Page of 318
Download Print This PagePrint Bookmark Comment

HP Q.11.XX Manual

Procurve switches.
Hide thumbs
Access Security Guide
2510
ProCurve Switches
Q.11.
(2510-24)
U.11.
(2510-48)
www.procurve.com

Advertising

   Related Manuals for HP Q.11.XX

   Summary of Contents for HP Q.11.XX

  • Page 1

    Access Security Guide 2510 ProCurve Switches Q.11. (2510-24) U.11. (2510-48) www.procurve.com...

  • Page 3

    ProCurve Series 2510 Switches July 2008 Access Security Guide...

  • Page 4

    Windows NT®, Windows®, and MS Windows® are US Hewlett-Packard products and replacement parts can be registered trademarks of Microsoft Corporation. obtained from your HP Sales and Service Office or authorized dealer. Software Credits SSH on ProCurve Switches is based on the OpenSSH software toolkit.

  • Page 5: Table Of Contents, Getting Started, Configuring Username And Password Security

    Contents Product Documentation About Your Switch Manual Set ........xi Feature Index .

  • Page 6: Table Of Contents, Web And Mac Authentication

    Front-Panel Security ..........2-7 When Security Is Important .

  • Page 7: Table Of Contents, Tacacs+ Authentication

    4 TACACS+ Authentication Contents ............4-1 Overview .

  • Page 8: Table Of Contents, Configuring Secure Shell (ssh)

    Configuring the Switch for RADIUS Authentication ....5-6 Outline of the Steps for Configuring RADIUS Authentication ..5-7 1.

  • Page 9: Table Of Contents, Access Control (802.1x)

    Configuring the Switch for SSH Operation ......6-9 1. Assign Local Login (Operator) and Enable (Manager) Password . 6-9 2.

  • Page 10: Table Of Contents

    Terminology ........... 8-7 General 802.1X Authenticator Operation .

  • Page 11: Table Of Contents, Configuring And Monitoring Port Security

    9 Configuring and Monitoring Port Security Contents ............9-1 Overview .

  • Page 12: Table Of Contents, Using Authorized Ip Managers

    10 Using Authorized IP Managers Contents ............10-1 Overview .

  • Page 13: Product Documentation

    Product Documentation About Your Switch Manual Set The switch manual set includes the following: Read Me First - a printed guide shipped with your switch. Provides ■ software update information, product notes, and other information. ■ Installation and Getting Started Guide - a printed guide shipped with your switch.

  • Page 14

    Product Documentation Feature Index For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. Feature Management and Advanced Traffic Access Security Configuration Management Guide 802.1Q VLAN Tagging 802.1p Priority 802.1X Authentication Authorized IP Managers...

  • Page 15

    Product Documentation Feature Management and Advanced Traffic Access Security Configuration Management Guide LLDP MAC Address Management MAC Lockdown MAC Lockout MAC-based Authentication Monitoring and Analysis Multicast Filtering Network Management Applications (LLDP, SNMP) Passwords Ping Port Configuration Port Security Port Status Port Trunking (LACP) Port-Based Access Control Port-Based Priority (802.1Q)

  • Page 16

    Product Documentation Feature Management and Advanced Traffic Access Security Configuration Management Guide Syslog System Information TACACS+ Authentication Telnet Access TFTP Time Protocols (TimeP, SNTP) Troubleshooting VLANs Xmodem...

  • Page 17: Contents

    Getting Started Contents Introduction ........... 1-2 Overview of Access Security Features .

  • Page 18: Introduction, Overview Of Access Security Features, Overview Of Access Security Features

    Getting Started Introduction Introduction This Access Security Guide describes how to use ProCurve’s switch security features to protect access to your switch. This guide is intended to support the following switches: ProCurve Switch 2510-24 ■ ProCurve Switch 2510-48 ■ For an overview of other product documentation for the above switches, refer to “Product Documentation”...

  • Page 19: Management Access Security Protection

    Getting Started Overview of Access Security Features Port-Based Access Control (802.1X) (page 8-1): On point-to-point ■ connections, enables the switch to allow or deny traffic between a port and an 802.1X-aware device (supplicant) attempting to access the switch. Also enables the switch to operate as a supplicant for connections to other 802.1X-aware switches.

  • Page 20: General Switch Traffic Security Guidelines

    Getting Started Overview of Access Security Features Table 1-1. Management Access Security Protection Security Feature Offers Protection Against Unauthorized Client Access to Offers Protection Switch Management Features Against Unauthorized Client Connection Telnet SNMP Access to the (Net Mgmt) Browser Client Network Local Manager and Operator PtP:...

  • Page 21: Conventions, Command Syntax Statements, Command Syntax Statements

    Getting Started Conventions Conventions This guide uses the following conventions for command syntax and displayed information. Command Syntax Statements Syntax: aaa port-access authenticator < port-list > [ control < authorized | auto | unauthorized >] ■ Vertical bars ( | ) separate alternative, mutually exclusive elements. ■...

  • Page 22: Command Prompts, Screen Simulations, Port Identity Examples, Screen Simulations, Port Identity Examples

    Getting Started Conventions Command Prompts In the default configuration, your switch displays a CLI prompt similar to: ProCurve Switch 2510-24# To simplify recognition, this guide uses ProCurve to represent command prompts for all models. For example: ProCurve# (You can use the hostname command to change the text in the CLI prompt.) Screen Simulations Figures containing simulated screen text and command output look similar to this:...

  • Page 23: Sources For More Information

    Getting Started Sources for More Information Sources for More Information For additional information about switch operation and features not covered in this guide, consult the following sources: For information on which product manual to consult on a given ■ software feature, refer to “Product Documentation” on page xi. Note For the latest version of all ProCurve switch documentation, including release notes covering recently added features, visit the ProCurve...

  • Page 24: Need Only A Quick Start?, Need Only A Quick Start, Ip Addressing

    Getting Started Need Only a Quick Start? For information on a specific command in the CLI, type the command ■ name followed by “help”. For example: Figure 1-3. Getting Help in the CLI ■ For information on specific features in the Web browser interface, use the online help.

  • Page 25: To Set Up And Install The Switch In Your Network

    Getting Started Need Only a Quick Start? To Set Up and Install the Switch in Your Network I m po r t a n t ! Use the Installation Guide for your switch for the following: ■ Notes, cautions, and warnings related to installing and using the switch ■...

  • Page 26

    Getting Started Need Only a Quick Start? 1-10...

  • Page 27

    Configuring Username and Password Security Contents Overview ............2-2 Configuring Local Password Security .

  • Page 28: Overview

    Configuring Username and Password Security Overview Overview Feature Default Menu Set Usernames none — — page 2-6 Set a Password none page 2-4 page 2-5 page 2-6 Delete Password Protection page 2-4 page 2-6 page 2-6 Show front-panel-security — page 1-13 —...

  • Page 29

    Configuring Username and Password Security Overview To configure password security: Set a Manager password pair (and an Operator password pair, if applica- ble for your system). Exit from the current console session. A Manager password pair will now be needed for full access to the console. If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password.

  • Page 30: Configuring Local Password Security, Menu: Setting Passwords, Menu: Setting Passwords

    Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a user- name requires either the CLI or the Web browser interface. From the Main Menu select: 3.

  • Page 31: Cli: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter. If you do not have physical access to the switch, you will need Manager-Level access: Enter the console at the Manager level.

  • Page 32: Web: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.) For example, to remove the Operator password (and username, if assigned) from the switch, you would do the following:...

  • Page 33: Front-panel Security, When Security Is Important, When Security Is Important

    Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together).

  • Page 34: Front-panel Button Functions ', Front-panel Button Functions, Front-panel Button Functions

    Configuring Username and Password Security Front-Panel Security As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions ‘ The front panel of the switch includes the Reset button and the Clear button.

  • Page 35

    Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.

  • Page 36: Configuring Front-panel Security

    Configuring Username and Password Security Front-Panel Security Release the Reset button and wait for about one second for the Self-Test LED to start flashing. Reset Clear Self Test When the Self-Test LED begins flashing, release the Clear button Reset Clear Self Test This process restores the switch configuration to the factory default settings.

  • Page 37

    Configuring Username and Password Security Front-Panel Security • Modify the operation of the Reset+Clear combination (page 2-9) so that the switch still reboots, but does not restore the switch’s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.) •...

  • Page 38

    Configuring Username and Password Security Front-Panel Security For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings. Figure 2-7. The Default Front-Panel Security Settings Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel Syntax: no front-panel-security password-clear In the factory-default configuration, pressing the Clear button...

  • Page 39

    Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel.

  • Page 40

    Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on- clear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-9. Example of Re-Enabling the Clear Button’s Default Operation Changing the Operation of the Reset+Clear Combination In their default configuration, using the Reset+Clear buttons in the combina- tion described under “Restoring the Factory Default Configuration”...

