hp procurve
switch 2600 series
switch 2800 series
switch 4100 series
switch 6108
access security guide
www.hp.com/go/hpprocurve

Advertising

   Related Manuals for HP procurve switch 2600 series

   Summary of Contents for HP procurve switch 2600 series

  • Page 1

    2600 series switch 2800 series switch 4100 series switch 6108 access security guide www.hp.com/go/hpprocurve...

  • Page 3

    HP ProCurve Switch 2600 Series Switch 2800 Series Switch 4100GL Series Switch 6108 August 2003 Access Security Guide...

  • Page 4

    Microsoft Corporation. by Hewlett-Packard. Software Credits Warranty SSH on HP ProCurve Switches is based on the OpenSSH See the Customer Support/Warranty booklet included with software toolkit. This product includes software developed the product. by the OpenSSH Project for use in the OpenSSH Toolkit. For...

  • Page 5: Table Of Contents, Getting Started, Configuring Username And Password Security

    Contents 1 Getting Started Contents ............1-1 € Introduction and Applicable Switches .

  • Page 6: Table Of Contents

    3 TACACS+ Authentication Contents ............3-1 € Overview .

  • Page 7: Table Of Contents, Configuring Secure Shell (ssh)

    Configuring the Switch for RADIUS Authentication ... . . 4-6 € Outline of the Steps for Configuring RADIUS Authentication ..4-6 € 1. Configure Authentication for the Access Methods You Want € RADIUS To Protect .

  • Page 8: Table Of Contents

    4. Enabling SSH on the Switch and Anticipating SSH Client€ Contact Behavior ......... . . 5-15 € 5.

  • Page 9: Table Of Contents, Configuring And Monitoring Port Security

    General Setup Procedure for Port-Based Access Control (802.1x) ........... . . 7-11 € Do These Steps Before You Configure 802.1x Operation .

  • Page 10: Table Of Contents

    Operating Notes for Port Security ......8-25 € 9 Traffic/Security Filters (HP ProCurve Switch 2824 and 2848) Contents .

  • Page 11: Table Of Contents

    Defining Authorized Management Stations ....10-4€ Overview of IP Mask Operation ......10-4€ Menu: Viewing and Configuring IP Authorized Managers .

  • Page 12

    — This page is intentionally unused. — x€...

  • Page 13: Contents

    Getting Started € Contents Introduction and Applicable Switches ......1-2 € About the Feature Descriptions ....... . 1-2 € Overview of Access Security Features .

  • Page 14: Introduction And Applicable Switches, About The Feature Descriptions

    Getting Started Introduction and Applicable Switches Introduction and Applicable Switches This guide describes how to use HP’s switch security features to protect access to your HP ProCurveProCurve switch. This guide is intended for these switch models: HP ProCurve Switch 4100GL Series (4104GL, 4108GL) ■...

  • Page 15: Overview Of Access Security Features

    IP address previously configured in the switch as "authorized". HP recommends that you use local passwords together with your switch’s other security features to provide a more comprehensive security fabric than if you use only local passwords. For an overview, refer to Table 1-1.

  • Page 16

    Getting Started Overview of Access Security Features Table 1-1. Management Access Security Protection Security Feature Offers Protection Against Unauthorized Client Access to Offers Protection Switch Management Features Against Unauthorized Client Connection Telnet SNMP Access to the (Net Mgmt) Browser Client Network Local Manager and Operator PtP:...

  • Page 17: Command Syntax Conventions, Simulating Display Output, Command Prompts

    Command Prompts In the default configuration, your switch’s CLI prompt includes the switch model number, and appears similar to the following examples: HP ProCurve Switch 4108# HP ProCurve Switch 2650# HP ProCurve Switch 6108# To simplify recognition, this guide uses HPswitch to represent command prompts for all models.

  • Page 18: Screen Simulations, Port Identity Convention For Examples, Related Publications

    Port Identity Convention for Examples This guide describes software applicable to both chassis-based and stackable HP ProCurve switches. Where port identities are needed in an example, this guide uses the chassis-based port identity system, such as "A1", "B3 - B5", "C7", etc.

  • Page 19

    Related Publications PDF version of this guide is also provided on the Product Documentation CD- ROM shipped with the switch. And you can download a copy from the HP ProCurve website. (See “Getting Documentation From the Web” on page 1-8.) General Switch Management and Configuration.

  • Page 20: Getting Documentation From The Web

    Getting Started Getting Documentation From the Web Getting Documentation From the Web Go to the HP ProCurve website at http://www.hp.com/go/hpprocurve. Click on technical support. Click on manuals. Click on the product for which you want to view or download a manual.

  • Page 21: Sources For More Information

    ■ command name followed by “help”. For example: Figure 1-3. How To Find Help in the CLI If you need information on specific features in the HP Web Browser ■ Interface (hereafter referred to as the “web browser interface”), use the online help available for the web browser interface.

  • Page 22: Need Only A Quick Start?, Need Only A Quick Start

    IP Addressing. If you just want to give the switch an IP address, or if you are not using VLANs, HP recommends that you use the Switch Setup screen to quickly configure IP addressing. To do so, do one of the following: Enter setup at the CLI Manager level prompt.

  • Page 23

    Configuring Username and Password Security Contents Overview ........... . . 2-2 € Configuring Local Password Security .

  • Page 24: Overview

    Configuring Username and Password Security Overview Overview€ Feature Default Menu Set Usernames no user names set — — page 2-6 Set a Password no passwords set page 2-4 page 2-5 page 2-6 Delete Password page 2-4 page 2-6 page 2-6 Protection Console access includes both the menu interface and the CLI.

  • Page 25

    Configuring Username and Password Security Overview If you do steps 1 and 2, above, then the next time a console session is started€ for either the menu interface or the CLI, a prompt appears for a password.€ Assuming you have protected both the Manager and Operator levels, the level € of access to the console interface will be determined by which password is €...

  • Page 26: Configuring Local Password Security, Menu: Setting Passwords

    Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a user- name requires either the CLI or the web browser interface. From the Main Menu select: 3.

  • Page 27: Cli: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter. If you do not have physical access to the switch, you will need Manager-Level access: Enter the console at the Manager level.

