HP Q.11. (2510-24) Access Security Manual

Procurve 2510 series
Access Security Guide
2510 ProCurve Switches
Q.11. (2510-24)
U.11. (2510-48)
www.procurve.com


Summary of Contents for HP Q.11. (2510-24)

  • Page 1 Access Security Guide 2510 ProCurve Switches Q.11. (2510-24) U.11. (2510-48) www.procurve.com...
  • Page 3: Access Security Guide

    ProCurve Series 2510 Switches January 2008 Access Security Guide...
  • Page 4 (J9019B) Warranty (J9020A) See the Customer Support/Warranty booklet included with the product. A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.
  • Page 5: Table Of Contents

    About Your Switch Manual Set ........
  • Page 6 Configure the Switch for Web-Based Authentication ... . . 3-18 Configuring MAC Authentication on the Switch ....3-22 Overview .
  • Page 7 Terminology ........... 5-3 Switch Operating Rules for RADIUS ....... 5-4...
  • Page 8 Steps for Configuring and Using SSH for Switch and Client Authentication ......6-6 General Operating Rules and Notes .
  • Page 9 Steps for Configuring and Using SSL for Switch and Client Authentication ........7-5 General Operating Rules and Notes .
  • Page 10 4. Enter the RADIUS Host IP Address(es) ..... . 8-24 5. Enable 802.1X Authentication on the Switch ....8-24 6.
  • Page 11 9 Configuring and Monitoring Port Security Contents ............9-1 Overview .
  • Page 12 Building IP Masks ..........10-9 Configuring One Station Per Authorized Manager IP Entry .
  • Page 13: Product Documentation

    Product Documentation About Your Switch Manual Set The switch manual set includes the following: ■ Read Me First - a printed guide shipped with your switch. Provides software update information, product notes, and other information. ■ Installation and Getting Started Guide - a printed guide shipped with your switch.
  • Page 14: Feature Index

    Product Documentation Feature Index For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. Feature 802.1Q VLAN Tagging 802.1p Priority 802.1X Authentication Authorized IP Managers Config File...
  • Page 15 Feature LLDP MAC Address Management Monitoring and Analysis Multicast Filtering Network Management Applications (LLDP, SNMP) Passwords Ping Port Configuration Port Security Port Status Port Trunking (LACP) Port-Based Access Control Port-Based Priority (802.1Q) Quality of Service (QoS) RADIUS Authentication and Accounting Secure Copy SFTP SNMP...
  • Page 16 Product Documentation Feature Telnet Access TFTP Time Protocols (TimeP, SNTP) Troubleshooting VLANs Xmodem Management and Advanced Traffic Configuration Management Access Security Guide...
  • Page 17 Management Access Security Protection ......1-3 General Switch Traffic Security Guidelines ..... . 1-4 Conventions .
  • Page 18: Getting Started

    Getting Started Introduction Introduction This Access Security Guide describes how to use ProCurve’s switch security features to protect access to your switch. This guide is intended to support the following switches: ■ ProCurve Switch 2510-24 ■ ProCurve Switch 2510-48 For an overview of other product documentation for the above switches, refer to “Product Documentation”...
  • Page 19: Management Access Security Protection

    802.1X-aware device (supplicant) attempting to access the switch. Also enables the switch to operate as a supplicant for connections to other 802.1X-aware switches. ■ Port Security (page 9-1): Enables a switch port to maintain a unique...
  • Page 20: General Switch Traffic Security Guidelines

    Authorized IP Managers General Switch Traffic Security Guidelines Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port.
  • Page 21: Conventions

    Conventions This guide uses the following conventions for command syntax and displayed information. Command Syntax Statements Syntax: aaa port-access authenticator < port-list > [ control < authorized | auto | unauthorized >] ■ Vertical bars ( | ) separate alternative, mutually exclusive elements. ■...
  • Page 22: Command Prompts

    Getting Started Conventions Command Prompts In the default configuration, your switch displays the following CLI prompt: ProCurve Switch 2510-24# To simplify recognition, this guide uses ProCurve to represent command prompts for all models. For example: ProCurve# (You can use the hostname command to change the text in the CLI prompt.)
  • Page 23: Sources For More Information

    Sources for More Information For additional information about switch operation and features not covered in this guide, consult the following sources: ■ For information on which product manual to consult on a given software feature, refer to “Product Documentation” on page xi.
  • Page 24: Need Only A Quick Start

    Need Only a Quick Start? IP Addressing If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using multiple VLANs, ProCurve recommends that you use the Switch Setup screen to quickly configure IP addressing.
  • Page 25: To Set Up And Install The Switch In Your Network

    To Set Up and Install the Switch in Your Network Important! Use the Installation and Getting Started Guide shipped with your switch for the following: ■ Notes, cautions, and warnings related to installing and using the switch ■...
  • Page 26 Getting Started Need Only a Quick Start? 1-10...
  • Page 27: Contents

    Configuring Username and Password Security Contents Overview ............2-2 Configuring Local Password Security .
  • Page 28: Configuring Username And Password Security

    Access to the Status and Counters menu, the Event Log, and the CLI*, but no Configuration capabilities. On the Operator level, the configuration menus, Download OS, and Reboot Switch options in the Main Menu are not available. — — page 2-6...
  • Page 29 C a u ti o n If the switch has neither a Manager nor an Operator password, anyone having access to the switch through either Telnet, the serial port, or the web browser interface can access the switch with full manager privileges. Also, if you configure only an Operator password, entering the Operator pass- word enables full manager privileges.
  • Page 30: Configuring Local Password Security

    After you configure a password, if you subsequently start a new console session, you will be prompted to enter the password. (If you use the CLI or web browser interface to configure an optional username, the switch will prompt you for the username, and then the password.)
  • Page 31: Cli: Setting Passwords And Usernames

    If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
  • Page 32: Web: Setting Passwords And Usernames

    The effect of executing the command in figure 2-3 is to remove password protection from the Operator level. (This means that anyone who can access the switch console can gain Operator access without having to enter a username or password.)
  • Page 33: Front-Panel Security

    Passwords could easily be cleared by pressing the Clear button. Someone who has physical access to the switch may be able to erase the passwords (and possibly configure new passwords) and take control of the switch.
  • Page 34: Front-Panel Button Functions

    Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions The front panel of the switch includes the Reset button and the Clear button. Clear Button Reset Button Figure 2-4.
  • Page 35 Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.
  • Page 36: Configuring Front-Panel Security

    Release the Reset button and wait for about one second for the Self-Test LED to start flashing. When the Self-Test LED begins flashing, release the Clear button. This process restores the switch configuration to the factory default settings. Configuring Front-Panel Security Using the front-panel-security command from the global configuration context in the CLI you can: •...
  • Page 37 Enabled means that pressing the Reset button reboots the switch and also enables the Reset button to be used with the Clear button (page 2-9) to reset the switch to its factory-default configuration. (Default: Enabled.) Password Recovery: Shows whether the switch is configured with the ability to recover a lost password.
  • Page 38 Configuring Username and Password Security Front-Panel Security For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings. Figure 2-7. The Default Front-Panel Security Settings Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel...
  • Page 39 This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. • Specifies whether the switch reboots if the Clear button is pressed. To re-enable password-clear, you must also specify whether to enable or disable the reset-on-clear option.
  • Page 40 2-9 replaces the switch’s current startup-config file with the factory-default startup-config file, then reboots the switch, and removes local password protection. This means that anyone who has physical access to the switch could use this button combination to replace the switch’s current configu- ration with the factory-default configuration, and render the switch acces- sible without the need to input a username or password.
  • Page 41: Password Recovery

    Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and password on the switch. In this event, there is no way to recover from a lost manager username/password situation without resetting the switch to its factory-default configuration.
  • Page 42 If it is disabled, use the front-panel-security factory- reset command to enable it. Press and release the Clear button on the front panel of the switch. Within 60-seconds of pressing the Clear button, enter the following com- mand: Do one of the following after the “CAUTION”...
  • Page 43: Password Recovery Process

    To use the password-recovery option to recover a lost password: Note the switch’s base MAC address. It is shown on the label located on the upper right front corner of the switch. Contact your ProCurve Customer Care Center for further assistance.
  • Page 44 You cannot use the same “one-time-use” password if you lose the password a second time. Because the password algorithm is randomized based upon your switch's MAC address, the password will change as soon as you use the “one-time-use” password provided to you by the ProCurve Customer Care Center.
  • Page 45: Web And Mac Authentication

    Configure the Switch for Web-Based Authentication ... . . 3-18 Configuring MAC Authentication on the Switch ....3-22 Overview .
  • Page 46: Overview

    MAC Authentication (MAC-Auth). This method grants access to a secure network by authenticating devices for access to the network. When a device connects to the switch, either by direct link or through the network, the switch forwards the device’s MAC address to the RADIUS server for authentication.
  • Page 47: Client Options

    Client Options Web-Auth and MAC-Auth provide a port-based solution in which a port can belong to one, untagged VLAN at a time. The switch allows 2 clients per port. In the default configuration, the switch blocks access to clients that the RADIUS server does not authenticate.
  • Page 48: General Features

    Overview General Features Web and MAC Authentication includes the following: ■ On a port configured for Web or MAC Authentication, the switch operates as a port-access authenticator using a RADIUS server and the CHAP protocol. Inbound traffic is processed by the switch alone, until authentication occurs.
  • Page 49: How Web And Mac Authentication Operate

    Web-based Authentication When a client connects to a Web-Auth enabled port, communication is redirected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their credentials.
  • Page 50 Web and MAC Authentication How Web and MAC Authentication Operate Figure 3-2. Progress Message During Authentication If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.
  • Page 51 The max-retries parameter specifies how many times a client may enter his credentials before authentication fails. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out. The max-requests parameter specifies how many authentication attempts may result in a RADIUS server timeout before authentication fails.
  • Page 52 A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out. The max- requests parameter specifies how many authentication attempts may result in a RADIUS server timeout before authentication fails.
  • Page 53: Terminology

    Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN.
  • Page 54: Operating Rules And Notes

    Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ You can configure one type of authentication on a port. That is, the following authentication types are mutually exclusive on a given port: ... ■ Order of Precedence for Port Access Management (highest to lowest): ...
  • Page 55 When a port on the switch is configured for Web or MAC Authentica- ■ tion and is supporting a current session with another device, reboo- ting the switch invokes a re-authentication of the connection.
  • Page 56: General Setup Procedure For Web/Mac Authentication

    General Setup Procedure for Web/MAC Authentication Note on Web/MAC Authentication: The switch does not allow Web or MAC Authentication and LACP to both be enabled at the same time on the same port. The switch automatically disables LACP on ports configured for Web or MAC Authentication.
  • Page 57 VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify the VLAN.
  • Page 58: Additional Information For Configuring The Radius Server To Support Mac Authentication

    Note that each switch covered by this guide applies a single MAC address to all VLANs configured in the switch. Thus, for a given switch, the MAC address is the same for all VLANs configured on the switch. (Refer to the chapter titled “Static Virtual LANs (VLANs)”...
  • Page 59: Configuring The Switch To Access A Radius Server

    Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (Refer to “RADIUS Authentication and Accounting” on page 5-1.) [key <...
  • Page 60 Configuring the Switch To Access a RADIUS Server Syntax: radius-server host < ip-address > key <server-specific key-string> For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server-specific shared secret key of ‘2Pzo22’...
  • Page 61: Configuring Web Authentication

    Client web browsers may not use a proxy server to access the network. Configure Web Authentication on the switch ports you want to use. Specify the base IP address and mask to be used by the switch for temporary DHCP addresses. The lease length for these temporary IP addresses may also be set.
  • Page 62: Configure The Switch For Web-Based Authentication

    Web and MAC Authentication Configuring Web Authentication Configure the Switch for Web-Based Authentication Command Configuration Level aaa port-access web-based dhcp-addr aaa port-access web-based dhcp-lease [no] aaa port-access web-based [e] < port-list > [auth-vid] [client-limit] [client-moves] [logoff-period] [max-requests] [max-retries] [quiet-period] [reauth-period]...
  • Page 63 Web Auth control. When enabled, the switch allows clients to move without requiring a re-authentication. When disabled, the switch does not allow moves and when one does occur, the user will be forced to re- authenticate. At least two ports (from port(s) and to port(s)) must be specified.
  • Page 64 This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre- authentication state. (Default: 300 seconds) aaa port-access web-based [e] <...
  • Page 65 Syntax: aaa port-access web-based [e] < port-list > [server-timeout <1 - 300>] Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depend- ing on the current max-requests value, the switch sends a new attempt or ends the authentication session.
  • Page 66: Configuring Mac Authentication On The Switch

    VLANs are configured on the switch and that the appropriate port assignments have been made. Use the ping command in the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support MAC-Auth on the switch.
  • Page 67: Configure The Switch For Mac-Based Authentication

    Configure the Switch for MAC-Based Authentication Command Configuration Level aaa port-access mac-based addr-format [no] aaa port-access mac-based [e] < port-list > [addr-limit] [addr-moves] [auth-vid] [logoff-period] [max-requests] [quiet-period] [reauth-period] [reauthenticate] [server-timeout] [unauth-vid] Syntax: aaa port-access mac-based addr-format <no-delimiter|single-dash|multi-dash|multi-colon> Specifies the MAC address format to be used in the RADIUS request message.
  • Page 68 This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre- authentication state. (Default: 300 seconds) aaa port-access mac-based [e] <...
  • Page 69 Syntax: aaa port-access mac-based [e] < port-list > [server-timeout <1 - 300>] Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depend- ing on the current max-requests value, the switch sends a new attempt or ends the authentication session.
  • Page 70: Show Status And Configuration Of Web-Based Authentication

    Web and MAC Authentication Show Status and Configuration of Web-Based Authentication Show Status and Configuration of Web-Based Authentication Command: show port-access [port-list] web-based [[clients] [config] [config [auth-server]] [config [web-server]]]; show port-access port-list web-based config detail. Syntax: show port-access [port-list] web-based Shows the status of all Web-Authentication enabled ports or the specified ports.
  • Page 71 Show Status and Configuration of Web-Based Authentication Syntax: show port-access [port-list] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.
  • Page 72: Show Status And Configuration Of Mac-Based Authentication

    Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Show Status and Configuration of MAC-Based Authentication Command: show port-access [port-list] mac-based [[clients] [config] [config [auth-server]]]; show port-access port-list mac-based config detail. Syntax: show port-access [port-list] mac-based Shows the status of all MAC-Authentication enabled ports or the specified ports.
  • Page 73 Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] mac-based [config [auth-server]] Shows MAC Authentication settings for all ports or the specified ports, along with the Radius server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.
  • Page 74: Show Client Status

    Possible Explanations Connection Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires. Switch only Pending RADIUS request. No network access 1. Invalid credentials supplied. 2. RADIUS Server difficulties. See log file. 3. If unauth-vid is specified it cannot be successfully applied to the port.
  • Page 75: Tacacs+ Authentication

    General Authentication Setup Procedure ......4-5 Configuring TACACS+ on the Switch ......4-8 Before You Begin .
  • Page 76: Overview

    TACACS+ server(s) disabled TACACS+ authentication enables you to use a central server to allow or deny access to the switch (and other TACACS-aware devices) in your network. This means that you can use a central database to create multiple unique username/ password sets with associated privilege levels for use by individuals who have reason to access the switch from either the switch’s console port (local...
  • Page 77: Terminology Used In Tacacs Applications

    If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/write) privilege level access.
  • Page 78 • • Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager- level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or web browser inter- face.
  • Page 79: General System Requirements

    TACACS+ servers. ProCurve recommends that you use a TACACS+ server application that supports a redundant backup installation. This allows you to configure the switch to use a backup TACACS+ server if it loses access to the first-choice TACACS+ server.
  • Page 80 The following procedure outlines a general setup procedure. N o t e If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Trouble- shooting chapter of the Management and Configuration Guide for your switch.
  • Page 81 When a TACACS+ server authenticates an access request from a switch, P ri v i le g e Le v e l s it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of “15”...
  • Page 82: Configuring Tacacs+ On The Switch

    TACACS+ server application for console access. Then test the console access. If access problems occur, check for and correct any problems in the switch configuration, and then test console access again. If problems persist, check your TACACS+ server application for mis-configurations or missing data that could affect the console access.
  • Page 83: Cli Commands Described In This Section

    < ip-addr > timeout < 1-255 > Viewing the Switch’s Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access. Syntax: This example shows the default authentication configuration.
  • Page 84: Viewing The Switch's Current Tacacs+ Server Contact Configuration

    TACACS+ servers the switch can contact. Syntax: For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a (global) encryption key, show tacacs would produce a listing similar to the...
  • Page 85: Configuring The Switch's Authentication Methods

    Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied).
  • Page 86 No secondary type of authentication for the specified method/privilege path. (Available only if the primary method of authentication for the access being configured is local.) Note: If you do not specify this parameter in the command line, the switch automatically assigns the secondary method as follows: tacacs •...
  • Page 87 *When “local” is the primary option, you can also select “local” as the secondary option. However, in this case, a secondary “local” is meaningless because the switch has only one local level of username/password protection. Caution Regarding During local authentication (which uses passwords configured in the switch...
  • Page 88 TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server.
  • Page 89: Configuring The Switch's Tacacs+ Server Access

    If the switch sends an authentication request, but does not receive a response within the period specified by the timeout value, the switch resends the request to the next server in its Server IP Addr list, if any. If the switch still fails to receive a response from any...
  • Page 90 TACACS+ servers the switch will attempt to use for authentication. If you configure a global encryption key, the switch uses it only with servers for which you have not also configured a server-specific key. Thus, a global...
  • Page 91 Use show tacacs to view the current IP address list. If the first-choice TACACS+ server fails to respond to a request, the switch tries the second address, if any, in the show tacacs list. If the second address also fails, then the switch tries the third address, if any.
  • Page 92 <1 - 255> Specifies how long the switch waits for a TACACS+ server to respond to an authentication request. If the switch does not detect a response within the timeout period, it initiates a new request to the next TACACS+ server in the list. If all TACACS+ servers in the list fail to respond within the timeout period, the switch uses either local authentication (if configured) or denies access (if none configured for local authentication).
  • Page 93 Configuring an Encryption Key. Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key. (If the server expects a key, but the switch either does not provide one, or provides an incorrect key, then the authentication attempt will fail.) Use a global encryption key if the same key applies to all TACACS+...
  • Page 94: How Authentication Operates

    Configuring the Timeout Period. The timeout period specifies how long the switch waits for a response to an authentication request from a TACACS+ server before either sending a new request to the next server in the switch’s Server IP Address list or using the local authentication option. For example,...
  • Page 95 After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs: •...
  • Page 96: Local Authentication Process

    Configuring TACACS+ on the Switch Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists: “Local” is the authentication option for the access method being used.
  • Page 97: Using The Encryption Key

    Thus, on the TACACS+ server side, you have a choice as to how to implement a key. On the switch side, it is necessary only to enter the key parameter so that it exactly matches its counterpart in the server. For information on how to configure a general or individual key in the TACACS+ server, refer to the documentation you received with the application.
  • Page 98: Controlling Web Browser Interface Access When Using Tacacs+ Authentication

    TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in...
  • Page 99: Messages Related To Tacacs+ Operation

    CLI Message / Meaning: Connecting to Tacacs server: The switch is attempting to contact the TACACS+ server identified in the switch’s server... Connecting to secondary Tacacs server: The switch was not able to contact the first-choice TACACS+ server, and is now attempting to contact the next (secondary) TACACS+ server identified in the switch’s...
  • Page 100 TACACS+ Authentication Configuring TACACS+ on the Switch When TACACS+ is not enabled on the switch—or when the switch’s ■ only designated TACACS+ servers are not accessible— setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unautho- rized persons.)
  • Page 101: Radius Authentication And Accounting

    Terminology ........... 5-3 Switch Operating Rules for RADIUS ....... 5-4 General RADIUS Setup Procedure .
  • Page 102: Overview

    ■ Port-Access Note The switch does not support RADIUS security for SNMP (network management) access. For information on blocking unauthorized access through the web browser interface, refer to “Controlling Web Browser Interface Access When Using RADIUS Authentication” on page 5-17.
  • Page 103: Terminology

    EAP type, such as MD5-Challenge, Generic Token Card, and TLS (Transport Level Security). Host: See RADIUS Server. NAS (Network Access Server): In this case, a ProCurve switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): RADIUS Client: The device that passes user information to designated RADIUS servers.
  • Page 104: Switch Operating Rules For Radius

    RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius (page 5-25). If the first server does not respond, the switch tries the next one, and so-on. (To change the order in which the switch accesses RADIUS servers, refer to “Changing RADIUS-Server Access Order”...
  • Page 105: General Radius Setup Procedure

    • Determine the IP address(es) of the RADIUS server(s) you want to support the switch. (You can configure the switch for up to three RADIUS servers.) • If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific RADIUS server, select it before beginning the configuration process.
  • Page 106: Configuring The Switch For Radius Authentication

    For any server whose key differs from the global key you are using, you must configure that key in the same command that you use to designate that server’s IP address to the switch.
  • Page 107: Outline Of The Steps For Configuring Radius Authentication

    (Optional) encryption key for use during authentication sessions with a RADIUS server. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server. (Default: null)
  • Page 108: Configure Authentication For The Access Methods You Want Radius To Protect

    (or tacacs) for primary authentication, you must configure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail. out on a server that is unavailable. If you want to use this feature, select a dead-time period of 1 to 1440 minutes.
  • Page 109 Syntax: aaa authentication < console | telnet | ssh | web > < enable | login > < radius > For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s local passwords):...
  • Page 110: Configure The Switch To Access A Radius Server

    This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note: If you want to configure RADIUS accounting on the switch, go to page 5-17: “Configuring RADIUS Accounting” instead of continuing here. Syntax: [no] radius-server host < ip-address >...
  • Page 111 For example, suppose you have configured the switch as shown in figure 5-3 and you now need to make the following changes: Change the encryption key for the server at 10.33.18.127 to “source0127”. Add a RADIUS server with an IP address of 10.33.18.119 and a server-specific encryption key of “source0119”.
  • Page 112: Configure The Switch's Global Radius Parameters

    (This is a general aaa authentication parameter and is not specific to RADIUS.) ■ Global server key: The server key the switch will use for contacts with all RADIUS servers for which there is not a server-specific key configured by radius-server host <...
  • Page 113 If none of the servers respond, then the switch attempts to use the secondary authentication method configured for the type of access being attempted (console, Telnet, or SSH).
  • Page 114 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key. In this case your plan is to configure the switch with the following global authentication parameters: Allow only two tries to correctly enter username and password.
  • Page 115 Server IP Addr / Port: 10.33.18.127 1812; 10.33.18.119 1812; 10.33.18.151 1812. Figure 5-6. Listings of Global RADIUS Parameters Configured In Figure 5-5. Configuring the Switch for RADIUS Authentication. Login / Enable, Primary / Secondary: None Local None Radius None...
  • Page 116: Local Authentication Process

    Local Authentication Process: When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: “Local” is the authentication option for the access method being used.
  • Page 117: Controlling Web Browser Interface Access When Using Radius Authentication

    ■ Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch. ■ Configure the switch’s Authorized IP Manager feature to allow web browser access only from authorized management stations. (The Authorized IP Manager feature does not interfere with TACACS+ operation.)
  • Page 118 5-5 before continuing here. RADIUS accounting collects data about user activity and system events and sends it to a RADIUS server when specified events occur on the switch, such as a logoff or a reboot. The switch supports three types of accounting services: Network accounting: Provides records containing the information ■...
  • Page 119: Operating Rules For Radius Accounting

    ■ RADIUS servers are accessed in the order in which their IP addresses were configured in the switch. Use show radius to view the order. As long as the first server is accessible and responding to authentication requests from the switch, a second or third server will not be accessed.
  • Page 120 Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 5-10. You need to repeat this step here only if you have not...
  • Page 121 (For a more complete description of the radius-server command and its options, turn to page 5-10.) For example, suppose you want the switch to use the RADIUS server described below for both authentication and accounting purposes. ■...
  • Page 122: Reports To The Radius Server

    Figure 5-7. Example of Configuring for a RADIUS Server with a Non-Default Accounting UDP Port Number The radius-server command as shown in figure 5-7, above, configures the switch to use a RADIUS server at IP address 10.33.18.151, with a (non-default) UDP accounting port of 1750, and a server-specific key of “source0151”.
  • Page 123 • The system option (page 5-22) always delivers stop-only operation because the switch sends the accumulated data only when there is a reboot, reload, or accounting on/off event. Syntax: [no] aaa accounting < exec | network | system > < start-stop | stop-only >...
  • Page 124 Syntax: [no] aaa accounting update periodic < 1 - 525600 > Syntax: [no] aaa accounting suppress null-username To continue the example in figure 5-8, suppose that you wanted the switch to: Send updates every 10 minutes on in-progress accounting sessions.
  • Page 125: Viewing Radius Statistics

    IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which requires prior use of the radius-server host command. (See “Configuring RADIUS Accounting” on page 5-17.) Figure 5-10.
  • Page 126 Figure 5-11. RADIUS Server Information From the Show Radius Host Command...
  • Page 127 The number of RADIUS packets which were received from this server on the accounting port and dropped for some other reason. Access Requests The number of RADIUS Access-Requests the switch has sent since it was last rebooted. (Does not include retransmissions.) Accounting Requests The number of RADIUS Accounting-Request packets sent.
  • Page 128: Radius Authentication Statistics

    Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session. show radius authentication: Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.
  • Page 129: Radius Accounting Statistics

    Lists accounting statistics for the RADIUS server(s) configured in the switch (using the radius-server host command). show accounting sessions: Lists the accounting sessions currently active on the switch. Figure 5-14. Listing the Accounting Configuration in the Switch Figure 5-15.
  • Page 130: Changing Radius-Server Access Order

    Figure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.
  • Page 131 Delete 10.10.10.001 from the list. This opens the first (highest) position in the list. Re-enter 10.10.10.003. Because the switch places a newly entered address in the highest-available position, this address becomes first in the list. Re-enter 10.10.10.001. Because the only position open is the third position, this address becomes last in the list.
  • Page 132: Messages Related To Radius Operation

    A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is accessible, then verify that the switch is using the correct encryption key and that the server is correctly configured to receive an authentication request from the switch.
  • Page 133: Configuring Secure Shell (Ssh)

    Steps for Configuring and Using SSH for Switch and Client Authentication ......6-6 General Operating Rules and Notes .
  • Page 134: Overview

    Client Public Key Authentication (Login/Operator Level) with User Password Authentication (Enable/Manager Level). This option uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.
  • Page 135 OpenSSH, visit www.openssh.com . Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication shown in figure 6-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.
  • Page 136: Terminology

    ■ Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key that can be read by anyone and a private key that is held internally in the switch or by a client. ■ PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted...
  • Page 137: Prerequisite For Using Ssh

    Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), then the client program must have the capability to generate or import keys.
  • Page 138: Steps For Configuring And Using Ssh For Switch And Client Authentication

    (Enable) Level: ssh enable tacacs; ssh enable radius. For ssh login public-key, the switch uses client public-key authentication instead of the switch password options for primary authentication. The general steps for configuring SSH include: A. Client Preparation Authenticate...
  • Page 139 (page 6-9). Generate a public/private key pair on the switch (page 6-10). You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. (You can remove or replace this key pair, if necessary.) Copy the switch’s public key to the SSH clients you want to access...
  • Page 140: General Operating Rules And Notes

    ■ The switch’s own public/private key pair and the (optional) client public key file are stored in the switch’s flash memory and are not affected by reboots or the erase startup-config command. ■ Once you generate a key pair on the switch you should avoid re-...
  • Page 141: Configuring The Switch For Ssh Operation

    At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration. To Configure Local Passwords. You can configure both the Operator and Manager password with one command.
  • Page 142: Generate The Switch's Public And Private Key Pair

    Figure 6-5. Example of Configuring Local Passwords 2. Generate the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.
  • Page 143 Notes: When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be "permanent";...
  • Page 144: Provide The Switch's Public Key To Clients

    If you wish to compare the switch key to the key as stored in your client's known-hosts file, note that the formatting and comments need not match. For version 1 keys, the three numeric values bit size, exponent <e>, and modulus...
  • Page 145 (laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one blank space each: Bit Size Exponent <e>...
  • Page 146 Figure 6-9. Example of a Switch Public Key Edited To Include the Switch’s IP Address. For more on this topic, refer to the documentation provided with your SSH client application. Displaying the Public Key. The switch provides three options for displaying its public key.
  • Page 147: Enable Ssh On The Switch And Anticipate Ssh Client Contact Behavior

    (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host” file. The switch has only one RSA host key. The 'babble' and 'fingerprint' options produce two hashes...
  • Page 148 See the following Note.) Note: When an SSH client connects to the switch for the first time, it is possible for a "man-in-the-middle" attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords controlling access to the switch.
  • Page 149 The SSH login timeout value (default: 120 seconds). Enables SSH on the switch. Lists the current SSH configuration and status. The switch uses these settings internally for transactions with clients. See the Caution on page 6-18. With SSH running, the switch allows one console session and up to three other sessions (SSH and/or Telnet).
  • Page 150: Configure The Switch For Ssh Authentication

    Telnet, SNMP, or the serial port. While web and Telnet access can be restricted by the use of passwords local to the switch, if you are unsure of the security this provides, you may want to disable web-based and/or Telnet access (no web-management and no telnet).
  • Page 151 This option requires the additional step of copying a client public-key file from a TFTP server into the switch. This means that before you can use this option, you must: Create a key pair on an SSH client.
  • Page 152 For example, assume that you have a client public-key file named Client-Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch. For SSH access to the switch you want to allow only clients having a private key that matches a public key found in Client-Keys.pub. For Manager-...
  • Page 153 Figure 6-13 shows how to check the results of the above commands. Figure 6-13. SSH Configuration and Client-Public-Key Listing From Figure 6-12 (callouts: Client Key Index Number; Configures Manager username and password; Configures the primary and...
  • Page 154: Use An Ssh Client To Access The Switch

    6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems" in the Troubleshooting chapter of the Management and Configuration Guide for your switch.
  • Page 155: Further Information On Ssh Client Public-Key Authentication

    SSH clients. To provide the optional, opposite service—client public-key authentication to the switch— you can configure the switch to store up to ten RSA or DSA public keys for authenticating clients. This requires storing an ASCII version of each client’s public key (without babble conversion, or fingerprint conversion) in a client public-key file that you create and TFTP-copy to the switch.
  • Page 156 Using client public-key authentication requires these steps: Generate a public/private key pair for each client you want to have SSH access to the switch. This can be a separate key for each client or the same key copied to several clients.
  • Page 157 <CR><LF>. Spaces are allowed within the key to delimit the key’s components. Note that, unlike the use of the switch’s public key in an SSH client application, the format of a client-public-key used by the switch does not include the client’s IP address.
  • Page 158 ■ A copy of each client public key (up to ten) stored in a single text file or individual on a TFTP server to which the switch has access. ■ Terminate all client public-keys in the file except the last one with a <CR><LF>.
  • Page 159 ■ If an SSH client’s public key matches the switch’s client-public-key file, allow that client access to the switch. If there is not a public-key match, then deny access to that client. ■ If an SSH client’s public key does not have a match in the switch’s...
  • Page 160 Caution: To enable client public-key authentication to block SSH clients whose public keys are not in the client-public-key file copied into the switch, you must configure the Login Secondary as none. Otherwise, the switch allows such clients to attempt access using the switch’s Operator password.
  • Page 161: Messages Related To Ssh Operation

    TCP port. Use the default or select another port number. See “Note on Port Number” on page 6-17. The client key does not exist in the switch. Use copy tftp to download the key from a TFTP server. The public key file you are trying to download has one of the following problems: •...
  • Page 162 After you execute the crypto key generate ssh [rsa] command, the switch displays this message while it is generating the key. The switch’s key is missing or corrupt. Use the crypto key generate ssh [rsa] command to generate a new key for the switch.
  • Page 163: Configuring Secure Socket Layer (Ssl)

    Steps for Configuring and Using SSL for Switch and Client Authentication ........7-5 General Operating Rules and Notes .
  • Page 164: Overview

    Authentication . This option is a subset of full certificate authentication of the user and host. It occurs only if the switch has SSL enabled. As in figure 7-1, the switch authenticates itself to the SSL-enabled web browser. Users on SSL...
  • Page 165: Terminology

    ■ SSL Server: A ProCurve switch with SSL enabled. ■ Key Pair: Public/private pair of RSA keys generated by the switch, of which the public portion makes up part of the server host certificate and the private portion is stored in switch flash (not user accessible).
  • Page 166 ■ switch (web interface or CLI command: crypto key generate cert [key size]), (2) A certificate has been generated on the switch (web interface or CLI command: crypto host-cert generate self-signed [arg-list]) and (3) SSL is enabled (web interface or CLI command: web-management ssl).
  • Page 167: Prerequisite For Using Ssl

    Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the computer(s) you use for management access to the switch. Steps for Configuring and Using SSL for...
  • Page 168: General Operating Rules And Notes

    General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re-generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all management stations (clients) you previously set up for SSL access to the switch.
  • Page 169: Assign Local Login (Operator) And Enable (Manager) Password

    Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
  • Page 170: Generate The Switch's Server Host Certificate

    2. Generate the Switch’s Server Host Certificate You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying...
  • Page 171 to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.) The server certificate is stored in the switch’s flash memory.
  • Page 172 To generate a host certificate from the CLI: Note: If a certificate key pair is already present in the switch, it is not necessary to generate a new key pair when generating a new certificate. The existing key...
  • Page 173 Country code For example, to generate a key and a new host certificate: Figure 7-3. Example of Generating a Self-Signed Server Host Certificate on the CLI for the Switch. Notes: “Zeroizing” the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No).
  • Page 174 “Using the Web Browser Interface” in the Management and Configuration Guide for your switch. To generate a self-signed host certificate from the web browser interface: (callouts: Show host certificate command; Displays switch’s host certificate)...
  • Page 175 Note: When generating a self-signed host certificate, if no key is present and the current option is selected in the RSA key size box, an error will be generated. New key generation can take up to two minutes if the key queue is empty. Select the Security tab; the screen is then divided into two halves.
  • Page 176 For example, to generate a new host certificate via the web browser interface: Figure 7-5. Self-Signed Certificate Generation via SSL Web Browser Interface Screen. To view the current host certificate in the web browser interface: Proceed to the Security tab. Then the...
  • Page 177 The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority. The second phase is the actual submission process...
  • Page 178 (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL.
  • Page 179: Enable Ssl On The Switch And Anticipate Ssl Browser Contact Behavior

    The web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients. After you enable SSL, the switch can authenticate itself to SSL enabled browsers. The no web-management ssl command is used to disable SSL on the switch.
  • Page 180 Note: When an SSL client connects to the switch for the first time, it is possible for a “man-in-the-middle” attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords controlling access to the switch.
  • Page 181 Generate a Host certificate if you have not already done so. (Refer to “2. Generate the Switch’s Server Host Certificate” on page 7-8.) Execute the web-management ssl command. To disable SSL on the switch, do either of the following: Execute no web-management ssl. ■...
  • Page 182 TCP port for SSL connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http). Some other reserved TCP ports on the switch are 49, 80, 1506, and 1513.
  • Page 183: Common Errors In Ssl Setup

    You may be using a reserved TCP port. (Refer to “Note on Port Number” on page 7-20.) You may not have SSL enabled (Refer to “3. Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior” on page 7-17.) Your browser may not support SSLv3 or TLSv1 or it may be disabled.
  • Page 184 Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup 7-22...
  • Page 185: Configuring Port-Based And Client-Based Access Control (802.1X)

    Example of the Authentication Process ......8-9 Switch-Port Supplicant Operation ......8-10 General Operating Rules and Notes .
  • Page 186 Only 802.1X Devices ..........8-39 Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches .
  • Page 187: Overview

    Authentication of 802.1X clients using a RADIUS server and either the EAP or CHAP protocol. Provision for enabling clients that do not have 802.1X supplicant software to use the switch as a path for downloading the software and initiating the authentication process (802.1X Open VLAN mode). Overview...
  • Page 188: User Authentication Methods

    Use of Show commands to display session counters. User Authentication Methods The switch offers two methods for using 802.1X access control. Generally, the “Port Based” method supports one 802.1X-authenticated client on a port, which opens the port to an unlimited number of clients. The “Client-Based”...
  • Page 189 2 authenticated clients. Authenticating Users. Port-Based Access Control (802.1X) provides switch-level security that allows LAN access only to users who enter the authorized RADIUS username and password on 802.1X-capable clients (supplicants). This simplifies security management by allowing you to control...
  • Page 190 (Refer to “802.1X Open VLAN Mode” on page 8-26.) Authenticating One Switch to Another. 802.1X authentication also enables the switch to operate as a supplicant when connected to a port on another switch running 802.1X authentication. 802.1X-Aware...
  • Page 191: Terminology

    Authentication Server: The entity providing an authentication service to the switch when the switch is configured to operate as an authenticator. In the case of a switch running 802.1X, this is a RADIUS server (unless local authentication is used, in which case the switch performs this function using its own username and password for authenticating a supplicant).
  • Page 192 Authorized-Client VLAN. See also “Untagged Membership in a VLAN”. Unauthorized-Client VLAN: A conventional, static VLAN statically configured on the switch. It is used to provide access to a client prior to authentication, and is sometimes termed a guest VLAN. It should be set...
  • Page 193 Unauthorized-Client VLAN.) A port configured to use a given Unauthorized-Client VLAN does not have to be statically configured as a member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN.
  • Page 194: General 802.1X Authenticator Operation

    If you then connect an 802.1X-aware client (supplicant) to the port and attempt to log on: When the switch detects the client on the port, it blocks access to the LAN from that port. The switch responds with an identity request.
  • Page 195: Switch-Port Supplicant Operation

    802.1X Supplicant Figure 8-2. Example of Supplicant Operation When port A1 on switch “A” is first connected to a port on switch “B”, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch “B”.
  • Page 196: General Operating Rules And Notes

    Note: You can configure a switch port to operate as both a supplicant and an authenticator at the same time. General Operating Rules and Notes ■ In the client-based mode, when there is an authenticated client on a port,...
  • Page 197 ■ If a port on switch “A” is configured as an 802.1X supplicant and is connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection.
  • Page 198: General Setup Procedure For 802.1X Access Control

    Access Control Do These Steps Before You Configure 802.1X Operation Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, ProCurve recommends that you use a local username and password pair at least until your other security measures are in place.)
  • Page 199: Overview: Configuring 802.1X Authentication On The Switch

    On the ports you will use as authenticators, either accept the default 802.1X settings or change them, as necessary. Note that, by default, the port-control parameter is set to auto for all ports on the switch. This requires a client to support 802.1X authentication and to provide valid credentials to get network access.
  • Page 200 802.1X port. See page 8-40. If you want a port on the switch to operate as a supplicant in a connection with a port operating as an 802.1X authenticator on another device, then configure the supplicant operation.
  • Page 201: Enable 802.1X Authentication On Selected Ports

    8-15 to activate 802.1X authentication on the switch.) Note: When you enable 802.1X authentication on a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can configure it for 802.1X authentication.
  • Page 202 A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication. Syntax: [ no ] aaa port-access authenticator <... B. Specify Client-Based or Return to Port-Based 802.1X Authentication. Client-Based 802.1X Authentication. Syntax:
  • Page 203 ProCurve(config)# aaa port-access authenticator a13-a15 Figure 8-4. Example of Configuring Port-Based 802.1X Authentication. no aaa port-access authenticator client-limit: Used to convert a port from client-based authentication to port-based authentication, which is the default setting for ports on which authentication is enabled.
  • Page 204: Reconfigure Settings For Port-Access

    2. Reconfigure Settings for Port-Access The commands in this section are initially set by default and can be reconfigured as needed. Syntax: aaa port-access authenticator < port-list >...
  • Page 205 EAPOL PDU during an authentication session. (Default: 30 seconds) [supplicant-timeout < 1 - 300 >] Sets the period of time the switch waits for a supplicant response to an EAP request. If the supplicant does not respond within the configured time frame, the session times out.
  • Page 206 Refer to “802.1X Open VLAN Mode” on page 8-26. [logoff-period < 1 - 999999999 >] Configures the period of time the switch waits for client activity before removing an inactive client from the port. (Default: 300 seconds) [auth-vid <...
  • Page 207: Configure The 802.1X Authentication Method

    3. Configure the 802.1X Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator. Syntax: For example, to enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers: Figure 8-5.
  • Page 208: Enter The Radius Host Ip Address(Es)

    4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, refer to “RADIUS Authentication and...
  • Page 209: Optionally Resetting Authenticator Operation

    This happens only on ports configured with control auto and actively operating as 802.1X authenticators. [reauthenticate] On the specified ports, forces reauthentication (unless the authenticator is in “HELD” state). [clear-statistics] On the specified ports, clears authenticator statistics counters. Configuring Switch Ports as 802.1X Authenticators...
  • Page 210: 802.1X Open Vlan Mode

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands 802.1X Supplicant Commands 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator [e] < port-list > [auth-vid < vlan-id >] [unauth-vid < vlan-id >] 802.1X-Related Show Commands RADIUS server configuration Introduction...
  • Page 211: Vlan Membership Priorities

    RADIUS server during authentication. 2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the VLAN entered in the port’s 802.1X configuration as an Authorized-Client VLAN, if configured.
  • Page 212: Use Models For 802.1X Open Vlan Modes

    You can apply the 802.1X Open VLAN mode in more than one way. Depending on your use, you will need to create one or two static VLANs on the switch for exclusive use by per-port 802.1X Open VLAN mode authentication: ■...
  • Page 213 Table 8-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration No Open VLAN mode: Open VLAN mode with both of the following configured: Unauthorized-Client VLAN Authorized-Client VLAN Configuring Port-Based and Client-Based Access Control (802.1X) Port Response The port automatically blocks a client that cannot initiate an authentication session.
  • Page 214 If the port is statically configured as an untagged member of another VLAN, the switch temporarily removes the port from membership in this other VLAN while membership in the Unauthorized-Client VLAN exists.
  • Page 215: Operating Rules For Authorized-Client And Unauthorized-Client Vlans

    After the client disconnects, the port returns to tagged membership in that VLAN. Rule These must be configured on the switch before you configure an 802.1X authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.) If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment...
  • Page 216 While the Authorized-Client VLAN is in use, the port does not have access to the statically configured, untagged VLAN. • When the authenticated client disconnects, the switch removes the port from the Authorized-Client VLAN and moves it back to the untagged membership in the statically configured VLAN.
  • Page 217 VLAN as any other previously authenticated clients that are currently using the port. Thus, an Unauthorized-Client VLAN configured on a switch port that allows multiple 802.1X clients cannot be used if there is already an authenticated client using the port on another VLAN.
  • Page 218: Setting Up And Configuring 802.1X Open Vlan Mode

    Before you configure the 802.1X Open VLAN mode on a port: ■ Statically configure an “Unauthorized-Client VLAN” in the switch. The only ports that should belong to this VLAN are ports offering services and access you want available to unauthenticated clients. (802.1X authenticator ports do not have to be members of this VLAN.)
  • Page 219 802.1X authenticators. (The RADIUS server should not be on the Unauthorized-Client VLAN.) Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges.
  • Page 220 aaa authentication port-access < local | eap-radius | chap-radius > Determines the type of RADIUS authentication to use. local: Use the switch’s local username and password for supplicant authentication (the default). eap-radius: Use EAP-RADIUS authentication. (Refer to the documentation for your RADIUS server.) chap-radius: Use CHAP-RADIUS (MD5) authentication.
  • Page 221 Note: If you want to implement the optional port security feature on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. Then refer to “Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices”...
  • Page 222: 802.1X Open Vlan Operating Notes

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101 and an encryption key of rad4all. ProCurve(config)# aaa port-access authenticator e a10-a20 unauth-vid 80 Configures ports A10 - A20 to use VLAN 80 as the Unauthorized-Client VLAN.
  • Page 223 Configuring Port-Based and Client-Based Access Control (802.1X) RADIUS-assigned VLAN, then an authenticated client without tagged VLAN capability can access only a statically configured, untagged VLAN on that port.) When a client’s authentication attempt on an Unauthorized-Client ■ VLAN fails, the port remains a member of the Unauthorized-Client VLAN until the client disconnects from the port.
  • Page 224: Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices

    Configuring Port-Based and Client-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices If you use port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.1X-aware device detected on the port.
  • Page 225 Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices Note on Blocking a Non-802.1X Device: If the port’s 802.1X authenticator control mode is configured to authorized (as shown below, instead of auto), then the first source MAC address from any 802...
  • Page 226: Configuring Switch Ports To Operate As Supplicants For 802.1X Connections To Other Switches

    802.1X-Related Show Commands RADIUS server configuration You can configure a switch port to operate as a supplicant in a connection to a port on another 802.1X-aware switch to provide security on links between 802.1X-aware switches. (A port can operate as both an authenticator and a supplicant.)
  • Page 227 802.1X Supplicant Figure 8-6. Example of Supplicant Operation When port A1 on switch “A” is first connected to a port on switch “B”, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch “B”.
  • Page 228 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches • Supplicant Port Configuration Enabling a Switch Port To Operate as a Supplicant. You can configure one or more switch ports to operate as supplicants for point-to-point links to 802.1X-aware ports on other switches.
  • Page 229 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches [identity < username >] Sets the username and password to pass to the authenticator port when a challenge-request packet is received from the authenticator port in response to an authentication request.
  • Page 230 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches [start-period < 1 - 300 >] Sets the time period between Start packet retransmissions. That is, after a supplicant sends a start packet, it waits during the start-period for a response.
  • Page 231: Displaying 802.1X Configuration, Statistics, And Counters

    802.1X authentication. The Authenticator Backend State in this data refers to the switch’s interaction with the authentication server. • With < port-list > only, same as above, but limits port status to only the specified port. Does not display data for a specified port that is not enabled as an authenticator.
  • Page 232 Also, for each port, the “User” column lists the user name the supplicant included in its response packet. (For the switch, this is the identity setting included in the supplicant command—page 8-44.) Does not display data for a specified port that is not enabled as an authenticator.
  • Page 233 Period of time (in seconds) that the port waits to retransmit the next EAPOL PDU during an authentication session. Supplicant Timeout Period of time (in seconds) that the switch waits for a supplicant response to an EAP request. Server Timeout Period of time (in seconds) that the switch waits for a server response to an authentication request.
  • Page 234: Viewing 802.1X Open Vlan Mode Status

    Figure 8-8 shows an example of show port-access authenticator output, and table 8-3 describes the data that this command displays. Figure 8-9 shows related VLAN data that can help you to see how the switch is using statically configured VLANs to support 802.1X operation.
  • Page 235 This is the default state for access control. Disconnected: No client is connected to the port. Authenticator Idle: The switch is not currently interacting with the RADIUS authentication server. Other states Backend State (Request, Response, Success, Fail, Timeout, and Initialize) may appear temporarily to indicate interaction with a RADIUS server.
  • Page 236 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 8-3. Open VLAN Mode Status Status Indicator Meaning Unauthorized VLAN < vlan-id >: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated port.
  • Page 237: Show Commands For Port-Access Supplicant

    [[e] < port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port- list > ports configured on the switch as supplicants. The Supplicant State can include the following: Connecting - Starting authentication.
  • Page 238: How Radius/802.1X Authentication Affects Vlan Operation

    RADIUS application.) The static VLAN to which a RADIUS server assigns a client must already exist on the switch. If it does not exist or is a dynamic VLAN (created by GVRP), authentication fails. Also, for the session to proceed, the port must be an untagged member of the required VLAN.
  • Page 239 For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Figure 8-10. Example of an Active VLAN Configuration In figure 8-10, if RADIUS authorizes an 802.1X client on port 2 with the requirement that the client use VLAN 22, then: ■...
  • Page 240 Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Figure 8-11. The Active Configuration for VLAN 22 Temporarily Changes for the 802.1X Session ■ With the preceding in mind, since (static) VLAN 33 is configured as untagged on port A2 (see figure 8-10), and since a port can be untagged on only one VLAN, port A2 loses access to VLAN 33 for the duration of the 802.1X session involving VLAN 22.
  • Page 241 VLAN assignment causes the switch to disable a configured (untagged) static VLAN assignment on the port, then the disabled VLAN assignment is not advertised. When the 802.1X session ends, the switch: ■ Eliminates and ceases to advertise the temporary VLAN assignment.
  • Page 242: Messages Related To 802.1X Operation

    LACP is disabled on the port(s), and enables 802.1X on that port. Also, the switch will not allow you to configure LACP on a port on which port access (802.1X) is enabled. authenticator e 10...
  • Page 243: Contents

    Configuring and Monitoring Port Security Contents Overview ............9-2 Basic Operation .
  • Page 244: Configuring And Monitoring Port Security

    Configuring Port Security Intrusion Alerts and Alert Flags Using Port Security, you can configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devices to communicate through the switch.
  • Page 245: Blocking Unauthorized Traffic

    Guide for your switch.) Blocking Unauthorized Traffic Unless you configure the switch to disable a port on which a security violation is detected, the switch security measures block unauthorized traffic without disabling the port. This implementation enables you to apply the security...
  • Page 246: Trunk Group Exclusion

    Port security does not operate on either a static or dynamic trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch will reset the port security parameters for those ports to the factory-default configuration. (Ports configured for either Active or Passive LACP, and which are not members of a trunk, can be configured for port security.)
  • Page 247: Planning Port Security

    (For example, if you allow three devices on a given port, but specify only one MAC address for that port, do you want the switch to automatically accept the first two additional devices it detects, or not?) d.
  • Page 248: Port Security Command Options And Operation

    < [ethernet] port-list > [clear-intrusion-flag] no port-security This section describes the CLI port security command and how the switch acquires and maintains authorized addresses. Note: Use the global configuration level to execute port-security configuration commands.
  • Page 249 Addresses learned this way appear in the switch and port address tables and age out according to MAC Age Interval tion screen of the Menu interface or the show system-...
  • Page 250 Configured: The static-configured option operates the same as the static-learn option on the preceding page, except that it does not allow the switch to accept non-specified addresses to reach the address limit. Thus, if you configure an address limit of 3, but only configure two MAC addresses, the switch will handle as intruders all non- specified MAC addresses it detects.
  • Page 251 • Learn mode is set to learn-mode continuous and there is a MAC address change on a port. none (the default): Prevents an SNMP trap from being sent. send-alarm: Causes the switch to send an SNMP trap to a network management station. send-disable: Available only with learn-mode configured and learn-mode static.
  • Page 252: Retention Of Static Mac Addresses

    Learned MAC Addresses In the following two cases, a port in Static learn mode (learn-mode static) retains a learned MAC address even if you later reboot the switch or disable port security for that port: The port learns a MAC address after you configure the port with learn- ■...
  • Page 253 With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the specified ports on a switch. The following example lists the full port security configuration for a single port: Figure 9-3.
  • Page 254: Configuring Port Security

    Configuring and Monitoring Port Security Port Security Command Options and Operation The following command example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string: ProCurve(config)# show port-security A1-A3,A6,A8 Configuring Port Security Using the CLI, you can:...
  • Page 255 If you manually configure authorized devices (MAC addresses) and/or an alarm action on a port, those settings remain unless you either manually change them or reset the switch to its factory-default configuration. You can “turn off” device authorization on a port by configuring the port to continuous Learn Mode, but subsequently reconfiguring the port to static Learn Mode restores the configured device authorization.
  • Page 256 Configuring and Monitoring Port Security Port Security Command Options and Operation mined by the current address-limit value). For example, suppose port A1 allows two authorized devices, but has only one device in its Authorized Address list: Although the Address Limit is set to 2, only one device has been authorized for this port.
  • Page 257 Configuring and Monitoring Port Security Port Security Command Options and Operation Note: The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. If you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode.
  • Page 258 Address Limit value by 1, then remove the unwanted device. Note: When you have configured the switch for learn-mode static operation, you can reduce the address limit below the number of currently authorized addresses on a port. This enables you to subsequently remove a device from the “Authorized”...
  • Page 259: Web: Displaying And Configuring Port Security Features

    Alert Flags Notice of Security Violations When the switch detects an intrusion on a port, it sets an “alert flag” for that port and makes the intrusion information available as described below. While the switch can detect additional intrusions for the same port, it does not list the next chronological intrusion for that port in the Intrusion Log until the alert flag for that port has been reset.
  • Page 260: How The Intrusion Log Operates

    • How the Intrusion Log Operates When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log. No further intrusion attempts on that port will appear in the Log until you acknowledge the earlier intrusion event by resetting the alert flag.
  • Page 261: Keeping The Intrusion Log Current By Resetting Alert Flags

    Send-Disable Operation: On a given port, if the intrusion action is to send an SNMP trap and then disable the port (send-disable), and then an intruder is detected on the port, the switch sends an SNMP trap, sets the port’s alert flag, and disables the port.
  • Page 262 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen. From the Main Menu select: 1.
  • Page 263 Note also that the “prior to” text in the record for the earliest intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset. To acknowledge the most recent intrusion entry on port A3 and enable the switch to enter a subsequently detected intrusion on this port, type (for Reset alert flags).
  • Page 264 “Operating Notes for Port Security” on page 9-25.) Syntax: show interfaces brief In the following example, executing show interfaces brief lists the switch’s port status, which indicates an intrusion alert on port A1. Figure 9-11. Example of an Unacknowledged Intrusion Alert in a Port Status Display If you wanted to see the details of the intrusion, you would then enter the show port-security intrusion-log command.
  • Page 265 20 intrusion records, and deletes intrusion records only when the log becomes full and new intrusions are subsequently added.) The “prior to” text in the record for the third intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.
  • Page 266: Using The Event Log To Find Intrusion Alerts

    Next page and Prev page to review the Event Log contents. For More Event Log Information. See “Using the Event Log To Identify Problem Sources” in the “Troubleshooting” chapter of the Management and Configuration Guide for your switch. ” is the severity level of the log entry and...
  • Page 267: Web: Checking For Intrusions, Listing Intrusion Alerts, And Resetting Alert Flags

    MAC address, and not your PC or workstation MAC address, and interprets your connection as unauthorized. “Prior To” Entries in the Intrusion Log. If you reset the switch (using the Reset button, Device Reset, or Reboot Switch), the Intrusion Log will list the time of all currently logged intrusions as “prior to”...
  • Page 268 2 LACP has been disabled on secured port(s). ProCurve(config)# The switch will not allow you to configure LACP on a port on which port security is enabled. For example: ProCurve(config)# int e a17 lacp passive Error configuring port A17: LACP and port security cannot be run together.
  • Page 269: Configuring Protected Ports

    To achieve this control, you can use the protected-ports command. The command applies per-port, and filters the outbound traffic from a port. This allows the configuration of two port groups on a switch—protected ports and unprotected ports. The ports have these characteristics: ■...
  • Page 270 If you display the running config file (show running-config) you will see the ports that have been selected as protected ports. ProCurve(config)# show running-config Running configuration: ; J9019B Configuration Editor; Created on release #Q.11.XX hostname "ProCurve Switch 2510-24" snmp-server community "public" Unrestricted vlan 1 name "DEFAULT_VLAN" untagged 1-26...
  • Page 271: Configuring Multiple Stations Per Authorized Manager Ip Entry

    Using Authorized IP Managers Contents Overview ........... . . 10-2 Configuration Options .
  • Page 272: Using Authorized Ip Managers

    Notes The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network. This covers access through the following means: Also, when configured in the switch, the Authorized IP Managers feature takes precedence over local passwords, TACACS+, RADIUS, Port-Based Access Control (802.1X), and Port Security.
  • Page 273: Configuration Options

    Console (RS-232) port. Also, if an authorized station "spoofs" an authorized IP address, it can gain management access to the switch even though a duplicate IP address condition exists. For these reasons, you should enhance your network’s security by keeping...
  • Page 274: Defining Authorized Management Stations

    Authorized Manager IP value, specify an IP Mask, and select either Manager or Operator for the Access Level. The IP Mask determines how the Authorized Manager IP value is used to allow or deny access to the switch by a management station.
  • Page 275: Menu: Viewing And Configuring Ip Authorized Managers

    N o t e The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch. This mask serves a different purpose than IP subnet masks and is applied in a different manner.
  • Page 276: Cli: Viewing And Configuring Authorized Ip Managers

    <ip-address> <ip-mask-bits> [access <operator | manager>] Listing the Switch’s Current Authorized IP Manager(s) Use the show ip authorized-managers command to list IP stations authorized to access the switch. For example: 2. Enter an Authorized Manager IP address here.
  • Page 277: Configuring Ip Authorized Managers For The Switch

    Figure 10-3. Example of the Show IP Authorized-Manager Display The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below (IP Mask, then Authorized Station IP Address): 255.255.255.252 allows 10.28.227.100 through 103; 255.255.255.254 allows 10.28.227.104 through 105; 255.255.255.255...
  • Page 278 ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager If you omit the <mask bits> when adding a new authorized manager, the switch automatically uses 255.255.255.255 for the mask. If you do not specify either Manager or Operator access, the switch automatically assigns the Manager access.
  • Page 279: Web: Configuring Ip Authorized Managers

    For web-based help on how to use the web browser interface screen, click on button provided on the web browser screen. Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network.
  • Page 280: Configuring Multiple Stations Per Authorized Manager Ip Entry

    The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access. As described above, that...
  • Page 281 (0) in the 4th octet of the mask allows any value between 0 and 255 in that octet of the corresponding IP address. This mask allows switch access to any device having an IP address of 10.28.227.xxx, where xxx is any value from 0 to 255.
  • Page 282: Additional Examples For Authorizing Multiple Stations

    This is because switch access through a web proxy server requires that you first add the web proxy server to the Authorized Manager IP list.
  • Page 283 Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions” list in the web browser interface you are using on the authorized station.
  • Page 284 Using Authorized IP Managers Operating Notes...
  • Page 285 Index Numerics 3DES … 6-3, 7-3 802.1X See port-based access control. … 8-1 802.1X access control authentication methods … 8-4 authentication, client-based … 8-4 authenticator … 8-17 client-based access … 8-4 See also port based client authentication … 8-4 client limit … 8-3, 8-4, 8-41 client-limit, enable …...
  • Page 286 VLAN use, multiple clients … 8-7 aaa authentication … 4-8 aaa port-access See Web or MAC Authentication. access levels, authorized IP managers … 10-3 accounting See RADIUS. address authorized for port security … 9-3 authentication See TACACS. authorized addresses for IP management security … 10-4 for port security …...
  • Page 287 … 3-4 client status … 3-30 configuration commands … 3-23 configuring on the switch … 3-22 switch for RADIUS access … 3-15 the RADIUS server … 3-14 features … 3-4 general setup … 3-12 LACP not allowed … 3-11 rules of operation …...
  • Page 288 RADIUS accounting … 5-2, 5-17 accounting, configuration outline … 5-19 accounting, configure server access … 5-20 accounting, configure types on switch … 5-22 accounting, exec … 5-18, 5-22 accounting, interim updating … 5-24 accounting, network … 5-22 accounting, operating rules … 5-19 accounting, server failure …...
  • Page 289 … 9-17 security, password See SSH. setting a password … 2-4 setup screen … 1-8 authenticating switch to client … 6-3 authentication, client public key … 6-2 authentication, user password … 6-2 caution, restricting access … 6-20 caution, security … 6-18 CLI commands …...
  • Page 290 NAS … 4-3 overview … 1-2 precautions … 4-5 preparing to configure … 4-8 preventing switch lockout … 4-15 privilege level code … 4-7 server access … 4-15 server priority … 4-18 setup, general … 4-5 show authentication … 4-8 system requirements …...
  • Page 291 … 3-30 configuration commands … 3-18 configuring on the switch … 3-17 switch for RADIUS access … 3-15 features … 3-4 general setup … 3-12 LACP not allowed … 3-11 redirect URL … 3-9 rules of operation … 3-10 show status and configuration …...
  • Page 294 Technical information in this document is subject to change without notice. © Copyright 2008 Hewlett-Packard Development Company, L.P. All rights reserved. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws. January 2008 Manual Part Number 5991-4763...

This manual is also suitable for:

U.11. (2510-48), ProCurve 2510-24, ProCurve 2510-48