  • Page 41: Password Recovery

    Configuring Username and Password Security Front-Panel Security The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. Completes the command to disable the factory reset option. Displays the current front- panel-security configuration, with Factory Reset disabled.

  • Page 42

    Configuring Username and Password Security Front-Panel Security Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form of the command) disables the ability to recover a lost password. When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password.

  • Page 43: Password Recovery Process

    Configuring Username and Password Security Front-Panel Security Figure 2-11. Example of the Steps for Disabling Password-Recovery Password Recovery Process If you have lost the switch’s manager username/password, but password- recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by ProCurve.

  • Page 44

    Configuring Username and Password Security Front-Panel Security N o t e The alternate password provided by the ProCurve Customer Care Center is valid only for a single login attempt. You cannot use the same “one-time-use” password if you lose the password a second time.

  • Page 45

    Web and MAC Authentication Contents Overview ............3-2 Client Options .

  • Page 46

    Web and MAC Authentication Overview Overview Feature Default Menu Configure Web Authentication — 3-17 — Configure MAC Authentication — 3-22 — Display Web Authentication Status and Configuration — 3-26 — Display MAC Authentication Status and Configuration — 3-28 — Web and MAC Authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access.

  • Page 47: Client Options

    Web and MAC Authentication Overview password, and grants or denies network access in the same way that it does for clients capable of interactive logons. (The process does not use either a client device configuration or a logon session.) MAC authentication is well- suited for clients that are not capable of providing interactive logons, such as telephones, printers, and wireless access points.

  • Page 48: General Features

    Web and MAC Authentication Overview General Features Web and MAC Authentication includes the following: On a port configured for Web or MAC Authentication, the switch ■ operates as a port-access authenticator using a RADIUS server and CHAP (Challenge Handshake AuthenticationProtocol). Inbound traffic is processed by the switch alone, until authentication occurs.

  • Page 49: How Web And Mac Authentication Operate, Authenticator Operation, Authenticator Operation

    Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Authenticator Operation Before gaining access to the network clients first present their authentication credentials to the switch. The switch then verifies the supplied credentials with a RADIUS authentication server.

  • Page 50

    Web and MAC Authentication How Web and MAC Authentication Operate Figure 3-2. Progress Message During Authentication If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.

  • Page 51

    Web and MAC Authentication How Web and MAC Authentication Operate moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authorized port take affect at the end of the session.

  • Page 52

    Web and MAC Authentication How Web and MAC Authentication Operate If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate).

  • Page 53: Terminology

    Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN.

  • Page 54: Operating Rules And Notes

    Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ You can configure one type of authentication on a port. That is, the following authentication types are mutually exclusive on a given port: • Web Authentication • MAC Authentication •...

  • Page 55

    Web and MAC Authentication Operating Rules and Notes If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships. If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.

  • Page 56: General Setup Procedure For Web/mac Authentication, Do These Steps Before You Configure Web/mac Authentication

    Web and MAC Authentication General Setup Procedure for Web/MAC Authentication N o t e o n Web / The switch does not allow Web or MAC Authentication and LACP to both be M A C enabled at the same time on the same port. The switch automatically disables A u t h e n t i c a t i on LACP on ports configured for Web or MAC Authentication.

  • Page 57

    Web and MAC Authentication General Setup Procedure for Web/MAC Authentication If there is neither a RADIUS-assigned VLAN or an “Authorized VLAN” for an authenticated client session on a port, then the port’s VLAN membership remains unchanged during authenticated client ses- sions.

  • Page 58: Server To Support Mac Authentication

    Web and MAC Authentication General Setup Procedure for Web/MAC Authentication Additional Information for Configuring the RADIUS Server To Support MAC Authentication On the RADIUS server, configure the client device authentication in the same way that you would any other client, except: Configure the client device’s (hexadecimal) MAC address as both ■...

  • Page 59: Configuring The Switch To Access A Radius Server

    Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Configuring the Switch To Access a RADIUS Server RADIUS Server Configuration Commands radius-server [host < p-address>] below [key < global-key-string >] below radius-server host < p-address> key <server-specific key-string> 3-16 This section describes the minimal commands for configuring a RADIUS server to support Web-Auth and MAC Auth.

  • Page 60

    Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Syntax: radius-server host < ip-address > key <server-specific key-string> [no] radius-server host < ip-address > key Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the speci- fied server.

  • Page 61: Configuring Web Authentication

    Web and MAC Authentication Configuring Web Authentication Configuring Web Authentication Overview If you have not already done so, configure a local username and password pair on the switch. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authentication.

  • Page 62: Configure The Switch For Web-based Authentication

    Web and MAC Authentication Configuring Web Authentication Configure the Switch for Web-Based Authentication Command Page Configuration Level aaa port-access web-based dhcp-addr 3-18 aaa port-access web-based dhcp-lease 3-18 [no] aaa port-access web-based [e] < port-list > 3-19 [auth-vid] 3-19 [client-limit] 3-19 [client-moves] 3-19 [logoff-period]...

  • Page 63

    Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based [e] < port-list> Enables Web-based authentication on the specified ports. Use the no form of the command to disable Web- based authentication on the specified ports. Syntax: aaa port-access web-based [e] < port-list> [auth-vid <vid>] no aaa port-access web-based [e] <...

  • Page 64

    Web and MAC Authentication Configuring Web Authentication aaa port-access web-based [e] < port-list > Syntax: [logoff-period] <60-9999999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense.

  • Page 65

    Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based [e] < port-list > [redirect-url <url>] no aaa port-access web-based [e] < port-list > [redirect-url] Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5.

  • Page 66: Configuring Mac Authentication On The Switch

    Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access web-based [e] < port-list > [unauth-vid <vid>] no aaa port-access web-based [e] < port-list > [unauth-vid] Specifies the VLAN to use for a client that fails authen- tication.

  • Page 67: Configure The Switch For Mac-based Authentication

    Web and MAC Authentication Configuring MAC Authentication on the Switch Configure the Switch for MAC-Based Authentication Command Page Configuration Level aaa port-access mac-based addr-format 3-23 [no] aaa port-access mac-based [e] < port-list > 3-23 [addr-limit] 3-24 [addr-moves] 3-24 [auth-vid] 3-24 [logoff-period] 3-24 [max-requests]...

  • Page 68

    Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-2>] Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1) Syntax: [no] aaa port-access mac-based [e] < port-list > [addr-moves] Allows client moves between the specified ports under MAC Auth control.

  • Page 69

    Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1 - 65535>] Specifies the time period, in seconds, the switch should wait before attempting an authentication request for a MAC address that failed authentication. (Default: 60 seconds) Syntax: aaa port-access mac-based [e] <...

  • Page 70: Show Status And Configuration Of Web-based Authentication

    Web and MAC Authentication Show Status and Configuration of Web-Based Authentication Show Status and Configuration of Web-Based Authentication Command Page port-list show port-access [ ] web-based 3-26 [clients] 3-26 [config] 3-26 [config [auth-server]] 3-27 [config [web-server]] 3-27 port-list show port-access web-based config detail 3-27 Syntax:...

  • Page 71

    Web and MAC Authentication Show Status and Configuration of Web-Based Authentication Syntax: show port-access [port-list] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.

  • Page 72: Show Status And Configuration Of Mac-based Authentication

    Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Show Status and Configuration of MAC-Based Authentication Command Page show port-access [port-list] mac-based 3-28 [clients] 3-28 [config] 3-28 [config [auth-server]] 3-29 show port-access port-list mac-based config detail 3-29 Syntax: show port-access [port-list] mac-based Shows the status of all MAC-Authentication enabled ports or the specified ports.

  • Page 73

    Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] mac-based [config [auth-server]] Shows MAC Authentication settings for all ports or the specified ports, along with the Radius server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.

  • Page 74: Show Client Status

    Web and MAC Authentication Show Client Status Show Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Possible Explanations Connection authenticated Authorized VLAN Client authenticated.

  • Page 75

    TACACS+ Authentication Contents Overview ............4-2 Terminology Used in TACACS+ Applications: .

  • Page 76

    TACACS+ Authentication Configuring TACACS+ on the Switch Overview Feature Default Menu view the switch’s authentication configuration — page 4-9 — view the switch’s TACACS+ server contact — page — configuration 4-10 configure the switch’s authentication methods disabled — page — 4-11 configure the switch to contact TACACS+ server(s) disabled —...

  • Page 77: Terminology Used In Tacacs+ Applications:, Terminology Used In Tacacs+ Applications, Terminology Used In Tacacs+ Applications

    TACACS+ Authentication Configuring TACACS+ on the Switch with TACACS+ configured, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so.

  • Page 78

    TACACS+ Authentication Configuring TACACS+ on the Switch • Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager- level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or Web browser inter- face.

  • Page 79: General System Requirements, General Authentication Setup Procedure, General Authentication Setup Procedure

    TACACS+ Authentication Configuring TACACS+ on the Switch General System Requirements To use TACACS+ authentication, you need the following: A TACACS+ server application installed and configured on one or ■ more servers or management stations in your network. (There are several TACACS+ software packages available.) A switch configured for TACACS+ authentication, with access to one ■...

  • Page 80

    TACACS+ Authentication Configuring TACACS+ on the Switch other access type (console, in this case) open in case the remote (Telnet/SSH) access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation”...

  • Page 81

    TACACS+ Authentication Configuring TACACS+ on the Switch N o t e o n When a TACACS+ server authenticates an access request from a switch, Privil ege Levels it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access.

  • Page 82: Configuring Tacacs+ On The Switch, Before You Begin, Before You Begin

    TACACS+ Authentication Configuring TACACS+ on the Switch check the configuration in your TACACS+ server application for mis- configurations or missing data that could affect the server’s interopera- tion with the switch. After your testing shows that Telnet access using the TACACS+ server is working properly, configure your TACACS+ server application for console access.

  • Page 83: Cli Commands Described In This Section, Viewing The Switch's Current Authentication Configuration

    TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs 4-10 aaa authentication pages 4-11 through 4-15 console telnet num-attempts <1-10 > tacacs-server pages 4-18 host < ip-addr > pages 4-18 4-22 timeout <...

  • Page 84: Contact Configuration

    TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. show tacacs Syntax: For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a...

  • Page 85: Configuring The Switch's Tacacs+ Authentication Methods

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Authentication Methods The aaa authentication command configures TACACS+ access control for the following access methods: Console ■ ■ Telnet ■ The command specifies whether to use a TACACS+ server or the switch’s local authentication, or no authentication in some situations (meaning that if the primary method fails, authentication is denied).

  • Page 86

    TACACS+ Authentication Configuring TACACS+ on the Switch < local | tacacs | radius > Specifies the primary authentication method, depending on the access method: local — Authenticates with the Manager and Operator password you configure in the switch. tacacs — Authenticates with a password and other data configured on a TACACS+ server.

  • Page 87

    TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-1. AAA Authentication Parameters Name Default Range Function console, Telnet, Specifies the access method used when authenticating. TACACS+ SSH, web , authentication only uses the console, Telnet or SSH access methods. port-access, mac-based*, * 2510-48 only web-based*...

  • Page 88

    TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Authentication Options Effect on Access Attempts Privilege Level Primary Secondary Console — Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Console —...

  • Page 89

    TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server.

  • Page 90

    TACACS+ Authentication Configuring TACACS+ on the Switch password. The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into Operator or Manager mode, depending on your privilege level. ProCurve(config)# aaa authentication login privilege-mode The no version of the above command disables TACACS+ single login capa- bility.

  • Page 91

    TACACS+ Authentication Configuring TACACS+ on the Switch Check the Privilege level box and set the privilege level to 15 to allow “root” privileges. This allows you to use the single login option. Figure 4-5. The Shell Section of the TACACS+ Server User Setup 4-17...

  • Page 92: Configuring The Switch's Tacacs+ Server Access

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these parameters: The host IP address(es) for up to three TACACS+ servers; one first- ■ choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.

  • Page 93

    TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > key-string [key < >] Adds a TACACS+ server and optionally assigns a server- specific encryption key. [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its server-specific encryption key, if any).

  • Page 94

    TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-3. Details on Configuring TACACS Servers and Keys Name Default Range tacacs-server host <ip-addr> none This command specifies the IP address of a device running a TACACS+ server application. Optionally, it can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key.

  • Page 95

    TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range [ key <key-string> ] none (null) n/a Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server”...

  • Page 96

    TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-7. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.

  • Page 97: How Authentication Operates, General Authentication Process Using A Tacacs+ Server

    TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs-server host 10.28.227.104 Note...

  • Page 98

    TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-8. Using a TACACS+ Server for Authentication Using figure 4-8, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: The switch queries the first-choice TACACS+ server for authentication of the request.

  • Page 99: Local Authentication Process

    TACACS+ Authentication Configuring TACACS+ on the Switch Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentica- tion only if one of these two conditions exists: “Local” is the authentication option for the access method being used. ■...

  • Page 100: Using The Encryption Key

    TACACS+ Authentication Configuring TACACS+ on the Switch Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”) helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.

  • Page 101: Authentication, Controlling Web Browser Interface Access When Using Tacacs

    TACACS+ Authentication Configuring TACACS+ on the Switch For example, you would use the next command to configure a global encryp- tion key in the switch to match a key entered as in two target north40campus TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch: ProCurve(config)# tacacs-server key north40campus...

  • Page 102: Messages Related To Tacacs+ Operation

    TACACS+ Authentication Configuring TACACS+ on the Switch Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For informa- tion on such messages, refer to the documentation you received with the application.

  • Page 103

    TACACS+ Authentication Configuring TACACS+ on the Switch When TACACS+ is not enabled on the switch—or when the switch’s ■ only designated TACACS+ servers are not accessible— setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthor- ized persons.) 4-29...

  • Page 104

    TACACS+ Authentication Configuring TACACS+ on the Switch 4-30...

  • Page 105

    RADIUS Authentication, Authorization and Accounting Contents Overview ............5-2 Terminology .

  • Page 106

    RADIUS Authentication, Authorization and Accounting Overview Overview Feature Default Menu Configuring RADIUS Authentication None Configuring RADIUS Accounting None 5-25 Viewing RADIUS Statistics 5-32 RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server employed.

  • Page 107

    RADIUS Authentication, Authorization and Accounting Terminology Terminology CHAP (Challenge-Handshake Authentication Protocol): A challenge- response authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a challenge from a RADIUS server. EAP (Extensible Authentication Protocol): A general PPP authentication protocol that supports multiple authentication mechanisms.

  • Page 108: Switch Operating Rules For Radius

    RADIUS Authentication, Authorization and Accounting Switch Operating Rules for RADIUS Switch Operating Rules for RADIUS ■ You must have at least one RADIUS server accessible to the switch. The switch supports authentication and accounting using up to three ■ RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius (page 5-32).

  • Page 109: General Radius Setup Procedure

    RADIUS Authentication, Authorization and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. Before configuring the switch, collect the information outlined below.

  • Page 110: Configuring The Switch For Radius Authentication

    RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication • Determine whether you can use one, global encryption key for all RADIUS servers or if unique keys will be required for specific servers. With multiple RADIUS servers, if one key applies to two or more of these servers, then you can configure this key as the global encryption key.

  • Page 111: Outline Of The Steps For Configuring Radius Authentication

    RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: Configure RADIUS authentication for controlling access through one or more of the following •...

  • Page 112: You Want Radius To Protect, Configure Authentication For The Access Methods

    RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication out on a server that is unavailable. If you want to use this feature, select a dead-time period of 1 to 1440 minutes. (Default: 0—disabled; range: 1 - 1440 minutes.) If your first-choice server was initially unavailable, but then becomes available before the dead-time expires, you can nullify the dead-time by resetting it to zero and then trying to log on again.

  • Page 113

    RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa authentication < console | telnet | ssh | web > < enable | login > < radius > Configures RADIUS as the primary password authentication method for console, Telnet, SSH and/or the Web browser interface. (The default primary <...

  • Page 114: Configure The Switch To Access A Radius Server

    RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 5-25: “Configuring RADIUS Accounting”...

  • Page 115

    RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in figure 5-3 and you now need to make the following changes: Change the encryption key for the server at 10.33.18.127 to “source0127”. Add a RADIUS server with an IP address of 10.33.18.119 and a server- specific encryption key of “source0119”.

  • Page 116: Configure The Switch's Global Radius Parameters

    RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch’s Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: Number of login attempts: In a given session, specifies how many ■...

  • Page 117

    RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa authentication num-attempts < 1 - 10 > Specifies how many tries for entering the correct user- name and password before shutting down the session due to input errors. (Default: 3; Range: 1 - 10). [no] radius-server key <...

  • Page 118

    RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication For example, suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key. In this case your plan is to configure the switch with the following global authentication parameters: Allow only two tries to correctly enter username and password.

  • Page 119

    RADIUS Authentication, Authorization and Accounting Configuring the Switch for RADIUS Authentication ProCurve# show authentication Status and Counters - Authentication Information After two attempts failing due Login Attempts : 2 to username or password Respect Privilege : Disabled entry errors, the switch will terminate the session.

  • Page 120

    RADIUS Authentication, Authorization and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: “Local” is the authentication option for the access method being used. ■...

  • Page 121

    RADIUS Authentication, Authorization and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication Controlling Web Browser Interface Access When Using RADIUS Authentication To prevent unauthorized access through the Web browser interface, do one or more of the following: ■ Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch.

  • Page 122: Enabling Authorization

    RADIUS Authentication, Authorization and Accounting Commands Authorization Note The commands authorization will only be executed for commands entered from Telnet, SSH, or console sessions. The Web management interface is not supported. By default, all users may execute a minimal set of commands regardless of their authorization status, for example, “exit”...

  • Page 123: Displaying Authorization Information, Configuring Commands Authorization On A Radius Server

    Configuring Commands Authorization on a RADIUS Server Using Vendor Specific Attributes (VSAs) Some RADIUS-based features implemented on ProCurve switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access- Accept packets sent to the switch may contain the vendor-specific informa- tion.

  • Page 124

    (those that are available by default to any user). You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.

  • Page 125: Example Configuration On Cisco Secure Acs For Ms Windows

    The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps. Create a dictionary file (for example, hp.ini) containing the HP VSA definitions, as shown in the example below. ;[User Defined Vendor] ;...

  • Page 126

    Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils> csutil -addudv 0 hp.ini The zero (0) is the slot number.

  • Page 127

    4 (100 in the example). Restart all Cisco services. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry. In the Authenticate Using field choose RADIUS(HP) as an option for the type of security control protocol.

  • Page 128: Example Configuration Using Freeradius

    Find the location of the dictionary files used by FreeRADIUS (try /usr/ local/share/freeradius). Copy dictionary.hp to that location. Open the existing dictionary file and add this entry: $ INCLUDE dictionary.hp You can now use HP VSAs with other attributes when configuring user entries. 5-24...

  • Page 129: Configuring Radius Accounting

    RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Commands Page [no] radius-server host < ip-address > 5-28 [acct-port < port-number >] 5-28 [key < key-string >] 5-28 [no] aaa accounting < exec | network | system > 5-31 <...

  • Page 130: Operating Rules For Radius Accounting

    RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting (For 802.1X information for the switch, refer to “Configuring Port-Based and Client-Based Access Control (802.1X)” on page 8-1.) Exec accounting: Provides records holding the information listed ■ below about login sessions (console, Telnet, and SSH) on the switch: •...

  • Page 131: Steps For Configuring Radius Accounting

    RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting If access to a RADIUS server fails during a session, but after the client ■ has been authenticated, the switch continues to assume the server is available to receive accounting data. Thus, if server access fails during a session, it will not receive accounting data transmitted from the switch.

  • Page 132

    RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting 1. Configure the Switch To Access a RADIUS Server Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 5-10.

  • Page 133: Reports To The Radius Server

    RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting Because the radius-server command includes an acct-port element with a non- default 1750, the switch assigns this value to the accounting port UDP port numbers. Because auth-port was not included in the command, the authentication UDP port is set to the default 1812.

  • Page 134

    RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting Determine how you want the switch to send accounting data to a RADIUS server: Start-Stop: ■ • Send a start record accounting notice at the beginning of the account- ing session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (Network, Exec, or System).

  • Page 135: Updating Options

    RADIUS Authentication, Authorization and Accounting Configuring RADIUS Accounting For example, to configure RADIUS accounting on the switch with start-stop for exec functions and stop-only for system functions: Configures exec and system accounting and controls. Summarizes the switch’s accounting configuration. Exec and System accounting are active.

  • Page 136: Viewing Radius Statistics, General Radius Statistics, General Radius Statistics

    RADIUS Authentication, Authorization and Accounting Viewing RADIUS Statistics • Update Period • Suppress Unknown User Figure 5-10. Example of Optional Accounting Update Period and Accounting Suppression on Unknown User Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses.

  • Page 137

    RADIUS Authentication, Authorization and Accounting Viewing RADIUS Statistics Figure 5-12. RADIUS Server Information From the Show Radius Host Command 5-33...

  • Page 138

    RADIUS Authentication, Authorization and Accounting Viewing RADIUS Statistics Table 5-2. Values for Show Radius Host Output (Figure 5-12) Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting- Request that matched it from this RADIUS accounting server. Pending Requests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.

  • Page 139: Radius Authentication Statistics

    RADIUS Authentication, Authorization and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Syntax: show authentication Displays the primary and secondary authentication meth- ods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session. show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.

  • Page 140: Radius Accounting Statistics

    RADIUS Authentication, Authorization and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppres- sion status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) config- ured in the switch (using the radius-server host command). show accounting sessions Lists the accounting sessions currently active on the switch.

  • Page 141: Changing Radius-server Access Order

    RADIUS Authentication, Authorization and Accounting Changing RADIUS-Server Access Order Figure 5-17. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.

  • Page 142

    RADIUS Authentication, Authorization and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: Delete 10.10.10.003 from the list.

  • Page 143: Messages Related To Radius Operation

    RADIUS Authentication, Authorization and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning A designated RADIUS server is not responding to an Can’t reach RADIUS server < x.x.x.x >. authentication request. Try pinging the server to determine whether it is accessible to the switch.

  • Page 144

    RADIUS Authentication, Authorization and Accounting Messages Related to RADIUS Operation 5-40...

  • Page 145

    Configuring Secure Shell (SSH) Contents Overview ............6-2 Terminology .

  • Page 146

    Configuring Secure Shell (SSH) Overview Overview Feature Default Menu Generating a public/private key pair on the switch page 6-10 Using the switch’s public key page 6-12 Enabling SSH Disabled page 6-15 Enabling client public-key authentication Disabled pages 6-19, 6-22 Enabling user authentication Disabled page 6-19 The ProCurve switches covered in this guide use Secure Shell version 2...

  • Page 147

    Configuring Secure Shell (SSH) Overview Note SSH in the ProCurve switch is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com . Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication show in figure 6-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.

  • Page 148

    Configuring Secure Shell (SSH) Terminology Terminology ■ SSH Server: A ProCurve switch with SSH enabled. Key Pair: A pair of keys generated by the switch or an SSH client ■ application. Each pair includes a public key, that can be read by anyone and a private key, that is held internally in the switch or by a client.

  • Page 149: Prerequisite For Using Ssh, Public Key Formats, Public Key Formats

    Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), then the client program must have the capability to generate or import keys.

  • Page 150

    Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Table 6-1. SSH Options Switch Primary SSH Authenticate Authenticate Primary Switch Secondary Switch Access Authentication Switch Public Key Client Public Key Password Password Level to SSH Clients? to the Switch? Authentication Authentication...

  • Page 151

    Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation Assign a login (Operator) and enable (Manager) password on the switch (page 6-9). Generate a public/private key pair on the switch (page 6-10). You need to do this only once.

  • Page 152: General Operating Rules And Notes

    Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store ten client key pairs. The switch’s own public/private key pair and the (optional) client ■...

  • Page 153: Configuring The Switch For Ssh Operation

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 6-17 show crypto client-public-key [<manager | operator>] [keylist-str] 6-25 [< babble | fingerprint >] show crypto host-public-key [< babble | fingerprint >] 6-14 show authentication 6-21...

  • Page 154: Generate The Switch's Public And Private Key Pair

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-4. Example of Configuring Local Passwords 2. Generate the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.

  • Page 155

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation To Generate or Erase the Switch’s Public/Private RSA Host Key Pair. Because the host key pair is stored in flash instead of the running-config file, it is not necessary to use write memory to save the key pair. Erasing the key pair automatically disables SSH.

  • Page 156: Provide The Switch's Public Key To Clients

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch Version 1 and Version 2 Views of Same Host Public Key Figure 6-5. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key' displays data in two different formats because your client may store it in either of these formats after learning the key.

  • Page 157

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one blank space each: Bit Size Exponent <e>...

  • Page 158

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Modulus <n>...

  • Page 159: Client Contact Behavior, Enable Ssh On The Switch And Anticipate Ssh

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 6-9. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 6-9 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host”...

  • Page 160

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client, your client’s first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing.

  • Page 161

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 6-17. [timeout < 5 - 120 >] The SSH login timeout value (default: 120 seconds).

  • Page 162: Configure The Switch For Ssh Authentication

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation C a u t i o n Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you.

  • Page 163

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option A: Configuring SSH Access for Password-Only SSH Authentication. When configured with this option, the switch uses its pub- lic key to authenticate itself to a client, but uses only passwords for client authentication.

  • Page 164

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation With steps 1 - 3, above, completed and SSH properly configured on the switch, if an SSH client contacts the switch, login authentication automatically occurs first, using the switch and client public-keys. After the client gains login access, the switch controls client access to the manager level by requiring the passwords configured earlier by the aaa authentication ssh enable command.

  • Page 165

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configures Manager user- Configures the name and password. switch to allow SSH access only a client whose public key matches one of the keys in the public key file Configures the primary and secondary password methods for Copies a public key file Manager (enable) access.

  • Page 166: Use An Ssh Client To Access The Switch, Further Information On Ssh Client Public-key Authentication

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems"...

  • Page 167

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication If you enable client public-key authentication, the following events occur when a client tries to access the switch using SSH: The client sends its public key to the switch with a request for authenti- cation.

  • Page 168

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication To Create a Client-Public-Key Text File. These steps describe how to copy client-public-keys into the switch for RSA challenge-response authenti- cation, and require an understanding of how to use your SSH client applica- tion.

  • Page 169

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Copy the client’s public key into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft® Windows® software. If you want several clients to use client public-key authentica- tion, copy a public key for each of these clients (up to ten) into the file.

  • Page 170

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication The keylist-str option allows you to select keys to display (a comma-delimited list). The babble option converts the key data to phonetic hashes that are easier for visual comparisons. The fingerprint option converts the key data to hexadec- imal hashes that are for the same purpose.

  • Page 171

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Enabling Client Public-Key Authentication. After you TFTP a client- public-key file into the switch (described above), you can configure the switch to allow the following: If an SSH client’s public key matches an entry in the switch’s client- ■...

  • Page 172: Messages Related To Ssh Operation

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning Indicates an error in communicating with the tftp server or 00000K Peer unreachable. not finding the file to download. Causes include such factors • Incorrect IP configuration on the switch •...

  • Page 173

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning After you execute the crypto key generate ssh [rsa] Generating new RSA host key. If the command, the switch displays this message while it cache is depleted, this could take is generating the key.

  • Page 174

    Configuring Secure Shell (SSH) Messages Related to SSH Operation 6-30...

  • Page 175

    Configuring Secure Socket Layer (SSL) Contents Overview ............7-2 Terminology .

  • Page 176

    Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu Generating a Self Signed Certificate on the switch page 7-8 page 7-12 Generating a Certificate Request on the switch page 7-15 Enabling SSL Disabled page 7-17 page 7-19 The ProCurve switches covered by this manual use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security(TLSv1) to provide remote web access to the switches via encrypted paths between the switch and management station clients capable of SSL/TLS operation.

  • Page 177

    Configuring Secure Socket Layer (SSL) Terminology 1. Switch-to-Client SSL Cert. SSL Client ProCurve Browser Switch 2. User-to-Switch (login password and (SSL enable password authentication) Server) options: – Local – TACACS+ – RADIUS Figure 7-1. Switch/User Authentication SSL on the ProCurve switches supports these data encryption methods: ■...

  • Page 178

    Configuring Secure Socket Layer (SSL) Terminology Self-Signed Certificate: A certificate not verified by a third-party ■ certificate authority (CA). Self-signed certificates provide a reduced level of security compared to a CA-signed certificate. CA-Signed Certificate: A certificate verified by a third party certif- ■...

  • Page 179: Prerequisite For Using Ssl

    Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com- puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include:...

  • Page 180

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re- generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all manage- ment stations (clients) you previously set up for SSL access to the switch.

  • Page 181: Assign Local Login (operator) And Enable (manager) Password

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl page 7-19 show config page 7-19 show crypto host-cert page 7-12 crypto key generate cert [rsa] <512 | 768 |1024> page 7-10 zeroize cert page 7-10...

  • Page 182: Generate The Switch's Server Host Certificate

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface refer to the chapter titled “Using the Web Browser Interface”...

  • Page 183

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.) The server certificate is stored in the switch’s flash memory.

  • Page 184

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes CLI commands used to generate a Server Host Certificate. Syntax: crypto key generate cert [rsa] < 512 | 768 |1024 > Generates a key pair for use in the certificate. crypto key zeroize cert Erases the switch’s certificate key and disables SSL opera- tion.

  • Page 185

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Table 7-1. Certificate Field Descriptions Field Name Description Valid Start Date This should be the date you desire to begin using the SSL functionality. Valid End Date This can be any future date, however good security practices would suggest a valid duration of about one year between updates of passwords and keys.

  • Page 186

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes CLI Command to view host certificates. Syntax: show crypto host-cert Displays switch’s host certificate To view the current host certificate from the CLI you use the show crypto host-cert command. For example, to display the new server host certificate: Show host certificate command Figure 7-4.

  • Page 187

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Select the Security tab then the button. The SSL configuration [SSL] screen is divided into two halves. The left half is used for creating a new certificate key pair and (self-signed / CA-signed) certificate. The right half displays information on the currently installed certificate.

  • Page 188

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes For example, to generate a new host certificate via the web browsers inter- face: Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments Figure 7-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface: Select the Security tab Select the...

  • Page 189

    Configuring Secure Socket Layer (SSL) Current SSL Host Certificate General Operating Rules and Notes Current SSL Host Certificate Figure 7-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web Browser Interface This section describes how to install a CA-Signed server host certificate from the web browser interface.

  • Page 190

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web server the certificate response, which is then validated by the switch and put into use by enabling SSL.

  • Page 191: Browser Contact Behavior, Enable Ssl On The Switch And Anticipate Ssl

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----- MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMBIGA1UEChMLT3Bwb3J0dW5pdGkxGDAW BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0+aMcXgVruVixw/xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B Figure 7-7. Example of a Certificate Request and Reply 3. Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior he web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients.

  • Page 192

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Note Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generate the Switch’s Server Host Certificate” on page 7-8. When configured for SSL, the switch uses its host certificate to authenticate itself to SSL clients, however unless you disable the standard web browser interface with the no web-management command it will be still available for...

  • Page 193

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443).

  • Page 194

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Enable SSL and Port number selection Figure 7-8. Using the web browser interface to enable SSL and select TCP port number N o t e o n P o r t ProCurve recommends using the default IP port number (443).

  • Page 195: Common Errors In Ssl Setup

    Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup Common Errors in SSL Setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 7-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host...

  • Page 196

    Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup 7-22...

  • Page 197

    Configuring Port-Based and Client-Based Access Control (802.1X) Contents Overview ............8-3 Why Use Port-Based or Client-Based Access Control? .

  • Page 198: Table Of Contents

    Configuring Port-Based and Client-Based Access Control (802.1X) Contents Setting Up and Configuring 802.1X Open VLAN Mode ... . 8-34 802.1X Open VLAN Operating Notes ......8-38 Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices .

  • Page 199

    Configuring Port-Based and Client-Based Access Control (802.1X) Overview Overview Feature Default Menu Configuring Switch Ports as 802.1X Authenticators Disabled page 8-17 Configuring 802.1X Open VLAN Mode Disabled page 8-26 Configuring Switch Ports to Operate as 802.1X Supplicants Disabled page 8-42 Displaying 802.1X Configuration, Statistics, and Counters page 8-47 How 802.1X Affects VLAN Operation...

  • Page 200: User Authentication Methods

    Configuring Port-Based and Client-Based Access Control (802.1X) Overview Client-Based access control option with support for up to 2 authenticated clients per-port. Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication.

  • Page 201

    Configuring Port-Based and Client-Based Access Control (802.1X) Overview 802.1X Port-Based Access Control 802.1X port-based access control provides port-level security that allows LAN access only on ports where a single 802.1X-capable client (supplicant) has entered authorized RADIUS user credentials. For reasons outlined below, this option is recommended for applications where only one client at a time can connect to the port.

  • Page 202

    Configuring Port-Based and Client-Based Access Control (802.1X) Overview access from a master database in a single server (although you can use up to three RADIUS servers to provide backups in case access to the primary server fails). It also means a user can enter the same username and password pair for authentication, regardless of which switch is the access point into the LAN.

  • Page 203

    Configuring Port-Based and Client-Based Access Control (802.1X) Terminology Terminology 802.1X-Aware: Refers to a device that is running either 802.1X authenticator software or 802.1X client software and is capable of interacting with other devices on the basis of the IEEE 802.1X standard. Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static VLAN previously configured on the switch by the System Administrator.

  • Page 204

    Configuring Port-Based and Client-Based Access Control (802.1X) Terminology as defined in the EAPOL: Extensible Authentication Protocol Over LAN, 802.1X standard Friendly Client: A client that does not pose a security risk if given access to the switch and your network. MD5: An algorithm for calculating a unique digital signature over a stream of bytes.

  • Page 205

    Configuring Port-Based and Client-Based Access Control (802.1X) Terminology designate as the Unauthorized-Client VLAN.) A port configured to use a given Unauthorized-Client VLAN does not have to be statically configured as a member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN.

  • Page 206: Example Of The Authentication Process, General 802.1x Authenticator Operation, General 802.1x Authenticator Operation

    Configuring Port-Based and Client-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode”...

  • Page 207: Switch-port Supplicant Operation, Switch-port Supplicant Operation

    Configuring Port-Based and Client-Based Access Control (802.1X) General 802.1X Authenticator Operation ii. If the client is successfully authenticated and authorized to con- nect to the network, then the switch allows access to the client. Otherwise, access is denied and the port remains blocked. Switch-Port Supplicant Operation This operation provides security on links between 802.1X-aware switches.

  • Page 208

    Configuring Port-Based and Client-Based Access Control (802.1X) General Operating Rules and Notes Port A1 replies with an MD5 hash response based on its username and password or other unique credentials. Switch “B” forwards this response to the RADIUS server. The RADIUS server then analyzes the response and sends either a “suc- cess”...

  • Page 209

    Configuring Port-Based and Client-Based Access Control (802.1X) General Operating Rules and Notes port. If another client uses an 802.1X supplicant application to access the opened port, then a re-authentication occurs using the RADIUS configuration response for the latest client to authenticate. To control access by all clients, use the client-based method.

  • Page 210: General Setup Procedure For 802.1x Access Control, Do These Steps Before You Configure 802.1x Operation

    Configuring Port-Based and Client-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Access Control Do These Steps Before You Configure 802.1X Operation Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels.

  • Page 211: Overview: Configuring 802.1x Authentication On The Switch, Overview: Configuring 802.1x Authentication On The Switch

    Configuring Port-Based and Client-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to “RADIUS Authentication, Authori- zation and Accounting”...

  • Page 212

    Configuring Port-Based and Client-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control If you are using Port Security on the switch, configure the switch to allow only 802.1X access on ports configured for 802.1X operation, and (if desired) the action to take if an unauthorized device attempts access through an 802.1X port.

  • Page 213: Configuring Switch Ports As 802.1x Authenticators, Enable 802.1x Authentication On Selected Ports

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Configuring Switch Ports as 802.1X Authenticators 802.1X Authentication Commands Page [no] aaa port-access authenticator < [ethernet] < port-list > 8-17 [control | quiet-period | tx-period | client-limit | supplicant-timeout | 8-18 server-timeout | logoff-period | max-requests | reauth-period | auth-vid | unauth-vid | initialize | reauthenticate | clear-statistics]...

  • Page 214

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication Syntax: [ no ] aaa port-access authenticator < port-list > Enables specified ports to operate as 802.1X authenticators and enables port-based authentication.

  • Page 215

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Port-Based 802.1X Authentication. no aaa port-access authenticator client-limit Used to convert a port from client-based authentication to port-based authentication, which is the default setting for ports on which authentication is enabled. (Executing aaa port-access authenticator <...

  • Page 216: Reconfigure Settings For Port-access, Reconfigure Settings For Port-access

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 2. Reconfigure Settings for Port-Access The commands in this section are initially set by default and can be reconfig- ured as needed. Syntax: aaa port-access authenticator < port-list > [control <...

  • Page 217

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).

  • Page 218

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid <...

  • Page 219: Configure The 802.1x Authentication Method, Configure The 802.1x Authentication Method

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenti- cator.

  • Page 220: Enter The Radius Host Ip Address(es), Enable 802.1x Authentication On The Switch

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands.

  • Page 221: Optionally Resetting Authenticator Operation

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optionally Resetting Authenticator Operation After authentication has begun operating, these commands can be used to reset authentication and related statistics on specific ports. Syntax: aaa port-access authenticator < port-list > [initialize] On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process.

  • Page 222: X Open Vlan Mode

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 8-17 802.1X Supplicant Commands page 8-44 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator [e] < port-list > page 8-37 [auth-vid <...

  • Page 223: Vlan Membership Priorities

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports configured to allow multiple sessions using 802.1X client-based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, authenticated clients, the first authenti- cated client determines the untagged VLAN in which the port will operate for all subsequent, overlapping client sessions.

  • Page 224: Use Models For 802.1x Open Vlan Modes, Use Models For 802.1x Open Vlan Modes

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Note After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port belongs to a tagged VLAN used for 1 or 2 above, then it operates as an untagged member of that VLAN while the client is connected.

  • Page 225

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 8-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN •...

  • Page 226

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 8-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN.

  • Page 227

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 8-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session.

  • Page 228

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Temporary VLAN Membership During • Port membership in a VLAN assigned to operate as the Unauthorized-Client VLAN is temporary, and ends when the client a Client Session receives authentication or the client disconnects from the port, whichever is first.

  • Page 229

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule IP Addressing for a Client Connected A client can either acquire an IP address from a DHCP server or have to a Port Configured for 802.x Open a preconfigured, manual IP address before connecting to the switch.

  • Page 230: Setting Up And Configuring 802.1x Open Vlan Mode

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode N o t e If you use the same VLAN as the Unauthorized-Client VLAN for all authenti- cator ports, unauthenticated clients on different ports can communicate with each other. Setting Up and Configuring 802.1X Open VLAN Mode Preparation.

  • Page 231

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode A client must either have a valid IP address configured before ■ connecting to the switch, or download one through the Unauthorized- Client VLAN from a DHCP server. In the latter case, you will need to provide DHCP services on the Unauthorized-Client VLAN.

  • Page 232

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Configure the 802.1X authentication type. Options include: Syntax: aaa authentication port-access < local | eap-radius | chap-radius > Determines the type of RADIUS authentication to use. local: Use the switch’s local username and password for supplicant authentication (the default).

  • Page 233

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Note If you want to implement the optional port security feature on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. Then refer to “Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices”...

  • Page 234: X Open Vlan Operating Notes

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101 and an encryption key of rad4all. ProCurve(config)# aaa port-access authenticator e a10-a20 unauth-vid 80 Configures ports A10 - A20 to use VLAN 80 as the Unauthorized-Client VLAN.

  • Page 235

    Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode RADIUS-assigned VLAN, then an authenticated client without tagged VLAN capability can access only a statically configured, untagged VLAN on that port.) When a client’s authentication attempt on an Unauthorized-Client ■...

  • Page 236: Option For Authenticator Ports: Configure Port-security To Allow, Only 802.1x Devices

    Configuring Port-Based and Client-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices If you use port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.1X-aware device detected on the port.

  • Page 237

    Configuring Port-Based and Client-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices N o t e o n If the port’s 802.1X authenticator control mode is configured to authorized (as B l o c k i n g a N o n - shown below, instead of auto), then the first source MAC address from any 80 2 .

  • Page 238

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configure the port access type. Syntax: aaa port-access auth < port-list > client-limit < 1 - 8> Configures client-based 802.1X authentication on the specified ports and sets the number of authenticated devices the port is allowed to learn.

  • Page 239

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Switch “A” has port A1 configured for 802.1X supplicant operation ■ You want to connect port A1 on switch “A” to port B5 on switch “B”. ■...

  • Page 240

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches • A “failure” response continues the block on port B5 and causes port A1 to wait for the “held-time” period before trying again to achieve authentication through port B5.

  • Page 241

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches [identity < username >] Sets the username and password to pass to the authen- ticator port when a challenge-request packet is received from the authenticator port in response to an authen- tication request.

  • Page 242

    Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches [start-period < 1 - 300 >] Sets the time period between Start packet retransmis- sions. That is, after a supplicant sends a start packet, it waits during the start-period for a response.

  • Page 243: Displaying 802.1x Configuration, Statistics, And Counters, Show Commands For Port-access Authenticator

    Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 8-17 802.1X Supplicant Commands page 8-42 802.1X Open VLAN Mode Commands page 8-26 802.1X-Related Show Commands show port-access authenticator below show port-access supplicant page 8-53...

  • Page 244

    Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [[e] < port-list >] Shows: • Whether port-access authenticator is active • The 802.1X configuration of the ports configured as 802.1X authenticators •...

  • Page 245

    Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters ProCurve(config)# show port-access authenticator config Port Access Authenticator Configuration Port-access authenticator activated [No] : No | Re-auth Access Quiet Supplicant Server Port | Period Control Reqs Period Timeout Timeout Timeout...

  • Page 246: Viewing 802.1x Open Vlan Mode Status, Viewing 802.1x Open Vlan Mode Status

    Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show port- access authenticator and show vlan < vlan-id > commands as illustrated in this section.

  • Page 247

    Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters When the Unauth VLAN ID is configured and matches the Current VLAN ■ ID in the above command output, an unauthenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Unauth VLAN.) Note that because a temporary Open VLAN port assignment to either an authorized or unauthorized VLAN is an untagged VLAN membership, these...

  • Page 248

    Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 8-3. Open VLAN Mode Status Status Indicator Meaning Unauthorized VLAN < vlan-id >: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated port.

  • Page 249: Show Commands For Port-access Supplicant, Show Commands For Port-access Supplicant

    Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [[e] < port-list >] [statistics] show port-access supplicant [[e] < port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port- list >...

  • Page 250: How Radius/802.1x Authentication Affects Vlan Operation, How Radius/802.1x Authentication Affects Vlan Operation

    Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement.

  • Page 251

    Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1X client requires access...

  • Page 252

    Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1X session. This is to accommodate an 802.1X client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22.

  • Page 253

    Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS-authenticated 802.1X session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored.

  • Page 254: Messages Related To 802.1x Operation, Messages Related To 802.1x Operation

    Configuring Port-Based and Client-Based Access Control (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation Table 8-4. 802.1X Operating Messages Message Meaning The ports in the port list have not been enabled as 802.1X Port < port-list > is not an authenticators.

  • Page 255: Table Of Contents

    Configuring and Monitoring Port Security Contents Overview ............9-2 Basic Operation .

  • Page 256: Basic Operation

    Configuring and Monitoring Port Security Overview Overview Note ProCurve switch 2510-24 (J9019A/J9019B): Port security, Web/MAC authenti- cation and 802.1X are not available on the 1000 Mbps uplink ports. (On J9019A, these features are also not available on ports operating at 10 Mbps.) Feature Default Menu...

  • Page 257: Blocking Unauthorized Traffic

    Configuring and Monitoring Port Security Overview General Operation for Port Security. On a per-port basis, you can configure security measures to block unauthorized devices, and to send notice of security violations. Once you have configured port security, you can then monitor the network for security violations through one or more of the following: Alert flags that are captured by network management tools...

  • Page 258: Trunk Group Exclusion

    Configuring and Monitoring Port Security Overview Physical Topology Logical Topology for Access to Switch A Switch A Switch A Port Security Port Security Configured Configured PC 1 PC 1 MAC Address Authorized MAC Address Authorized by Switch A by Switch A Switch B Switch B PC 2...

  • Page 259: Planning Port Security

    Configuring and Monitoring Port Security Planning Port Security Planning Port Security Plan your port security configuration and monitoring according to the following: On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port and how many devices do you want to allow per port (up to 8)? Within the devices-per-port limit, do you want to let the switch automatically accept devices it detects on a port, or do you want it...

  • Page 260: Port Security Command Options And Operation

    Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 9-11 port-security 9-12 < [ethernet] port-list > 9-12 [learn-mode] 9-12 [address-limit] 9-12 [mac-address] 9-12 [action] 9-12 [clear-intrusion-flag]...

  • Page 261

    Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > learn-mode < continuous | static | configured | port-access > Continuous (Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from inbound traffic from any device(s) to which it is connected.

  • Page 262

    Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) learn-mode < continuous | static | configured | port-access > Configured: The static-configured option operates the same as the static-learn option on the preceding page, except that it does not allow the switch to accept non-specified addresses to reach the address limit.

  • Page 263

    Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) action < none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a network man- agement station. Operates when: •...

  • Page 264: Retention Of Static Mac Addresses, Displaying Current Port Security Settings

    Configuring and Monitoring Port Security Port Security Command Options and Operation Retention of Static MAC Addresses Learned MAC Addresses In the following two cases, a port in Static learn mode (learn-mode static) retains a learned MAC address even if you later reboot the switch or disable port security for that port: The port learns a MAC address after you configure the port with learn- ■...

  • Page 265

    Configuring and Monitoring Port Security Port Security Command Options and Operation Using the CLI To Display Port Security Settings. Syntax: show port-security show port-security [e] <port number> show port-security [e] [<port number>-<port number]. . .[,<port number>] Without port parameters, show port-security displays operating control settings for all ports on a switch.

  • Page 266: Configuring Port Security

    Configuring and Monitoring Port Security Port Security Command Options and Operation The following command example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string: ProCurve(config)# show port-security A1-A3,A6,A8 Configuring Port Security Using the CLI, you can:...

  • Page 267

    Configuring and Monitoring Port Security Port Security Command Options and Operation ProCurve(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable This example configures port A5 to: Allow two MAC addresses, 00c100-7fec00 and 0060b0-889e00, as the ■ authorized devices. ■ Send an alarm to a management station if an intruder is detected on the port.

  • Page 268

    Configuring and Monitoring Port Security Port Security Command Options and Operation mined by the current address-limit value). For example, suppose port A1 allows two authorized devices, but has only one device in its Authorized Address list: Although the Address Limit is set to 2, only one device has been authorized for this port.

  • Page 269

    Configuring and Monitoring Port Security Port Security Command Options and Operation Note The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. If you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode.

  • Page 270

    Configuring and Monitoring Port Security Port Security Command Options and Operation C a u t i o n The address-limit setting controls how many MAC addresses are allowed in the Authorized Addresses list for a given port. If you remove a MAC address without also reducing the address limit by 1, the port may later detect and accept the same or another MAC address that you do not want in the Autho- rized Address list.

  • Page 271

    Configuring and Monitoring Port Security Port Security Command Options and Operation The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090- 123456 The above command sequence results in the following configuration for port ProCurve(config)# show port-security 1 Port Security Port : 1...

  • Page 272: Mac Lockdown

    Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown MAC Lockdown, also known as “static addressing,” is the permanent assign- ment of a given MAC address (and VLAN, or Virtual Local Area Network) to a specific port on the switch. MAC Lockdown is used to prevent station movement and MAC address hijacking.

  • Page 273: Differences Between Mac Lockdown And Port Security

    Configuring and Monitoring Port Security MAC Lockdown If the device (computer, PDA, wireless device) is moved to a different port on the switch (by reconnecting the Ethernet cable or by moving the device to an area using a wireless access point connected to a different port on that same switch), the port will detect that the MAC Address is not on the appropriate port and will continue to send traffic out the port to which the address was locked.

  • Page 274

    Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown, on the other hand, is not a “list.” It is a global parameter on the switch that takes precedence over any other security mechanism. The MAC Address will only be allowed to communicate using one specific port on the switch.

  • Page 275: Deploying Mac Lockdown

    Configuring and Monitoring Port Security MAC Lockdown These messages in the log file can be useful for troubleshooting problems. If you are trying to connect a device which has been locked down to the wrong port, it will not work but it will generate error messages like this to help you determine the problem.

  • Page 276

    Configuring and Monitoring Port Security MAC Lockdown Internal Server “A” Core 3400cl or 3400cl or 5300xl Switch 5300xl Switch Network There is no need to lock MAC addresses on switches in the internal core network. 3400cl or 3400cl or 5300xl Switch 5300xl Switch Network Edge Lock Server “A”...

  • Page 277

    Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.

  • Page 278

    Configuring and Monitoring Port Security MAC Lockdown Internal Network PROBLEM: If this link fails, Server A traffic to Server A will not use the backup path via Switch 3 Switch 3 Switch 4 Server A is locked down to Switch 1, Uplink 2 Switch 2 Switch 1 External...

  • Page 279: Mac Lockout

    Configuring and Monitoring Port Security MAC Lockout Displaying status. Locked down ports are listed in the output of the show running-config command in the CLI. The show static-mac command also lists the locked down MAC addresses, as shown below. ProCurve(config)# show static-mac VLAN MAC Address Port 1 001083-34f8fa 9...

  • Page 280

    Configuring and Monitoring Port Security MAC Lockout How It Works. Let’s say a customer knows there are unauthorized wireless clients who should not have access to the network. The network administrator “locks out” the MAC addresses for the wireless clients by using the MAC Lockout command (lockout-mac <mac-address>).

  • Page 281: Port Security And Mac Lockout

    Configuring and Monitoring Port Security MAC Lockout ProCurve(config)# show lockout-mac Locked Out Addresses 007347-a8fd30 Number of locked out MAC addresses = 1 ProCurve(config)# Figure 9-12. Listing Locked Out Ports Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command.

  • Page 282: Reading Intrusion Alerts And Resetting Alert Flags, Notice Of Security Violations

    Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features Click on the Security tab. Click on [Port Security]. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field.

  • Page 283: How The Intrusion Log Operates

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • In the menu interface: – The Port Status screen includes a per-port intrusion alert – The Event Log includes per-port entries for security viola- tions • In the Web browser interface: –...

  • Page 284: Keeping The Intrusion Log Current By Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Keeping the Intrusion Log Current by Resetting Alert Flags When a violation occurs on a port, an alert flag is set for that port and the violation is entered in the Intrusion Log. The switch can detect and handle subsequent intrusions on that port, but will not log another intrusion on the port until you reset the alert flag for either all ports or for the individual port.

  • Page 285

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The Intrusion Alert column shows “Yes” for any port on which a security violation has been detected. Figure 9-14. Example of Port Status Screen with Intrusion Alert on Port A3 Type ) to display the Intrusion Log.

  • Page 286

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags (The intrusion log holds up to 20 intrusion records and deletes an intrusion record only when the log becomes full and a new intrusion is subsequently detected.) Note also that the “prior to” text in the record for the earliest intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.

  • Page 287

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The following commands display port status, including whether there are intrusion alerts for any port(s), list the last 20 intrusions, and either reset the alert flag on all ports or for a specific port for which an intrusion was detected.

  • Page 288

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Dates and Times of MAC Address of latest Intrusions Intruder on Port A1 Earlier intrusions on port A1 that have already been cleared (that is, the Alert Flag has been reset at least twice before the most recent intrusion occurred.

  • Page 289: Using The Event Log To Find Intrusion Alerts

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Using the Event Log To Find Intrusion Alerts The Event Log lists port security intrusions as: W MM/DD/YY HH:MM:SS FFI: port A3 - Security Violation where “ ” is the severity level of the log entry and is the system module that generated the entry.

  • Page 290: Operating Notes For Port Security

    Configuring and Monitoring Port Security Operating Notes for Port Security Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags Check the Alert Log by clicking on the Status tab and the Overview] button. If there is a “Security Violation” entry, do the following: Click on the Security tab.

  • Page 291

    Configuring and Monitoring Port Security Operating Notes for Port Security the alert flag status for the port referenced in the dropped entry. This means that, even if an entry is forced off of the Intrusion Log, no new intrusions can be logged on the port referenced in that entry until you reset the alert flags.

  • Page 292: Configuring Protected Ports

    Configuring and Monitoring Port Security Configuring Protected Ports Configuring Protected Ports There are situations where you want to provide internet access to users but prevent them from accessing each other. To achieve this control, you can use the protected-ports command. The command applies per-port, and filters the outbound traffic from a port.

  • Page 293

    If you display the running config file (show running-config) you will see the ports that have been selected as protected ports. ProCurve(config)# show running-config Running configuration: ; J9019B Configuration Editor; Created on release #Q.11.XX hostname "ProCurve Switch 2510-24" snmp-server community "public" Unrestricted vlan 1 name "DEFAULT_VLAN"...

  • Page 294

    Configuring and Monitoring Port Security Configuring Protected Ports 9-40...

  • Page 295: Table Of Contents

    Using Authorized IP Managers Contents Overview ........... . . 10-2 Configuration Options .

  • Page 296

    Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu Listing (Showing) Authorized page 10-5 page 10-6 page 10-9 Managers Configuring Authorized IP None page 10-5 page 10-6 page 10-9 Managers Building IP Masks page 10-9 page 10-9 page 10-9 Operating and Troubleshooting page 10-12 page 10-12 page 10-12...

  • Page 297: Configuration Options, Access Levels

    Using Authorized IP Managers Access Levels Configuration Options You can configure: Up to 10 authorized manager addresses, where each address applies ■ to either a single management station or a group of stations ■ Manager or Operator access privileges (for Telnet, SNMPv1, and SNMPv2c access only) C a u t i o n Configuring Authorized IP Managers does not protect access to the switch...

  • Page 298: Defining Authorized Management Stations, Overview Of Ip Mask Operation

    Using Authorized IP Managers Defining Authorized Management Stations Operator: Allows read-only access from the Web browser and ■ console interfaces. (This is the same access that is allowed by the switch’s operator-level password feature.) Defining Authorized Management Stations Authorizing Single Stations: The table entry authorizes a single ■...

  • Page 299: Menu: Viewing And Configuring Ip Authorized Managers, Menu: Viewing And Configuring Ip Authorized Managers

    Using Authorized IP Managers Defining Authorized Management Stations For example, a mask of 255.255.255.0 and any value for the Authorized Manager IP parameter allows a range of 0 through 255 in the 4th octet of the authorized IP address, which enables a block of up to 254 IP addresses for IP management access (excluding 0 for the network and 255 for broadcasts).

  • Page 300: Cli: Viewing And Configuring Authorized Ip Managers, Cli: Viewing And Configuring Authorized Ip Managers

    Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See “Building IP Masks”...

  • Page 301: Configuring Ip Authorized Managers For The Switch

    Using Authorized IP Managers Defining Authorized Management Stations Figure 10-3. Example of the Show IP Authorized-Manager Display The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: IP Mask Authorized Station IP Address: Access Mode: 255.255.255.252 10.28.227.100 through 103...

  • Page 302

    Using Authorized IP Managers Defining Authorized Management Stations Similarly, the next command authorizes manager-level access for any station having an IP address of 10.28.227.101 through 103: ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager If you omit the <mask bits> when adding a new authorized manager, the switch automatically uses 255.255.255.255 for the mask.

  • Page 303: Building Ip Masks, Configuring One Station Per Authorized Manager Ip Entry

    Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the Web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: Click on the Security tab. Click on [Authorized Addresses].

  • Page 304: Configuring Multiple Stations Per Authorized Manager Ip Entry

    Using Authorized IP Managers Building IP Masks Table 10-1. Analysis of IP Mask for Single-Station Entries Manager-Level or Operator-Level Device Access Octet Octet Octet Octet IP Mask The “255” in each octet of the mask specifies that only the exact value in that octet of the corresponding IP address is allowed.

  • Page 305

    Using Authorized IP Managers Building IP Masks Table 10-2. Analysis of IP Mask for Multiple-Station Entries Manager-Level or Operator-Level Device Access Octet Octet Octet Octet IP Mask The “255” in the first three octets of the mask specify that only the exact value in the octet of the corresponding IP address is allowed.

  • Page 306: Additional Examples For Authorizing Multiple Stations

    Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Results Manager List IP Mask 255 255 0 This combination specifies an authorized IP address of 10.33.xxx.1. It could be applied, for example, to a subnetted network where each subnet is defined by the Authorized 248 1 third octet and includes a management station defined by the value of “1”...

  • Page 307

    Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for Web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions”...

  • Page 308

    Using Authorized IP Managers Operating Notes 10-14...

  • Page 309

    Index Numerics VLAN unauthorized-client different ports … 8-34 3DES … 6-3, 7-3 unauthorized-client, best use … 8-33 802.1X untagged … 8-27 See port-based access control. … 8-1 untagged membership … 8-19 802.1X access control 802.1x access control authentication methods … 8-4 authenticate users …...

  • Page 310

    unauthorized-client VLAN, defined … 8-8 RADIUS unauth-vid … 8-22 See RADIUS. VLAN untagged … 8-27 See SSH. VLAN use, multiple clients … 8-7 connection inactivity time … 2-3 console, for configuring authorized IP managers … 10-5 aaa authentication … 4-8 privilege-mode …...

  • Page 311

    caution … 2-3 delete … 2-4 LACP deleting with the Clear button … 2-5 802.1X not allowed … 8-13, 8-17, 8-58 if you lose the password … 2-5 incorrect … 2-3 length … 2-4 operator only, caution … 2-3 MAC Authentication pair …...

  • Page 312

    … 8-4 configuring switch global parameters … 5-12 troubleshooting, gvrp … 8-54 general setup … 5-5 used with port-security … 8-40 HP-Command-Exception … 5-19 VLAN operation … 8-54 HP-command-string … 5-19 ports, protected … 9-38 local authentication … 5-9 prior to …...

  • Page 313

    MD5 … 5-4 client public-key, clearing … 6-26 messages … 5-39 client public-key, creating file … 6-24 network accounting … 5-25 client public-key, displaying … 6-25 operating rules, switch … 5-4 configuring authentication … 6-18 security … 5-9 crypto key … 6-11 security note …...

  • Page 314

    erase certificate key pair … 7-9 configuration, authentication … 4-11 erase host key pair … 7-9 configuration, encryption key … 4-22 generate CA-signed certificate … 7-15 configuration, server access … 4-18 generate host key pair … 7-9 configuration, timeout … 4-23 generate self-signed …...

  • Page 315

    … 9-15 vendor-specific attribute configuring support for HP VSAs … 5-20 defining … 5-21 VLAN 802.1X … 8-54 802.1X, ID changes … 8-57 802.1X, suspend untagged VLAN … 8-51 not advertised for GVRP … 8-57 warranty … 1-ii Web Authentication authenticator operation …...

  • Page 316

    8 – Index...

  • Page 318

    Technical information in this document is subject to change without notice. © Copyright 2008 Hewlett-Packard Development Company, L.P. All rights reserved. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws. July 2008 Manual Part Number 5991-4763...

This manual also for:

U.11.xx

Comments to this Manuals

Symbols: 0
Latest comments: