HP Q.11.XX Manuals

Table of Contents

• • 5

    Table of Contents

• 13

  Product Documentation

  • 13

    About Your Switch Manual Set
  • 14

    Feature Index

• 18

  Getting Started

  • 18

    Introduction
  • 18

    Overview of Access Security Features
    • 19

      Management Access Security Protection
    • 20

      General Switch Traffic Security Guidelines
  • 21

    Conventions
    • 21

      Command Syntax Statements
    • 22

      Command Prompts
    • 22

      Screen Simulations
    • 22

      Port Identity Examples
  • 23

    Sources for More Information
  • 24

    Need Only a Quick Start
    • 24

      IP Addressing
    • 25

      To Set Up and Install the Switch in Your Network

• 28

  Configuring Username and Password Security

  • 28

    Overview
  • 30

    Configuring Local Password Security
    • 30

      Menu: Setting Passwords
    • 31

      CLI: Setting Passwords and Usernames
    • 32

      Web: Setting Passwords and Usernames
  • 33

    Front-Panel Security
    • 33

      When Security Is Important
    • 34

      Front-Panel Button Functions
    • 36

      Configuring Front-Panel Security
    • 41

      Password Recovery
    • 43

      Password Recovery Process

• 45

  Web and MAC Authentication

  • 45

    Contents
  • 46

    Overview
    • 47

      Client Options
    • 48

      General Features
  • 49

    How Web and MAC Authentication Operate
    • 49

      Authenticator Operation
  • 53

    Terminology
  • 54

    Operating Rules and Notes
  • 56

    General Setup Procedure for Web/Mac Authentication
    • 56

      Do These Steps before You Configure Web/Mac Authentication
    • 58

      Additional Information for Configuring the RADIUS Server to Support MAC Authentication
  • 59

    Configuring the Switch to Access a RADIUS Server
  • 61

    Configuring Web Authentication
    • 61

      Overview
    • 62

      Configure the Switch for Web-Based Authentication
  • 66

    Configuring MAC Authentication On the Switch
    • 66

      Overview
    • 67

      Configure the Switch for Mac-Based Authentication
  • 70

    Show Status and Configuration of Web-Based Authentication
  • 72

    Show Status and Configuration of Mac-Based Authentication
  • 74

    Show Client Status

• 75

  TACACS+ Authentication

  • 75

    Contents
  • 76

    Overview
  • 77

    Terminology Used in TACACS+ Applications
  • 79

    General System Requirements
  • 79

    General Authentication Setup Procedure
  • 82

    Configuring TACACS+ On the Switch
    • 82

      Before You Begin
    • 83

      CLI Commands Described in This Section
    • 83

      Viewing the Switch's Current Authentication Configuration
    • 84

      Viewing the Switch's Current TACACS+ Server Contact Configuration
    • 85

      Configuring the Switch's TACACS+ Authentication Methods
    • 92

      Configuring the Switch's TACACS+ Server Access
  • 97

    How Authentication Operates
    • 97

      General Authentication Process Using a TACACS+ Server
    • 99

      Local Authentication Process
    • 100

      Using the Encryption Key
  • 101

    Controlling Web Browser Interface Access When Using TACACS+ Authentication
  • 101

    Controlling Web Browser Interface Access When Using TACACS
  • 101

    Authentication
  • 102

    Messages Related to TACACS+ Operation
  • 102

    Operating Notes

• 105

  RADIUS Authentication, Authorization and Accounting

  • 105

    Contents
  • 106

    Overview
  • 107

    Terminology
  • 108

    Switch Operating Rules for RADIUS
  • 109

    General RADIUS Setup Procedure
  • 110

    Configuring the Switch for RADIUS Authentication
    • 111

      Outline of the Steps for Configuring RADIUS Authentication
    • 112

      Configure Authentication for the Access Methods You Want RADIUS to Protect
    • 114

      Configure the Switch to Access a RADIUS Server
    • 116

      Configure the Switch's Global RADIUS Parameters
  • 120

    Local Authentication Process
  • 121

    Controlling Web Browser Interface Access When Using RADIUS Authentication
  • 121

    Commands Authorization
    • 121

      Controlling Web Browser Interface Access When Using RADIUS
    • 122

      Enabling Authorization
    • 123

      Configuring Commands Authorization On a RADIUS Server
    • 123

      Displaying Authorization Information
      • 125

        Example Configuration On Cisco Secure Acs for Ms Windows
      • 128

        Example Configuration Using Freeradius
  • 129

    Configuring RADIUS Accounting
    • 130

      Operating Rules for RADIUS Accounting
    • 131

      Steps for Configuring RADIUS Accounting
      • 133

        Reports to the Radius Server
      • 135

        Updating Options
  • 136

    Viewing RADIUS Statistics
    • 136

      General RADIUS Statistics
    • 139

      RADIUS Authentication Statistics
    • 140

      RADIUS Accounting Statistics
  • 141

    Changing Radius-Server Access Order
  • 143

    Messages Related to RADIUS Operation

• 145

  Configuring Secure Shell (SSH)

  • 145

    Contents
  • 146

    Overview
  • 148

    Terminology
  • 149

    Prerequisite for Using SSH
  • 149

    Public Key Formats
  • 149

    Steps for Configuring and Using SSH for Switch and Client Authentication
  • 152

    General Operating Rules and Notes
    • 153

      Assign Local Login (Operator) and Enable (Manager) Password
    • 153

      Configuring the Switch for SSH Operation
    • 154

      Generate the Switch's Public and Private Key Pair
    • 156

      Provide the Switch's Public Key to Clients
    • 159

      Enable SSH On the Switch and Anticipate SSH Client Contact Behavior
    • 162

      Configure the Switch for SSH Authentication
    • 166

      Use an SSH Client to Access the Switch
  • 166

    Further Information On SSH Client Public-Key Authentication
  • 172

    Messages Related to SSH Operation

• 175

  Configuring Secure Socket Layer (SSL)

  • 175

    Contents
  • 176

    Overview
  • 177

    Terminology
  • 179

    Prerequisite for Using SSL
  • 179

    Steps for Configuring and Using SSL for Switch and Client Authentication
  • 180

    General Operating Rules and Notes
    • 181

      Assign Local Login (Operator) and Enable (Manager) Password
    • 182

      Generate the Switch's Server Host Certificate
    • 191

      Enable SSL On the Switch and Anticipate SSL Browser Contact Behavior
  • 195

    Common Errors in SSL Setup

• 197

  Configuring Port-Based and Client-Based Access Control (802.1X)

  • 197

    Contents
  • 199

    Overview
    • 199

      Why Use Port-Based or Client-Based Access Control
    • 199

      General Features
    • 200

      User Authentication Methods
  • 203

    Terminology
  • 206

    General 802.1X Authenticator Operation
    • 206

      Example of the Authentication Process
    • 207

      Switch-Port Supplicant Operation
  • 208

    General Operating Rules and Notes
  • 210

    General Setup Procedure for 802.1X Access Control
    • 210

      Do These Steps before You Configure 802.1X Operation
    • 211

      Overview: Configuring 802.1X Authentication On the Switch
  • 213

    Configuring Switch Ports As 802.1X Authenticators
    • 213

      Enable 802.1X Authentication On Selected Ports
    • 216

      Reconfigure Settings for Port-Access
    • 219

      Configure the 802.1X Authentication Method
    • 220

      Enter the RADIUS Host IP Address(Es)
    • 220

      Enable 802.1X Authentication On the Switch
    • 221

      Optionally Resetting Authenticator Operation
  • 222

    802.1X Open VLAN Mode
    • 222

      Introduction
    • 223

      VLAN Membership Priorities
    • 224

      Use Models for 802.1X Open VLAN Modes
    • 227

      Operating Rules for Authorized-Client and Unauthorized-Client Vlans
    • 230

      Setting Up and Configuring 802.1X Open VLAN Mode
    • 234

      802.1X Open VLAN Operating Notes
  • 236

    Option for Authenticator Ports: Configure Port-Security to Allow Only 802.1X Devices
  • 236

    Option for Authenticator Ports: Configure Port-Security to Allow
  • 236

    Only 802.1X Devices
  • 238

    Configuring Switch Ports to Operate As Supplicants for 802.1X Connections to Other Switches
  • 243

    Displaying 802.1X Configuration, Statistics, and Counters
    • 243

      Show Commands for Port-Access Authenticator
    • 246

      Viewing 802.1X Open VLAN Mode Status
    • 249

      Show Commands for Port-Access Supplicant
  • 250

    How RADIUS/802.1X Authentication Affects VLAN Operation
  • 254

    Messages Related to 802.1X Operation

• 255

  Configuring and Monitoring Port Security

  • 255

    Contents
  • 256

    Overview
    • 256

      Basic Operation
    • 257

      Blocking Unauthorized Traffic
    • 258

      Trunk Group Exclusion
  • 259

    Planning Port Security
  • 260

    Port Security Command Options and Operation
    • 264

      Retention of Static MAC Addresses
    • 264

      Displaying Current Port Security Settings
    • 266

      Configuring Port Security
  • 272

    MAC Lockdown
    • 273

      Differences Between MAC Lockdown and Port Security
    • 275

      Deploying MAC Lockdown
  • 279

    MAC Lockout
    • 281

      Port Security and MAC Lockout
  • 282

    Web: Displaying and Configuring Port Security Features
  • 282

    Reading Intrusion Alerts and Resetting Alert Flags
    • 282

      Notice of Security Violations
    • 283

      How the Intrusion Log Operates
    • 284

      Keeping the Intrusion Log Current By Resetting Alert Flags
    • 289

      Using the Event Log to Find Intrusion Alerts
    • 290

      Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags
  • 290

    Operating Notes for Port Security
  • 292

    Configuring Protected Ports

• 296

  Using Authorized IP Managers

  • 296

    Overview
    • 297

      Configuration Options
    • 297

      Access Levels
    • 298

      Defining Authorized Management Stations
      • 298

        Overview of IP Mask Operation
      • 299

        Menu: Viewing and Configuring IP Authorized Managers
      • 300

        CLI: Viewing and Configuring Authorized IP Managers
      • 301

        Configuring Ip Authorized Managers for the Switch
    • 303

      Web: Configuring IP Authorized Managers
    • 303

      Building IP Masks
      • 303

        Configuring One Station Per Authorized Manager IP Entry
      • 304

        Configuring Multiple Stations Per Authorized Manager IP Entry
      • 306

        Additional Examples for Authorizing Multiple Stations
    • 306

      Operating Notes

• 309

  Index