HP (Hewlett-Packard) 6120 User Manual
- View the manual online or download it
- 469 pages
- 2.17 MB
The correct user manual
Regulations oblige the seller to hand over the user manual for the HP (Hewlett-Packard) 6120 to the buyer together with the goods. A missing manual, or incorrect information passed on to the consumer, provides grounds for a complaint on the basis of non-conformity of the device with the contract. The law permits the manual to be supplied in a form other than paper, which has recently become very common: a graphical or electronic manual for the HP (Hewlett-Packard) 6120, as well as instructional videos for users, may be included. The condition is that its form is legible and understandable.
What is a user manual?
The word comes from the Latin „instructio”, meaning to arrange. Accordingly, the manual for the HP (Hewlett-Packard) 6120 describes the stages of the procedures to follow. The purpose of the manual is instruction: simplifying start-up, the use of the device, or the performance of specific tasks. The manual is a collection of information about an object or a service, a guide.
Unfortunately, few users devote their time to the HP (Hewlett-Packard) 6120 user manual. A good user manual not only lets you discover a number of additional functions of the purchased device, but also helps you avoid many mistakes.
So what should an ideal user manual contain?
The HP (Hewlett-Packard) 6120 user manual should above all contain the following:
- Information about the technical data of the HP (Hewlett-Packard) 6120 device
- The name of the manufacturer and the year of production of the HP (Hewlett-Packard) 6120 device
- Principles of operation, adjustment and maintenance of the HP (Hewlett-Packard) 6120 device
- Safety marks and certificates confirming compliance with the relevant standards
Why don't we read user manuals?
The reason is a lack of time and a confidence about the particular functions of the purchased devices. Unfortunately, merely connecting and starting the HP (Hewlett-Packard) 6120 is not enough. A manual contains a number of hints concerning particular functions, safety principles, types of maintenance (even which agents should be used), possible faults of the HP (Hewlett-Packard) 6120 and ways of solving problems that may occur during use. After all, the user manual is where you can find the contact number for HP (Hewlett-Packard) service if the suggested solutions are not effective. Currently, manuals in the form of interesting animations or video guides are gaining popularity, because they appeal to the user more than a brochure. This type of manual guarantees that the user watches the whole video without skipping the specific and complicated technical descriptions of the HP (Hewlett-Packard) 6120, as happens with the paper form.
Why should you read user manuals?
In the user manual we find above all the answers about the construction and the capabilities of the HP (Hewlett-Packard) 6120 device, about the use of particular accessories, and a range of information that allows us to use all of its functions and conveniences.
After a successful purchase of the device, one should devote some time to getting to know every part of the HP (Hewlett-Packard) 6120 manual. Nowadays they are carefully prepared or translated so that they are not only understandable to users but also fulfil their basic function of providing help and information.
Table of contents of the manual
- Page 1: August 2009, ProCurve Series 6120 Switches, Access Security Guide [...]
- Page 2: Hewlett-Packard Company, 8000 Foothills Boulevard, m/s 5551, Roseville, California 95747-5551, www.procurve.com. © Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyri[...]
- Page 3: ii [...]
- Page 4: iii. Contents. Product Documentation: About Your Switch Manual Set (xvii); Printed Publications (xvii); Electronic Publications (xvii); Software Feat[...]
- Page 5: iv. 2 Configuring Username and Password Security: Contents (2-1); Overview (2-3); Configuring Local Password Security [...]
- Page 6: v. Password Recovery Process (2-34). 3 Web and MAC Authentication: Contents (3-1); Overview [...]
- Page 7: vi. Client Status (3-60). 4 TACACS+ Authentication: Contents (4-1); Overview [...]
- Page 8: vii. Authentication Services (5-3); Accounting Services (5-4); RADIUS-Administered CoS and Rate-Limiting (5-4); RADIUS-Administered Commands Authorization [...]
- Page 9: viii. 2. Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server (5-42); 3. (Optional) Configure Session Blocking and Interim Updating Options (5-44); Viewing RADIUS Statistics [...]
- Page 10: ix. 7 Configuring Secure Socket Layer (SSL): Contents (7-1); Overview (7-2); Terminology [...]
- Page 11: x. Using DHCP Snooping with Option 82 (8-9); Changing the Remote-id from a MAC to an IP Address (8-11); Disabling the MAC Address Check (8-11); The DHCP Binding Database (8-12); Oper[...]
- Page 12: xi. 9 Traffic/Security Filters and Monitors: Contents (9-1); Overview (9-2); Introduction [...]
- Page 13: xii. Terminology (10-6); General 802.1X Authenticator Operation (10-9); Example of the Authentication Process (10-9); VLAN Membership Priority [...]
- Page 14: xiii. Port-Security (10-46); Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches (10-47); Example [...]
- Page 15: xiv. Deploying MAC Lockdown (11-26); MAC Lockout (11-26); Port Security and MAC Lockout (11-29); Web: Displaying and Configuring Port Secur[...]
- Page 16: xv. Building IP Masks (12-10); Configuring One Station Per Authorized Manager IP Entry (12-10); Configuring Multiple Stations Per Authorized Manager IP Entry (12-11); Additional Examples for Authorizing Multiple Stations (12-13); Operat[...]
- Page 17: xvi [...]
- Page 18: xvii. Product Documentation. About Your Switch Manual Set. Note: For the latest version of switch documentation, please visit any of the following websites: www.procurve.com/manuals, www.hp.com/go/bladesystem/documentation, h18004.www1.hp.com/products/blades/components/c-class-tech-installing.html. Printed Publications. The publication listed be[...]
- Page 19: xviii. Software Feature Index. This feature index indicates which manual to consult for information on a given software feature. Note: This Index does not cover IPv6 capable software features. For information on IPv6 protocol operations and features (such as DHCPv6, DNS for IPv6, and Ping6), refer to the IPv6 Configuration Guide. Intelligent Ed[...]
- Page 20: xix. Downloading Software X; Event Log X; Factory Default Settings X; Flow Control (802.3x) X; File Transfers X; Friendly Port Names X; GVRP X; Identity-Driven Management (IDM) X; IGMP X; Interface Access (Telnet, Console/Serial, Web) X; IP Addressing X; Jumbo Packets X; LACP X; LLDP X; LLDP-MED X; Loop Protection X; MAC Address Management X; MAC Lockdown X; MAC L[...]
- Page 21: xx. Port Monitoring X; Port Security X; Port Status X; Port Trunking (LACP) X; Port-Based Access Control (802.1X) X; Protocol VLANS X; Quality of Service (QoS) X; RADIUS Authentication and Accounting X; RADIUS-Based Configuration X; RMON 1,2,3,9 X; Secure Copy X; SFTP X; SNMPv3 X; Software Downloads (SCP/SFTP, TFTP, Xmodem) X; Source-Port Filters X; Spanning T[...]
- Page 22: xxi. VLANs X; Web Authentication RADIUS Support X; Web-based Authentication X; Web UI X. Intelligent Edge Software Features. Manual: Management and Configuration; Advanced Traffic Management; Multicast and Routing; Access Security Guide [...]
- Page 23: 1-1 Security Overview, Contents. 1 Security Overview. Contents: Introduction (1-2); About This Guide (1-2); For More Information [...]
- Page 24: 1-2 Security Overview, Introduction. Introduction. This chapter provides an overview of the security features included on your switch. Table 1-1 on page 1-3 outlines the access security and authentication features, while Table 1-2 on page 1-7 highlights the additional features designed to help secure and protect your network. For detailed infor[...]
- Page 25: 1-3 Security Overview, Access Security Features. Access Security Features. This section provides an overview of the switch’s access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter [...]
- Page 26: 1-4 Security Overview, Access Security Features. Telnet and Web-browser access: enabled. The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols[...]
- Page 27: 1-5 Security Overview, Access Security Features. SSL: disabled. Secure Socket Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser access to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certifi[...]
- Page 28: 1-6 Security Overview, Access Security Features. 802.1X Access Control: none. This feature provides port-based or user-based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services. Included in the general features are the f[...]
- Page 29: 1-7 Security Overview, Network Security Features. Network Security Features. This section outlines features and defence mechanisms for protecting access through the switch to the network. For more detailed information, see the indicated chapters. Table 1-2. Network Security—Default Settings and Security Guidelines: Feature; Default Setting; Securit[...]
- Page 30: 1-8 Security Overview, Network Security Features. Connection-Rate Filtering based on Virus-Throttling Technology: none. This feature helps protect the network from attack and is recommended for use on the network edge. It is primarily focused on the class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in [...]
- Page 31: 1-9 Security Overview, Getting Started with Access Security. Getting Started with Access Security. ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network ope[...]
- Page 32: 1-10 Security Overview, Getting Started with Access Security. Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following: ■ Disable or re-enable the password-clearing function of the Clear button. ■ Configure the Clear button to reboot[...]
- Page 33: 1-11 Security Overview, Getting Started with Access Security. The welcome banner appears and the first setup option is displayed (Operator password). As you advance through the wizard, each setup option displays the current value in brackets [ ] as shown in Figure 1-1. Figure 1-1. Example of Management Interface Wizard Configuration. Welcome to [...]
- Page 34: 1-12 Security Overview, Getting Started with Access Security. 2. When you enter the wizard, you have the following options: • To update a setting, type in a new value, or press [Enter] to keep the current value. • To quit the wizard without saving any changes, press [CTRL-C] at any time. • To access online Help for any option, press[...]
- Page 35: 1-13 Security Overview, Getting Started with Access Security. The Welcome window appears. Figure 1-2. Management Interface Wizard: Welcome Window. This page allows you to choose between two setup types: • Typical—provides a multiple page, step-by-step method to configure security settings, with on-screen instructions for each option. • A[...]
- Page 36: 1-14 Security Overview, Getting Started with Access Security. 4. The summary setup screen displays the current configuration settings for all setup options (see Figure 1-3). Figure 1-3. Management Interface Wizard: Summary Setup. From this screen, you have the following options: • To change any setting that is shown, type in a new value or mak[...]
- Page 37: 1-15 Security Overview, Getting Started with Access Security. SNMP Security Guidelines. In the default configuration, the switch is open to access by management stations running SNMP (Simple Network Management Protocol) management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Inform[...]
- Page 38: 1-16 Security Overview, Getting Started with Access Security. If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions when downloading and booting from the software: ■ If SNMP access to the authentication configuration (hpSwitchAuth) MIB described ab[...]
- Page 39: 1-17 Security Overview, Precedence of Security Options. Precedence of Security Options. This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch. Precedence of Port-Based Security Options. Where the switch is running multiple security options, it implements network[...]
- Page 40: 1-18 Security Overview, Precedence of Security Options. value applied to a client session is determined in the following order (from highest to lowest priority), in which a value configured with a higher priority overrides a value configured with a lower priority: 1. Attribute profiles applied through the Network Immunity network-management[...]
- Page 41: 1-19 Security Overview, Precedence of Security Options. The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile MIB, which serves as the configuration interface for Network Immunity Manager. A client profile consists of NIM-configured, RADIUS-assigned, and statically configured parameters. Using [...]
- Page 42: 1-20 Security Overview, Precedence of Security Options. Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or wh[...]
- Page 43: 1-21 Security Overview, ProCurve Identity-Driven Manager (IDM). ProCurve Identity-Driven Manager (IDM). IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a[...]
- Page 44: 2-1. 2 Configuring Username and Password Security. Contents: Overview (2-3); Configuring Local Password Security (2-6); Menu: Setting Passwords [...]
- Page 45: 2-2 Configuring Username and Password Security, Contents. Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation (2-30); Changing the Operation of the Reset+Clear Combination (2-31); Password Recovery [...]
- Page 46: 2-3 Configuring Username and Password Security, Overview. Overview. Console access includes both the menu interface and the CLI. There are two levels of console access: Manager and Operator. For security, you can set a password pair (username and password) on each of these levels. Notes: Usernames are optional. Also, in the menu interface, you can[...]
- Page 47: 2-4 Configuring Username and Password Security, Overview. To configure password security: 1. Set a Manager password pair (and an Operator password pair, if applicable for your system). 2. Exit from the current console session. A Manager password pair will now be needed for full access to the console. If you do steps 1 and 2, above, then the ne[...]
- Page 48: 2-5 Configuring Username and Password Security, Overview. Notes: The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response t[...]
- Page 49: 2-6 Configuring Username and Password Security, Configuring Local Password Security. Configuring Local Password Security. Menu: Setting Passwords. As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Console Passwords. Figure 2-1. The S[...]
- Page 50: 2-7 Configuring Username and Password Security, Configuring Local Password Security. To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the[...]
- Page 51: 2-8 Configuring Username and Password Security, Configuring Local Password Security. CLI: Setting Passwords and Usernames. Commands Used in This Section. Configuring Manager and Operator Passwords. Note: You can configure manager and operator passwords in one step. See “Saving Security Credentials in a Config File” on page 2-10 of this guide. S[...]
- Page 52: 2-9 Configuring Username and Password Security, Configuring Local Password Security. If you want to remove both operator and manager password protection, use the no password all command. Web: Setting Passwords and Usernames. In the web browser interface you can enter passwords and (optional) usernames. To Configure (or Remove) Usernames and[...]
- Page 53: 2-10 Configuring Username and Password Security, Saving Security Credentials in a Config File. Saving Security Credentials in a Config File. You can store and view the following security settings in internal flash memory by entering the include-credentials command: ■ Local manager and operator passwords and (optional) user names that control [...]
- Page 54: 2-11 Configuring Username and Password Security, Saving Security Credentials in a Config File. ■ The chapter on “Switch Memory and Configuration” in the Management and Configuration Guide. ■ “Configuring Local Password Security” on page 2-6 in this guide. Enabling the Storage and Display of Security Credentials. To enable the securit[...]
- Page 55: 2-12 Configuring Username and Password Security, Saving Security Credentials in a Config File. Local Manager and Operator Passwords. The information saved to the running-config file when the include-credentials command is entered includes: password manager [user-name <name>] <hash-type> <pass-hash>; password operator [user-nam[...]
- Page 56: 2-13 Configuring Username and Password Security, Saving Security Credentials in a Config File. You can enter a manager, operator, or 802.1X port-access password in clear ASCII text or hashed format. However, manager and operator passwords are displayed and saved in a configuration file only in hashed format; port-access passwords are displayed[...]
- Page 57: 2-14 Configuring Username and Password Security, Saving Security Credentials in a Config File. [priv <priv-pass>] is the (optional) hashed privacy password used by a privacy protocol to encrypt SNMPv3 messages between the switch and the station. The following example shows the additional security credentials for SNMPv3 users that can be [...]
- Page 58: 2-15 Configuring Username and Password Security, Saving Security Credentials in a Config File. The password port-access values are configured separately from the manager and operator passwords configured with the password manager and password operator commands and used for management access to the switch. For information on the new password comma[...]
- Page 59: 2-16 Configuring Username and Password Security, Saving Security Credentials in a Config File. during authentication sessions. Both the switch and the server have a copy of the key; the key is never transmitted across the network. For more information, refer to “3. Configure the Switch To Access a RADIUS Server” on page 6-14 in this guide. [...]
- Page 60: 2-17 Configuring Username and Password Security, Saving Security Credentials in a Config File. Note: The ip ssh public-key command allows you to configure only one SSH client public-key at a time. The ip ssh public-key command behavior includes an implicit append that never overwrites existing public-key configurations on a running switch. If yo[...]
- Page 61: 2-18 Configuring Username and Password Security, Saving Security Credentials in a Config File. To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command. The following example shows the SSH public keys configured for manager access, along with the h[...]
- Page 62: 2-19 Configuring Username and Password Security, Saving Security Credentials in a Config File. Operating Notes. Caution: ■ When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file. You[...]
- Page 63: 2-20 Configuring Username and Password Security, Saving Security Credentials in a Config File. • copy config <source-filename> config <target-filename>: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty m[...]
- Page 64: 2-21 Configuring Username and Password Security, Saving Security Credentials in a Config File. Restrictions. The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command: ■ The private keys of an SSH host cannot be stored in the running configuration. Only [...]
- Page 65: 2-22 Configuring Username and Password Security, Saving Security Credentials in a Config File. the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command. Note that the password port-access v[...]
- Page 66: 2-23 Configuring Username and Password Security, Front-Panel Security. Front-Panel Security. The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default[...]
- Page 67: 2-24 Configuring Username and Password Security, Front-Panel Security. As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions. This section describes the functionality of the Clear and R[...]
- Page 68: 2-25 Configuring Username and Password Security, Front-Panel Security. Clear Button. Pressing the Clear button alone for five seconds resets the password(s) configured on the switch. Figure 2-8. Press the Clear Button for Five Seconds To Reset the Password(s). Reset Button. Pressing the Reset button alone for one second causes the switch to reboot.[...]
- Page 69: 2-26 Configuring Username and Password Security, Front-Panel Security. 2. While holding the Reset button, press and hold the Clear button for five seconds. 3. Release the Reset button. 4. If the Clear button is held for greater than 2.5 seconds, configuration will be cleared, and the switch will reboot. It can take approximately 20-25 seconds f[...]
- Page 70: 2-27 Configuring Username and Password Security, Front-Panel Security. Configuring Front-Panel Security. Using the front-panel-security command from the global configuration context in the CLI you can: • Disable or re-enable the password-clearing function of the Clear button. Disabling the Clear button means that pressing it does not remove loc[...]
- Page 71: 2-28 Configuring Username and Password Security, Front-Panel Security. For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings. Figure 2-10. The Default Front-Panel Security Settings. Reset-on-clear: Shows the status of the reset-on-clear option (Enabled [...]
- Page 72: 2-29 Configuring Username and Password Security, Front-Panel Security. Disabling the Clear Password Function of the Clear Button. This command displays a Caution message in the CLI. If you want to proceed with disabling the Clear button, type [Y]; otherwise type [N]. For example: Figure 2-11. Example of Disabling the Clear Button and Displaying [...]
- Page 73: 2-30 Configuring Username and Password Security, Front-Panel Security. Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation. For example, suppose that password-clear is disabled and you want to restore it to its default configuration (enabled, with reset-on-clear disabled). Syntax: [no] front-panel-security passwo[...]
- Page 74: 2-31 Configuring Username and Password Security, Front-Panel Security. Figure 2-12. Example of Re-Enabling the Clear Button’s Default Operation. Changing the Operation of the Reset+Clear Combination. In their default configuration, using the Reset+Clear buttons in the combination described under “Restoring the Factory Default Configura[...]
- Page 75: 2-32 Configuring Username and Password Security, Password Recovery. Figure 2-13. Example of Disabling the Factory Reset Option. Password Recovery. The password recovery feature is enabled by default and provides a method for regaining management access to the switch (without resetting the switch to its factory default configuration) in the event [...]
- Page 76: 2-33 Configuring Username and Password Security, Password Recovery. factory-default configuration. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured. Also, with factory-reset enabled, unauthorized users[...]
- Page 77: 2-34 Configuring Username and Password Security, Password Recovery. Figure 2-14. Example of the Steps for Disabling Password-Recovery. Password Recovery Process. If you have lost the switch’s manager username/password, but password-recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with a[...]
-
Seite 78
3-1 3 Web and MAC Authentication: Contents
Overview | 3-3
Web Authentication | 3-3
MAC Authentication | [...]

3-2 Web and MAC Authentication: Contents
Overview | 3-50
Configuration Commands for MAC Authentication | 3-51
Show Commands for MAC-Based Authentication | 3-54
Client Status | [...]
3-3 Web and MAC Authentication: Overview
Overview. Web and MAC authentication are designed for employment on the "edge" of a network to provide port-based security measures for protecting private networks and a switch from unauthorized access. Because neither method requires clients to run special supplicant software (unlike 802.1X authentica[...]

3-4 Web and MAC Authentication: Overview
Note: A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web authentication.
■ In the login page, a client enters a username and password, which the switch forwards to a RADIUS server for authentication. After authenticatin[...]

3-5 Web and MAC Authentication: Overview
■ Each new Web/MAC Auth client always initiates a MAC authentication attempt. This same client can also initiate Web authentication at any time before the MAC authentication succeeds. If either authentication succeeds then the other authentication (if in progress) is ended. No further Web/MAC[...]
3-6 Web and MAC Authentication: How Web and MAC Authentication Operate
clients by using an "unauthorized" VLAN for each session. The unauthorized VLAN ID assignment can be the same for all ports, or different, depending on the services and access you plan to allow for unauthenticated clients. You configure access to an optional, unauthori[...]

3-7 Web and MAC Authentication: How Web and MAC Authentication Operate
Web-based Authentication. When a client connects to a Web-Auth enabled port, communication is redirected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username and password. The default User Logi[...]

3-8 Web and MAC Authentication: How Web and MAC Authentication Operate
If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. After a successful login, a client may be redirected to a URL if you specify a URL valu[...]

3-9 Web and MAC Authentication: How Web and MAC Authentication Operate
A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The max-retries parameter specifies how many times a client may enter their credentials before authentication fails. The server-timeout parameter sets how long the switch waits to rece[...]

3-10 Web and MAC Authentication: How Web and MAC Authentication Operate
The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the c[...]
3-11 Web and MAC Authentication: Terminology
Terminology. Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. Wh[...]

3-12 Web and MAC Authentication: Operating Rules and Notes
Operating Rules and Notes
■ The switch supports concurrent 802.1X, Web and MAC authentication operation on a port (with up to 2 clients allowed). However, concurrent operation of Web and MAC authentication with other types of authentication on the same port is not supported. [...]

3-13 Web and MAC Authentication: Operating Rules and Notes
1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized[...]
3-14 Web and MAC Authentication: Setup Procedure for Web/MAC Authentication
Web/MAC Authentication and LACP. Web or MAC authentication and LACP are not supported at the same time on a port. The switch automatically disables LACP on ports configured for Web or MAC authentication.
■ Use the show port-access web-based commands to display session[...]

3-15 Web and MAC Authentication: Setup Procedure for Web/MAC Authentication
Figure 3-4. Example of show port-access config Command Output
3. Determine whether any VLAN assignments are needed for authenticated clients.
a. If you configure the RADIUS server to assign a VLAN for an authenticated client, this assignment overrides any VLAN assignme[...]

3-16 Web and MAC Authentication: Setup Procedure for Web/MAC Authentication
Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN's name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either "1[...]
3-17 Web and MAC Authentication: Setup Procedure for Web/MAC Authentication
aa-bb-cc-dd-ee-ff
aa:bb:cc:dd:ee:ff
AABBCCDDEEFF
AABBCC-DDEEFF
AA-BB-CC-DD-EE-FF
AA:BB:CC:DD:EE:FF
■ If the device is a switch or other VLAN-capable device, use the base MAC address assigned to the device, and not the MAC address assigned to the VLAN through which the d[...]
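The spellings listed above matter because, for MAC authentication, the switch sends the client's MAC address to RADIUS as both the user name and the password, formatted according to the switch's addr-format setting; a RADIUS user entry written in a different spelling never matches. The following is an added example (not code from the manual or from the switch) that normalises a MAC written in any accepted spelling and emits the exact string a RADIUS users file must contain for each format. The eight addr-format keyword names are an assumption about the switch CLI (check them with the `?` help of `aaa port-access mac-based addr-format`, and check the active one with `show port-access mac-based config`); the formatting rules themselves are the patterns the manual lists. Accepting Cisco-style dotted input (`aabb.ccdd.eeff`) goes beyond the manual's list and is there only for convenience.

```python
"""Produce the RADIUS User-Name/User-Password string a ProCurve switch sends for
a MAC-authenticated client, for each addr-format setting.

Added example, not code from the manual. ADDR_FORMATS keyword names are an
assumption about the switch CLI; the patterns are the ones the manual lists.
"""
import re

# keyword -> (delimiter, hex digits per group, uppercase).  Keyword names assumed.
ADDR_FORMATS = {
    "no-delimiter":           ("",  12, False),  # aabbccddeeff
    "single-dash":            ("-",  6, False),  # aabbcc-ddeeff
    "multi-dash":             ("-",  2, False),  # aa-bb-cc-dd-ee-ff
    "multi-colon":            (":",  2, False),  # aa:bb:cc:dd:ee:ff
    "no-delimiter-uppercase": ("",  12, True),   # AABBCCDDEEFF
    "single-dash-uppercase":  ("-",  6, True),   # AABBCC-DDEEFF
    "multi-dash-uppercase":   ("-",  2, True),   # AA-BB-CC-DD-EE-FF
    "multi-colon-uppercase":  (":",  2, True),   # AA:BB:CC:DD:EE:FF
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def parse_mac(mac: str) -> str:
    """Accept any of the spellings above (plus dotted aabb.ccdd.eeff) and return
    the bare 12 lowercase hex digits.  Anything that is not exactly 48 bits is
    rejected so a typo in an inventory fails loudly instead of silently never
    matching at the RADIUS server."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def format_mac(mac: str, addr_format: str = "no-delimiter") -> str:
    """The string the switch sends as User-Name and User-Password for this
    client under the given addr-format (unknown keyword -> ValueError)."""
    try:
        delim, group, upper = ADDR_FORMATS[addr_format]
    except KeyError:
        raise ValueError(f"unknown addr-format {addr_format!r}") from None
    digits = parse_mac(mac)
    if upper:
        digits = digits.upper()
    return delim.join(digits[i:i + group] for i in range(0, 12, group))


def radius_user_entries(macs, addr_format="no-delimiter"):
    """Deduplicate an inventory of MACs written in mixed spellings and return
    the (username, password) pairs the RADIUS server must hold; the switch
    sends the same formatted MAC in both fields."""
    entries = {}
    for mac in macs:
        name = format_mac(mac, addr_format)
        entries[name] = (name, name)
    return list(entries.values())


if __name__ == "__main__":
    # constructed sample inventory: the first three spellings are one client
    inventory = ["00:1b:21:3a:4b:5c", "001B21-3A4B5C", "00-1B-21-3A-4B-5C",
                 "d4:85:64:aa:bb:cc"]
    for fmt in ADDR_FORMATS:
        print(f"{fmt:24s}", [user for user, _ in radius_user_entries(inventory, fmt)])
```

Run it once per addr-format you intend to configure and diff the output against the server's user database; a mismatch in case or delimiter is the most common reason a MAC-authenticated client lands in the unauthorized VLAN even though "the MAC is in the server".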
3-18 Web and MAC Authentication: Setup Procedure for Web/MAC Authentication
Syntax: [no] radius-server [host <ip-address>] [oobm]
Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses[...]

3-19 Web and MAC Authentication: Setup Procedure for Web/MAC Authentication
For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server-specific shared secret key of '1A7rd':
Figure 3-5. Example of Configuring a Switch To Access a RADIUS Server[...]
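The shared secret configured here is what protects the exchange on the wire: it hides the User-Password in the switch's Access-Request and authenticates the server's reply, and the reply is also where the VLAN assignment described on page 3-16 arrives (as a VLAN name or a VID). The following is an added example, not code from the manual or the switch firmware, that plays both sides of a MAC-authentication exchange in pure Python: the switch builds an Access-Request with the formatted MAC as User-Name and User-Password (password hiding per RFC 2865 section 5.2), a minimal server answers with an Access-Accept carrying RFC 3580 tunnel attributes, and the switch verifies the Response Authenticator before it trusts the VLAN. The secret, MACs and VLANs are constructed sample values; NAS attributes and Message-Authenticator are left out to keep the example short.

```python
"""Switch <-> RADIUS exchange for one MAC-authenticated client.

Added example, not code from the manual or the switch firmware. Secret, client
MACs and VLAN assignments below are constructed sample values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs; length covers the 2-byte head."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _response_auth(code, ident, req_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()


def hide_password(secret, req_auth, password):
    """RFC 2865 section 5.2: 16-byte chunks XORed with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], pad))
        out += prev
    return out


def unhide_password(secret, req_auth, hidden):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_mac_auth_request(secret, ident, mac_string, req_auth=None):
    """Switch side: MAC auth sends the formatted MAC as user name and password."""
    req_auth = req_auth or os.urandom(16)
    mac = mac_string.encode()
    attrs = _attrs([(USER_NAME, mac), (USER_PASSWORD, hide_password(secret, req_auth, mac))])
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)


def serve(secret, request, allowed):
    """Minimal server: accept when User-Name is a known MAC and the password unhides
    to the same string. `allowed` maps MAC -> VLAN name (str) or VID (int)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(_parse_attrs(request[20:length]))
    name = attrs[USER_NAME].decode()
    password = unhide_password(secret, req_auth, attrs[USER_PASSWORD])
    if code != ACCESS_REQUEST or name not in allowed or password != name.encode():
        auth = _response_auth(ACCESS_REJECT, ident, req_auth, b"", secret)
        return _packet(ACCESS_REJECT, ident, auth, b"")
    tag = b"\x01"                                   # RFC 2868 tag byte, same on all three
    body = _attrs([(TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
                   (TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
                   (TUNNEL_PRIVATE_GROUP_ID, tag + str(allowed[name]).encode())])
    return _packet(ACCESS_ACCEPT, ident, _response_auth(ACCESS_ACCEPT, ident, req_auth, body, secret), body)


def switch_handle_reply(secret, request, reply):
    """Switch side: verify the Response Authenticator before trusting anything, then
    pull the VLAN. Returns (accepted, vlan); vlan is an int VID, a str VLAN name, or
    None when the server assigned none (the port then keeps its configured auth-vid)."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    req_auth, body = request[4:20], reply[20:length]
    if ident != request[1] or reply[4:20] != _response_auth(code, ident, req_auth, body, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return False, None
    tun = {}
    for t, v in _parse_attrs(body):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tun[t] = v[1:] if v and v[0] <= 0x1F else v    # drop the tag byte if present
    if (int.from_bytes(tun.get(TUNNEL_TYPE, b"\0"), "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(tun.get(TUNNEL_MEDIUM_TYPE, b"\0"), "big") != TUNNEL_MEDIUM_IEEE802
            or TUNNEL_PRIVATE_GROUP_ID not in tun):
        return True, None
    group = tun[TUNNEL_PRIVATE_GROUP_ID].decode()
    return True, (int(group) if group.isdigit() else group)
```

Two things worth noticing when you run it: the password hiding is reversible by anyone holding the secret (it is obfuscation keyed on a shared secret, not encryption with per-session keys), so the secret deserves the same handling as a password; and a secret mismatch does not produce a clean error on either side, the server just sees a password that does not match and the switch sees a reply whose authenticator fails, which is what a RADIUS timeout or "server not reachable" symptom on the switch often turns out to be.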
3-20 Web and MAC Authentication: Configuring Web Authentication
Configuring Web Authentication: Overview
1. If you have not already done so, configure a local username and password pair on the switch.
2. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authent[...]

3-21 Web and MAC Authentication: Configuring Web Authentication
• You can block only incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web authentication. For example, Wake-on-LAN traffic is transmitted on a web-authenti[...]

3-22 Web and MAC Authentication: Configuring Web Authentication
Syntax: aaa port-access <port-list> controlled-directions <both | in>
After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-directions command to configure how a port transmits traffic before it successfully authentic[...]

3-23 Web and MAC Authentication: Configuring Web Authentication
Syntax: aaa port-access <port-list> controlled-directions <both | in> (Continued)
Notes:
■ For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, "Multiple Instance Spanning-Tree [...]
3-24 Web and MAC Authentication: Configuring Web Authentication
Syntax: [no] aaa port-access web-based <port-list>
Enables web-based authentication on the specified ports. Use the no form of the command to disable web-based authentication on the specified ports.
Syntax: aaa port-access web-based <port-list> [auth-vid <vid>[...]

3-25 Web and MAC Authentication: Configuring Web Authentication
Figure 6. Adding Web Servers with the aaa port-access web-based ews-server Command
Specifies the base address/mask for the temporary IP pool used by DHCP. The base address can be any valid IP address (not a multicast address). Valid mask range value is <255.255.240.0 - 255.255.25[...]

3-26 Web and MAC Authentication: Configuring Web Authentication
Figure 7. Removing a Web Server with the aaa port-access web-based ews-server Command
ProCurve Switch (config)# no aaa port-access web-based 47 ews-server 10.0.12.181
ProCurve Switch (config)#
Syntax: aaa port-access web-based <port-list> [logoff-period] <60-9999999>[...]

3-27 Web and MAC Authentication: Configuring Web Authentication
Syntax: aaa port-access web-based <port-list> [reauth-period <0 - 9999999>]
Specifies the time period, in seconds, the switch enforces on a client to re-authenticate. When set to 0, reauthentication is disabled. (Default: 300 seconds)
Syntax: aaa port-access web-base[...]
3-28 Web and MAC Authentication: Configuring Web Authentication
Show Commands for Web Authentication
Command | Page
show port-access web-based [port-list] | 3-28
show port-access web-based clients [port-list] | 3-29
show port-access web-based clients <port-list> detailed | 3-30
show port-access web-based config [port-list] | 3-31
show port-acce[...]

3-29 Web and MAC Authentication: Configuring Web Authentication
Figure 4. Example of show port-access web-based Command Output
Figure 5. Example of show port-access web-based clients Command Output
ProCurve (config)# show port-access web-based
Port Access Web-Based Status
(column headings:) Auth Unauth Untagged Tagged
Port Cntrl Port Clients Clients VLAN VLANs COS[...]

3-30 Web and MAC Authentication: Configuring Web Authentication
Figure 6. Example of show port-access web-based clients detailed Command Output
Syntax: show port-access web-based clients <port-list> detailed
Displays detailed information on the status of web-authenticated client sessions on specified switch ports.
ProCurve (config)# s[...]

3-31 Web and MAC Authentication: Configuring Web Authentication
Figure 7. Example of show port-access web-based config Command Output
Syntax: show port-access web-based config [port-list]
Displays the currently configured Web Authentication settings for all switch ports or specified ports, including:
• Temporary DHCP base address and mask [...]

3-32 Web and MAC Authentication: Configuring Web Authentication
Figure 8. Example of show port-access web-based config detail Command Output
Syntax: show port-access web-based config <port-list> detailed
Displays more detailed information on the currently configured Web Authentication settings for specified ports.
ProCurve (config)#[...]

3-33 Web and MAC Authentication: Configuring Web Authentication
Figure 9. Example of show port-access web-based config auth-server Command Output
Syntax: show port-access web-based config [port-list] auth-server
Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-s[...]
3-34 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Customizing Web Authentication HTML Files (Optional). The Web Authentication process displays a series of web pages and status messages to the user during login. The web pages that are displayed can be:
■ Generic, default pages generated directly by the switch[...]

3-35 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
■ To configure a web server on your network, follow the instructions in the documentation provided with the server.
■ Before you enable custom Web Authentication pages, you should:
• Determine the IP address or host name of the web server(s) that will [...]

3-36 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Customizable HTML Templates. The sample HTML files described in the following sections are customizable templates. To help you create your own set of HTML files, a set of the templates can be found on the download page for 'K' software.
User Login Page (in[...]
3-37 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Figure 9. HTML Code for User Login Page Template
<!-- ProCurve Web Authentication Template index.html -->
<html>
<head>
<title>User Login</title>
</head>
<body>
<h1>User Login</h1>
<p>In order to acce[...]

3-38 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Access Granted Page (accept.html).
Figure 9-10. Access Granted Page
The accept.html file is the web page used to confirm a valid client login. This web page is displayed after a valid username and password are entered and accepted. The client device is then grant[...]

3-39 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Figure 11. HTML Code for Access Granted Page Template
<!-- ProCurve Web Authentication Template accept.html -->
<html>
<head>
<title>Access Granted</title>
<!-- The following line is required to automatically redirect -->
[...]

3-40 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Authenticating Page (authen.html).
Figure 12. Authenticating Page
The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified.
Figure 13. HTML Code for Authenticating Page Template
<!-[...]
3-41 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Invalid Credentials Page (reject_unauthvlan.html).
Figure 10. Invalid Credentials Page
The reject_unauthvlan.html file is the web page used to display login failures in which an unauthenticated client is assigned to the VLAN configured for unauthorized cl[...]

3-42 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Figure 14. HTML Code for Invalid Credentials Page Template
<!-- ProCurve Web Authentication Template reject_unauthvlan.html -->
<html>
<head>
<title>Invalid Credentials</title>
<!-- The following line is required to automatical[...]

3-43 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Timeout Page (timeout.html).
Figure 15. Timeout Page
The timeout.html file is the web page used to return an error message if the RADIUS server is not reachable. You can configure the time period (in seconds) that the switch waits for a response from the RADI[...]

3-44 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Retry Login Page (retry_login.html).
Figure 17. Retry Login Page
The retry_login.html file is the web page displayed to a client that has entered an invalid username and/or password, and is given another opportunity to log in. The WAUTHRETRIESLEFTGET ESI disp[...]

3-45 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Figure 18. HTML Code for Retry Login Page Template
<!-- ProCurve Web Authentication Template retry_login.html -->
<html>
<head>
<title>Invalid Credentials</title>
<!-- The following line is required to automatically redirect t[...]
3-46 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
SSL Redirect Page (sslredirect.html).
Figure 19. SSL Redirect Page
The sslredirect file is the web page displayed when a client is redirected to an SSL server to enter credentials for Web Authentication. If you have enabled SSL on the switch, you can enable se[...]

3-47 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Figure 20. HTML Code for SSL Redirect Page Template
<!-- ProCurve Web Authentication Template sslredirect.html -->
<html>
<head>
<title>User Login SSL Redirect</title>
<meta http-equiv="refresh" content="5;URL=ht[...]

3-48 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Access Denied Page (reject_novlan.html).
Figure 11. Access Denied Page
The reject_novlan file is the web page displayed after a client login fails and no VLAN is configured for unauthorized clients. The WAUTHQUIETTIMEGET ESI inserts the time period used to [...]

3-49 Web and MAC Authentication: Customizing Web Authentication HTML Files (Optional)
Figure 21. HTML Code for Access Denied Page Template
<!-- ProCurve Web Authentication Template reject_novlan.html -->
<html>
<head>
<title>Access Denied</title>
<!-- The line below is required to automatically redirect the user[...]
3-50 Web and MAC Authentication: Configuring MAC Authentication on the Switch
Configuring MAC Authentication on the Switch: Overview
1. If you have not already done so, configure a local username and password pair on the switch.
2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and [...]

3-51 Web and MAC Authentication: Configuring MAC Authentication on the Switch
Configuration Commands for MAC Authentication
Command | Page
Configuration Level
aaa port-access mac-based addr-format | 3-51
[no] aaa port-access mac-based [e] <port-list> | 3-52
[addr-limit] | 3-52
[addr-moves] | 3-52
[auth-vid] | 3-52
[logoff-period] | 3-53
[max-reques[...]

3-52 Web and MAC Authentication: Configuring MAC Authentication on the Switch
Syntax: [no] aaa port-access mac-based <port-list>
Enables MAC-based authentication on the specified ports. Use the no form of the command to disable MAC-based authentication on the specified ports.
Syntax: aaa port-access mac-based [e] <port-list> [add[...]

3-53 Web and MAC Authentication: Configuring MAC Authentication on the Switch
Syntax: aaa port-access mac-based [e] <port-list> [logoff-period <60-9999999>]
Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the s[...]

3-54 Web and MAC Authentication: Configuring MAC Authentication on the Switch
Show Commands for MAC-Based Authentication
Syntax: aaa port-access mac-based [e] <port-list> [unauth-vid <vid>]
no aaa port-access mac-based [e] <port-list> [unauth-vid]
Specifies the VLAN to use for a client that fails authentication. If unau[...]
3-55 Web and MAC Authentication: Configuring MAC Authentication on the Switch
Figure 3-22. Example of show port-access mac-based Command Output
Figure 4. Example of show port-access mac-based clients Command Output
ProCurve (config)# show port-access mac-based
Port Access MAC-Based Status
(column headings:) Auth Unauth Untagged Tagged
Port Cntrl Port Clients Clien[...]

3-56 Web and MAC Authentication: Configuring MAC Authentication on the Switch
Figure 5. Example of show port-access mac-based clients detail Command Output
Syntax: show port-access mac-based clients <port-list> detailed
Displays detailed information on the status of MAC-authenticated client sessions on specified ports.
ProCurve (conf[...]

3-57 Web and MAC Authentication: Configuring MAC Authentication on the Switch
Figure 6. Example of show port-access mac-based config Command Output
Syntax: show port-access mac-based config [port-list]
Displays the currently configured MAC Authentication settings for all switch ports or specified ports, including:
• MAC address format
• S[...]

3-58 Web and MAC Authentication: Configuring MAC Authentication on the Switch
Figure 7. Example of show port-access mac-based config detail Command Output
Syntax: show port-access mac-based config <port-list> detailed
Displays more detailed information on the currently configured MAC Authentication settings for specified ports.
ProCurv[...]

3-59 Web and MAC Authentication: Configuring MAC Authentication on the Switch
Figure 8. Example of show port-access mac-based config auth-server Command Output
Syntax: show port-access mac-based config [port-list] auth-server
Displays the currently configured MAC Authentication settings for all switch ports or specified ports and includes R[...]
3-60 Web and MAC Authentication: Client Status
Client Status. The table below shows the possible client status information that may be reported by a Web-based or MAC-based 'show ... clients' command.
Reported Status | Available Network Connection | Possible Explanations
authenticated | Authorized VLAN | Client authenticated. Remains connected until[...]
4-1 4 TACACS+ Authentication: Contents
Overview | 4-2
Terminology Used in TACACS Applications | 4-3
General System Requirements | 4-5
General [...]

4-2 TACACS+ Authentication: Overview
Overview. TACACS+ authentication enables you to use a central server to allow or deny access to the switches covered in this guide (and other TACACS-aware devices) in your network. This means that you can use a central database to create multiple unique username/password sets with associated privilege levels [...]

4-3 TACACS+ Authentication: Terminology Used in TACACS Applications
TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login[...]

4-4 TACACS+ Authentication: Terminology Used in TACACS Applications
face. (Using the menu interface you can assign a local password, but not a username.) Because this method assigns passwords to the switch instead of to individuals who access the switch, you must distribute the password information on each switch to everyone who needs to access[...]
4-5 TACACS+ Authentication: General System Requirements
General System Requirements. To use TACACS+ authentication, you need the following:
■ A TACACS+ server application installed and configured on one or more servers or management stations in your network. (There are several TACACS+ software packages available.)
■ A switch configured for[...]

4-6 TACACS+ Authentication: General Authentication Setup Procedure
other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure.
Note: If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see "Troub[...]

4-7 TACACS+ Authentication: General Authentication Setup Procedure
Note on Privilege Levels. When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code o[...]
4-8 TACACS+ Authentication: Configuring TACACS+ on the Switch
configuration in your TACACS+ server application for mis-configurations or missing data that could affect the server's interoperation with the switch.
8. After your testing shows that Telnet access using the TACACS+ server is working properly, configure your TACACS+ server ap[...]

4-9 TACACS+ Authentication: Configuring TACACS+ on the Switch
CLI Commands Described in this Section
Viewing the Switch's Current Authentication Configuration. This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access.
Syntax: show [...]

4-10 TACACS+ Authentication: Configuring TACACS+ on the Switch
Viewing the Switch's Current TACACS+ Server Contact Configuration. This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact.
Syntax: show tacacs
For example, if the switch was configured fo[...]

4-11 TACACS+ Authentication: Configuring TACACS+ on the Switch
Configuring the Switch's Authentication Methods. The aaa authentication command configures access control for the following access methods:
■ Console
■ Telnet
■ SSH
■ Web
■ Port-access (802.1X)
However, TACACS+ authentication is only used with the console, Telnet, [...]
4-12 TACACS+ Authentication: Configuring TACACS+ on the Switch
Authentication Parameters
Table 4-1. AAA Authentication Parameters
Syntax: aaa authentication <console | telnet | ssh | web | port-access>
Selects the access method for configuration.
<enable> The server grants privileges at the Manager privilege level.
<login [pri[...]

4-13 TACACS+ Authentication: Configuring TACACS+ on the Switch
Configuring the TACACS+ Server for Single Login. In order for the single login feature to work correctly, you need to check some entries in the User Setup on the TACACS+ server. In the User Setup, scroll to the Advanced TACACS+ Settings section. Make sure the radio button for [...]

4-14 TACACS+ Authentication: Configuring TACACS+ on the Switch
Figure 4-4. Advanced TACACS+ Settings Section of the TACACS+ Server User Setup
Then scroll down to the section that begins with "Shell" (see Figure 4-5). Check the Shell box. Check the Privilege level box and set the privilege level to 15 to allow "root" privileges. This all[...]

4-15 TACACS+ Authentication: Configuring TACACS+ on the Switch
Figure 4-5. The Shell Section of the TACACS+ Server User Setup
As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch's console port. However, for Telnet access, you can configure TACACS+ to deny acce[...]

4-16 TACACS+ Authentication: Configuring TACACS+ on the Switch
Table 4-2. Primary/Secondary Authentication Table
Caution Regarding the Use of Local for Login Primary Access. During local authentication (which uses passwords configured in the switch instead of in a TACACS+ server), the switch grants read-only access if you enter the Operator pa[...]
4-17 TACACS+ Authentication: Configuring TACACS+ on the Switch
For example, here is a set of access options and the corresponding commands to configure them:
Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local.
ProCurve (config)# aaa authentication console login tacacs local
Console Enable (Manager [...]

4-18 TACACS+ Authentication: Configuring TACACS+ on the Switch
Configuring the Switch's TACACS+ Server Access. The tacacs-server command configures these parameters:
■ The host IP address(es) for up to three TACACS+ servers; one first-choice and up to two backups. Designating backup servers provides for a continuation of authentication serv[...]

4-19 TACACS+ Authentication: Configuring TACACS+ on the Switch
Note on Encryption Keys. Encryption keys configured in the switch must exactly match the encryption keys configured in TACACS+ servers the switch will attempt to use for authentication. If you configure a global encryption key, the switch uses it only with servers for which you hav[...]

4-20 TACACS+ Authentication: Configuring TACACS+ on the Switch
Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see "Using the Encryption Key" on page 4-27 and[...]
4-21 TACACS+ Authentication: Configuring TACACS+ on the Switch
Adding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was already configured to use TACACS+ servers at 10.28.227.10 and 10.28.227.15. In this case, 10.28.227.15 was entered first, and so is listed as the first-choice server:
Figure 4-6. Example o[...]

4-22 TACACS+ Authentication: Configuring TACACS+ on the Switch
Figure 4-7. Example of the Switch After Assigning a Different "First-Choice" Server
To remove the 10.28.227.15 device as a TACACS+ server, you would use this command:
ProCurve (config)# no tacacs-server host 10.28.227.15
Configuring an Encryption Key. Use an encryption key in [...]

4-23 TACACS+ Authentication: Configuring TACACS+ on the Switch
To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you wou[...]
4-24 TACACS+ Authentication: How Authentication Operates
How Authentication Operates. General Authentication Process Using a TACACS+ Server. Authentication through a TACACS+ server operates generally as described below. For specific operating details, refer to the documentation you received with your TACACS+ server application.
Figure 4-8. Usin[...]

4-25 TACACS+ Authentication: How Authentication Operates
4. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs:
• If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the s[...]

4-26 TACACS+ Authentication: How Authentication Operates
Local Authentication Process. When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists:
■ "Local" is the authentication option for the access method being used.
■ TACACS+ is the primary authentication mode for[...]

4-27 TACACS+ Authentication: How Authentication Operates
Using the Encryption Key: General Operation. When used, the encryption key (sometimes termed "key", "secret key", or "secret") helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and [...]
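The "encryption key" described above and in the note on page 4-19 is worth seeing at the byte level, because it is not encryption in the modern sense: the TACACS+ packet body is XORed with a pseudo-pad derived from MD5 over the session id, the shared key, the version and the sequence number (RFC 8907 section 4.5). The following is an added example, not code from the manual or the switch firmware, that builds an authentication START packet the way a switch would, obfuscates it with the key, and recovers it on the server side. Session id, key, user name and addresses are constructed sample values. It also shows the two consequences the manual only states in prose: with the key unset the body travels in clear (TAC_PLUS_UNENCRYPTED_FLAG), and with mismatched keys the server recovers garbage rather than getting a clean error.

```python
"""TACACS+ body obfuscation with the shared key (RFC 8907 section 4.5).

Added example, not code from the manual or the switch. Session id, key, user
name and addresses are constructed sample values.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER_DEFAULT = 0xC, 0x0
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT   # 0xC0
TAC_PLUS_AUTHEN = 0x01               # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01         # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain: block_i = MD5(session_id + key + version + seq_no + block_{i-1}),
    concatenated and truncated to the body length."""
    head = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad. The same call reverses it, so a key mismatch on either
    side does not fail loudly: it just yields wrong bytes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """Authentication START body the switch sends first. With ASCII login the
    password is not in this packet; it arrives in a later CONTINUE packet that is
    obfuscated the same way with the next seq_no."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def build_packet(body, session_id, key, seq_no=1, plaintext=False):
    """12-byte header plus body. plaintext=True sets TAC_PLUS_UNENCRYPTED_FLAG and
    sends the body as-is, which is what a switch with no key configured does."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if plaintext else 0
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    wire = body if plaintext else obfuscate(body, session_id, key, VERSION, seq_no)
    return header + wire


def parse_packet(packet, key):
    """Server side: returns ((version, type, seq_no, flags, session_id), body)
    with the body de-obfuscated using `key` unless the clear flag is set."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    wire = packet[12:12 + length]
    if len(wire) != length:
        raise ValueError("truncated packet")
    body = wire if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(wire, session_id, key, version, seq_no)
    return (version, ptype, seq_no, flags, session_id), body


def start_username(body):
    """Pull the user name back out of a START body. After a key mismatch the
    length byte and the name are random, so treat undecodable output as such."""
    if len(body) < 8:
        raise ValueError("body too short for a START packet")
    user_len = body[4]
    try:
        return body[8:8 + user_len].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("undecodable user name: key mismatch?") from None


if __name__ == "__main__":
    sid, key = 0x12345678, b"north40campus"         # constructed sample values
    body = authen_start_body("operator", "console", "10.28.227.5")
    pkt = build_packet(body, sid, key)
    print("on the wire:", pkt[12:].hex())
    print("right key  :", parse_packet(pkt, key)[1])
    print("wrong key  :", parse_packet(pkt, b"north01")[1])
    print("no key     :", build_packet(body, sid, key, plaintext=True)[12:])
```

The pad depends only on values visible in the packet header plus the key, so anyone who knows or guesses the key can strip the obfuscation from a capture after the fact; the key is the entire secret. That is the reason the manual insists on matching keys per server and why a long, unique key per switch/server pair is the right choice, and also why TACACS+ traffic between the switch and the server belongs on a management network rather than on a segment untrusted hosts can sniff.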
4-28 TACACS+ Authentication: Controlling Web Browser Interface Access When Using TACACS+ Authentication
For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do n[...]

4-29 TACACS+ Authentication: Messages Related to TACACS+ Operation
Messages Related to TACACS+ Operation. The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application.
Opera[...]

4-30 TACACS+ Authentication: Operating Notes
■ When TACACS+ is not enabled on the switch, or when the switch's only designated TACACS+ servers are not accessible, setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthorized persons.
■ When us[...]
5-1 5 RADIUS Authentication, Authorization, and Accounting: Contents
Overview | 5-3
Authentication Services | 5-3
Accounting Services | [...]

5-2 RADIUS Authentication, Authorization, and Accounting: Contents
Example Configuration on Cisco Secure ACS for MS Windows | 5-30
Example Configuration Using FreeRADIUS | 5-32
VLAN Assignment in an Authentication Session | 5-34
Tagged and Untagged VLAN Attributes | [...]
5-3 RADIUS Authentication, Authorization, and Ac counting Overview Overview RADIUS ( Remote Authentication Dial-In User Service ) enables yo u to use up to three servers (one primary server and one or two backups) and mai ntain separate authentication and accountin g for each RADIUS server employed. For authentication, this allows a differ ent pass[...]
-
Seite 171
5-4 RADIUS Authentication, Au thorization, and Accounting Overview Note The switch does not support RADIUS security for SNM P (network manage- ment) access. For i nformation on blocking access through the web br owser interface, refer to “Controlling W eb Br owser Interfac e Access” on page 5-25. Accounting Services RADIUS accounting on the swi[...]
-
Seite 172
5-5 RADIUS Authentication, Authorization, and Ac counting Terminology T erminology AAA: Authentication, Authorization, and Accounting group s of services pro - vided by the carrying protocol. CHAP (Challenge-Handshake Authe ntication Protocol): A challenge- response authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encr[...]
-
Seite 173
5-6 RADIUS Authentication, Au thorization, and Accounting Switch Operating Rules for RADIUS V endor -Specific Attribute: A v endor -defined value config ured in a RADIUS server to specific an optional switch fe ature assigned by the server during an authenticated cl ient session. Switch Operating Rules for RADIUS ■ Y ou must have at l east one RA[...]
-
Seite 174
5-7 RADIUS Authentication, Authorization, and Ac counting General RADIUS Setup Proced ure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS server s to support the switch. (That is, one primary server and one or two ba ckups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring th[...]
-
Seite 175
5-8 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you hav e configured[...]
-
Seite 176
5-9 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication Outline of the Steps fo r Configuring RADIUS Authentication There ar e three ma in steps t o configuring RADIUS authe ntication : 1. Configure RADIUS authentication fo r controlling access through one or more of the following • Serial port ?[...]
-
Seite 177
5-10 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication • T imeou t Period: Th e timeout pe riod the switch waits for a RADIUS server to reply . (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS au thenticat[...]
-
Seite 178
5-11 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication ure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail. In certain situations, RADIUS servers can become isolated from the network. [...]
Page 179
5-12 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Figure 5-2 shows an example of the show authentication command displaying authorized as the secondary authentication method for port-access, Web-auth access, and MAC-auth access. Since the configuration of authorized means no authenti[...]
Page 180
5-13 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Figure 5-3. Example Configuration for RADIUS Authentication Note If you configure the Login Primary method as local instead of radius (and local passwords are configured on the switch), then clients connected to your network can gain a[...]
Page 181
5-14 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication this default behavior for clients with Enable (manager) access. That is, with privilege-mode enabled, the switch immediately allows Enable (Manager) access to a client for whom the RADIUS server specifies this access level. 3. Configur[...]
Page 182
5-15 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Note If you want to configure RADIUS accounting on the switch, go to page 5-37: “Configuring RADIUS Accounting” instead of continuing here. Syntax: [no] radius-server host <ip-address> [oobm] Adds a server to the RADIUS confi[...]
Page 183
5-16 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in figure 5-4 and you now need to make the following changes:
1. Change the encryption key for the server at 10.33.18.127 to “source0127”.
2. Add a RADIUS server with an IP[...]
Page 184
5-17 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Figure 5-4. Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 5-4, you would do the following: Figure 5-5. Sample Configuration for RADIUS Server After Ch[...]
Page 185
5-18 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication
■ Global server key: The server key the switch will use for contacts with all RADIUS servers for which there is not a server-specific key configured by radius-server host <ip-address> key <key-string>. This key is option[...]
Page 186
5-19 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Note Where the switch has multiple RADIUS servers configured to support authentication requests, if the first server fails to respond, then the switch tries the next server in the list, and so on. If none of the servers respond, then [...]
Page 187
5-20 RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Figure 5-7. Listings of Global RADIUS Parameters Configured In Figure 5-6 After two attempts failing due to username or password entry errors, the switch will terminate the session. Global RADIUS parameters from figure 5-6. These two ser[...]
Page 188
5-21 RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features Using SNMP To View and Configure Switch Authentication Features SNMP MIB object access is available for switch authentication configuration (hpSwitchAuth) features. This means that the switches covered by this Guide [...]
Page 189
5-22 RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features Changing and Viewing the SNMP Access Configuration For example, to disable SNMP access to the switch’s authentication MIB and then display the result in the Excluded MIB field, you would execute the following two commands[...]
Page 190
5-23 RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features An alternate method of determining the current Authentication MIB access state is to use the show run command. Figure 5-9. Using the show run Command to View the Current Authentication MIB Access State ProCurve(config)# sho[...]
Page 191
5-24 RADIUS Authentication, Authorization, and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists:
■ Local is the authentication option for the access method being used.
■ The switch has been config[...]
Page 192
5-25 RADIUS Authentication, Authorization, and Accounting Controlling Web Browser Interface Access Controlling Web Browser Interface Access To help prevent unauthorized access through the web browser interface, do one or more of the following:
■ Configure the switch to support RADIUS authentication for web browser interface access (Web Aut[...]
Page 193
5-26 RADIUS Authentication, Authorization, and Accounting Commands Authorization Commands Authorization The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information (from the user’s profile) to the Network [...]
Page 194
5-27 RADIUS Authentication, Authorization, and Accounting Commands Authorization Enabling Authorization To configure authorization for controlling access to the CLI commands, enter this command at the CLI. For example, to enable the RADIUS protocol as the authorization method: When the NAS sends the RADIUS server a valid username and password, [...]
Page 195
5-28 RADIUS Authentication, Authorization, and Accounting Commands Authorization Displaying Authorization Information You can show the authorization information by entering this command: An example of the output is shown. Figure 5-10. Example of Show Authorization Command Configuring Commands Authorization on a RADIUS Server Using Vendor S[...]
Page 196
5-29 RADIUS Authentication, Authorization, and Accounting Commands Authorization The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below. You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two examples below [...]
Page 197
5-30 RADIUS Authentication, Authorization, and Accounting Commands Authorization Example Configuration on Cisco Secure ACS for MS Windows It is necessary to create a dictionary file that defines the VSAs so that the RADIUS server application can determine which VSAs to add to its user interface. The VSAs will appear below the standard attri[...]
Page 198
5-31 RADIUS Authentication, Authorization, and Accounting Commands Authorization
Profile=IN OUT
Enums=Hp-Command-Exception-Types
[Hp-Command-Exception-Types]
0=PermitList
1=DenyList
2. Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the utils directory wherever acs is installed).
3. From the command prompt execute[...]
Page 199
5-32 RADIUS Authentication, Authorization, and Accounting Commands Authorization
6. Right click and then select New > key. Add the vendor Id number that you determined in step 4 (100 in the example).
7. Restart all Cisco services.
8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADI[...]
Page 200
5-33 RADIUS Authentication, Authorization, and Accounting Commands Authorization
2. Find the location of the dictionary files used by FreeRADIUS (try /usr/local/share/freeradius).
3. Copy dictionary.hp to that location. Open the existing dictionary file and add this entry: $INCLUDE dictionary.hp
4. You can now use HP VSAs with other attribu[...]
Page 201
5-34 RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session VLAN Assignment in an Authentication Session A switch supports concurrent 802.1X and either Web- or MAC-authentication sessions on a port (with up to 32 clients allowed). If you have configured RADIUS as the primary authentication method fo[...]
Page 202
5-35 RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session Tagged and Untagged VLAN Attributes When you configure a user profile on a RADIUS server to assign a VLAN to an authenticated client, you can use either the VLAN’s name or VLAN ID (VID) number. For example, if a VLAN configured in the sw[...]
Page 203
5-36 RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session Additional RADIUS Attributes The following attributes are included in Access-Request and Access-Accounting packets sent from the switch to the RADIUS server to advertise switch capabilities, report information on authentication sessions, [...]
Page 204
5-37 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting Note This section assumes you have already:
■ Configured RADIUS authentication on the switch for one or more access methods
■ Configured one or more RADIUS servers to support the switch
If you have not already done so, refer[...]
Page 205
5-38 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting
■ Exec accounting: Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch:
■ System accounting: Provides records containing the information listed below when system events occur on the sw[...]
Page 206
5-39 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting Operating Rules for RADIUS Accounting
■ You can configure up to four types of accounting to run simultaneously: exec, system, network, and commands.
■ RADIUS servers used for accounting are also used for authentication.
■ The switch must be configur[...]
Page 207
5-40 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting must match the encryption key used on the specified RADIUS server. For more information, refer to the “[key <key-string>]” parameter on page 5-14. (Default: null) 2. Configure accounting types and the controls for sending reports to the RADIU[...]
Page 208
5-41 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting (For a more complete description of the radius-server command and its options, turn to page 5-14.) [key <key-string>] Optional. Specifies an encryption key for use during accounting or authentication sessions with the specified server. This key mus[...]
Page 209
5-42 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting For example, suppose you want the switch to use the RADIUS server described below for both authentication and accounting purposes.
■ IP address: 10.33.18.151
■ A non-default UDP port number of 1750 for accounting.
For this example, assume that al[...]
Page 210
5-43 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting Note that there is no time span associated with using the system option. It simply causes the switch to transmit whatever accounting data it currently has when one of the above events occurs.
■ Network: Use Network if you want to collect accounting infor[...]
Page 211
5-44 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting For example, to configure RADIUS accounting on the switch with start-stop for exec functions and stop-only for system functions: Figure 5-12. Example of Configuring Accounting Types 3. (Optional) Configure Session Blocking and Interim Updating Options These[...]
Page 212
5-45 RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting To continue the example in figure 5-12, suppose that you wanted the switch to:
■ Send updates every 10 minutes on in-progress accounting sessions.
■ Block accounting for unknown users (no username).
Figure 5-13. Example of Optional Accounting Update Perio[...]
Page 213
5-46 RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Figure 5-14. Example of General RADIUS Information from Show Radius Command Syntax: show radius [host <ip-addr>] Shows general RADIUS configuration, including the server IP addresses. Optional form sho[...]
Page 214
5-47 RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Figure 5-15. RADIUS Server Information From the Show Radius Host Command Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server. PendingReque[...]
Page 215
5-48 RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Figure 5-16. Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions. A[...]
Page 216
5-49 RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Figure 5-17. Example of RADIUS Authentication Information from a Specific Server RADIUS Accounting Statistics Figure 5-18. Listing the Accounting Configuration in the Switch Syntax: show accounting Lists configured accounting interval, “Empty User” suppres[...]
Page 217
5-50 RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order Figure 5-19. Example of RADIUS Accounting Information for a Specific Server Figure 5-20. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the [...]
Page 218
5-51 RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order Figure 5-21. Search Order for Accessing a RADIUS Server To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: 1. Delete 10[...]
Page 219
5-52 RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order Figure 5-22. Example of New RADIUS Server Search Order Removes the “003” and “001” addresses from the RADIUS server list. Inserts the “003” address in the first position in the RADIUS server list, and inserts the “001” address in the las[...]
Page 220
5-53 RADIUS Authentication, Authorization, and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server <x.x.x.x>. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. [...]
Page 221
6-1 6 Configuring Secure Shell (SSH) Contents
Overview 6-2
Terminology 6-3
Prerequisite for Using SSH [...]
Page 222
6-2 Configuring Secure Shell (SSH) Overview Overview The switches covered in this guide use Secure Shell version 2 (SSHv2) to provide remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSH operation. SSH provides Telnet-like functions but, unlike Telnet, [...]
Page 223
6-3 Configuring Secure Shell (SSH) Terminology Note SSH in ProCurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit www.openssh.com. Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication shown in figure 6-1. It occurs if the switch has SSH ena[...]
Page 224
6-4 Configuring Secure Shell (SSH) Terminology
■ Enable Level: Manager privileges on the switch.
■ Login Level: Operator privileges on the switch.
■ Local password or username: A Manager-level or Operator-level password configured in the switch.
■ SSH Enabled: (1) A public/private key pair has been generated on the switch (generate [...]
Page 225
6-5 Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), then the clien[...]
Page 226
6-6 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 6-1. SSH Options The general steps for configuri[...]
Page 227
6-7 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation
1. Assign a login (Operator) and enable (Manager) password on the switch (page 6-10).
2. Generate a public/private key pair on the switch (page 6-10). You need to do this only once. The key remains in the switch ev[...]
Page 228
6-8 Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes
■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 client key pairs.
■ The switch’s own public/private key pair and the (optional) client public key file are stored in the switch’[...]
Page 229
6-9 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page
show ip ssh 6-19
show crypto client-public-key [<manager | operator>] [keylist-str] [<babble | fingerprint>] 6-27
show crypto host-public-key [<babble | fingerprint>] 6-[...]
Page 230
6-10 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the [...]
Page 231
6-11 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be “perman[...]
Page 232
6-12 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Figure 6-5. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key' displays it in two different formats because your client may store it in either of these form[...]
Page 233
6-13 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes "Zeroizing" the switch’s key automatically disables SSH (sets ip ssh to no). Thus, if you zeroize the key and then generate a new key, you must also re-enable SSH with the ip ssh command before the switch can resume SSH operation. Configuring Key [...]
Page 234
6-14 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation (The generated public key on the switch is always 896 bits.) With a direct serial connection from a management station to the switch: 1. Use a terminal application such as HyperTerminal to display the switch’s public key with the show crypto host-public-key command[...]
Page 235
6-15 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation
■ Non-encoded ASCII numeric string: Requires a client ability to display the keys in the “known hosts” file in the ASCII format. This method is tedious and error-prone due to the length of the keys. (See figure 6-7 on page 6-14.)
■ Phonetic hash: Outputs the k[...]
Page 236
6-16 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note Before enabling SSH on the switch you must generate the switch’s public/private key pair. If you have not already done so, refer to “2. Generating the Switch’s Public and Private Key Pair” on page 6-10. When configured for SSH, the switch uses its host[...]
Page 237
6-17 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation To disable SSH on the switch, do either of the following:
■ Execute no ip ssh.
■ Zeroize the switch’s existing key pair (page 6-11).
Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher <cipher-type>] Specify a cipher type to use for connect[...]
Page 238
6-18 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [mac <mac-type>] Allows configuration of the set of MACs that can be selected. Valid types are:
• hmac-md5
• hmac-sha1
• hmac-sha1-96
• hmac-md5-96
Default: All MAC types are available. Use the no form of the command to disable a MAC type. [port <1-6553[...]
Page 239
6-19 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note on Port Number ProCurve recommends using the default TCP port number (22). However, you can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http). Some othe[...]
Page 240
6-20 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation access to the serial port (and the Clear button, which removes local password protection), keep physical access to the switch restricted to authorized personnel. 5. Configuring the Switch for SSH Authentication Note that all methods in this section result in authent[...]
Page 241
6-21 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option B: Configuring the Switch for Client Public-Key SSH Authentication. If configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public-key for the switch to authenticate. This o[...]
Page 242
6-22 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, assume that you have a client public-key file named Client-Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch. For SSH access to the switch you want to allow only clients having a private key that matches a public key fou[...]
Page 243
6-23 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-11. Configuring for SSH Access Requiring a Client Public-Key Match and Manager Passwords Figure 6-12 shows how to check the results of the above commands. Figure 6-12. SSH Configuration and Client-Public-Key Listing From Figure 6-11 ProCurve(config)# password m[...]
Page 244
6-24 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems" in the Tr[...]
Page 245
6-25 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication
1. The client sends its public key to the switch with a request for authentication.
2. The switch compares the client’s public key to those stored in the switch’s client-public-key file. (As a prerequisite, you must use the switch’s copy tf[...]
Page 246
6-26 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication To Create a Client-Public-Key Text File. These steps describe how to copy client public keys into the switch for challenge-response authentication, and require an understanding of how to use your SSH client application. Figure 6-13. Example of [...]
Page 247
6-27 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 2. Copy the client’s public key into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft® Windows® software. If you want several clients to use client public-key authentication, copy a pub[...]
Page 248
6-28 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Note copy usb pub-key file can also be used as a method for copying a public key file to the switch. The operator option replaces the key(s) for operator access (default); follow with the ‘append’ option to add the key(s). For switches that have a [...]
Page 249
6-29 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication For example, if you wanted to copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents: Figure 6-14. Example of Copying and Displaying a Client Public-Key File Containing Two Differe[...]
Page 250
6-30 Configuring Secure Shell (SSH) Messages Related to SSH Operation Caution To enable client public-key authentication to block SSH clients whose public keys are not in the client-public-key file copied into the switch, you must configure the Login Secondary as none. Otherwise, the switch allows such clients to attempt access using th[...]
Page 251
6-31 Configuring Secure Shell (SSH) Messages Related to SSH Operation Logging Messages There are event log messages when a new key is generated and zeroized for the server:
ssh: New <num-bits>-bit [rsa | dsa] SSH host key installed
ssh: SSH host key zeroized
There are also messages that indicate when a client public key is installed o[...]
Page 252
6-32 Configuring Secure Shell (SSH) Messages Related to SSH Operation Debug Logging To add ssh messages to the debug log output, enter this command: ProCurve# debug ssh LOGLEVEL where LOGLEVEL is one of the following (in order of increasing verbosity):
• fatal
• error
• info
• verbose
• debug
• debug2
• debug3[...]
Page 253
7-1 7 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . .[...]
-
Seite 254
7-2 Configuring Secure Socket Layer (SSL) Overview Overview The switches covered in this guide use Secure Socket Layer V ersion 3 (SSLv3) and support for T ransport Lay er Security(TLSv1) to provide rem ote web access to the switches via encrypted paths betw een the switch and manage- ment station client s capable of SSL/TLS operation. Note ProCurv[...]
-
Seite 255
7-3 Configuring Secure Socket Layer (SSL) Terminology Figure 7-1. Switch/User Auth entication SSL on the switches covered in this guide supports these data encryption methods: ■ 3DES (168-bit, 112 Effective) ■ DES (56-bit) ■ RC4 (40-bit, 128-bit) Note: ProCurve Switches use RSA publ ic key al gorithms and Diffie-Hellman, and all references to[...]
-
Seite 256
7-4 Configuring Secure Socket Layer (SSL) Terminology ■ Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-Signed Certificates) and used later on to verify the authenticity of those signed certificates. Trusted certificates are distributed as an integral part of most popular web clients. (s[...]
Page 257
7-5 Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL-enabled web browser application on the computer(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and [...]
Page 258
7-6 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re-generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch's certificate on all management stations (clients) y[...]
Page 259
7-7 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 1. Assigning a Local Login (Operator) and Enabling (Manager) Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Tel[...]
Page 260
7-8 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 7-2. Example of Configuring Local Passwords 1. Proceed to the security tab and select device passwords button. 2. Click in the appropriate box in the Device Passwords window and enter user names and passwords. You will be required to repeat the passwor[...]
Page 261
7-9 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.) The server certificate is stored in the switc[...]
Page 262
7-10 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI commands used to generate a Server Host Certificate. To generate a host certificate from the CLI: i. Generate a certificate key pair. This is done with the crypto key generate cert command. The default key size is 512. Note: If a certificate key pair is alre[...]
Page 263
7-11 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Table 7-1. Certificate Field Descriptions For example, to generate a key and a new host certificate: Figure 7-3. Example of Generating a Self-Signed Server Host Certificate on the CLI for the Switch. Notes "Zeroizing" the switch's server host certificat[...]
Page 264
7-12 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI Command to view host certificates. To view the current host certificate from the CLI you use the show crypto host-cert command. For example, to display the new server host certificate: Figure 7-4. Example of show crypto host-cert command Generate a Self-Sig[...]
Page 265
7-13 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To generate a self-signed host certificate from the web browser interface: i. Proceed to the Security tab then the SSL button. The SSL configuration screen is split up into two halves. The left half is used in creating a new certificate key pair and (self-s[...]
Page 266
7-14 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browser interface: Figure 7-5. Self-Signed Certificate Generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface: 1. Proceed to the Security [...]
Page 267
7-15 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 7-6. Web Browser Interface Showing Current SSL Host Certificate Generate a CA-Signed server host certificate with the Web browser interface To install a CA-Signed server host certificate from the web browser interface. For more information on how to ac[...]
Page 268
7-16 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate author[...]
Page 269
7-17 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 7-7. Request for Verified Host Certificate Web Browser Interface Screen 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior The web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transac[...]
Page 270
7-18 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch's host certificate and key. If you have not already done so, refer to "2. Generating the Switch's Server Host Certificate" on page 7-8. When configured for SSL, the switch uses its [...]
Page 271
7-19 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI Interface to Enable SSL To enable SSL on the switch: 1. Generate a Host certificate if you have not already done so. (Refer to "2. Generating the Switch's Server Host Certificate" on page 7-8.) 2. Execute the web-management ssl command. To d[...]
Page 272
7-20 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 7-8. Using the Web Browser Interface to Enable SSL and Select TCP Port Number Note on Port Number ProCurve recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to specify any TCP port for SSL connections ex[...]
Page 273
7-21 Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup. Error During | Possible Cause: Generating host certificate on CLI | You have not generated a certificate key. (Refer to "CLI commands used to generate a Server Host Certificate" on page 7-10.) Enabling SSL on the CLI or Web browser interface | You hav[...]
Page 274
8-1 8 Configuring Advanced Threat Protection Contents: Introduction . . . 8-3; DHCP Snooping . . . 8-4; Overview . . .[...]
Page 275
8-2 Configuring Advanced Threat Protection Contents: Operating Notes . . . 8-26; Adding an IP-to-MAC Binding to the DHCP Binding Database . . . 8-28; Potential Issues with Bindings . . . 8-28; Adding a Static Binding[...]
Page 276
8-3 Configuring Advanced Threat Protection Introduction As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (such as partners, temporary employees, and visitors), additional protection from attacks launched from both inside and outside your internal network [...]
Page 277
8-4 Configuring Advanced Threat Protection DHCP Snooping • Attempts to exhaust system resources so that sufficient resources are not available to transmit legitimate traffic, indicated by an unusually high use of specific system resources • Attempts to attack the switch's CPU and introduce delay in system response time to new network even[...]
Page 278
8-5 Configuring Advanced Threat Protection DHCP Snooping DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are [...]
Page 279
8-6 Configuring Advanced Threat Protection DHCP Snooping To display the DHCP snooping configuration, enter this command: ProCurve(config)# show dhcp-snooping An example of the output is shown below. Figure 8-1. An Example of the DHCP Snooping Command Output To display statistics about the DHCP snooping process, enter this command: ProCurve(c[...]
Page 280
8-7 Configuring Advanced Threat Protection DHCP Snooping Figure 8-2. Example of Show DHCP Snooping Statistics Enabling DHCP Snooping on VLANs DHCP snooping on VLANs is disabled by default. To enable DHCP snooping on a VLAN or range of VLANs enter this command: ProCurve(config)# dhcp-snooping vlan <vlan-id-range> You can also use this comm[...]
Page 281
8-8 Configuring Advanced Threat Protection DHCP Snooping Configuring DHCP Snooping Trusted Ports By default, all ports are untrusted. To configure a port or range of ports as trusted, enter this command: ProCurve(config)# dhcp-snooping trust <port-list> You can also use this command in the interface context, in which case you are not[...]
Page 282
8-9 Configuring Advanced Threat Protection DHCP Snooping Configuring Authorized Server Addresses If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the authorized server list in order to be considered valid. If no authorized servers are configured, all s[...]
Page 283
8-10 Configuring Advanced Threat Protection DHCP Snooping Note DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, not on VLANs without snooping enabled. If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP [...]
Page 284
8-11 Configuring Advanced Threat Protection DHCP Snooping Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address of the switch as the remote-id in Option 82 additions. The IP address of the VLAN the packet was received on or the IP address of the management VLAN can be used instead by entering this com[...]
Page 285
8-12 Configuring Advanced Threat Protection DHCP Snooping Figure 8-7. Example Showing the DHCP Snooping Verify MAC Setting The DHCP Binding Database DHCP snooping maintains a database of up to 8192 DHCP bindings on untrusted ports. Each binding consists of: ■ Client MAC address ■ Port number ■ VLAN identifier ■ Leased IP address ■ Le[...]
Page 286
8-13 Configuring Advanced Threat Protection DHCP Snooping A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command. Figure 8-8. Example Showing DHCP Snooping Binding Database Contents Note If a lease database is configured, the s[...]
Page 287
8-14 Configuring Advanced Threat Protection DHCP Snooping ■ ProCurve recommends running a time synchronization protocol such as SNTP in order to track lease times accurately. ■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot. Log Messages Server <ip-address> packet rec[...]
Page 288
8-15 Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay information logs for <duration>. More than one DHCP client packet received on an untrusted port with a relay information field was dropped. To avoid filling the log file with repeated attempts, untrusted relay information packets will not be logged for t[...]
Page 289
8-16 Configuring Advanced Threat Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the s[...]
Page 290
8-17 Configuring Advanced Threat Protection Dynamic ARP Protection • If a binding is valid, the switch updates its local ARP cache and forwards the packet. • If a binding is invalid, the switch drops the packet, preventing other network devices from receiving the invalid IP-to-MAC information. DHCP snooping intercepts and examines DHCP pa[...]
Page 291
8-18 Configuring Advanced Threat Protection Dynamic ARP Protection Enabling Dynamic ARP Protection To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp-protect vlan command at the global configuration level. An example of the arp-protect vlan command is shown here: ProCurve(config)# arp-protect vlan 1-101 Config[...]
Page 292
8-19 Configuring Advanced Threat Protection Dynamic ARP Protection Figure 8-9. Configuring Trusted Ports for Dynamic ARP Protection Take into account the following configuration guidelines when you use dynamic ARP protection in your network: ■ You should configure ports connected to other switches in the network as trusted ports. In [...]
Page 293
8-20 Configuring Advanced Threat Protection Dynamic ARP Protection Adding an IP-to-MAC Binding to the DHCP Database A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet validation. Both the DHCP snooping and DHCP Option 82 insertion features maintain the lease database by learning the IP-to-MAC bindings on [...]
Page 294
8-21 Configuring Advanced Threat Protection Dynamic ARP Protection Configuring Additional Validation Checks on ARP Packets Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp-protect validate c[...]
Page 295
8-22 Configuring Advanced Threat Protection Dynamic ARP Protection Figure 8-1. The show arp-protect Command Displaying ARP Packet Statistics To display statistics about forwarded ARP packets, dropped ARP packets, MAC validation failures, and IP validation failures, enter the show arp-protect statistics command: Figure 8-2. Show arp-protect sta[...]
Page 296
8-23 Configuring Advanced Threat Protection Dynamic IP Lockdown Monitoring Dynamic ARP Protection When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp-protect command. Use this command when you want to debug the following conditions: ■ The switch is dropping valid ARP pack[...]
Page 297
8-24 Configuring Advanced Threat Protection Dynamic IP Lockdown Protection Against IP Source Address Spoofing Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD [...]
Page 298
8-25 Configuring Advanced Threat Protection Dynamic IP Lockdown ■ The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are learned, a corresponding permit rule is dynamically created and applied to the port (preceding the fina[...]
Page 299
8-26 Configuring Advanced Threat Protection Dynamic IP Lockdown Assuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown applies the following dynamic VLAN filtering on port 5: Figure 8-4. Example of Internal Statements Used by Dynamic IP Lockdown Note that the deny any statement is applied only to VLANs for wh[...]
Page 300
8-27 Configuring Advanced Threat Protection Dynamic IP Lockdown • Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. In order for Dynamic IP lockdown to work on a port, the port must be configured for at least one VLAN that is enabled for DHCP snooping. To enable DHCP snooping on a VLAN, enter the dhcp-sn[...]
Page 301
8-28 Configuring Advanced Threat Protection Dynamic IP Lockdown Adding an IP-to-MAC Binding to the DHCP Binding Database A switch maintains a DHCP binding database, which is used for dynamic IP lockdown as well as for DHCP and ARP packet validation. The DHCP snooping feature maintains the lease database by learning the IP-to-MAC bindings o[...]
Page 302
8-29 Configuring Advanced Threat Protection Dynamic IP Lockdown Adding a Static Binding To add the static configuration of an IP-to-MAC binding for a port to the lease database, enter the ip source-binding command at the global configuration level. Use the no form of the command to remove the IP-to-MAC binding from the database. Note Note th[...]
Page 303
8-30 Configuring Advanced Threat Protection Dynamic IP Lockdown An example of the show ip source-lockdown status command output is shown in Figure 8-5. Note that the operational status of all switch ports is displayed. This information indicates whether or not dynamic IP lockdown is supported on a port. Figure 8-5. Example of show ip source-loc[...]
Page 304
8-31 Configuring Advanced Threat Protection Dynamic IP Lockdown Figure 8-6. Example of show ip source-lockdown bindings Command Output In the show ip source-lockdown bindings command output, the "Not in HW" column specifies whether or not (YES or NO) a statically configured IP-to-MAC and VLAN binding on a specified port has been combined i[...]
Page 305
8-32 Configuring Advanced Threat Protection Dynamic IP Lockdown Figure 8-7. Example of debug dynamic-ip-lockdown Command Output ProCurve(config)# debug dynamic-ip-lockdown DIPLD 01/01/90 00:01:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 1 packets DIPLD 01/01/90 00:06:25 : denied ip 192.168.2.100 (0) (PORT 4) -> 192.168.[...]
Page 306
8-33 Configuring Advanced Threat Protection Using the Instrumentation Monitor The instrumentation monitor can be used to detect anomalies caused by security attacks or other irregular operations on the switch. The following table shows the operating parameters that can be monitored at pre-determined intervals[...]
Page 307
8-34 Configuring Advanced Threat Protection Using the Instrumentation Monitor Operating Notes ■ To generate alerts for monitored events, you must enable the instrumentation monitoring log and/or SNMP trap. The threshold for each monitored parameter can be adjusted to minimize false alarms (see "Configuring Instrumentation Monitor" on[...]
Page 308
8-35 Configuring Advanced Threat Protection Using the Instrumentation Monitor Configuring Instrumentation Monitor The following commands and parameters are used to configure the operational thresholds that are monitored on the switch. By default, the instrumentation monitor is disabled. Syntax: [no] instrumentation monitor [parameterName[...]
Page 309
8-36 Configuring Advanced Threat Protection Using the Instrumentation Monitor To enable instrumentation monitor using the default parameters and thresholds, enter the general instrumentation monitor command. To adjust specific settings, enter the name of the parameter that you wish to modify, and revise the threshold limits as needed. Ex[...]
Page 310
8-37 Configuring Advanced Threat Protection Using the Instrumentation Monitor Viewing the Current Instrumentation Monitor Configuration The show instrumentation monitor configuration command displays the configured thresholds for monitored parameters. Figure 8-10. Viewing the Instrumentation Monitor Configuration An alternate method of det[...]
Page 311
9-1 9 Traffic/Security Filters and Monitors Contents: Overview . . . 9-2; Introduction . . . 9-2; Filter Limits . . .[...]
Page 312
9-2 Traffic/Security Filters and Monitors Overview Source-port filters are available on the HP ProCurve switch models covered in this guide. Introduction You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic. That is[...]
Page 313
9-3 Traffic/Security Filters and Monitors Filter Types and Operation Table 9-1. Filter Types and Criteria. Static Filter Type | Selection Criteria: Source-Port | Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.[...]
Page 314
9-4 Traffic/Security Filters and Monitors Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports. Figure 9-1. Example of a Source-Port Filter Application Operating Rules for Source-Port Filters ■ You can config[...]
Page 315
9-5 Traffic/Security Filters and Monitors Filter Types and Operation ■ When you create a source port filter, all ports and port trunks (if any) on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or [...]
Page 316
9-6 Traffic/Security Filters and Monitors Filter Types and Operation Figure 9-3. The Filter for the Actions Shown in Figure 9-2 Named Source-Port Filters You can specify named source-port filters that may be used on multiple ports and port trunks. A port or port trunk can only have one source-port filter, but by using this capability you can [...]
Page 317
9-7 Traffic/Security Filters and Monitors Filter Types and Operation ■ A named source-port filter can only be deleted when it is not applied to any ports. Defining and Configuring Named Source-Port Filters The named source-port filter command operates from the global configuration level. Syntax: [no] filter source-port named-filter < f[...]
Page 318
9-8 Traffic/Security Filters and Monitors Filter Types and Operation A named source-port filter must first be defined and configured before it can be applied. In the following example two named source-port filters are defined, web-only and accounting. ProCurve(config)# filter source-port named-filter web-only ProCurve(config)# filter source-[...]
Page 319
9-9 Traffic/Security Filters and Monitors Filter Types and Operation Using Named Source-Port Filters A company wants to manage traffic to the Internet and its accounting server on a 26-port switch. Their network is pictured in Figure 9-4. Switch port 1 connects to a router that provides connectivity to a WAN and the Internet. Switch port [...]
Page 320
9-10 Traffic/Security Filters and Monitors Filter Types and Operation Figure 9-5. Applying Example Named Source-Port Filters Once the named source-port filters have been defined and configured we now apply them to the switch ports. Figure 9-6. Source Port Filters Applied to Switch Ports The show filter command shows what ports have filters appl[...]
Page 321
9-11 Traffic/Security Filters and Monitors Filter Types and Operation Figure 9-7. Example of the show filter Command Using the IDX value in the show filter command, we can see how traffic is filtered on a specific port (Value). The two outputs below show a non-accounting and an accounting switch port. ProCurve(config)# show filter Traff[...]
Page 322
9-12 Traffic/Security Filters and Monitors Filter Types and Operation Figure 9-8. Example Showing Traffic Filtered on Specific Ports The same command, using IDX 26, shows how traffic from the Internet is handled. ProCurve(config)# show filter 4 Traffic/Security Filters Filter Type : Source Port Source Port : 5 Dest Port Type | Action --------- [...]
Page 323
9-13 Traffic/Security Filters and Monitors Filter Types and Operation Figure 9-9. Example of Source Port Filtering with Internet Traffic As the company grows, more resources are required in accounting. Two additional accounting workstations are added and attached to ports 12 and 13. A second server is added attached to port 8. Figure 9-10. E[...]
Page 324
9-14 Traffic/Security Filters and Monitors Filter Types and Operation The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command. Figure 9-11. Example Showing Network Traffic Management with Source Port Filters We next apply the upda[...]
Page 325
9-15 Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Figure 9-12. Named Source-Port Filters Managing Traffic Configuring Traffic/Security Filters Use this procedure to specify the type of filters to use on the switch and whether to forward or drop filtered packets for each filter you specify. 1. Select the st[...]
Page 326
9-16 Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port < port-number | trunk-name >] Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the[...]
Page 327
9-17 Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a source-port filter that drops all traffic received on port 5 with a destination of port trunk 1 (Trk1) and any port in the range of port 10 to port 15. To create this filter [...]
Page 328
9-18 Traffic/Security Filters and Monitors Configuring Traffic/Security Filters filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following: Figure 9-13. Example of Switch Response to Adding a Filtered Source Port to a Trunk Editing a Source-Port Filter The switch includes in one filter the a[...]
Page 329
9-19 Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Figure 9-14. Assigning Additional Destination Ports to an Existing Filter For example, suppose you wanted to configure the filters in table 9-2 on a switch. (For more on source-port filters, refer to "Configuring a Source-Port Traffic Filter" on page 9-16.)[...]
Page 330
9-20 Traffic/Security Filters and Monitors Configuring Traffic/Security Filters new filter will receive the index number "2" and the second new filter will receive the index number "4". This is because the index number "2" was made vacant by the earlier deletion, and was therefore the lowest index number available for the [...]
Page 331
10-1 10 Configuring Port-Based and User-Based Access Control (802.1X) Contents: Overview . . . 10-3; Why Use Port-Based or User-Based Access Control? . . . 10-3; General Features . . .[...]
Page 332
10-2 Configuring Port-Based and User-Based Access Control (802.1X) Contents: 3. Configure the 802.1X Authentication Method . . . 10-24; 4. Enter the RADIUS Host IP Address(es) . . . 10-25; 5. Enable 802.1X Authentication on the Switch . . . 10-25; 6. Optional: Re[...]
Page 333
10-3 Configuring Port-Based and User-Based Access Control (802.1X) Overview Why Use Port-Based or User-Based Access Control? Local Area Networks are often deployed in a way that allows unauthorized clients to attach to network devices, or allows unauthorized users to get access to unattended clients on a network. Also, the use of DHCP [...]
Page 334
10-4 Configuring Port-Based and User-Based Access Control (802.1X) Overview • Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication. [...]
Page 335
10-5 Configuring Port-Based and User-Based Access Control (802.1X) Overview This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated. All sessions must use the same untagged VLAN. Also, an authenticated [...]
Page 336
10-6 Configuring Port-Based and User-Based Access Control (802.1X) Terminology This operation unblocks the port while an authenticated client session is in progress. In topologies where simultaneous, multiple client access is possible this can allow unauthorized and unauthenticated access by another client while an authenticated client is u[...]
Page 337
10-7 Configuring Port-Based and User-Based Access Control (802.1X) Terminology a port loses its authenticated client connection, it drops its membership in this VLAN. Note that with multiple clients on a port, all such clients use the same untagged, port-based VLAN membership. Authentication Server: The entity providing an authentication serv[...]
Page 338
10-8 Configuring Port-Based and User-Based Access Control (802.1X) Terminology Static VLAN: A VLAN that has been configured as "permanent" on the switch by using the CLI vlan < vid > command or the Menu interface. Supplicant: The entity that must provide the proper credentials to the switch before receiving access to the network. This [...]
Page 339
10-9 Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X su[...]
Page 340
10-10 Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation Note The switches covered in this guide can use either 802.1X port-based authentication or 802.1X user-based authentication. For more information, refer to "User Authentication Methods" on page 10-4. VLAN Membership Priority Follo[...]
Page 341
10-11 Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation Figure 10-1. Priority of VLAN Assignment for an Authenticated Client (flowchart with Yes/No branches; decision nodes: New Client Authenticated; Untagged VLAN Configured On Port?; RADIUS-Assigned VLAN?; Authorized VLAN Configured?; Another (Old) Client Already Using Port?; Are All [...]
Page 342
10-12 Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes ■ In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed: • Multicast and broadcast traffic is allowed on the port. • Unicast traffic to auth[...]
Page 343
10-13 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) General Operating Rules and Notes ■ If a port on switch “A” is configur ed as an 802.1X supplicant and is connected to a port on anot her switch, “B”, that is not 802.1X-aware, access to switch “B” will occur wit hout 802.1X sec urity protection. ■ On a port confi[...]
-
Seite 344
10-14 Configuring Port-Bas ed and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Access Control Do These Steps Before Y ou Configure 802.1X Operation 1. Configure a local username and pa ssword on the switch for both the Operator (login) and Manager (enable) access levels. (Wh[...]
10-15 Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Figure 10-2. Example of the Password Port-Access Command You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command. For more information, see “Sav[...]
10-16 Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control 3. Determine whether to use user-based access control (page 10-4) or port-based access control (page 10-5). 4. Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for cli[...]
10-17 Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to the following: ■ “802.1X User-Based Access [...]
10-18 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Note If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. 7. If you are using Port Secur[...]
10-19 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps[...]
10-20 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User-Based Authentication or Return to Port-Based Authentication User-Based 802.1X Authentication. Port-Based 802.1X Authentication. Syntax: aaa port-access authenticator client-limit < port-list > < 1 - 32[...]
10-21 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Example: Configuring User-Based 802.1X Authentication This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication. Figure 10-4. Example of Configuring User-Bas[...]
10-22 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page). (Default: 60 secon[...]
10-23 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid < vlan-id >[...]
10-24 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator. You can configure local, c[...]
10-25 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication. The following syntax shows the bas[...]
10-26 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentication is operating, you can use the following aaa port-access authenticator commands to reset 802.1X authentication and statistics on specified ports. 7. Optiona[...]
10-27 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators ■ The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network. For information[...]
10-28 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-directions command is applied to all a[...]
10-29 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode Introduction This section describes how to use the 802.1X Open VLAN mode to provide a path for clients that need to acquire 802.1X supplicant software before proceeding with the authentication process. The Open VLAN mode involves o[...]
10-30 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports configured to allow multiple sessions using 802.1X user-based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, authenticated clients, the first authenticated client determin[...]
10-31 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port is a tagged member of a VLAN used for 1 or 2 listed above, then it also operates as an untagged member of that VLAN while the clie[...]
10-32 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 10-2. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauth[...]
10-33 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Authorized-Client VLAN • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN. Notes: If the client is running an 802.1X supplicant application when the authentication ses[...]
10-34 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should includ[...]
10-35 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully completes an authentication session, the port becomes an untagged membe[...]
10-36 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized-Client or Unauthorized-Client VLANs These must be configured on the switch before you configure an 802.1X authenticator port to use them. ([...]
10-37 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Effect of Unauthorized-Client VLAN session on untagged port VLAN membership • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VL[...]
10-38 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Effect of RADIUS-assigned VLAN This rule assumes no other authenticated clients are already using the port on a different VLAN. The port joins the RADIUS-assigned VLAN as an untagged member. IP Addressing for a Client Connected to a Port Configured for 802[...]
10-39 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other. Note: Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to[...]
10-40 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 10-2 on page 10-32 for other options. Before you configure the 802.1X Open VLAN mode on a p[...]
10-41 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privilege[...]
10-42 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. 4. Activate authentication on the switch. 5. Test both the authorized and unauthorized access [...]
10-43 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 10-40. For example, suppose you want to configu[...]
10-44 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 10-60. 802.1X Open VLAN Operating Notes ■ Although you can configure Open V[...]
10-45 Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices ■ The first client to authenticate on a port configured to support multiple clients will determine the port’s VLAN membership for any subsequent clients that authenticate [...]
10-46 Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices Port-Security Note If 802.1X port-access is configured on a given port, then port-security learn-mode for that port must be set to either continuous (the default) or port-access[...]
10-47 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches A switch port can operate as a supplicant in a connection to a port on another 802.1X-aware s[...]
10-48 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches • If, after the supplicant port sends the configured number of start packets, it does not receive a response, it assumes that switch “B” is not 802.1X-aware, and transitions to t[...]
10-49 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. You can configure a switch port as a supplicant for a point-to-point link to an 802.1X-aware port on another switch[...]
10-50 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [secret] Enter secret: < password > Repeat secret: < password > Sets the secret password to be [...]
10-51 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Authenticator 802.1X Authentication Commands page 10-18 802.1X Supplicant Commands page 10-47 802.1X Open VLAN Mode Commands page 10[...]
10-52 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator [ port-list ] [config | statistics | session-counters | vlan | clients | clients detailed • Untagged VLAN: VLAN ID number of the untagged VLAN used in client sessions. If the swi[...]
10-53 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Figure 10-10. Example of show port-access authenticator Command The information displayed with the show port-access authenticator command for individual (config | statistics | session-counters | vlan | clients) opt[...]
10-54 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 10-3. Field Descriptions of show port-access authenticator config Command Output (Figure 10-11) Field Description Port-access authenticator activated Whether 802.1X authentication is enabled or disabled on speci[...]
10-55 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Figure 10-12. Example of show port-access authenticator statistics Command Syntax: show port-access authenticator statistics [ port-list ] Displays statistical information for all switch ports or specified ports that[...]
10-56 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Figure 10-13. Example of show port-access authenticator session-counters Command Syntax: show port-access authenticator session-counters [ port-list ] Displays information for active 802.1X authentication sessions [...]
10-57 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Figure 10-14. Example of show port-access authenticator vlan Command Syntax: show port-access authenticator vlan [ port-list ] Displays the following information on the VLANs configured for use in 802.1X port-access au[...]
10-58 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Figure 10-15. Example of show port-access authenticator clients Command Output Syntax: show port-access authenticator clients [ port-list ] Displays the session status, name, and address for each 802.1X port-access-aut[...]
10-59 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Figure 10-16. Example of show port-access authenticator clients detailed Command Output Syntax: show port-access authenticator clients < port-list > detailed Displays detailed information on the status of 802.[...]
10-60 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show port-access authenticator vlan and show port-access authenticator < port-list > commands as illustrat[...]
10-61 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Thus, in the output shown in figure 10-17: ■ When the Auth VLAN ID is configured and matches the Current VLAN ID, an authenticated client is connected to the port. (This assumes the port is not a statically configure[...]
10-62 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 10-3. Output for Determining Open VLAN Mode Status (Figure 10-17, Lower) Status Indicator Meaning Status Closed: Either no client is connected or the connected client has not received authorization through 802.1X[...]
10-63 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Figure 10-18. Example of Showing a VLAN with Ports Configured for Open VLAN Mode Note that ports B1 and B3 are not in the upper listing, but are included under “Overridden Port VLAN configuration”. This shows tha[...]
10-64 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Note on Supplicant Statistics. For each port configured as a supplicant, show port-access supplicant statistics < port-list >] displays the source MAC address and statistics[...]
10-65 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects V[...]
10-66 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Note You can use 802.1X (port-based or client-based) authentication and either Web or MAC authentication at the same time on a port, with a maximum of 32 clients allowed on the port. (The default is one client.) Web a[...]
10-67 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation • If the port is assigned as a member of an untagged dynamic VLAN that was learned through GVRP, the dynamic VLAN configuration must exist on the switch at the time of authentication and GVRP-learned dynamic VLAN[...]
10-68 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation If this temporary VLAN assignment causes the switch to disable a different untagged static or dynamic VLAN configured on the port (as described in the preceding bullet and in “Example of Untagged VLAN Assignment in a RA[...]
10-69 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Figure 1[...]
10-70 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Figure 10-20. The Active Configuration for VLAN 22 Temporarily Changes for the 802.1X Session However, as shown in Figure 10-19, because VLAN 33 is configured as untagged on port A2 and because a port can be untagged on [...]
10-71 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the port becomes available again.[...]
10-72 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Note Any port VLAN-ID changes you make on 802.1X-aware ports during an 802.1X-authenticated session do not take effect until the session ends. With GVRP enabled, a temporary, untagged static VLAN assignment created o[...]
10-73 Configuring Port-Based and User-Based Access Control (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation Table 10-4. 802.1X Operating Messages Message Meaning Port < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.1X authenticators. Use this command to enabl[...]
11-1 11 Configuring and Monitoring Port Security Contents: Overview 11-3; Port Security 11-4; Basic Operation [...]
11-2 Configuring and Monitoring Port Security Contents: Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags 11-37; Operating Notes for Port Security 11-38[...]
11-3 Configuring and Monitoring Port Security Overview Overview Port Security (Page 11-4). This feature enables you to configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port. This enables individual ports to detect, prevent, and log attempts by unauthorized devi[...]
11-4 Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction. Intruder Protection. A port that detects an “intruder” blocks the [...]
11-5 Configuring and Monitoring Port Security Port Security • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it rec[...]
11-6 Configuring and Monitoring Port Security Port Security configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users. For example: Figure 11-1. Example of How Port Security Controls Access Note Broadcast and Multicast traffic is always al[...]
11-7 Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? c. For each port, what security actions do you want? (The switch automat[...]
11-8 Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section This section describes the CLI port security command and how the switch acquires and maintains authorized addresses. Note Use the global configuration level to execute port-security configuration[...]
11-9 Configuring and Monitoring Port Security Port Security Displaying Port Security Settings. Figure 11-2. Example Port Security Listing (Ports A7 and A8 Show the Default Setting) With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the specified po[...]
11-10 Configuring and Monitoring Port Security Port Security Figure 11-3. Example of the Port Security Configuration Display for a Single Port The next example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string: ProCurve([...]
11-11 Configuring and Monitoring Port Security Port Security Figure 11-4. Examples of Show Mac-Address Outputs[...]
11-12 Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security and edit security settings. ■ Add or delete devices from the list of authorized addresses for one or more ports. ■ Clear the Intrusion flag on specific ports Syntax: port-security [e] <port-list><[...]
11-13 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited-continuous > (Continued) static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter[...]
11-14 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited-continuous > (Continued) Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device[...]
11-15 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age ou[...]
11-16 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) mac-address [< mac-addr >] [< mac-addr >] . . . [< mac-addr >] Available for learn-mode with the static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the val[...]
11-17 Configuring and Monitoring Port Security Port Security Retention of Static Addresses Static MAC addresses do not age-out. MAC addresses learned by using learn-mode continuous or learn-mode limited-continuous age out according to the currently configured MAC age time. (For information on the mac-age-time command, refer to the chapter tit[...]
11-18 Configuring and Monitoring Port Security Port Security ■ Delete it by using no port-security < port-number > mac-address < mac-addr >. ■ Download a configuration file that does not include the unwanted MAC address assignment. ■ Reset the switch to its factory-default configuration. Specifying Authorized Devices and [...]
11-19 Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existing Authorized Addresses list, enter the port number with the mac-address parameter and the device’s MAC address. This assumes that Learn Mode is set to static and the Authorized Address[...]
11-20 Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in[...]
11-21 Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to “Static”. Refer to the comma[...]
11-22 Configuring and Monitoring Port Security MAC Lockdown The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090-123456 The above command sequence results in the following configuration [...]
11-23 Configuring and Monitoring Port Security MAC Lockdown You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID of “1”. How It Works. When a device’s MAC address is locked down to a port (typically in a pair with a VLAN) all information[...]
11-24 Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair cannot be locked down on a different port. You cannot perform MAC Lockdown and 802.1X authentication on the same port or on the same MAC address. MAC Lockdown and 802.1X authentication are mut[...]
11-25 Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch. In reality few network administra[...]
11-26 Configuring and Monitoring Port Security MAC Lockout Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths f[...]
11-27 Configuring and Monitoring Port Security MAC Lockout To use MAC Lockout you must first know the MAC Address you wish to block. How It Works. Let’s say a customer knows there are unauthorized wireless clients who should not have access to the network. The network administrator “locks out” the MAC addresses for the wireless clie[...]
11-28 Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication. You cannot use MAC Lockout to lock: • Broadcast or Multicast Addresses (Switches do not learn these) • Switch Agents (The switch’s own MAC Address) There are limits for the number of VLANs and Lock[...]
11-29 Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lock[...]
11-30 Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security]. 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field. 4. Im[...]
-
Seite 434
11-31 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags ■ The switch enables notification of the intrusi on through the foll owing means: •I n t h e C L I : –T h e show port-secu rity intr usion-log command displays the Intrusion Log –T h e log command displays t he Event Log • In the menu interfa[...]
-
Seite 435
11-32 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most rece nt intrusion at the top of the listing. Y ou cannot delete Intrusio n Log entries (unl ess you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, th[...]
-
Seite 436
11-33 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interf ace indicates per -port intrusions in the Port Statu s screen, and provides details and t he reset function in the Intru sion Log screen. 1. From the Mai[...]
-
Seite 437
11-34 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 11-12 on page 11-33) does not indicate an int rusion for port A1, the alert flag for th e intru- sion on port A1 has already been reset. • Since the switch can show only one uncleared intrusion per port, the[...]
-
Seite 438
11-35 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags. In the following example, executing show interfaces brief lists the switch's port status, which indicates an intrusion alert on port A1. Figure 11-14. Example of an Unacknowledged Intrusion Alert in a Port Status Display. If you wanted to se[...]

11-36 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags. To clear the intrusion from port A1 and enable the switch to enter any subsequent intrusion for port A1 in the Intrusion Log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, you will see [...]

11-37 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags. Figure 11-17. Example of Log Listing With and Without Detected Security Violations. From the Menu Interface: In the Main Menu, click on 4. Event Log and use Next page and Prev page to review the Event Log contents. For More Event Log Information. See[...]

11-38 Configuring and Monitoring Port Security Operating Notes for Port Security. Operating Notes for Port Security. Identifying the IP Address of an Intruder. The Intrusion Log lists detected intruders by MAC address. If you are using ProCurve Manager to manage your network, you can use the device properties page to link MAC addresses to their co[...]

11-39 Configuring and Monitoring Port Security Operating Notes for Port Security. ProCurve(config)# port-security e a17 learn-mode static address-limit 2 / LACP has been disabled on secured port(s). / ProCurve(config)# The switch will not allow you to configure LACP on a port on which port security is enabled. For example: ProCurve(config)# int e a17 l[...]
12-1 12 Using Authorized IP Managers. Contents: Overview . . . 12-2; Options . . . 12-3; Access Levels . . . [...]

12-2 Using Authorized IP Managers Overview. Overview. Authorized IP Manager Features. The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network. This covers access through the following means: – Telnet and other terminal emulation application[...]

12-3 Using Authorized IP Managers Options. Options. You can configure: ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations ■ Manager or Operator access privileges (for Telnet, SNMPv1, and SNMPv2c access only). Caution: Configuring Authorized IP Managers does not[...]

12-4 Using Authorized IP Managers Defining Authorized Management Stations. Defining Authorized Management Stations. ■ Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authorized Manag[...]

12-5 Using Authorized IP Managers Defining Authorized Management Stations. rized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under "Building IP Masks" on page 12-10. Note: The IP Mask is a method for recognizing whether a given IP address is authorized for ma[...]
12-6 Using Authorized IP Managers Defining Authorized Management Stations. Figure 12-2. Example of How To Add an Authorized Manager Entry (Continued). Editing or Deleting an Authorized Manager Entry. Go to the IP Managers List screen (figure 12-1), highlight the desired entry, and press [E] (for Edit) or [D] (for Delete). CLI: Viewing [...]

12-7 Using Authorized IP Managers Defining Authorized Management Stations. Figure 12-3. Example of the Show IP Authorized-Manager Display. The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: Configuring IP Authorized Managers for the Switch. To Authorize Manager Access. This command author[...]

12-8 Using Authorized IP Managers Defining Authorized Management Stations. If you omit the <mask bits> when adding a new authorized manager, the switch automatically uses 255.255.255.255. If you do not specify either Manager or Operator access, the switch assigns the Manager access. For example: Figure 12-4. Example of Specifying an IP [...]

12-9 Using Authorized IP Managers Web: Configuring IP Authorized Managers. Web: Configuring IP Authorized Managers. In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: 1. Click on the Security tab. 2. Click on [Authorized Addresses]. 3. Enter the a[...]

12-10 Using Authorized IP Managers Building IP Masks. Using a Web Proxy Server to Access the Web Browser Interface. Caution: This is NOT recommended. Using a web proxy server between the stations and the switch poses a security risk. If the station uses a web proxy server to connect to the switch, any proxy user can access the switch. If it is nec[...]
12-11 Using Authorized IP Managers Building IP Masks. Figure 12-5. Analysis of IP Mask for Single-Station Entries. Configuring Multiple Stations Per Authorized Manager IP Entry. The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch appl[...]

12-12 Using Authorized IP Managers Building IP Masks. Figure 12-6. Analysis of IP Mask for Multiple-Station Entries. Figure 12-7. Example of How the Bitmap in the IP Mask Defines Authorized Manager Addresses. Columns: 1st Octet | 2nd Octet | 3rd Octet | 4th Octet | Manager-Level or Operator-Level Device Access. Row: IP Mask | 255 | 255 | 255 | 0 | The "255" in the first thre[...]
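Added worked example (not code from the manual or from HP's switch software) of the mask rule the pages above describe: a mask bit of 1 means that bit of a station's address must match the entry, a 0 bit is ignored, an omitted mask defaults to 255.255.255.255, an omitted access level defaults to Manager, and the list holds at most 10 entries. The addresses 10.28.227.125, 10.28.227.8 and 10.28.228.0 and the mask 255.255.255.249 are constructed; that entries are checked in list order is an assumption, so the sample entries are kept non-overlapping.

```python
import ipaddress

# Constructed model of an Authorized IP Manager entry (address, mask, access
# level). Not the switch's own code; the mask rule is as the manual states.
MAX_ENTRIES = 10  # the switch accepts up to 10 authorized manager addresses


def ip_to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def add_entry(entries, ip, mask=None, access=None):
    """Append an entry, applying the manual's defaults: an omitted mask
    becomes 255.255.255.255 and an omitted access level becomes Manager."""
    if len(entries) >= MAX_ENTRIES:
        raise ValueError("authorized manager list is full (10 entries)")
    entries.append((ip, mask or "255.255.255.255", access or "Manager"))


def matches(station_ip, entry_ip, mask):
    """True when the station address agrees with the entry address on every
    bit set to 1 in the mask (255.255.255.255 therefore means one station)."""
    m = ip_to_int(mask)
    return (ip_to_int(station_ip) & m) == (ip_to_int(entry_ip) & m)


def access_level(entries, station_ip):
    """Access level granted to station_ip, or None when no entry matches.
    Assumes entries do not overlap, so the order of entries does not matter."""
    for entry_ip, mask, access in entries:
        if matches(station_ip, entry_ip, mask):
            return access
    return None


def authorized_addresses(entry_ip, mask):
    """Enumerate every station address one entry authorizes, so a partial
    mask can be reviewed before it is configured."""
    m = ip_to_int(mask)
    free_bits = [b for b in range(32) if not (m >> b) & 1]  # "don't care" bits
    if len(free_bits) > 16:
        raise ValueError("mask leaves too many bits free to enumerate")
    base = ip_to_int(entry_ip) & m
    addrs = []
    for combo in range(1 << len(free_bits)):
        value = base
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                value |= 1 << bit
        addrs.append(str(ipaddress.IPv4Address(value)))
    return addrs


# Constructed sample list (addresses are made up for this example).
EXAMPLE_ENTRIES = []
add_entry(EXAMPLE_ENTRIES, "10.28.227.125")                               # 1 station, Manager
add_entry(EXAMPLE_ENTRIES, "10.28.227.8", "255.255.255.249", "Operator")  # 4 stations
add_entry(EXAMPLE_ENTRIES, "10.28.228.0", "255.255.255.0", "Operator")    # 256 stations
```

Calling authorized_addresses("10.28.227.8", "255.255.255.249") lists the four stations .8, .10, .12 and .14, which is the kind of check worth running before trusting a mask with zero bits in the middle of an octet.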
12-13 Using Authorized IP Managers Operating Notes. Additional Examples for Authorizing Multiple Stations. Operating Notes. ■ Network Security Precautions: You can enhance your network's security by keeping physical access to the switch restricted to authorized personnel, using the password features built into the switch, using the additi[...]

12-14 Using Authorized IP Managers Operating Notes. • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or "Exceptions" list in the web browser interface you are using [...]
Index – 1 Index. Numerics: 3DES … 7-3. 802.1X access control: authenticate users … 10-5; authentication methods … 10-4; authentication, local … 10-6; authentication, user-based … 10-4; authenticator … 10-19; operation … 10-9; show commands … 10-51; unblock port … 10-6; authorized-client VLAN, defined … 10-6; auth-vid … 10-23; auto … 10[...]

2 – Index. password for port-access … 2-11, 2-21; port, supplicant … 10-16; port-based access … 10-4; client without authentication … 10-5; effect of Web/MAC auth operation … 10-13; enable … 10-19, 10-46; latest client, effect … 10-5; multiple client access … 10-6; multiple clients authenticating … 10-5; no client limit … 10-4; open port[...]

Index – 3. ports … 10-39; untagged … 10-30, 10-33, 10-34; untagged membership … 10-20; VLAN operation … 10-65; VLAN use, multiple clients … 10-7; VLAN, assignment conflict … 5-34, 10-12; VLAN, membership priority … 10-10, 10-30; VLAN, priority, RADIUS … 10-34; VLAN, tagged membership … 10-34; Wake-on-LAN traffic … 10-27; Web/MAC auth ef[...]

4 – Index. root … 7-4; self-signed … 7-3; CHAP … 5-11; chap-radius … 5-11; cipher, SSH … 6-17; Clear button to delete password protection … 2-7; configuration: filters … 9-2; port security … 11-7; RADIUS See RADIUS; saving security credentials in multiple files … 2-20; SSH See SSH; storage of security credentials; console authorized I[...]

Index – 5. bpdu protection, none … 1-8; SSH, disabled … 1-4, 6-2; SSL, disabled … 1-5, 7-2; TACACS+ authentication configuration … 4-9; authentication, disabled … 1-5, 4-2; login attempts, 3 … 4-6; tacacs-server-timeout, 5 seconds … 4-23; TCP port number for SSH connections, 22 … 6-18; TCP port number for SSL connections, 443 … 7-[...]

6 – Index. E: Eavesdrop Protection … 11-4; encryption key: RADIUS … 2-11, 2-15; TACACS … 2-11, 2-15; event log: alerts for monitored events … 8-34; intrusion alerts … 11-36. F: file transfer, SSH … 6-17; filter, source-port: editing … 9-18; filter indexing … 9-19; filter type … 9-8; idx … 9-8, 9-19; index … 9-8, 9-19; named … 9-6; operati[...]
Index – 7. authenticator operation … 3-6; blocked traffic … 3-3; CHAP: defined … 3-11; usage … 3-3; client status … 3-60; concurrent with Web … 3-4; configuration commands … 3-51; configuring: on the switch … 3-50; switch for RADIUS access … 3-17; the RADIUS server … 3-16; general setup … 3-14; hierarchy of precedence in authentication se[...]

8 – Index. tracking client authentication failures … 8-33; Web authentication … 10-4; Web/MAC … 10-20; See also 802.1X access control. port scan, detecting … 8-33. port security: 802.1X, learn mode requirement … 11-14; authorized address definition … 11-5; basic operation … 11-4; caution, device limit … 11-14; configuring … 11-7; config[...]

Index – 9. server access order, changing … 5-50; servers, multiple … 5-19; service type value … 5-8; service-type value … 5-14; service-type value, null … 5-14; shared secret key, saving to configuration file … 2-11, 2-15; show accounting … 5-49; show authentication … 5-48; SNMP access security not supported … 5-4; SNMP access to auth co[...]

10 – Index. Option 82 … 8-6, 8-9; statistics … 8-6; untrusted-policy … 8-10; verify … 8-6. source port filters: configuring … 9-4; named … 9-6; operating rules … 9-4; See also named source port filters; selection criteria … 9-3. spanning tree: edge port configuration … 3-22, 10-26; security features … 1-8. spoofing, protection against … 8[...]

Index – 11. prerequisites … 7-5; remove self-signed certificate … 7-9; remove server host certificate … 7-9; reserved TCP port numbers … 7-20; root … 7-4; root certificate … 7-4; self-signed … 7-3, 7-12; self-signed certificate … 7-3, 7-9, 7-12; server host certificate … 7-9; SSL server … 7-3; SSLv3 … 7-2; steps for configuring … 7-5 [...]

12 – Index. U: untrusted policy, snooping … 8-10; user name: cleared … 2-7; SNMP configuration … 2-3. V: vendor-specific attribute: configuring support for HP VSAs … 5-29; defining … 5-30; virus detection, monitoring ARP requests … 8-33; VLAN: 802.1X … 10-65; 802.1X, ID changes … 10-68, 10-72; 802.1X, suspend untagged VLAN … 10-61; not adver[...]
ProCurve 5400zl i and *5992-5525* Technology for better business outcomes. To learn more, visit www.hp.com/go/bladesystem/documentation/ © Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are [...]