager-level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or web browser interface.
TACACS+ servers. ProCurve recommends that you use a TACACS+ server application that supports a redundant backup installation. This allows you to configure the switch to use a backup TACACS+ server if it loses access to the first-choice TACACS+ server.
The following procedure outlines a general setup procedure. Note: If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Troubleshooting chapter of the Management and Configuration Guide for your switch.
Privilege Levels: When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of “15” as authorization for the Manager (read/write) privilege level access.
TACACS+ server application for console access. Then test the console access. If access problems occur, check for and correct any problems in the switch configuration, and then test console access again. If problems persist, check your TACACS+ server application for mis-configurations or missing data that could affect the console access.
< ip-addr > timeout < 1-255 > Viewing the Switch’s Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access. Syntax: This example shows the default authentication configuration.
TACACS+ servers the switch can contact. Syntax: show tacacs. For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a (global) encryption key, show tacacs would produce a listing similar to the...
Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied).
No secondary type of authentication for the specified method/privilege path. (Available only if the primary method of authentication for the access being configured is local.) Note: If you do not specify this parameter in the command line, the switch automatically assigns the secondary method as follows: tacacs •...
*When “local” is the primary option, you can also select “local” as the secondary option. However, in this case, a secondary “local” is meaningless because the switch has only one local level of username/password protection. Caution: During local authentication (which uses passwords configured in the switch...
TACACS+ Authentication: Configuring TACACS+ on the Switch. For example, here is a set of access options and the corresponding commands to configure them:
Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local.
ProCurve(config)# aaa authentication console login tacacs local
Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server.
If the switch sends an authentication request, but does not receive a response within the period specified by the timeout value, the switch resends the request to the next server in its Server IP Addr list, if any. If the switch still fails to receive a response from any...
TACACS+ servers the switch will attempt to use for authentication. If you configure a global encryption key, the switch uses it only with servers for which you have not also configured a server-specific key. Thus, a global...
Use show tacacs to view the current IP address list. If the first-choice TACACS+ server fails to respond to a request, the switch tries the second address, if any, in the show tacacs list. If the second address also fails, then the switch tries the third address, if any.
<1 - 255> Specifies how long the switch waits for a TACACS+ server to respond to an authentication request. If the switch does not detect a response within the timeout period, it initiates a new request to the next TACACS+ server in the list. If all TACACS+ servers in the list fail to respond within the timeout period, the switch uses either local authentication (if configured) or denies access (if none configured for local authentication).
Configuring an Encryption Key. Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key. (If the server expects a key, but the switch either does not provide one, or provides an incorrect key, then the authentication attempt will fail.) Use a global encryption key if the same key applies to all TACACS+...
Configuring the Timeout Period. The timeout period specifies how long the switch waits for a response to an authentication request from a TACACS+ server before either sending a new request to the next server in the switch’s Server IP Address list or using the local authentication option. For example,...
After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs: •...
Configuring TACACS+ on the Switch: Local Authentication Process. When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists: “Local” is the authentication option for the access method being used.
Thus, on the TACACS+ server side, you have a choice as to how to implement a key. On the switch side, it is necessary only to enter the key parameter so that it exactly matches its counterpart in the server. For information on how to configure a general or individual key in the TACACS+ server, refer to the documentation you received with the application.
10.28.227.87) that has this key is different than the one used for the two servers in the previous example, you will need to assign a server-specific key in the switch that applies only to the designated server: ProCurve(config)# tacacs-server host 10.28.227.87 key...
CLI Message / Meaning:
Connecting to Tacacs server: The switch is attempting to contact the TACACS+ server identified in the switch’s server...
Connecting to secondary Tacacs server: The switch was not able to contact the first-choice TACACS+ server, and is now attempting to contact the next (secondary) TACACS+ server identified in the switch’s...
■ When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not accessible—setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthorized persons.
■ Port-Access. Note: The switch does not support RADIUS security for SNMP (network management) access or, for the 4100gl and 6108 switches, web browser interface access. For information on blocking unauthorized access through the web browser interface, refer to “Controlling Web Browser Interface Access When Using RADIUS Authentication”...
EAP type, such as MD5-Challenge, Generic Token Card, and TLS (Transport Level Security). Host: See RADIUS Server. NAS (Network Access Server): In this case, a ProCurve switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): RADIUS Client: The device that passes user information to designated RADIUS servers.
RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius (page 5-25). If the first server does not respond, the switch tries the next one, and so-on. (To change the order in which the switch accesses RADIUS servers, refer to “Changing RADIUS-Server Access Order”...
• Determine the IP address(es) of the RADIUS server(s) you want to support the switch. (You can configure the switch for up to three RADIUS servers.) • If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific RADIUS server, select it before beginning the configuration process.
RADIUS Authentication and Accounting: Configuring the Switch for RADIUS Authentication. • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. ProCurve recommends that you begin with the default (five seconds). • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting.
(Optional) encryption key for use during authentication sessions with a RADIUS server. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server. (Default: null)
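The server-specific and global keys described above are the RADIUS shared secret of RFC 2865, and the rule that a mismatched key makes the attempt fail follows from how the protocol uses that secret. The following is an added example, not switch firmware or a ProCurve tool: it builds a minimal Access-Request the way a RADIUS client such as the switch does, hides the User-Password attribute with the secret and the Request Authenticator as RFC 2865 section 5.2 specifies, and then parses the packet on the server side once with a matching key and once with a wrong one. The user name, the NAS address 192.0.2.1 and the fixed authenticator are constructed values; the key ‘2Pzo22’ is the one from the page’s own configuration example.

```python
import hashlib
import os
import socket
import struct
from typing import Dict, Optional

# RFC 2865 values used below.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + request authenticator(16)


def _keystream_xor(data: bytes, secret: bytes, authenticator: bytes, chain_on_input: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password transform.

    Each 16-byte block is XORed with MD5(secret + previous block).  The
    "previous block" is the Request Authenticator for the first block and the
    previous ciphertext block afterwards.  Hiding and revealing differ only in
    which side of the XOR is the ciphertext, so one helper serves both.
    """
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key_block = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, key_block))
        out += result
        # Hiding: chain on the ciphertext just produced.  Revealing: chain on
        # the ciphertext block that was handed in.
        prev = block if chain_on_input else result
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: pad to a multiple of 16 (at least one block) and hide."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _keystream_xor(padded, secret, authenticator, chain_on_input=False)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the transform and strip the zero padding."""
    return _keystream_xor(hidden, secret, authenticator, chain_on_input=True).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """What the NAS (here, the switch) sends to the server's UDP port 1812."""
    # The Request Authenticator must be unpredictable; it doubles as the IV of the password transform.
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> Dict[str, object]:
    """Server side: split the TLVs and recover the password with the server's copy of the secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < HEADER_LEN:
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:HEADER_LEN]
    attrs: Dict[int, bytes] = {}
    pos = HEADER_LEN
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("truncated attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {
        "identifier": identifier,
        "user": attrs[ATTR_USER_NAME].decode(),
        "password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator),
        "nas_ip": socket.inet_ntoa(attrs[ATTR_NAS_IP_ADDRESS]),
    }


def demo() -> Dict[str, bytes]:
    """Constructed example: the client keys the request with '2Pzo22'; a server
    holding a different key recovers garbage instead of the password, which is
    why a key mismatch fails the authentication attempt."""
    fixed_ra = bytes(range(16))  # constructed, fixed for reproducibility; use os.urandom(16) in practice
    pkt = build_access_request(7, "netops", "Tr0ub4dor", b"2Pzo22", "192.0.2.1", authenticator=fixed_ra)
    return {
        "matching_key": parse_access_request(pkt, b"2Pzo22")["password"],
        "wrong_key": parse_access_request(pkt, b"not-the-key")["password"],
    }
```

The password transform is reversible by anyone who knows the secret, so the secret protects the credential only against observers who lack it; that is why the guide treats the key as something to set per server and keep consistent on both ends.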
(or tacacs) for primary authentication, you must configure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail. Server Dead-Time: The period during which the switch will not send new authentication requests to a RADIUS server that has failed to respond to a previous request.
Syntax: aaa authentication < console | telnet | ssh | web > < enable | login > < radius > For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s local passwords):...
This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note: If you want to configure RADIUS accounting on the switch, go to page 5-17: “Configuring RADIUS Accounting” instead of continuing here. Syntax: [no] radius-server host < ip-address >...
For example, suppose you have configured the switch as shown in figure 5-3 and you now need to make the following changes: Change the encryption key for the server at 10.33.18.127 to “source0127”. Add a RADIUS server with an IP address of 10.33.18.119 and a server-specific encryption key of “source0119”.
(This is a general aaa authentication parameter and is not specific to RADIUS.) ■ Global server key: The server key the switch will use for contacts with all RADIUS servers for which there is not a server-specific key configured by radius-server host <...
If none of the servers respond, then the switch attempts to use the secondary authentication method configured for the type of access being attempted (console, Telnet, or SSH).
For example, suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key. In this case your plan is to configure the switch with the following global authentication parameters: Allow only two tries to correctly enter username and password.
Server IP Addr  Port
10.33.18.127    1812
10.33.18.119    1812
10.33.18.151    1812
Figure 5-6. Listings of Global RADIUS Parameters Configured in Figure 5-5
Login Enable Secondary Primary None Local None Radius None...
Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: “Local” is the authentication option for the access method being used.
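The two-condition rule stated here for RADIUS is the same one the TACACS+ chapter gives under Local Authentication Process, and the timeout descriptions add the third piece: the switch walks its server list in show radius / show tacacs order, waits one timeout period per server, and only when no server answers does the secondary method apply. The following Python model is an added illustration, not switch code: the server behaviours, the 192.0.2.0/24 addresses, the credentials and the five-second timeout are all constructed. It makes the point practitioners most often get wrong when they test a lockout scenario: a reject from a reachable server is final and never falls through to the local passwords, while a secondary of none locks everyone out for as long as every server is silent.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Possible answers from a TACACS+/RADIUS server; None models a server that
# never answered within the switch's timeout period.
ACCEPT, REJECT = "accept", "reject"
NO_RESPONSE: Optional[str] = None

# Constructed credential store standing in for the server's user database.
SERVER_USERS = {("netops", "Tr0ub4dor"): ACCEPT}


def answering_server(username: str, password: str) -> Optional[str]:
    """A reachable server: every request gets a definite accept or reject."""
    return SERVER_USERS.get((username, password), REJECT)


def silent_server(username: str, password: str) -> Optional[str]:
    """A server that is down or unreachable: the request times out."""
    return NO_RESPONSE


@dataclass
class AuthServer:
    ip: str                                       # list position = access order shown by show tacacs / show radius
    respond: Callable[[str, str], Optional[str]]  # constructed stand-in for the network round trip


@dataclass
class LocalPasswords:
    manager: Optional[str] = None   # enable (read/write) level
    operator: Optional[str] = None  # login (read-only) level


@dataclass
class Decision:
    result: str          # "granted" or "denied"
    method: str          # method that produced the verdict: tacacs/radius, local, or none
    servers_tried: List[str]
    waited: int          # simulated seconds spent on servers that never answered


def local_check(local: LocalPasswords, level: str, password: str) -> bool:
    """Local authentication: one password per privilege level.  A level with
    no password configured is unprotected (the Caution in chapter 2)."""
    expected = local.manager if level == "enable" else local.operator
    return expected is None or password == expected


def authenticate(servers: List[AuthServer], primary: str, secondary: str, local: LocalPasswords,
                 level: str, password: str, username: str = "", timeout: int = 5) -> Decision:
    tried: List[str] = []
    waited = 0
    if primary in ("tacacs", "radius"):
        for server in servers:
            tried.append(server.ip)
            answer = server.respond(username, password)
            if answer is NO_RESPONSE:
                waited += timeout      # timeout expired: move on to the next server in the list
                continue
            # A server that answers is authoritative.  A reject is final and
            # does NOT fall through to the local passwords.
            verdict = "granted" if answer == ACCEPT else "denied"
            return Decision(verdict, primary, tried, waited)
        # No server responded: only now does the secondary method apply.
        if secondary == "local":
            verdict = "granted" if local_check(local, level, password) else "denied"
            return Decision(verdict, "local", tried, waited)
        return Decision("denied", "none", tried, waited)   # secondary none: lockout while servers stay silent
    # Primary local: the servers are never consulted.
    verdict = "granted" if local_check(local, level, password) else "denied"
    return Decision(verdict, "local", tried, waited)


def scenarios() -> Dict[str, Decision]:
    """Constructed configurations exercising each branch of the decision."""
    local = LocalPasswords(manager="m4nager-pw", operator="0perator-pw")
    down_a = AuthServer("192.0.2.10", silent_server)      # constructed addresses
    down_b = AuthServer("192.0.2.11", silent_server)
    up = AuthServer("192.0.2.12", answering_server)
    return {
        # first server times out, second answers ACCEPT
        "server_accepts": authenticate([down_a, up], "radius", "local", local, "login", "Tr0ub4dor", username="netops"),
        # the server answers REJECT even though the local manager password was typed: denied
        "reject_is_final": authenticate([down_a, up], "tacacs", "local", local, "enable", "m4nager-pw"),
        # every server silent, secondary local: the local manager password works
        "all_down_local": authenticate([down_a, down_b], "tacacs", "local", local, "enable", "m4nager-pw"),
        # every server silent, secondary none: nobody gets in
        "all_down_none": authenticate([down_a, down_b], "radius", "none", local, "enable", "m4nager-pw"),
    }
```

The waited field shows why the guide suggests starting with the default timeout: with three silent servers a login attempt stalls for three timeout periods before the local passwords are even consulted.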
■ Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch. ■ Configure the switch’s Authorized IP Manager feature to allow web browser access only from authorized management stations. (The Authorized IP Manager feature does not interfere with TACACS+ operation.)
5-5 before continuing here. RADIUS accounting collects data about user activity and system events and sends it to a RADIUS server when specified events occur on the switch, such as a logoff or a reboot. The switch supports three types of accounting services: ■ Network accounting: Provides records containing the information...
■ RADIUS servers are accessed in the order in which their IP addresses were configured in the switch. Use show radius to view the order. As long as the first server is accessible and responding to authentication requests from the switch, a second or third server will not be accessed.
Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 5-10. You need to repeat this step here only if you have not...
(For a more complete description of the radius-server command and its options, turn to page 5-10.) For example, suppose you want the switch to use the RADIUS server described below for both authentication and accounting purposes. ■...
Figure 5-7. Example of Configuring for a RADIUS Server with a Non-Default Accounting UDP Port Number The radius-server command as shown in figure 5-7, above, configures the switch to use a RADIUS server at IP address 10.33.18.151, with a (non-default) UDP accounting port of 1750, and a server-specific key of “source0151”.
• The system option (page 5-22) always delivers stop-only operation because the switch sends the accumulated data only when there is a reboot, reload, or accounting on/off event. Syntax: [no] aaa accounting < exec | network | system > < start-stop | stop-only >...
Syntax: [no] aaa accounting update periodic < 1 - 525600 > Syntax: [no] aaa accounting suppress null-username To continue the example in figure 5-8, suppose that you wanted the switch to: Send updates every 10 minutes on in-progress accounting sessions.
IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which requires prior use of the radius-server host command. (See “Configuring RADIUS Accounting” on page 5-17.)
The number of RADIUS packets which were received from this server on the accounting port and dropped for some other reason. Access Requests The number of RADIUS Access-Requests the switch has sent since it was last rebooted. (Does not include retransmissions.) Accounting Requests The number of RADIUS Accounting-Request packets sent.
Figure 5-13. Example of RADIUS Authentication Information from a Specific Server Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session. show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Figure 5-14. Listing the Accounting Configuration in the Switch Figure 5-15. Example of RADIUS Accounting Information for a Specific Server Lists configured accounting interval, “Empty User” suppression status, accounting types, methods, and modes.
Figure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.
Delete 10.10.10.001 from the list. This opens the first (highest) position in the list. Re-enter 10.10.10.003. Because the switch places a newly entered address in the highest-available position, this address becomes first in the list. Re-enter 10.10.10.001. Because the only position open is the third position, this address becomes last in the list.
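As an added illustration of the reordering rule above (not code from the ProCurve guide), the following models the three-position server list and derives the delete/re-enter commands for any target order; the class and function names and the exact CLI strings are this example's own assumptions.

```python
"""Model of the RADIUS server-list rule described in the guide: up to three
servers, a newly entered address goes to the highest (first) empty position,
and servers are tried in list order.  Added example, not the switch's code;
names and the CLI strings are assumptions for this illustration."""

MAX_SERVERS = 3  # the guide allows 1 to 3 RADIUS servers


class RadiusServerList:
    """Simulates the switch's ordered list of RADIUS server addresses."""

    def __init__(self, addresses=()):
        self.slots = [None] * MAX_SERVERS
        for addr in addresses:
            self.add(addr)

    def add(self, addr):
        # A new address lands in the highest (first) empty position.
        if addr in self.slots:
            raise ValueError(f"{addr} already configured")
        try:
            free = self.slots.index(None)
        except ValueError:
            raise ValueError("server list is full") from None
        self.slots[free] = addr

    def delete(self, addr):
        self.slots[self.slots.index(addr)] = None

    def order(self):
        """Access order, as 'show radius' would list it."""
        return [a for a in self.slots if a is not None]

    def apply(self, commands):
        """Replay CLI commands (assumed form) against the model."""
        for cmd in commands:
            if cmd.startswith("no radius-server host "):
                self.delete(cmd.split()[-1])
            elif cmd.startswith("radius-server host "):
                self.add(cmd.split()[-1])
            else:
                raise ValueError(f"unknown command: {cmd}")
        return self.order()


def reorder_commands(current, desired):
    """Return the CLI commands that turn the `current` order into `desired`.

    Servers already in their target position are left alone.  The others
    are deleted and then re-entered in target-position order: each one
    fills the highest open slot, which is exactly its target slot because
    the untouched servers still occupy theirs.
    """
    if sorted(current) != sorted(desired):
        raise ValueError("current and desired must hold the same servers")
    moving = [a for i, a in enumerate(current) if desired[i] != a]
    cmds = [f"no radius-server host {a}" for a in moving]
    cmds += [f"radius-server host {a}" for a in desired if a in moving]
    return cmds


if __name__ == "__main__":
    current = ["10.10.10.001", "10.10.10.002", "10.10.10.003"]
    desired = ["10.10.10.003", "10.10.10.002", "10.10.10.001"]
    cmds = reorder_commands(current, desired)
    print("\n".join(cmds))
    print(RadiusServerList(current).apply(cmds))
```

Any key or port options given with radius-server host (page 5-10) need to be supplied again when an address is re-entered, since deleting the entry removes them.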
A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is accessible, then verify that the switch is using the correct encryption key and that the server is correctly configured to receive an authentication request from the switch.
Client Public Key Authentication (Login/Operator Level) with User Password Authentication (Enable/Manager Level). This option uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.
OpenSSH, visit http://www.openssh.com. Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication shown in figure 6-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.
■ Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key that can be read by anyone and a private key that is held internally in the switch or by a client. ■ PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted...
Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), then the client program must have the capability to generate or import keys.
(Enable) ssh enable tacacs Level ssh enable radius For ssh login public-key, the switch uses client public-key authentication instead of the switch password options for primary authentication. The general steps for configuring SSH include: A. Client Preparation Authenticate...
(page 6-9). Generate a public/private key pair on the switch (page 6-10). You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. (You can remove or replace this key pair, if necessary.) Copy the switch’s public key to the SSH clients you want to access...
■ The switch’s own public/private key pair and the (optional) client public key file are stored in the switch’s flash memory and are not affected by reboots or the erase startup-config command. ■ Once you generate a key pair on the switch you should avoid re-...
At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration. To Configure Local Passwords. You can configure both the Operator and Manager password with one command.
Figure 6-5. Example of Configuring Local Passwords 2. Generate the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.
Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be "permanent";...
If you wish to compare the switch key to the key as stored in your client's known-hosts file, note that the formatting and comments need not match. For version 1 keys, the three numeric values bit size, exponent <e>, and modulus...
(laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one blank space each: Bit Size Exponent <e>...
Figure 6-9. Example of a Switch Public Key Edited To Include the Switch’s IP Address For more on this topic, refer to the documentation provided with your SSH client application. Displaying the Public Key. The switch provides three options for displaying its public key.
(host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host” file. The switch has only one RSA host key. The 'babble' and 'fingerprint' options produce two hashes...
See the following Note.) Note When an SSH client connects to the switch for the first time, it is possible for a "man-in-the-middle" attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords controlling access to the switch.
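The comparison described above can be scripted, as an added example that is not from the guide: the switch's displayed key is parsed into its three numeric values, the client's known-hosts entry (which carries the switch address in front, as in figure 6-9, and may end with a comment) is parsed the same way, and only the numbers are compared. The function names, the sample address and the sample modulus are constructed for this example.

```python
"""Compare a switch's displayed public host key with a client's known-hosts
entry.  Added example, not from the ProCurve guide.  Assumes the three-field
layout the guide describes, '<bit size> <exponent e> <modulus n>', and a
known-hosts line of the form '<host> <bit size> <e> <n> [comment]'."""

from dataclasses import dataclass


@dataclass(frozen=True)
class HostKey:
    bits: int
    e: int
    n: int


def parse_switch_key(text):
    """Parse the key as the switch displays it: 'bits e n [comment]'."""
    fields = text.split()
    if len(fields) < 3:
        raise ValueError("expected at least three fields: bits, e, n")
    bits, e, n = (int(f) for f in fields[:3])
    # Sanity check: the advertised bit size must match the modulus length.
    if n.bit_length() != bits:
        raise ValueError(
            f"bit size {bits} does not match modulus length {n.bit_length()}")
    return HostKey(bits, e, n)


def parse_known_hosts_line(line):
    """Parse 'host bits e n [comment]' into (host, HostKey)."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        raise ValueError("expected '<host> <key>'")
    host, key_text = parts
    return host, parse_switch_key(key_text)


def known_hosts_line(switch_address, switch_key_text):
    """Build the client's known-hosts line: the switch's key with its
    address inserted in front (the edit shown in figure 6-9)."""
    key = parse_switch_key(switch_key_text)
    return f"{switch_address} {key.bits} {key.e} {key.n}"


def keys_match(switch_key_text, known_hosts_entry):
    """True when the three numeric values agree.  Formatting, the host
    field and comments are ignored, as the guide says they need not match."""
    _, stored = parse_known_hosts_line(known_hosts_entry)
    return parse_switch_key(switch_key_text) == stored


# Constructed sample data (not a real switch key): an 896-bit modulus, which
# is the host-key size the guide states, with a small exponent.
SAMPLE_MODULUS = (1 << 895) | 1
SAMPLE_SWITCH_KEY = f"896 35 {SAMPLE_MODULUS}"
SAMPLE_KNOWN_HOSTS_ENTRY = f"192.0.2.10 {SAMPLE_SWITCH_KEY} procurve-switch"

if __name__ == "__main__":
    print(known_hosts_line("192.0.2.10", SAMPLE_SWITCH_KEY)[:40], "...")
    print("match:", keys_match(SAMPLE_SWITCH_KEY, SAMPLE_KNOWN_HOSTS_ENTRY))
```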
The ip ssh key-size command affects only a per-session, internal server key the switch creates, uses, and discards. This key is not accessible from the user interface. The switch’s public (host) key is a separate, accessible key that is always 896 bits.
Telnet, SNMP, or the serial port. While web and Telnet access can be restricted by the use of passwords local to the switch, if you are unsure of the security this provides, you may want to disable web-based and/or Telnet access (no web-management and no telnet).
This option requires the additional step of copying a client public-key file from a TFTP server into the switch. This means that before you can use this option, you must: Create a key pair on an SSH client.
For example, assume that you have a client public-key file named Client-Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch. For SSH access to the switch you want to allow only clients having a private key that matches a public key found in Client-Keys.pub. For Manager-...
6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems" in the Troubleshooting chapter of the Management and Configuration Guide for your switch.
SSH. That is, if you use this feature, only the clients whose public keys are in the client public-key file you store on the switch will have SSH access to the switch over the network.
Using client public-key authentication requires these steps: Generate a public/private key pair for each client you want to have SSH access to the switch. This can be a separate key for each client or the same key copied to several clients.
<CR><LF>. Spaces are allowed within the key to delimit the key’s components. Note that, unlike the use of the switch’s public key in an SSH client application, the format of a client-public-key used by the switch does not include the client’s IP address.
Figure 6-15. Example of Copying and Displaying a Client Public-Key File Containing Two Client Public Keys Replacing or Clearing the Public Key File. The client public-key file remains in the switch’s flash memory even if you erase the startup-config file, reset the switch, or reboot the switch.
■ If an SSH client’s public key matches the switch’s client-public-key file, allow that client access to the switch. If there is not a public-key match, then deny access to that client. ■ If an SSH client’s public key does not have a match in the switch’s...
TCP port. Use the default or select another port number. See “Note on Port Number” on page 6-17. The client key does not exist in the switch. Use copy tftp to download the key from a TFTP server. The public key file you are trying to download has one of the following problems: •...
After you execute the crypto key generate ssh [rsa] command, the switch displays this message while it is generating the key. The switch’s key is missing or corrupt. Use the crypto key generate ssh [rsa] command to generate a new key for the switch.
Authentication. This option is a subset of full certificate authentication of the user and host. It occurs only if the switch has SSL enabled. As in figure 7-1, the switch authenticates itself to an SSL-enabled web browser. Users on SSL...
■ SSL Server: A ProCurve switch with SSL enabled. ■ Key Pair: Public/private pair of RSA keys generated by the switch, of which the public portion makes up part of the server host certificate and the private portion is stored in switch flash (not user accessible).
■ switch (web interface or CLI command: crypto key generate cert [key size]), (2) a certificate has been generated on the switch (web interface or CLI command: crypto host-cert generate self-signed [arg-list]) and (3) SSL is enabled (web interface or CLI command: web-management ssl).
Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the computer(s) you use for management access to the switch. Steps for Configuring and Using SSL for...
General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re-generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all management stations (clients) you previously set up for SSL access to the switch.
Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration. Configuring Secure Socket Layer (SSL)
Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface refer to the chapter titled “Using the Web Browser Interface”...
SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.)
To generate a host certificate from the CLI: Note: If a certificate key pair is already present in the switch, it is not necessary to generate a new key pair when generating a new certificate. The existing key pair may be re-used and the crypto key generate cert command does not have...
State name Country code For example, to generate a key and a new host certificate: Figure 7-3. Example of Generating a Self-Signed Server Host certificate on the CLI for the Switch. Certificate Field Descriptions Description This should be the date you desire to begin using the SSL functionality.
SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation.
Fill in the remaining certificate arguments. (Refer to “Comments on Certificate Fields” on page 7-11.) vi. Click on the [Apply Changes] button to generate the new certificate and key, if selected.
For example, to generate a new host certificate via the web browser interface: Figure 7-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface:...
This section describes how to install a CA-Signed server host certificate from the web browser interface. (For more information on how to access the web browser interface, refer to the chapter titled “Using the Web Browser Interface” in the Management and Configuration Guide for your switch.)
The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority. The second phase is the actual submission process...
Browser Contact Behavior The web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients. After you enable SSL, the switch can authenticate itself to SSL enabled browsers. The no web-management ssl command is used to disable SSL on the switch.
Note When an SSL client connects to the switch for the first time, it is possible for a “man-in-the-middle” attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords controlling access to the switch.
Generate a Host certificate if you have not already done so. (Refer to “2. Generate the Switch’s Server Host Certificate” on page 7-9.) Execute the web-management ssl command. To disable SSL on the switch, do either of the following: Execute no web-management ssl. ■...
TCP port for SSL connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http). Some other reserved TCP ports on the switch are 49, 80, 1506, and 1513.
You may be using a reserved TCP port. (Refer to “Note on Port Number” on page 7-20.) You may not have SSL enabled (Refer to “3. Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior” on page 7-17.) Your browser may not support SSLv3 or TLSv1 or it may be disabled.
EAP or CHAP protocol. Provision for enabling clients that do not have 802.1X supplicant software to use the switch as a path for downloading the software and initiating the authentication process (802.1X Open VLAN mode). Supplicant implementation using CHAP authentication and independent username and password configuration on each port.
(Refer to “802.1X Open VLAN Mode” on page 8-21.) Authenticating One Switch to Another. 802.1X authentication also enables the switch to operate as a supplicant when connected to a port on another switch running 802.1X authentication.
Configuring Port-Based Access Control (802.1X) Figure 8-1. Example of an 802.1X Application (Switch Running 802.1X and Connected as a Supplicant) Accounting. The switch also provides RADIUS Network accounting for 802.1X access. Refer to “RADIUS Authentication and Accounting” on page 5-1.
If you then connect an 802.1X-aware client (supplicant) to the port and attempt to log on: When the switch detects the client on the port, it blocks access to the LAN from that port. The switch responds with an identity request.
802.1X Supplicant Figure 8-2. Example of Supplicant Operation When port A1 on switch “A” is first connected to a port on switch “B”, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch “B”.
Note You can configure a switch port to operate as both a supplicant and an authenticator at the same time. Terminology 802.1X-Aware: Refers to a device that is running either 802.1X authenticator software or 802.1X client software and is capable of interacting with other devices on the basis of the IEEE 802.1X standard.
PVID (Port VID): This is the VLAN ID for the untagged VLAN to which an 802.1X port belongs. Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan < vid > command or the Menu interface.
General Operating Rules and Notes ... member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN.
■ If a client already has access to a switch port when you configure the port for 802.1X authenticator operation, the port will block the client from further network access until it can be authenticated. ■ On a port configured for 802.1X with RADIUS authentication, if the RADIUS server specifies a VLAN for the supplicant and the port is a trunk member, the port will be blocked.
Do These Steps Before You Configure 802.1X Operation Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, ProCurve recommends that you use a local username and password pair at least until your other security measures are in place.)
On the ports you will use as authenticators, either accept the default 802.1X settings or change them, as necessary. Note that, by default, the port-control parameter is set to auto for all ports on the switch. This requires a client to support 802.1X authentication and to provide valid credentials to get network access.
802.1X port. See page 8-32. If you want a port on the switch to operate as a supplicant in a connection with a port operating as an 802.1X authenticator on another device, then configure the supplicant operation.
8-13 to activate 802.1X authentication on the switch.) Note When you enable 802.1X authentication on a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can configure it for 802.1X authentication.
To activate configured 802.1X operation, you must enable 802.1X authentication. Refer to “5. Enable 802.1X Authentication on the switch” on page 8-13. [control < authorized | auto | unauthorized >] Controls authentication mode on the specified port: authorized: Also termed Force Authorized.
Configuring Switch Ports as 802.1X Authenticators Sets the period of time the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out.
Configures an existing, static VLAN to be the Authorized-Client VLAN. Refer to “802.1X Open VLAN Mode” on page 8-21. aaa port-access authenticator < port-list > (Syntax Continued)
3. Configure the 802.1X Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator. Syntax: For example, to enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers: Figure 8-3.
4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, refer to “RADIUS Authentication and...
802.1X Open VLAN Mode 802.1X Open VLAN Mode Commands: [no] aaa port-access authenticator [e] < port-list > [auth-vid < vlan-id >] [unauth-vid < vlan-id >] This section describes how to use the 802.1X Open VLAN mode to configure unauthorized-client and authorized-client VLANs on ports configured as 802.1X authenticators.
You can apply the 802.1X Open VLAN mode in more than one way. Depending on your use, you will need to create one or two static VLANs on the switch for exclusive use by per-port 802.1X Open VLAN mode authentication: ■ Unauthorized-Client VLAN: Configure this VLAN when unauthen-...
Table 8-1. 802.1X Open VLAN Mode Options
802.1X Per-Port Configuration / Port Response
No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session.
Open VLAN mode with both of the following configured: Unauthorized-Client VLAN, Authorized-Client VLAN: ...
If the port is statically configured as an untagged member of another VLAN, the switch temporarily removes the port from membership in this other VLAN while membership in the Unauthorized-Client VLAN exists.
These must be configured on the switch before you configure an 802.1X authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.) If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment...
However, in this case, you can improve security between authenticator ports by using the switch’s Source-Port filter feature. For example, if you are using ports B1 and B2 as authenticator ports on the same Unauthorized-Client VLAN, you can configure a Source-Port filter on B1 to drop all packets from B2 and the reverse.
■ A client must either have a valid IP address configured before connecting to the switch, or download one through the Unauthorized- Client VLAN from a DHCP server. In the latter case, you will need to provide DHCP services on the Unauthorized-Client VLAN.
802.1X authenticators. (The RADIUS server should not be on the Unauthorized-Client VLAN.) Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges.
Note If you want to implement the optional port security feature on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. Then refer to “Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices”...
Configures ports A10 - A20 as 802.1X authenticator ports.
ProCurve(config)# radius-server host 10.28.127.101 key rad4all
Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101 and an encryption key of rad4all.
ProCurve(config)# aaa port-access authenticator e a10-a20 unauth-vid 80
Configures ports A10 - A20 to use VLAN 80 as the Unauthorized-Client VLAN.
■ While an Unauthorized-Client VLAN is in use on a port, the switch temporarily removes the port from any other statically configured VLAN for which that port is configured as a member. Note that the Menu interface will still display the port’s statically configured...
Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices ■ If an authenticated client loses authentication during a session in 802.1X Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN. If there is no Unauthorized-Client VLAN configured, then the client loses access to the port until it can reauthenticate itself.
Note on Blocking a Non-802... If the port’s 802.1X authenticator control mode is configured to authorized (as shown below, instead of auto), then the first source MAC address from any ...
You can configure a switch port to operate as a supplicant in a connection to a port on another 802.1X-aware switch to provide security on links between 802.1X-aware switches. (Note that a port can operate as both an authenticator and a supplicant.)
Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches When port A1 on switch “A” is first connected to a port on switch “B”, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch “B”.
Configuring a Supplicant Switch Port. Note that you must enable supplicant operation on a port before you can change the supplicant configuration.
aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [auth-timeout < 1 - 300 >] Sets the period of time the port waits to receive a challenge from the authenticator. If the request times...
802.1X authentication. The Authenticator Backend State in this data refers to the switch’s interaction with the authentication server. • With < port-list > only, same as above, but limits port status to only the specified port. Does not display data for a specified port that is not enabled as an authenticator.
Also, for each port, the “User” column lists the user name the supplicant included in its response packet. (For the switch, this is the identity setting included in the supplicant command—page 8-36.) Does not display data for a specified port that is not enabled as an authenticator.
Figure 8-5 shows an example of show port-access authenticator output, and table 8-1 describes the data that this command displays. Figure 8-6 shows related VLAN data that can help you to see how the switch is using statically configured VLANs to support 802.1X operation.
This is the default state for access control. Disconnected: No client is connected to the port. Authenticator Idle: The switch is not currently interacting with the RADIUS authentication server. Other Backend State values (Request, Response, Success, Fail, Timeout, and Initialize) may appear temporarily to indicate interaction with a RADIUS server.
Displaying 802.1X Configuration, Statistics, and Counters Status Indicator / Meaning Unauthorized VLAN < vlan-id >: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated port. 0: No unauthorized VLAN has been configured for the indicated port. <...
[[e] < port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port-list > ports configured on the switch as supplicants. The Supplicant State can include the following: Connecting - Starting authentication.
RADIUS application.) The static VLAN to which a RADIUS server assigns a client must already exist on the switch. If it does not exist or is a dynamic VLAN (created by GVRP), authentication fails. Also, for the session to proceed, the port must be an untagged member of the required VLAN.
For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Figure 8-7. Example of an Active VLAN Configuration In figure 8-7, if RADIUS authorizes an 802.1X client on port 2 with the requirement that the client use VLAN 22, then: ■...
How RADIUS/802.1X Authentication Affects VLAN Operation Figure 8-8. The Active Configuration for VLAN 22 Temporarily Changes for the 802.1X Session ■ With the preceding in mind, since (static) VLAN 33 is configured as untagged on port A2 (see figure 8-7), and since a port can be untagged on only one VLAN, port A2 loses access to VLAN 33 for the duration of the 802.1X session involving VLAN 22.
VLAN assignment causes the switch to disable a configured (untagged) static VLAN assignment on the port, then the disabled VLAN assignment is not advertised. When the 802.1X session ends, the switch: ■ Eliminates and ceases to advertise the temporary VLAN assignment.
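The VLAN rules above (the assigned VLAN must be an existing static VLAN, a trunk-member port is blocked, a port is untagged on only one VLAN at a time, and the static assignment returns when the session ends) can be captured in a small model, added here as an example that is not the switch's code; the class and method names are this example's own.

```python
"""Model of how a RADIUS-assigned VLAN changes a port's active VLAN
membership for an 802.1X session, following the rules the guide states.
Added example, not from the ProCurve guide; names are assumptions."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vlan:
    vid: int
    dynamic: bool = False                       # True for a GVRP-created VLAN
    untagged: set = field(default_factory=set)  # ports untagged on this VLAN


@dataclass
class Port:
    name: str
    trunk_member: bool = False
    static_untagged: Optional[int] = None  # VID from the static configuration
    session_vid: Optional[int] = None      # VID assigned for the current session


class Switch:
    def __init__(self, vlans, ports):
        self.vlans = {v.vid: v for v in vlans}
        self.ports = {p.name: p for p in ports}
        for p in ports:
            if p.static_untagged is not None:
                self.vlans[p.static_untagged].untagged.add(p.name)

    def start_session(self, port_name, assigned_vid):
        """Apply the RADIUS VLAN assignment for an authenticated client.

        Returns 'blocked' when the port is a trunk member, 'failed' when
        the VLAN does not exist or is dynamic (authentication fails), and
        'authenticated' when the port becomes an untagged member of it.
        """
        port = self.ports[port_name]
        if port.trunk_member:
            return "blocked"
        vlan = self.vlans.get(assigned_vid)
        if vlan is None or vlan.dynamic:
            return "failed"
        if port.static_untagged is not None:
            # A port is untagged on one VLAN only: the static untagged
            # membership is suspended for the duration of the session.
            self.vlans[port.static_untagged].untagged.discard(port_name)
        vlan.untagged.add(port_name)
        port.session_vid = assigned_vid
        return "authenticated"

    def end_session(self, port_name):
        """Remove the temporary assignment and restore the static VLAN."""
        port = self.ports[port_name]
        if port.session_vid is None:
            return
        self.vlans[port.session_vid].untagged.discard(port_name)
        port.session_vid = None
        if port.static_untagged is not None:
            self.vlans[port.static_untagged].untagged.add(port_name)

    def untagged_vlan_of(self, port_name):
        """The VLAN the port is currently untagged on (the active config)."""
        for v in self.vlans.values():
            if port_name in v.untagged:
                return v.vid
        return None


if __name__ == "__main__":
    # Constructed scenario matching figure 8-7: port A2 untagged on VLAN 33,
    # RADIUS assigns VLAN 22 for the session.
    sw = Switch([Vlan(22), Vlan(33)], [Port("A2", static_untagged=33)])
    print(sw.start_session("A2", 22), sw.untagged_vlan_of("A2"))
    sw.end_session("A2")
    print("restored:", sw.untagged_vlan_of("A2"))
```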
LACP configuration, displays a notice that LACP is disabled on the port(s), and enables 802.1X on that port. Also, the switch will not allow you to configure LACP on a port on which port access (802.1X) is enabled.
Configuring Port Security Using Port Security, you can configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch.
Guide for your switch.) Blocking Unauthorized Traffic Unless you configure the switch to disable a port on which a security violation is detected, the switch security measures block unauthorized traffic without disabling the port. This implementation enables you to apply the security...
Port security does not operate on either a static or dynamic trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch will reset the port security parameters for those ports to the factory-default configuration. (Ports configured for either Active or Passive LACP, and which are not members of a trunk, can be configured for port security.)
(For example, if you allow three devices on a given port, but specify only one MAC address for that port, do you want the switch to automatically accept the first two additional devices it detects, or not?) d.
Port Security Commands Used in This Section: show port-security; port-security < [ethernet] port-list > [clear-intrusion-flag]; no port-security. This section describes the CLI port security command and how the switch acquires and maintains authorized addresses. Note Use the global configuration level to execute port-security configuration commands.
Addresses learned this way appear in the switch and port address tables and age out according to MAC Age Interval tion screen of the Menu interface or the show system-...
MAC addresses it detects. Note: As of September, 2003, this option is available in the ProCurve Switch 2600 Series and the Switch 6108 running software release H.07.30 (or greater), and the ProCurve Switch 2800 Series. For availability in other switch products, refer to the latest release notes for such products on the ProCurve Networking website.
• Learn mode is set to learn-mode continuous and there is a MAC address change on a port.
none (the default): Prevents an SNMP trap from being sent.
send-alarm: Causes the switch to send an SNMP trap to a network management station.
send-disable: Available only with learn-mode configured and learn-mode static.
Learned MAC Addresses In the following two cases, a port in Static learn mode (learn-mode static) retains a learned MAC address even if you later reboot the switch or disable port security for that port: The port learns a MAC address after you configure the port with learn- ■...
With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the specified ports on a switch. The following example lists the full port security configuration for a single port:
Figure 9-3.
Configuring and Monitoring Port Security
Port Security Command Options and Operation
The following command example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string:
ProCurve(config)# show port-security A1-A3,A6,A8
Configuring Port Security
Using the CLI, you can:...
If you manually configure authorized devices (MAC addresses) and/or an alarm action on a port, those settings remain unless you either manually change them or reset the switch to its factory-default configuration. You can “turn off” device authorization on a port by configuring the port to continuous Learn Mode, but subsequently reconfiguring the port to static Learn Mode restores the configured device authorization.
Although the Address Limit is set to 2, only one device has been authorized for this port. In this case you can add another without having to also increase the Address Limit.
If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port’s current Address Limit setting), then you must increase the Address Limit in order to add the device, even if you want to replace one device with another.
Address Limit value by 1, then remove the unwanted device.
Note When you have configured the switch for learn-mode static operation, you can reduce the address limit below the number of currently authorized addresses on a port. This enables you to subsequently remove a device from the “Authorized”...
Syntax: [no] static-mac < mac-addr > vlan < vid > interface < port-number >
You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID), the switch inserts a VID of “1”.
They can send, but will not receive data if that data must go through the locked down switch. Please note that if the device moves to a distant part of the network where data sent to its MAC address never goes through the locked down switch, it may be possible for the device to have full two-way communication.
MAC addresses and which ports they are allowed to use (only one port per MAC Address on the same switch in the case of MAC Lockdown). (You can still use the port for other MAC addresses, but you cannot use the locked down MAC address on other ports.)
Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
As we have seen, MAC Lockdown can help prevent this type of hijacking by making sure that all traffic to a specific MAC address goes only to the proper port on a switch which is supposed to be connected to the real device bearing that MAC address.
This means each switch has only one path by which data can travel to Server A. You can use MAC Lockdown to specify that all traffic intended for Server A’s MAC Address must...
Using MAC Lockdown still does not protect against a hijacker within the core! In order to protect against someone spoofing the MAC Address for Server A inside the Core Network, you would have to lock down each and every switch inside the Core Network as well, not just on the edge.
Figure 9-10. Connectivity Problems Using MAC Lockdown with Multiple Paths The resultant connectivity issues would prevent you from locking down Server A to Switch 1. And when you remove the MAC Lockdown from Switch 1 (to prevent broadcast storms or other connectivity issues), you then open the network to security problems.
You can think of MAC Lockout as a simple blacklist. The MAC address is locked out on the switch and on all VLANs. No data goes out or in from the blacklisted MAC address to a switch using MAC Lockout.
If a particular MAC address can be identified as unwanted on the switch then that MAC Address can be disallowed on all ports on that switch with a single command. You don’t have to configure every single port—just perform the command on the switch and it is effective for all ports.
MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in conjunction with port-security. You can use MAC Lockout to lock out a single address—deny access to a specific...
Defines the subnet and related IP addresses allowed for incoming traffic on the port. The following example prevents traffic from all IP addresses other than those specified in subnet 192.168.0.1/24 from entering the switch on interface 1.
ProCurve Switch 2626 (config) # interface 1
ProCurve Switch 2626 (eth-1) # ip-lockdown 192.168.0.1/24...
Alert Flags Notice of Security Violations When the switch detects an intrusion on a port, it sets an “alert flag” for that port and makes the intrusion information available as described below. While the switch can detect additional intrusions for the same port, it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset.
• How the Intrusion Log Operates
When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log. No further intrusion attempts on that port will appear in the Log until you acknowledge the earlier intrusion event by resetting the alert flag.
Send-Disable Operation
On a given port, if the intrusion action is to send an SNMP trap and then disable the port (send-disable), and then an intruder is detected on the port, the switch sends an SNMP trap, sets the port’s alert flag, and disables the port.
A1, the alert flag for the intrusion on port A1 has already been reset. Since the switch can show only one uncleared intrusion per port, the older intrusion for port A3 in this example has also been previously reset.
Note also that the “prior to” text in the record for the earliest intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset. To acknowledge the most recent intrusion entry on port A3 and enable...
“Operating Notes for Port Security” on page 9-37.)
Syntax: show interfaces brief
In the following example, executing show interfaces brief lists the switch’s port status, which indicates an intrusion alert on port A1.
Figure 9-16. Example of an Unacknowledged Intrusion Alert in a Port Status Display
If you wanted to see the details of the intrusion, you would then enter the show port-security intrusion-log command.
20 intrusion records, and deletes intrusion records only when the log becomes full and new intrusions are subsequently added.) The “prior to” text in the record for the third intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.
Next page and Prev page to review the Event Log contents. For More Event Log Information. See “Using the Event Log To Identify Problem Sources” in the “Troubleshooting” chapter of the Management and Configuration Guide for your switch. Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags Check the Alert Log by clicking on the Status tab and the If there is a “Security Violation”...
MAC address, and not your PC or workstation MAC address, and interprets your connection as unauthorized. “Prior To” Entries in the Intrusion Log. If you reset the switch (using the Reset button, Device Reset, or Reboot Switch), the Intrusion Log will list the time of all currently logged intrusions as “prior to”...
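The following model of the Intrusion Log and alert-flag rules described above is an added example, not code from the guide or the switch firmware; port names, MAC addresses and times are constructed sample values, and the behaviour of alert flags across a reset is an assumption the guide does not state.

```python
"""Model of the ProCurve Intrusion Log and alert-flag behaviour (added example).

Documented rules reproduced here: a port whose alert flag is still set gets no
new log entry, the log keeps 20 records and drops the oldest only when full,
and a switch reset lists every logged time as "prior to" the reset.
"""
from collections import deque
from dataclasses import dataclass

LOG_CAPACITY = 20  # record count stated in the guide


@dataclass
class IntrusionRecord:
    port: str
    mac: str
    when: str  # becomes "prior to <reset time>" after a switch reset


class IntrusionLog:
    def __init__(self):
        self.records = deque()    # oldest record first
        self.alert_flags = set()  # ports with an unacknowledged intrusion

    def intrusion(self, port, mac, when):
        """Return True if the event was logged, False if the switch suppressed it."""
        if port in self.alert_flags:
            # Alert flag still set: the next intrusion on this port is not listed
            # until the flag is reset, so it is invisible to anyone reading the log.
            return False
        self.alert_flags.add(port)
        if len(self.records) >= LOG_CAPACITY:
            self.records.popleft()  # oldest record deleted only when the log is full
        self.records.append(IntrusionRecord(port, mac, when))
        return True

    def clear_intrusion_flag(self, port):
        """Equivalent of 'port-security <port> clear-intrusion-flag'."""
        self.alert_flags.discard(port)

    def reset_switch(self, reset_time):
        """Existing entries are listed as 'prior to' the reset. The guide does not say
        what happens to alert flags, so this model leaves them untouched (assumption)."""
        for rec in self.records:
            if not rec.when.startswith("prior to"):
                rec.when = f"prior to {reset_time}"


def demo():
    """Constructed sequence: the second intrusion on A1 is suppressed until the flag is cleared."""
    log = IntrusionLog()
    seen = [log.intrusion("A1", "0800092a1b3c", "10:02"),
            log.intrusion("A1", "0800092a1b3d", "10:03")]
    log.clear_intrusion_flag("A1")
    seen.append(log.intrusion("A1", "0800092a1b3d", "10:04"))
    return seen  # [True, False, True]
```

The suppressed second event is the operational point: a monitoring script that polls the intrusion log must also clear flags, or it will only ever see the first intruder per port.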
2 LACP has been disabled on secured port(s).
ProCurve(config)#
The switch will not allow you to configure LACP on a port on which port security is enabled. For example:
ProCurve(config)# int e a17 lacp passive
Error configuring port A17: LACP and port security cannot be run together.
Refer to “Configuring a Filter on a Port Trunk” on page 10-6. When you create a source port filter, all ports or port trunks on the switch appear as destinations on the list for that filter. The switch automatically forwards traffic to the ports and/or trunks you do not specifically configure to drop traffic.
IP addresses configured on the same VLAN (multinetting), and routing is enabled on the switch, then a single port or trunk can be both the source and destination of packets moving between subnets in that same VLAN. In this...
Creates or deletes the source port filter assigned to < source-port-number >. If you create a source-port filter without specifying a drop or forward action, the switch automatically creates a filter with a forward action from the designated source to all destinations on the switch.
For example, if you create a filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following:
Figure 10-3. Example of Switch Response to Adding a Filtered Source Port to a Trunk
IDX: An automatically assigned index number used to identify the filter for a detailed information listing. A filter retains its assigned IDX number for as long as the filter exists in the switch. The switch assigns the lowest available IDX number to a new filter. This can result in a newer filter having a lower IDX number than an older filter if a previous (source-port) filter deletion created a gap in the filter listing.
Figure 10-4. Example of Listing Filters and the Details of a Specific Filter
Filter Indexing
The switch automatically assigns each new source-port filter to the lowest-available index (IDX) number. If there are no filters currently configured, and you create three filters in succession, they will have index numbers 1 - 3.
Using Source-Port Filters Editing a Source-Port Filter The switch includes in one filter the action(s) for all destination ports and/or trunks configured for a given source port. Thus, if a source-port filter already exists and you want to change the currently configured action for some destination ports or trunks, use the filter source-port command to update the existing filter.
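The following model of source-port filter creation, IDX assignment and editing is an added example that is not the switch's code; the port numbers are constructed for a 26-port switch, and the "web-only" helper mirrors the named filter defined later in this chapter (drop everything except destination ports 1 and 2).

```python
"""Model of ProCurve source-port filter indexing and editing (added example).

Documented rules reproduced here: a new filter forwards to every destination unless
told otherwise, a second command for the same source port edits the existing filter
rather than creating another, and a new filter takes the lowest free IDX, so a gap
left by a deletion is reused by a newer filter.
"""
PORTS = range(1, 27)  # constructed: a 26-port switch


class SourcePortFilters:
    def __init__(self):
        self.filters = {}  # idx -> {"source": port, "actions": {dest: "forward" | "drop"}}

    def _idx_for(self, source):
        for idx, f in self.filters.items():
            if f["source"] == source:
                return idx
        return None

    def filter_source_port(self, source, drop=(), forward=()):
        """'filter source-port <source> [drop|forward <dest-list>]'; returns the filter's IDX."""
        idx = self._idx_for(source)
        if idx is None:
            idx = 1
            while idx in self.filters:  # lowest available index, reusing any gap
                idx += 1
            self.filters[idx] = {"source": source,
                                 "actions": {d: "forward" for d in PORTS if d != source}}
        actions = self.filters[idx]["actions"]
        for d in drop:
            actions[d] = "drop"
        for d in forward:
            actions[d] = "forward"
        return idx

    def no_filter_source_port(self, source):
        """'no filter source-port <source>' deletes the filter and frees its IDX."""
        idx = self._idx_for(source)
        if idx is not None:
            del self.filters[idx]

    def forwards(self, source, dest):
        """True if a frame entering on source is forwarded to dest."""
        idx = self._idx_for(source)
        if idx is None:
            return True  # no filter on this source port: normal forwarding
        return self.filters[idx]["actions"].get(dest, "forward") == "forward"


def web_only(filters, source):
    """Unnamed equivalent of the chapter's 'web-only' filter: drop all but ports 1 and 2."""
    return filters.filter_source_port(source, drop=[d for d in PORTS if d not in (1, 2, source)])


def demo():
    """Constructed sequence showing IDX reuse: ports 5, 6, 7 take IDX 1-3; delete 6; port 9 takes IDX 2."""
    f = SourcePortFilters()
    first = [f.filter_source_port(p) for p in (5, 6, 7)]
    f.no_filter_source_port(6)
    return first + [f.filter_source_port(9)]  # [1, 2, 3, 2]
```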
This can make it easier to configure and manage source-port filters on your switch. The commands to define, configure, apply, and display the status of named source-port filters are described below.
For example, on a 26-port switch, to configure the named source-port filter web-only to drop any traffic except that for destination ports 1 and 2, the...
A company wants to manage traffic to the Internet and its accounting server on a 26-port switch. Their network is pictured in Figure 6. Switch port 1 connects to a router that provides connectivity to a WAN and the Internet.
ProCurve Switch 2626(config)#
Applying Example Named Source-Port Filters. Once the named source-port filters have been defined and configured, we now apply them to the switch ports.
ProCurve(config)# filter source-port 2-6,8,9,12-26 named-filter web-only
ProCurve(config)# filter source-port 7,10,11 named-filter accounting
ProCurve(config)# filter source-port 1 named-filter no-incoming-web
ProCurve(config)#
The show filter command shows what ports have filters applied.
Using the IDX value in the show filter command, we can see how traffic is filtered on a specific port (Value). The two outputs below show a non-accounting and an accounting switch port.
ProCurve(config)# show filter 4
Traffic/Security Filters
Filter Type : Source Port...
1. Accounting Workstations may only send traffic to the Accounting Server.
2. No Internet traffic may be sent to the Accounting Server or Workstations.
3. All other switch ports may only send traffic to Port 1.
(Figure labels: Accounting Workstation 1, Accounting Workstation 2...)
ProCurve(config)# We next apply the updated named source-port filters to the appropriate switch ports. As a port can only have one source-port filter (named or not named), before applying the new named source-port filters we first remove the existing source-port filters on the port.
Notes The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network. This covers access through the following means: Also, when configured in the switch, the Authorized IP Managers feature takes precedence over local passwords, TACACS+, RADIUS, Port-Based Access Control (802.1X), and Port Security.
Console (RS-232) port. Also, if an authorized station "spoofs" an authorized IP address, it can gain management access to the switch even though a duplicate IP address condition exists. For these reasons, you should enhance your network’s security by keeping...
Authorized Manager IP value, specify an IP Mask, and select either Manager or Operator for the Access Level. The IP Mask determines how the Authorized Manager IP value is used to allow or deny access to the switch by a management station.
Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch. This mask serves a different purpose than IP subnet masks and is applied in a different manner. Menu: Viewing and Configuring IP Authorized...
<ip-address> <ip-mask-bits> [access <operator | manager>]
Listing the Switch’s Current Authorized IP Manager(s)
Use the show ip authorized-managers command to list IP stations authorized to access the switch. For example:
Figure 11-3. Example of the Show IP Authorized-Manager Display
The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below:
IP Mask            Authorized Station IP Address
255.255.255.252    10.28.227.100 through 103
255.255.255.254    10.28.227.104 through 105
255.255.255.255    ...
ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager
If you omit the <mask bits> when adding a new authorized manager, the switch automatically uses 255.255.255.255 for the mask. If you do not specify either Manager or Operator access, the switch automatically assigns Manager access.
For web-based help on how to use the web browser interface screen, click on button provided on the web browser screen. Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network.
The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access. As described above, that...
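The following mask check is an added example, not the switch's own code: it applies the Authorized Manager IP mask the way the guide describes (a 1 bit must match, a 0 bit is ignored), which is why it expands 10.28.227.101 with mask 255.255.255.252 to the 10.28.227.100 through 103 range shown in Figure 11-3. The access levels and the extra 10.28.227.125 entry are constructed.

```python
"""Authorized IP Managers mask matching (added example, not switch code).

Because only the source IP is compared, this is an address filter, not
authentication; the guide's note on address spoofing applies to anything built on it.
"""
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def covered_addresses(manager_ip, mask):
    """Every station address an entry authorizes; works for non-contiguous masks too."""
    m = _to_int(mask)
    base = _to_int(manager_ip) & m          # mask is applied to the configured IP as well
    free_bits = [b for b in range(32) if not (m >> b) & 1]
    addrs = []
    for k in range(1 << len(free_bits)):     # enumerate every combination of the 0 bits
        addr = base
        for i, b in enumerate(free_bits):
            if (k >> i) & 1:
                addr |= 1 << b
        addrs.append(str(ipaddress.IPv4Address(addr)))
    return sorted(addrs, key=_to_int)


class AuthorizedManagers:
    def __init__(self):
        self.entries = []  # (manager_ip, mask, access) with addresses as integers

    def ip_authorized_managers(self, manager_ip, mask="255.255.255.255", access="manager"):
        """'ip authorized-managers <ip> [<mask>] [access operator|manager]'; defaults per the guide."""
        self.entries.append((_to_int(manager_ip), _to_int(mask), access))

    def access_for(self, station_ip):
        """Highest access level granted to a station, or None if it is not authorized."""
        s = _to_int(station_ip)
        levels = {acc for ip, m, acc in self.entries if (s & m) == (ip & m)}
        if "manager" in levels:
            return "manager"
        if "operator" in levels:
            return "operator"
        return None


def demo():
    """The command shown above plus two constructed entries, checked against sample stations."""
    am = AuthorizedManagers()
    am.ip_authorized_managers("10.28.227.101", "255.255.255.252", "manager")
    am.ip_authorized_managers("10.28.227.104", "255.255.255.254", "operator")
    am.ip_authorized_managers("10.28.227.125")  # default mask: exactly this one station
    return {ip: am.access_for(ip) for ip in
            ("10.28.227.100", "10.28.227.103", "10.28.227.105", "10.28.227.125", "10.28.227.106")}
```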
Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions” list in the web browser interface you are using on the authorized station.