  • Page 28: Web: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.) For example, to remove the Operator password (and username, if assigned) from the switch, you would do the following:...

  • Page 29

    TACACS+ Authentication Contents Overview ........... . . 3-2 € Terminology Used in TACACS Applications .

  • Page 30

    (local access) or Telnet (remote access). A3 or Terminal “A” Directly HP ProCurve Switch Accessing the Switch Configured for A2 or Via Switch’s Console...

  • Page 31: Terminology Used In Tacacs Applications:, Terminology Used In Tacacs Applications

    TACACS+ Authentication Terminology Used in TACACS Applications: tion services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/write) privilege level access.

  • Page 32

    TACACS+ Authentication Terminology Used in TACACS Applications: • Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager- level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or web browser inter- face.

  • Page 33: General System Requirements, General Authentication Setup Procedure

    TACACS+ configurations used in your network. TACACS-aware HP switches include the capability of configuring multiple backup TACACS+ servers. HP recommends that you use a TACACS+ server application that supports a redundant backup installation. This allows you to configure the switch to use a backup TACACS+ server if it loses access to the first-choice TACACS+ server.

  • Page 34

    TACACS+ Authentication General Authentication Setup Procedure other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation”...

  • Page 35

    15. For more on this topic, refer to the documentation you received with your TACACS+ server application. If you are a first-time user of the TACACS+ service, HP recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment.

  • Page 36: Configuring Tacacs+ On The Switch, Beforeyou Begin

    Configuring TACACS+ on the Switch BeforeYou Begin If you are new to TACACS+ authentication, HP recommends that you read the “General Authentication Setup Procedure” on page 3-5 and configure your TACACS+ server(s) before configuring authentication on the switch.

  • Page 37: Cli Commands Described In This Section, Viewing The Switch's Current Authentication Configuration

    TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs 3-10 aaa authentication pages 3-11 through 3-14 console­ Telnet­ num-attempts <1-10 >­ tacacs-server pages 3-15 ­ host < ip-addr > pages 3-15 ­ 3-19­...

  • Page 38: Configuration

    TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. show tacacs Syntax: For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a...

  • Page 39: Configuring The Switch's Authentication Methods

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied).

  • Page 40

    TACACS+ Authentication Configuring TACACS+ on the Switch Table 3-1. AAA Authentication Parameters Name Default Range Function console Specifies whether the command is configuring authentication for the console port - or - or Telnet access method for the switch. telnet enable Specifies the privilege level for the access method being configured.

  • Page 41

    TACACS+ Authentication Configuring TACACS+ on the Switch Table 3-2. Primary/Secondary Authentication Table Access Method and Authentication Options Effect on Access Attempts Privilege Level Primary Secondary Console — Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Console —...

  • Page 42

    TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. HPswitch (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server.

  • Page 43: Configuring The Switch's Tacacs+ Server Access

    Note As described under “General Authentication Setup Procedure” on page 3-5, HP recommends that you configure, test, and troubleshoot authentication via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up authentication in either the switch or your TACACS+ server.

  • Page 44

    TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [key < key-string >] Adds a TACACS+ server and optionally assigns a server-specific encryption key [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its server- specific encryption key, if any) tacacs-server key <key-string>...

  • Page 45

    TACACS+ Authentication Configuring TACACS+ on the Switch Table 3-3. Details on Configuring TACACS Servers and Keys Name Default Range tacacs-server host <ip-addr> none This command specifies the IP address of a device running a TACACS+ server application. Optionally, it can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key.

  • Page 46

    TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range [ key <key-string> ] none (null) n/a Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server”...

  • Page 47

    TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 3-5. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: HPswitch(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.

  • Page 48: How Authentication Operates, General Authentication Process Using A Tacacs+ Server

    Switch Via Switch’s Console Port TACACS+ Server HP Switch Configured for TACACS+ Operation Second-Choice TACACS+ Server (Optional) Terminal “B” Remotely Accessing This Switch Via Telnet HP Switch Configured for TACACS+ Operation Third-Choice TACACS+ Server (Optional) Figure 3-6. Using a TACACS+ Server for Authentication 3-20...

  • Page 49

    TACACS+ Authentication How Authentication Operates Using figure 3-6, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: The switch queries the first-choice TACACS+ server for authentication of the request. •...

  • Page 50: Local Authentication Process

    TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentica tion only if one of these two conditions exists: “Local” is the authentication option for the access method being used. ■...

  • Page 51: Using The Encryption Key

    TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”) helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.

  • Page 52: Tacacs+ Authentication

    TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to configure a global encryp tion key in the switch to match a key entered as in two target north40campus TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch: HPswitch(config)# tacacs-server key north40campus...

  • Page 53: Messages Related To Tacacs+ Operation

    TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For informa tion on such messages, refer to the documentation you received with the application.

  • Page 54

    TACACS+ Authentication Operating Notes When TACACS+ is not enabled on the switch—or when the switch’s ■ only designated TACACS+ servers are not accessible— setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unautho rized persons.) 3-26...

  • Page 55

    RADIUS Authentication and Accounting Contents Overview ........... . . 4-2 € Terminology .

  • Page 56

    For accounting, this can help you track network resource usage. Authentication. You can use RADIUS to verify user identity for the follow ing types of primary password access to the HP switch: ■ Serial port (Console) ■...

  • Page 57: Terminology

    EAP type, such as MD5-Challenge, Generic Token Card, and TLS (Transport Level Security). Host: See RADIUS Server. NAS (Network Access Server): In this case, an HP switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): RADIUS Client: The device that passes user information to designated RADIUS servers.

  • Page 58: Switch Operating Rules For Radius

    ■ type of access. (Only one primary and one secondary access method is allowed for each access type.) In the HP switch, EAP RADIUS uses MD5 and TLS to encrypt a ■ response to a challenge from a RADIUS server.

  • Page 59: General Radius Setup Procedure

    IP address to the switch. • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. HP recommends that you begin with the default (five seconds).

  • Page 60: Configuring The Switch For Radius Authentication, Outline Of The Steps For Configuring Radius Authentication

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Configuring the Switch for RADIUS Authentication RADIUS Authentication Commands Page aaa authentication < console | telnet | ssh > < enable | login > radius < local | none > [no] radius-server host <...

  • Page 61

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note This step assumes you have already configured the RADIUS server(s) to support the switch. Refer to the documentation provided with the RADIUS server documentation.) • Server IP address • (Optional) UDP destination port for authentication requests (default: 1812;...

  • Page 62: Radius To Protect

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 1. Configure Authentication for the Access Methods You Want RADIUS To Protect This section describes how to configure the switch for RADIUS authentication through the following access methods: ■ Console: Either direct serial-port connection or modem connection. Telnet: Inbound Telnet must be enabled (the default).

  • Page 63

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s local passwords): The switch now allows Telnet and...

  • Page 64: Configure The Switch To Access A Radius Server

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 4-17: “Configuring RADIUS Accounting”...

  • Page 65

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in figure 4-3 and you now need to make the following changes: Change the encryption key for the server at 10.33.18.127 to “source0127”. Add a RADIUS server with an IP address of 10.33.18.119 and a server- specific encryption key of “source0119”.

  • Page 66: Configure The Switch's Global Radius Parameters

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch’s Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: Number of login attempts: In a given session, specifies how many ■ tries at entering the correct username and password pair are allowed before access is denied and the session terminated.

  • Page 67

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa authentication num-attempts < 1 - 10 > Specifies how many tries for entering the correct user- name and password before shutting down the session due to input errors. (Default: 3; Range: 1 - 10). [no] radius-server key <...

  • Page 68

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key. In this case your plan is to configure the switch with the following global authentication parameters: Allow only two tries to correctly enter username and password.

  • Page 69

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication After two attempts failing due to username or password entry errors, the switch will terminate the session. Global RADIUS parameters from figure 4-5. Server-specific encryption key for the RADIUS server that will not use the global encryption key.

  • Page 70

    RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: “Local” is the authentication option for the access method being used. ■...

  • Page 71: Radius Authentication, Configuring Radius Accounting

    RADIUS Authentication and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication Controlling Web Browser Interface Access When Using RADIUS Authentication Configuring the switch for RADIUS authentication does not affect web browser interface access. To prevent unauthorized access through the web browser interface, do one or more of the following: ■...

  • Page 72

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Note This section assumes you have already: Configured RADIUS authentication on the switch for one or more ■ access methods ■ Configured one or more RADIUS servers to support the switch If you have not already done so, refer to “General RADIUS Setup Procedure” on page 4-5 before continuing here.

  • Page 73: Operating Rules For Radius Accounting, Steps For Configuring Radius Accounting

    RADIUS Authentication and Accounting Configuring RADIUS Accounting The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server. For more information on this aspect of RADIUS accounting, refer to the documentation provided with your RADIUS server.

  • Page 74

    RADIUS Authentication and Accounting Configuring RADIUS Accounting – Optional—if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are desig nating, configure a server-specific key. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server.

  • Page 75

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Syntax: [no] radius-server host < ip-address > Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. [acct-port < port-number >] Optional. Changes the UDP destination port for accounting requests to the specified RADIUS server.

  • Page 76

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Because the radius-server command includes an acct-port element with a non- default 1750, the switch assigns this value to the accounting port UDP port numbers. Because auth-port was not included in the command, the authentication UDP port is set to the default 1812.

  • Page 77

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Start-Stop: ■ • Send a start record accounting notice at the beginning of the account ing session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (Network, Exec, or System).

  • Page 78

    RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additional control over accounting data. Updates: In addition to using a Start-Stop or Stop-Only trigger, you ■ can optionally configure the switch to send periodic accounting record updates to a RADIUS server.

  • Page 79: Viewing Radius Statistics, General Radius Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which.

  • Page 80

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Table 4-2. Values for Show Radius Host Output (Figure 4-11) Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting- Request that matched it from this RADIUS accounting server. Pending Requests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.

  • Page 81: Radius Authentication Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Syntax: show authentication Displays the primary and secondary authentication meth­ ods configured for the Console, Telnet, Port-Access (802.1x), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session. show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.

  • Page 82: Radius Accounting Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppres­ sion status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) config­ ured in the switch (using the radius-server host command). show accounting sessions Lists the accounting sessions currently active on the switch.

  • Page 83: Changing Radius-server Access Order

    RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 4-16. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.

  • Page 84

    RADIUS Authentication and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: Delete 10.10.10.003 from the list.

  • Page 85: Messages Related To Radius Operation

    RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation€ Message Meaning A designated RADIUS server is not responding to an Can’t reach RADIUS server < x.x.x.x >. authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is accessible, then verify that the switch is using the correct encryption key and that the server is correctly configured to receive an authentication request from the...

  • Page 86

    RADIUS Authentication and Accounting Messages Related to RADIUS Operation — This page is intentionally unused. — 4-32€...

  • Page 87

    Configuring Secure Shell (SSH) € Contents Overview ........... . . 5-2 € Terminology .

  • Page 88

    Disabled page 5-18 The HP switches covered in this guide use Secure Shell version 1 or 2 (SSHv1 or SSHv2) to provide remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSH operation.

  • Page 89

    Configuring Secure Shell (SSH) Overview Note SSH in the HP Procurve is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com . Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication show in figure 5-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.

  • Page 90

    Configuring Secure Shell (SSH) Terminology Terminology ■ SSH Server: An HP ProCurve switch with SSH enabled. Key Pair: A pair of keys generated by the switch or an SSH client ■ application. Each pair includes a public key, that can be read by anyone and a private key, that is held internally in the switch or by a client.

  • Page 91: Prerequisite For Using Ssh, Public Key Formats

    Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 5-2), then the client program must have the capability to generate or import keys.

  • Page 92: Authentication

    Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 5-1.

  • Page 93

    Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation Assign a login (Operator) and enable (Manager) password on the switch (page 5-9). Generate a public/private key pair on the switch (page 5-10). You need to do this only once.

  • Page 94: General Operating Rules And Notes

    (clients) you previously set up for SSH access to the switch. In some situations this can temporarily allow security breaches. On HP ProCurve switches that support stacking, when stacking is ■ enabled, SSH provides security only between an SSH client and the stack manager.

  • Page 95: Configuring The Switch For Ssh Operation

    1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.

  • Page 96: Generating The Switch's Public And Private Key Pair

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 5-5. Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.

  • Page 97

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be "permanent";...

  • Page 98: Providing The Switch's Public Key To Clients

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch Version 1 and Version 2 Views of Same Host Public Key Figure 5-6. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key' displays data in two different formats because your client may store it in either of these formats after learning the key.

  • Page 99

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one blank space each: Bit Size Exponent <e>...

  • Page 100

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Modulus <n>...

  • Page 101: Contact Behavior

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 5-10. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 5-10 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host”...

  • Page 102

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client, your client’s first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing.

  • Page 103

    TCP port for SSH connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http). Some other reserved TCP ports on the HP ProCurve switches are 49, 80, 1506, and 1513.

  • Page 104: Configuring The Switch For Ssh Authentication

    Client Public-Key Authentication” on page 5-21 Note HP recommends that you always assign a Manager-Level (enable) password to the switch. Without this level of protection, any user with Telnet, web, or serial port access to the switch can change the switch’s configuration. Also,...

  • Page 105

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< local | none >] Configures a password method for the primary and second­ ary login (Operator) access. If you do not specify an optional secondary method, it defaults to none.

  • Page 106

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation C a u t i o n To allow SSH access only to clients having the correct public key, you must configure the secondary (password) method for login public-key to none. Otherwise a client without the correct public key can still gain entry by submitting a correct local login password.

  • Page 107: Use An Ssh Client To Access The Switch

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Figure 5-13 shows how to check the results of the above commands. Lists the current SSH authentication configuration. Shows the contents of the public key file downloaded with the copy tftp command in figure 5-12.

  • Page 108

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication When configured for SSH operation, the switch automatically attempts to use its own host public-key to authenticate itself to SSH clients. To provide the optional, opposite service—client public-key authentication to the switch— you can configure the switch to store up to ten RSA or DSA public keys for authenticating clients.

  • Page 109

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Combines the decrypted byte sequence with specific session data. b. Uses a secure hash algorithm to create a hash version of this informa tion. Returns the hash version to the switch. The switch computes its own hash version of the data in step 6 and compares it to the client’s hash version.

  • Page 110

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Use your SSH client application to create a public/private key pair. Refer to the documentation provided with your SSH client application for details. The switch supports the following client-public-key properties: Property Supported Comments...

  • Page 111

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: copy tftp pub-key-file <ip-address> <filename> Copies a public key file from a TFTP server into flash memory in the switch. show crypto client-public-key [babble | fingerprint] Displays the client public key(s) in the switch’s current client-public-key file.

  • Page 112

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Enabling Client Public-Key Authentication. After you TFTP a client- public-key file into the switch (described above), you can configure the switch to allow one of the following: If an SSH client’s public key matches the switch’s client-public-key ■...

  • Page 113: Messages Related To Ssh Operation

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation€ Message Meaning Indicates an error in communicating with the tftp server or 00000K Peer unreachable. not finding the file to download. Causes include such factors • Incorrect IP configuration on the switch •...

  • Page 114

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning After you execute the crypto key generate ssh [rsa] Generating new RSA host key. If the command, the switch displays this message while it cache is depleted, this could take is generating the key.

  • Page 115

    Configuring Secure Socket Layer (SSL) Contents Overview ........... . . 6-2 € Terminology .

  • Page 116

    SSL/TLS operation. Note­ HP ProCurve switches use SSL and TLS for all secure web transactions, and all references to SSL mean using one of these algorithms unless otherwise noted SSL provides all the web functions but, unlike standard web access, SSL provides encrypted, authenticated transactions.

  • Page 117

    Server) op tions: – Local – TACACS+ – RADIUS Figure 6-1. Switch/User Authentication SSL on the HP ProCurve switches supports these data encryption methods: ■ 3DES (168-bit, 112 Effective) DES (56-bit) ■ RC4 (40-bit, 128-bit) ■ Note:­...

  • Page 118

    Configuring Secure Socket Layer (SSL) Terminology Self-Signed Certificate: A certificate not verified by a third-party ■ certificate authority (CA). Self-signed certificates provide a reduced level of security compared to a CA-signed certificate. CA-Signed Certificate: A certificate verified by a third party certif ■...

  • Page 119: Prerequisite For Using Ssl

    Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include:...

  • Page 120

    The certificate key pair and the SSH key pair are independent of each other, which means a switch can have two keys pairs stored in flash On HP ProCurve switches that support stacking, when stacking is ■ enabled, SSL provides security only between an SSL client and the stack manager.

  • Page 121: Configuring The Switch For Ssl Operation

    1. Assigning a Local Login (Operator) and Enable (Manager)Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.

  • Page 122

    Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface refer to the chapter titled “Using the HP Web Browser Interface” in the Management and Configuration Guide for your switch.

  • Page 123: Generating The Switch's Server Host Certificate

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’s Server Host Certificate You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch.

  • Page 124

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate automatically disables SSL.

  • Page 125

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on Certificate Fields. There are a number arguments used in the generation of a server certificate. table 6-1, “Certificate Field Descriptions” describes these arguments. Table 6-1. Certificate Field Descriptions Field Name Description Valid Start Date...

  • Page 126

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Notes­ “Zeroizing” the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation.

  • Page 127

    You can configure SSL from the web browser interface. For more information on how to access the web browser interface, refer to the chapter titled “Using the HP Web Browser Interface” in the Management and Configuration Guide for your switch.

  • Page 128

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers inter- face: Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments Figure 6-5.

  • Page 129

    This section describes how to install a CA-Signed server host certificate from the web browser interface. (For more information on how to access the web browser interface, refer to the chapter titled “Using the HP Web Browser Interface” in the Management and Configuration Guide for your switch.)

  • Page 130

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.

  • Page 131

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Re quest Reply -----BEGIN CERTIFICATE----- MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMBIGA1UEChMLT3Bwb3J0dW5pdGkxGDAW BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0+aMcXgVruVixw/xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B Figure 6-7. Example of a Certificate Request and Reply 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior he web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients.

  • Page 132

    Switch’s Server Host Certificate” on page 6-9. When configured for SSL, the switch uses its host certificate to authenticate itself to SSL clients, however unless you disable the standard HP web browser interface with the no web-management command it will be still available for unsecured transactions.

  • Page 133

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443).

  • Page 134

    Figure 6-8. Using the web browser interface to enable SSL and select TCP port number N o t e o n P o r t HP recommends using the default IP port number (443). However, you can Num b er­...

  • Page 135: Common Errors In Ssl Setup

    Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” o n page 6-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host...

  • Page 136

    Configuring Secure Socket Layer (SSL) Common Errors in SSL setup — This page is intentionally unused. — 6-22€...

  • Page 137

    Configuring Port-Based Access Control (802.1x) Contents Overview ........... . . 7-2 € How 802.1x Operates .

  • Page 138

    RADIUS server while allowing users access from multiple points within the network. General Features 802.1x on the HP ProCurve switches covered in this manual includes the following: ■ Switch operation as both an authenticator (for supplicants having a point-to-point connection to the switch) and as a supplicant for point- to-point connections to other 802.1x-aware switches.

  • Page 139

    Configuring Port-Based Access Control (802.1x) Overview Local authentication of 802.1x clients using the switch’s local user- ■ name and password (as an alternative to RADIUS authentication). Temporary on-demand change of a port’s VLAN membership status ■ to support a current client’s session. (This does not include ports that are members of a trunk.) ■...

  • Page 140

    Configuring Port-Based Access Control (802.1x) Overview Switch Running 802.1x and Operating as an Authenticator 802.1x-Aware Client (Supplicant) LAN Core RADIUS Server Switch Running 802.1x and Connected as a Supplicant Figure 7-1. Example of an 802.1x Application Accounting . The switch also provides RADIUS Network accounting for 802.1x access.

  • Page 141: How 802.1x Operates

    Configuring Port-Based Access Control (802.1x) How 802.1x Operates How 802.1x Operates Authenticator Operation This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.1x-aware. (If you expect desirable clients that do not have the necessary 802.1x supplicant software, you can provide a path for downloading such software by using the 802.1x Open VLAN mode—refer to “802.1x Open VLAN Mode”...

  • Page 142: Switch-port Supplicant Operation

    Configuring Port-Based Access Control (802.1x) How 802.1x Operates Switch-Port Supplicant Operation This operation provides security on links between 802.1x-aware switches. For example, suppose that you want to connect two switches, where: Switch “A” has port A1 configured for 802.1x supplicant operation. ■...

  • Page 143

    Authentication Server: The entity providing an authentication service to the switch when the switch is configured to operate as an authenticator. In the case of an HP ProCurve switch running 802.1x, this is a RADIUS server (unless local authentication is used, in which case the switch performs this function using its own username and password for authen ticating a supplicant).

  • Page 144

    Configuring Port-Based Access Control (802.1x) Terminology EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple authentication methods. as defined in the EAPOL: Extensible Authentication Protocol Over LAN, 802.1x standard Friendly Client: A client that does not pose a security risk if given access to the switch and your network.

  • Page 145

    Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unau thorized-Client VLAN. Untagged VLAN Membership: A port can be an untagged member of only one VLAN.

  • Page 146

    Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes If a client already has access to a switch port when you configure the ■ port for 802.1x authenticator operation, the port will block the client from further network access until it can be authenticated. ■...

  • Page 147: Do These Steps Before You Configure 802.1x Operation

    Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1x configuration, HP recommends that you use a local username and password pair at least until your other security measures are in place.)

  • Page 148: Overview: Configuring 802.1x Authentication On The Switch

    Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Overview: Configuring 802.1x Authentication on the Switch This section outlines the steps for configuring 802.1x on the switch. For detailed information on each step, refer to “RADIUS Authentication and Accounting”...

  • Page 149

    Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) If you are using Port Security on the switch, configure the switch to allow only 802.1x access on ports configured for 802.1x operation, and (if desired) the action to take if an unauthorized device attempts access through an 802.1x port.

  • Page 150: Configuring Switch Ports As 802.1x Authenticators, Enable 802.1x Authentication On Selected Ports

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Configuring Switch Ports as 802.1x Authenticators 802.1x Authentication Commands Page [no] aaa port-access authenticator < [ethernet] < port-list > 7-14 [control | quiet-period | tx-period | supplicant-timeout | 7-14 server-timeout | max-requests | reauth-period | auth-vid | unauth-vid | initialize | reauthenticate | clear-statistics] aaa authentication port-access...

  • Page 151

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Syntax: aaa port-access authenticator < port-list > Enables specified ports to operate as 802.1x authenti­ cators with current per- port authenticator configura­ tion. To activate configured 802.1x operation, you must enable 802.1x authentication.

  • Page 152

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [server-timeout < 1 - 300 >] Sets the period of time the switch waits for a server response to an authentication request. If there is no response within the configured time frame, the switch assumes that the authentication attempt has timed out.

  • Page 153

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [initialize] On the specified ports, blocks inbound and outbound traffic and restarts the 802.1x authentication process. This happens only on ports configured with control auto and actively operating as 802.1x authenticators.

  • Page 154: Configure The 802.1x Authentication Method

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 3. Configure the 802.1x Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1x authenti cator.

  • Page 155: Enter The Radius Host Ip Address(es), Enter The Radius Host Ip Address(es)

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands.

  • Page 156: X Open Vlan Mode

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Open VLAN Mode € 802.1x Authentication Commands page 7-14 802.1x Supplicant Commands page 7-34 802.1x Open VLAN Mode Commands [no] aaa port-access authenticator [e] < port-list > page 7-29 [auth-vid < vlan-id >] [unauth-vid <...

  • Page 157: Use Models For 802.1x Open Vlan Modes

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during authentication. 2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the VLAN entered in the port’s 802.1x configuration as an Authorized-Client VLAN, if config ured.

  • Page 158

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Table 7-1. 802.1x Open VLAN Mode Options 802.1x Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN •...

  • Page 159

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.

  • Page 160: Vlans

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized- These must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1x authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.) VLAN Assignment Received from a If the RADIUS server specifies a VLAN for an authenticated supplicant...

  • Page 161

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Condition Rule Effect of Authorized-Client VLAN • When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily session on untagged port VLAN moves the port to the Authorized-Client VLAN (also untagged).

  • Page 162: Setting Up And Configuring 802.1x Open Vlan Mode

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Setting Up and Configuring 802.1x Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 7-1 on page 7-22 for other options. Before you configure the 802.1x Open VLAN mode on a port: Statically configure an “Unauthorized-Client VLAN”...

  • Page 163

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges.

  • Page 164

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > Adds a server to the RADIUS configuration.

  • Page 165

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Configuring 802.1x Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 7-26. Syntax: aaa port-access authenticator [e] <...

  • Page 166: X Open Vlan Operating Notes

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Inspecting 802.1x Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1x Open VLAN Mode Status” on page 7-39. 802.1x Open VLAN Operating Notes ■...

  • Page 167: Allow Only 802.1x Devices

    Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices If an authenticated client loses authentication during a session in ■ 802.1x Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN. If there is no Unauthorized-Client VLAN configured, then the client loses access to the port until it can reauthenticate itself.

  • Page 168

    Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices N o t e o n If the port’s 802.1x authenticator control mode is configured to authorized (as B l o c k i n g a N o n - shown below, instead of auto), then the first source MAC address from any 80 2 .

  • Page 169: Connections To Other Switches

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 802.1x Authentication Commands page 7-14 802.1x Supplicant Commands [no] aaa port-access < supplicant < [ethernet] < port-list > page 7-34 [auth-timeout | held-period | start-period | max-start | initialize | page 7-35...

  • Page 170

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches When port A1 on switch “A” is first connected to a port on switch “B”, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch “B”.

  • Page 171

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring a Supplicant Switch Port. Note that you must enable suppli cant operation on a port before you can change the supplicant configuration. This means you must execute the supplicant command once without any other parameters, then execute it again with a supplicant parameter you want to configure.

  • Page 172

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [auth-timeout < 1 - 300 >] Sets the period of time the port waits to receive a challenge from the authenticator.

  • Page 173: Displaying 802.1x Configuration, Statistics, And Counters

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Displaying 802.1x Configuration, Statistics, and Counters 802.1x Authentication Commands page 7-14 802.1x Supplicant Commands page 7-33 802.1x Open VLAN Mode Commands page 7-20 802.1x-Related Show Commands show port-access authenticator below show port-access supplicant page 7-42...

  • Page 174

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [[e] < port-list >] Shows: • Whether port-access authenticator is active • The 802.1x configuration of the ports configured as 802.1x authenticators If you do not specify < port-list >, the command lists all ports configured as 802.1x port-access authenticators.

  • Page 175: Viewing 802.1x Open Vlan Mode Status

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Viewing 802.1x Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show port- access authenticator and show vlan < vlan-id > commands as illustrated in this section.

  • Page 176

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters When the Unauth VLAN ID is configured and matches the Current VLAN ■ ID in the above command output, an unauthenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Unauth VLAN.) Note that because a temporary Open VLAN port assignment to either an authorized or unauthorized VLAN is an untagged VLAN membership, these...

  • Page 177

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Status Indicator Meaning Unauthorized VLAN < vlan-id >: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated port. 0: No unauthorized VLAN has been configured for the indicated port. <...

  • Page 178: Show Commands For Port-access Supplicant

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [[e] < port-list >] [statistics] show port-access supplicant [[e] < port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port- list >...

  • Page 179: How Radius/802.1x Authentication Affects Vlan Operation

    Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1x Authentication Affects VLAN Operation Static VLAN Requirement.

  • Page 180

    Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1x-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1x client requires access...

  • Page 181

    Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1x session. This is to accommodate an 802.1x client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22.

  • Page 182

    Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation When the 802.1x client’s session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS-authenticated 802.1x session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored.

  • Page 183: Messages Related To 802.1x Operation

    Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation Messages Related to 802.1x Operation Table 7-3. 802.1x Operating Messages Message Meaning The ports in the port list have not been enabled as 802.1x Port < port-list > is not an authenticators.

  • Page 184

    Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation — This page is intentionally unused. — 7-48€...

  • Page 185

    Configuring and Monitoring Port Security Contents Overview ........... . . 8-2 € Basic Operation .

  • Page 186

    Configuring and Monitoring Port Security Overview Overview Feature Default Menu Displaying Current Port Security n/a — page 8-10 page 8-17 Configuring Port Security disabled — page 8-12 page 8-17 Intrusion Alerts and Alert Flags page 8-24 page 8-22 page 8-24 Using Port Security, you can configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port.

  • Page 187: Blocking Unauthorized Traffic

    Configuring and Monitoring Port Security Overview General Operation for Port Security. On a per-port basis, you can configure security measures to block unauthorized devices, and to send notice of security violations. Once you have configured port security, you can then monitor the network for security violations through one or more of the following: Alert flags that are captured by network management tools...

  • Page 188: Trunk Group Exclusion

    Configuring and Monitoring Port Security Overview Physical Topology Logical Topology for Access to Switch A Switch A Switch A Port Security Port Security Configured Configured PC 1 PC 1 MAC Address Authorized MAC Address Authorized by Switch A by Switch A Switch B Switch B PC 2...

  • Page 189: Planning Port Security

    Configuring and Monitoring Port Security Planning Port Security Planning Port Security Plan your port security configuration and monitoring according to the following: On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port and how many devices do you want to allow per port (up to 8)? Within the devices-per-port limit, do you want to let the switch automatically accept devices it detects on a port, or do you want it...

  • Page 190: Port Security Command Options And Operation

    Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 8-11 port-security 8-12 < [ethernet] port-list > 8-12 [learn-mode] 8-12 [address-limit] 8-12 [mac-address] 8-12 [action] 8-12 [clear-intrusion-flag]...

  • Page 191

    Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > learn-mode < continuous | static | configured | port-access > Continuous (Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from inbound traffic from any device(s) to which it is connected.

  • Page 192

    MAC addresses it detects. Note: As of September, 2003, this option is available in the HP ProCurve Switch 2600 Series and the Switch 6108 running software release H.07.30 (or greater), and the HP ProCurve Switch 2800 Series.

  • Page 193

    Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) action < none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a network man agement station. Operates when: • Learn mode is set to learn-mode static (static-learn) or learn-mode configured (static-configured) and the port detects an unauthorized device.

  • Page 194: Retention Of Static Mac Addresses, Displaying Current Port Security Settings

    Configuring and Monitoring Port Security Port Security Command Options and Operation Retention of Static MAC Addresses Learned MAC Addresses In the following two cases, a port in Static learn mode (learn-mode static) retains a learned MAC address even if you later reboot the switch or disable port security for that port: The port learns a MAC address after you configure the port with learn- ■...

  • Page 195

    Configuring and Monitoring Port Security Port Security Command Options and Operation Using the CLI To Display Port Security Settings. Syntax: show port-security show port-security [e] <port number> show port-security [e] [<port number>-<port number]. . .[,<port number>] Without port parameters, displays operating control settings show port-security for all ports on a switch.

  • Page 196: Configuring Port Security

    Configuring and Monitoring Port Security Port Security Command Options and Operation The following command example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string: HPswitch(config)# show port-security A1-A3,A6,A8 Configuring Port Security Using the CLI, you can:...

  • Page 197

    Configuring and Monitoring Port Security Port Security Command Options and Operation HPswitch(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable This example configures port A5 to: Allow two MAC addresses, 00c100-7fec00 and 0060b0-889e00, as the ■ authorized devices. ■ Send an alarm to a management station if an intruder is detected on the port.

  • Page 198

    Configuring and Monitoring Port Security Port Security Command Options and Operation Although the Address Limit is set to 2, only one device has been authorized for this port. In this case you can add another without having to also increase the Address Limit.

  • Page 199

    Configuring and Monitoring Port Security Port Security Command Options and Operation If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port’s current Address Limit setting), then you must increase the Address Limit in order to add the device, even if you want to replace one device with another.

  • Page 200

    Configuring and Monitoring Port Security Port Security Command Options and Operation To remove a device (MAC address) from the “Authorized” list and when the current number of devices equals the Address Limit value, you should first reduce the Address Limit value by 1, then remove the unwanted device. Note­...

  • Page 201: Web: Displaying And Configuring Port Security Features, Notice Of Security Violations

    Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Figure 8-8. Example of Port A1 After Removing One MAC Address Web: Displaying and Configuring Port Security Features Click on the Security tab. Click on [Port Security] Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field.

  • Page 202: How The Intrusion Log Operates

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags When a security violation occurs on a port configured for Port Security, the switch responds in the following ways to notify you: The switch sets an alert flag for that port. This flag remains set until: ■...

  • Page 203: Keeping The Intrusion Log Current By Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags (by resetting the alert flag). The other entries give you a history of past intrusions detected on port A1. Figure 8-9. Example of Multiple Intrusion Log Entries for the Same Port The log shows the most recent intrusion at the top of the listing.

  • Page 204

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen. From the Main Menu select: 1.

  • Page 205

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The above example shows two intrusions for port A3 and one intrusion for port A1. In this case, only the most recent intrusion at port A3 has not been acknowledged (reset).

  • Page 206

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The following commands display port status, including whether there are intrusion alerts for any port(s), list the last 20 intrusions, and either reset the alert flag on all ports or for a specific port for which an intrusion was detected.

  • Page 207

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Dates and Times of MAC Address of latest Intrusions Intruder on Port A1 Earlier intrusions on port A1 that have already been cleared (that is, the Alert Flag has been reset at least twice before the most recent intrusion occurred.

  • Page 208: Using The Event Log To Find Intrusion Alerts

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Using the Event Log To Find Intrusion Alerts The Event Log lists port security intrusions as: W MM/DD/YY HH:MM:SS FFI: port A3 - Security Violation where “ ” is the severity level of the log entry and is the system module that generated the entry.

  • Page 209: Operating Notes For Port Security

    Configuring and Monitoring Port Security Operating Notes for Port Security Click on the Security tab. b. Click on [Intrusion Log] . “Ports with Intrusion Flag” indicates any ports for which the alert flag has not been cleared. To clear the current alert flags, click on [Reset Alert Flags] To access the web-based Help provided for the switch, click on in the web...

  • Page 210

    Configuring and Monitoring Port Security Operating Notes for Port Security LACP Not Available on Ports Configured for Port Security. To main tain security, LACP is not allowed on ports configured for port security. If you configure port security on a port on which LACP (active or passive) is configured, the switch removes the LACP configuration, displays a notice that LACP is disabled on the port(s), and enables port security on that port.

  • Page 211

    Traffic/Security Filters (HP ProCurve Switch 2824 and 2848) Contents Overview ........... . . 9-2 €...

  • Page 212

    Traffic/Security Filters (HP ProCurve Switch 2824 and 2848) Overview Overview Applicable Switch Models. As of September, 2003, Traffic/Security filters are available on these current HP ProCurve switch models: HP ProCurve Switch 2800 Series (source-port filters) ■ HP ProCurve Switch 2512 and 2524 (source-port, multicast, and ■...

  • Page 213

    Traffic/Security Filters (HP ProCurve Switch 2824 and 2848) Overview example, if you want to prevent server "A" from receiving traffic sent by workstation "X", but do not want to prevent any other servers or end nodes from receiving traffic from workstation "X", you would configure a filter to drop traffic from port 5 to port 7.

  • Page 214: Using Source-port Filters, Operating Rules For Source-port Filters

    Traffic/Security Filters (HP ProCurve Switch 2824 and 2848) Using Source-Port Filters Using Source-Port Filters Operating Rules for Source-Port Filters ■ You can configure one source-port filter for each physical port or port trunk on the switch. Each source-port filter you configure is composed of: ■...

  • Page 215: Configuring A Source-port Filter

    Traffic/Security Filters (HP ProCurve Switch 2824 and 2848) Using Source-Port Filters Configuring a Source-Port Filter The source-port filter command operates from the global configuration level. Syntax: [no] filter source-port [e] < source-port-number > [ drop [ forward] | forward [ drop ]] Creates or deletes the source port filter assigned to <...

  • Page 216

    Traffic/Security Filters (HP ProCurve Switch 2824 and 2848) Using Source-Port Filters Configuring a Filter on a Port Trunk. This operation uses the same com mand as that used for configuring a filter on an individual port. However, the configuration process requires two steps: Configure the port trunk.

  • Page 217: Viewing A Source-port Filter

    Traffic/Security Filters (HP ProCurve Switch 2824 and 2848) Using Source-Port Filters Viewing a Source-Port Filter You can list all source-port filters configured in the switch and, optionally, the detailed information on a specific filter. Syntax: show filter Displays a listing of configured filters, where each filter entry includes an...

  • Page 218: Filter Indexing

    Traffic/Security Filters (HP ProCurve Switch 2824 and 2848) Using Source-Port Filters If you wanted to determine the index number for the filter on source port 3 and then view a listing the filter details on source port 3, you would use the show filter and show filter [ INDEX ] commands, as shown in figure 9-4.

  • Page 219: Editing A Source-port Filter

    Traffic/Security Filters (HP ProCurve Switch 2824 and 2848) Using Source-Port Filters Editing a Source-Port Filter The switch includes in one filter the action(s) for all destination ports and/or trunks configured for a given source port. Thus, if a source-port filter already...

  • Page 220

    Traffic/Security Filters (HP ProCurve Switch 2824 and 2848) Using Source-Port Filters — This page is intentionally unused. — 9-10€...

  • Page 221

    Using Authorized IP Managers Contents Overview ........... . 10-2€ Options .

  • Page 222

    Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu Listing (Showing) Authorized page 10-5 page 10-6 page 10-8 Managers Configuring Authorized IP None page 10-5 page 10-6 page 10-8 Managers Building IP Masks page 10-9 page 10-9 page 10-9 Operating and Troubleshooting page 10-12 page 10-12 page 10-12...

  • Page 223: Options, Access Levels

    Using Authorized IP Managers Options Options You can configure: Up to 10 authorized manager addresses, where each address applies ■ to either a single management station or a group of stations Manager or Operator access privileges ■ C a u t i o n ­ Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port.

  • Page 224: Defining Authorized Management Stations, Overview Of Ip Mask Operation

    Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations Authorizing Single Stations: The table entry authorizes a single ■ management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authorized Manager IP column, and leave the IP Mask set to 255.255.255.255.

  • Page 225: Menu: Viewing And Configuring Ip Authorized Managers

    Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 10-9. Note­ The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch.

  • Page 226: Cli: Viewing And Configuring Authorized Ip Managers

    Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See “Building IP Masks”...

  • Page 227

    Using Authorized IP Managers Defining Authorized Management Stations The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: IP Mask Authorized Station IP Address: Access Mode: 255.255.255.252 10.28.227.100 through 103 Manager 255.255.255.254 10.28.227.104 through 105 Manager...

  • Page 228: Web: Configuring Ip Authorized Managers

    Using Authorized IP Managers Web: Configuring IP Authorized Managers The result of entering the preceding example is: • Authorized Station IP Address: 10.28.227.105 • IP Mask: 255.255.255.255, which authorizes only the specified station (10.28.227.105 in this case). (See “Configuring Multiple Stations Per Authorized Manager IP Entry”...

  • Page 229: Building Ip Masks, Configuring One Station Per Authorized Manager Ip Entry

    Using Authorized IP Managers Building IP Masks For web-based help on how to use the web browser interface screen, click on button provided on the web browser screen. Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network.

  • Page 230: Configuring Multiple Stations Per Authorized Manager Ip Entry

    Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access.

  • Page 231

    Using Authorized IP Managers Building IP Masks Figure 10-4. Analysis of IP Mask for Multiple-Station Entries Manager-Level or Operator-Level Device Access Octet Octet Octet Octet IP Mask The “255” in the first three octets of the mask specify that only the exact value in the octet of the corresponding IP address is allowed.

  • Page 232: Additional Examples For Authorizing Multiple Stations

    Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Results Manager List IP Mask 255 255 0 This combination specifies an authorized IP address of 10.33.xxx.1. It could be applied, for example, to a subnetted network where each subnet is defined by the Authorized 248 1 third octet and includes a management station defined by the value of “1”...

  • Page 233

    Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions”...

  • Page 234

    Using Authorized IP Managers Operating Notes — This page is intentionally unused. — 10-14€...

  • Page 235

    Numerics connection inactivity time … 2-3€ console, for configuring € 3DES … 5-3, 6-3€ authorized IP managers … 10-5€ 802.1x € See port-based access control. … 7-1€ DES … 5-3, 6-3 € disclaimer … ii€ aaa authentication … 3-8€ duplicate IP address € access levels, authorized IP managers …...

  • Page 236

    reserved port numbers … 5-17 length … 2-4€ IP masks € operator only, caution … 2-3 € building … 10-9€ pair … 2-2€ for multiple authorized manager € setting … 2-4€ stations … 10-10€ password pair … 2-2 € for single authorized manager station … 10-9€ password security …...

  • Page 237

    messages … 7-47 open VLAN € quick start … 1-10 € authorized client … 7-21 € configuration … 7-27, 7-29 € general operation … 7-20€ mode … 7-20 € RADIUS € operating notes … 7-30€ accounting … 4-2, 4-17 € operating rules …...

  • Page 238

    RADIUS accounting€ passwords, assigning … 5-9 € See RADIUS. PEM … 5-4€ reserved port numbers … 5-17, 6-20 € prerequisites … 5-5€ public key … 5-5, 5-13 € public key, displaying … 5-14€ reserved IP port numbers … 5-17 € security €...

  • Page 239

    root … 6-4€ setup, general … 3-5 € root certificate … 6-4€ show authentication … 3-8€ self-signed … 6-4, 6-13€ system requirements … 3-5€ self-signed certificate … 6-4, 6-10, 6-13€ TACACS+ server … 3-3€ server host certificate … 6-10€ testing … 3-5€ SSL server …...

  • Page 240

    web browser interface, for configuring port € security … 8-17€ web server, proxy … 8-25 € 6 – Index...

  • Page 241

    Technical information in this document is subject to change without notice. ©Copyright 2002, 2003 Hewlett-Packard Development Company, L.P. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws. Edition 1 Written in U.S.A. August 2003 Manual Part Number 5990-6024...

Comments to this Manuals

Symbols: 0
Latest comments: