RFC-2868 - RADIUS Attributes for Tunnel Protocol Support
RFC-2618 - RADIUS Authentication Client MIB
RFC-2866 - RADIUS Accounting
RFC-2620 - RADIUS Accounting Client MIB
2.5.3 TACACS+ Authentication
The HP ProCurve Switch 5300xl Series supports TACACS+ as an authentication means for switch
telnet or console port access. The switches support two levels of access: if the user/password
combination listed on the TACACS+ server is given a privilege level of 15 the user has Manager access
(read/write) to the switch. A privilege level of 14 or lower will restrict the user to Operator status (read
Backup TACACS+ servers can be configured providing multiple TACACS+ server access in case the
primary TACACS+ server is unavailable for any reason.
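The login behaviour described above, as an added example that is not HP's code and does not use any ProCurve CLI: a hypothetical Python model in which servers are tried in configured order, a backup is consulted only when the server before it is unreachable (a reject from a reachable server ends the attempt), and the privilege level returned selects Manager (15) or Operator (14 or lower) access. Server names, users and passwords are constructed.

```python
# Hypothetical model of TACACS+ login handling as the text describes it:
# servers are tried in configured order, a backup is consulted only when the
# one before it is unavailable, and the returned privilege level selects the
# switch access level (15 -> Manager, 14 or lower -> Operator).

MANAGER_PRIV = 15  # privilege level that grants Manager (read/write) access


class TacacsServer:
    """Stand-in for a TACACS+ server: a user table plus a reachability flag (constructed)."""

    def __init__(self, name, users, reachable=True):
        self.name = name
        self.users = users            # user -> (password, privilege level)
        self.reachable = reachable

    def authenticate(self, user, password):
        """Return the privilege level on success, None on a reject.

        Raises ConnectionError when the server cannot be reached, which is the
        only condition that should make the switch move on to a backup server.
        """
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return None
        return entry[1]


def switch_login(servers, user, password):
    """Resolve a telnet/console login against an ordered server list.

    Returns (access_level, server_name): access_level is 'manager', 'operator',
    'denied' (a reachable server rejected the credentials) or 'no-server'
    (every configured server was unreachable).
    """
    for server in servers:
        try:
            priv = server.authenticate(user, password)
        except ConnectionError:
            continue                  # server down: fall through to the next one
        if priv is None:
            return ("denied", server.name)   # a reject does not trigger failover
        level = "manager" if priv == MANAGER_PRIV else "operator"
        return (level, server.name)
    return ("no-server", None)


def demo():
    """Constructed scenarios covering failover and the two access levels."""
    users = {"alice": ("s3cret", 15), "bob": ("pa55", 14)}
    primary = TacacsServer("primary", users, reachable=False)
    backup = TacacsServer("backup", users)
    return {
        "failover_manager": switch_login([primary, backup], "alice", "s3cret"),
        "failover_operator": switch_login([primary, backup], "bob", "pa55"),
        "reject_no_failover": switch_login([backup, primary], "alice", "wrong"),
        "all_down": switch_login([primary], "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The distinction the model makes explicit is that only an unreachable server causes the switch to move on; a bad password answered by a reachable server is a final denial, so an attacker cannot force failover simply by guessing wrong.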
2.5.4 Port Security - MAC Lockdown
The 802.1x standard provides logical security to the network based on the identity of the user. There are many times,
however, when physical access limitations are desired. The Port Security - MAC Lockdown feature
limits physical access to a particular port on the switch by one of two methods: a particular list of MAC
addresses (up to 8 addresses per port can be configured), or to the first MAC address the switch sees
on that port. While this solution doesn't help with a switch port that legitimately sees a large number of
MAC addresses, such as in a conference room, it does provide security to a port used by a shared PC or
dedicated PC by locking out other PCs that try to access the switch port, even when the port is
network enabled through 802.1x.
The Port Security feature can be set to send an SNMP trap to a management station when such a
violation occurs. It can also be set to completely disable the switch port (requiring the network
manager to re-enable the port before use), a feature for use in high security environments, or an
environment subject to potential hacking, such as a college dorm room.
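The two lockdown methods and the two violation responses, as an added example that is not HP's code: a hypothetical Python model of one port that either holds a static list of up to 8 addresses or locks to the first address it sees, records an SNMP trap on a violation, and optionally disables itself until an administrator re-enables it. Port names and MAC addresses are constructed.

```python
# Hypothetical model of one switch port under Port Security - MAC Lockdown as the
# text describes it: a static list of up to 8 MAC addresses, or lock to the first
# address seen; a violation can raise an SNMP trap and/or disable the port until
# an administrator re-enables it.

MAX_STATIC_MACS = 8  # per-port limit stated in the text


class PortSecurity:
    def __init__(self, mode, allowed=(), send_trap=True, disable_on_violation=False):
        if mode not in ("static", "first-learn"):
            raise ValueError(f"unknown mode {mode!r}")
        allowed = {mac.lower() for mac in allowed}
        if mode == "static" and len(allowed) > MAX_STATIC_MACS:
            raise ValueError(f"at most {MAX_STATIC_MACS} addresses per port")
        self.mode = mode
        self.allowed = allowed
        self.send_trap = send_trap
        self.disable_on_violation = disable_on_violation
        self.enabled = True
        self.traps = []              # trap messages that would go to the management station

    def ingress(self, mac, port="A1"):
        """Classify a frame with source address mac: 'forward', 'drop' or 'disabled'."""
        mac = mac.lower()
        if not self.enabled:
            return "disabled"        # stays down until admin_enable(), whoever sends
        if self.mode == "first-learn" and not self.allowed:
            self.allowed.add(mac)    # the first address seen owns the port from now on
        if mac in self.allowed:
            return "forward"
        if self.send_trap:
            self.traps.append(f"port {port}: intruder {mac}")
        if self.disable_on_violation:
            self.enabled = False
            return "disabled"
        return "drop"

    def admin_enable(self):
        """Network manager re-enables a port that was shut down by a violation."""
        self.enabled = True


def demo():
    """Constructed scenarios: a shared-PC port with a static list, a dorm port on first-learn."""
    out = {}
    shared_pc = PortSecurity("static", ["00:11:22:33:44:55"])
    out["static_ok"] = shared_pc.ingress("00:11:22:33:44:55")
    out["static_intruder"] = shared_pc.ingress("AA:BB:CC:DD:EE:FF")
    out["static_traps"] = len(shared_pc.traps)
    try:
        PortSecurity("static", [f"00:00:00:00:00:{i:02x}" for i in range(9)])
        out["ninth_mac"] = "accepted"
    except ValueError:
        out["ninth_mac"] = "rejected"
    dorm = PortSecurity("first-learn", disable_on_violation=True)
    out["first_learn"] = (dorm.ingress("00:aa:00:aa:00:aa"), dorm.ingress("00:aa:00:aa:00:aa"))
    out["first_learn_intruder"] = dorm.ingress("00:bb:00:bb:00:bb")
    out["owner_while_disabled"] = dorm.ingress("00:aa:00:aa:00:aa")
    dorm.admin_enable()
    out["owner_after_reenable"] = dorm.ingress("00:aa:00:aa:00:aa")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The disable-on-violation path shows the operational cost the text alludes to: once a violation shuts the port, the legitimate machine is locked out as well until the network manager re-enables it, which is why that setting suits high-security environments rather than general use.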
2.5.5 Secure Shell – SSHv2
Secure Shell is an application very similar to telnet except that it encrypts the dialog so that in-band
CLI sessions can be kept private over the network. Encryption is done through the use of public/private
key pairs, one pair for host authentication and one pair for each SSH session that is initiated.
The host key pair is used to authenticate the SSH client and switch to each other. The host key pair is
stored in flash, so it is not lost on reboot, power-cycle or by clearing the config file. Although not
necessary or recommended, a new host key pair can be generated through the CLI.
The session key pair is used to authenticate the SSH session. A new key pair is used for each SSH
session. Keys are kept in RAM and are lost on power-cycle or reboot. When the HP ProCurve
Switch 5300xl Series is rebooted, new session key pairs are generated. With a key pair taking about 12
seconds to generate, 10 keys are generated on boot up and placed in a cache to prevent delays when
starting up SSH sessions rapidly in succession. Filling this key cache takes about 2 minutes and is CPU
intensive. To keep this process from affecting other switch functions, it is designated low priority for
the CPU. Because the CPU is doing many things at boot up, key pair generation doesn't start until
about one minute after boot up. This means that an SSH session, waiting for the first session key pair
generation, cannot be established until a little over a minute after boot up.
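The boot-time key cache described above, as an added example that is not HP's code: a hypothetical Python simulation using the figures the text gives (generation starts about 60 seconds after boot, one key pair per 12 seconds, a cache of 10) to show when SSH session requests actually get a key pair. The scheduling model (generator pauses when the cache is full, resumes when a key is consumed, a request on an empty cache waits for the next key) is an assumption; request times are constructed.

```python
from collections import deque

# Figures from the text; the scheduling model around them is an assumption.
KEYGEN_START = 60     # seconds after boot before session key generation begins
KEYGEN_SECONDS = 12   # time to generate one session key pair
CACHE_SIZE = 10       # pre-generated key pairs held in RAM


def first_session_possible(keygen_start=KEYGEN_START, keygen_seconds=KEYGEN_SECONDS):
    """Earliest time after boot at which an SSH session can obtain a key pair."""
    return keygen_start + keygen_seconds


def cache_full_at(keygen_start=KEYGEN_START, keygen_seconds=KEYGEN_SECONDS,
                  cache_size=CACHE_SIZE):
    """Time after boot at which the cache is full, if no session draws from it."""
    return keygen_start + cache_size * keygen_seconds


def simulate_session_keys(request_times, keygen_start=KEYGEN_START,
                          keygen_seconds=KEYGEN_SECONDS, cache_size=CACHE_SIZE):
    """For each SSH session request (seconds after boot) return when it got a key pair.

    The generator produces one key pair every keygen_seconds, pauses when the cache
    is full and resumes as soon as a cached key is handed out. A request that finds
    the cache empty waits for the next key to complete. Results are in request order.
    """
    if cache_size < 1:
        raise ValueError("cache_size must be at least 1")
    order = sorted((t, i) for i, t in enumerate(request_times))
    results = [None] * len(request_times)
    waiting = deque()            # requests queued on an empty cache
    cached = 0
    generating = True
    key_done = keygen_start + keygen_seconds   # completion time of the key in progress
    pos = 0
    while pos < len(order) or waiting:
        next_req = order[pos][0] if pos < len(order) else float("inf")
        if generating and key_done <= next_req:
            now = key_done                      # a key pair just finished
            if waiting:
                results[waiting.popleft()] = now   # hand it straight to a waiter
            else:
                cached += 1
            if cached < cache_size:
                key_done = now + keygen_seconds
            else:
                generating = False              # cache full: stop using CPU
        else:
            now, idx = order[pos]
            pos += 1
            if cached > 0:
                cached -= 1
                results[idx] = now              # served immediately from cache
                if not generating:              # cache no longer full: refill
                    generating = True
                    key_done = now + keygen_seconds
            else:
                waiting.append(idx)
    return results


def demo():
    """Constructed scenarios: requests soon after boot, and a burst after the cache is full."""
    return {
        "early_requests": simulate_session_keys([30, 100, 101, 102]),
        "burst_after_fill": simulate_session_keys([300] * 11),
    }


if __name__ == "__main__":
    print("first session possible at", first_session_possible(), "s")
    print("cache full at", cache_full_at(), "s")
    for name, times in demo().items():
        print(f"{name}: {times}")
```

Under these assumptions a session requested 30 seconds after boot is held until the first key pair completes at 72 seconds, which matches the "a little over a minute" in the text, the cache is full at 180 seconds, and a burst of 11 sessions against a full cache serves 10 immediately while the eleventh waits one generation interval.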
The HP ProCurve Switch 5300xl Series supports both SSHv1 and SSHv2 clients. SSHv2 provides an
additional level of security in that the public key negotiation is accomplished via a Diffie-Hellman
exchange, which SSHv1 does not perform.
© Hewlett-Packard Co. 2002, 2003
HP ProCurve Switch 5300xl Series Reviewer's Guide
Rev 1.1 – 2/11/2003
Page 22 of 35