HP (Hewlett-Packard) W.14.03 manual
- Consulta online o descarga el manual de instrucciones
- 594 páginas
- 7.94 mb
Ir a la página of
manuales de instrucciones parecidos
-
Switch
HP (Hewlett-Packard) 445946-001
198 páginas 8.34 mb -
Switch
HP (Hewlett-Packard) ESA10000
40 páginas 0.19 mb -
Switch
HP (Hewlett-Packard) 5400zl
195 páginas 0.84 mb -
Switch
HP (Hewlett-Packard) LP 2000r
34 páginas 0.44 mb -
Switch
HP (Hewlett-Packard) 2600-PWR
418 páginas 5.19 mb -
Switch
HP (Hewlett-Packard) 5200zl
65 páginas 3.45 mb -
Switch
HP (Hewlett-Packard) JG325A
5 páginas 0.09 mb -
Switch
HP (Hewlett-Packard) 2510
40 páginas 1.29 mb
Buen manual de instrucciones
Las leyes obligan al vendedor a entregarle al comprador, junto con el producto, el manual de instrucciones HP (Hewlett-Packard) W.14.03. La falta del manual o facilitar información incorrecta al consumidor constituyen una base de reclamación por no estar de acuerdo el producto con el contrato. Según la ley, está permitido adjuntar un manual de otra forma que no sea en papel, lo cual últimamente es bastante común y los fabricantes nos facilitan un manual gráfico, su versión electrónica HP (Hewlett-Packard) W.14.03 o vídeos de instrucciones para usuarios. La condición es que tenga una forma legible y entendible.
¿Qué es un manual de instrucciones?
El nombre proviene de la palabra latina “instructio”, es decir, ordenar. Por lo tanto, en un manual HP (Hewlett-Packard) W.14.03 se puede encontrar la descripción de las etapas de actuación. El propósito de un manual es enseñar, facilitar el encendido o el uso de un dispositivo o la realización de acciones concretas. Un manual de instrucciones también es una fuente de información acerca de un objeto o un servicio, es una pista.
Desafortunadamente pocos usuarios destinan su tiempo a leer manuales HP (Hewlett-Packard) W.14.03, sin embargo, un buen manual nos permite, no solo conocer una cantidad de funcionalidades adicionales del dispositivo comprado, sino también evitar la mayoría de fallos.
Entonces, ¿qué debe contener el manual de instrucciones perfecto?
Sobre todo, un manual de instrucciones HP (Hewlett-Packard) W.14.03 debe contener:
- información acerca de las especificaciones técnicas del dispositivo HP (Hewlett-Packard) W.14.03
- nombre de fabricante y año de fabricación del dispositivo HP (Hewlett-Packard) W.14.03
- condiciones de uso, configuración y mantenimiento del dispositivo HP (Hewlett-Packard) W.14.03
- marcas de seguridad y certificados que confirmen su concordancia con determinadas normativas
¿Por qué no leemos los manuales de instrucciones?
Normalmente es por la falta de tiempo y seguridad acerca de las funcionalidades determinadas de los dispositivos comprados. Desafortunadamente la conexión y el encendido de HP (Hewlett-Packard) W.14.03 no es suficiente. El manual de instrucciones siempre contiene una serie de indicaciones acerca de determinadas funcionalidades, normas de seguridad, consejos de mantenimiento (incluso qué productos usar), fallos eventuales de HP (Hewlett-Packard) W.14.03 y maneras de solucionar los problemas que puedan ocurrir durante su uso. Al final, en un manual se pueden encontrar los detalles de servicio técnico HP (Hewlett-Packard) en caso de que las soluciones propuestas no hayan funcionado. Actualmente gozan de éxito manuales de instrucciones en forma de animaciones interesantes o vídeo manuales que llegan al usuario mucho mejor que en forma de un folleto. Este tipo de manual ayuda a que el usuario vea el vídeo entero sin saltarse las especificaciones y las descripciones técnicas complicadas de HP (Hewlett-Packard) W.14.03, como se suele hacer teniendo una versión en papel.
¿Por qué vale la pena leer los manuales de instrucciones?
Sobre todo es en ellos donde encontraremos las respuestas acerca de la construcción, las posibilidades del dispositivo HP (Hewlett-Packard) W.14.03, el uso de determinados accesorios y una serie de informaciones que permiten aprovechar completamente sus funciones y comodidades.
Tras una compra exitosa de un equipo o un dispositivo, vale la pena dedicar un momento para familiarizarse con cada parte del manual HP (Hewlett-Packard) W.14.03. Actualmente se preparan y traducen con dedicación, para que no solo sean comprensibles para los usuarios, sino que también cumplan su función básica de información y ayuda.
Índice de manuales de instrucciones
-
Página 1
Access Security Guide Pr oCurv e Switches W . 1 4.03 29 10al www .procurv e.com[...]
-
Página 2
[...]
-
Página 3
HP ProCurve 2910al Switch February 2009 W.14.03 Access Security Guide[...]
-
Página 4
© Copyright 2009 Hewlett-Pa ckard Development Company, L.P . The information contain ed herein is subject to ch ange with- out notice. All Ri ghts Reserved. This document contains proprie tary information, which is protected by copyright. No pa rt of this document may be photocopied, reproduced, or translated into another lan- gauge without the pr[...]
-
Página 5
Contents Product Documentation About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Printed Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Electronic Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Software Feature[...]
-
Página 6
2 Configuring Username and Password Security Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Configuring Local Password Security . . . . . . . . . . . . . . .[...]
-
Página 7
Disabling or Re-Enabling the Password Recovery Process . . . . 2-32 Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34 3 Web and MAC Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 Overview . . . . . . . . . . . . . [...]
-
Página 8
4 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 Viewing the Switch’s Current TAC ACS+ Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Applicati ons: . .[...]
-
Página 9
RADIUS-Administered CoS and Ra te-Limiting . . . . . . . . . . . . . . . . . . . 5-4 SNMP Access to the Switch’s Au thentication Conf iguration MIB . . . 5-4 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . [...]
-
Página 10
General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-43 RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45 RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-46 Changing RADIUS-Server Access Order . . . . . . . . . .[...]
-
Página 11
Configuring th e Switch To Support RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24 Displaying the Current RAD IUS-Assigned ACL Activity Causes of Client D eauth entication Immediately on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Página 12
8 Configuring Secure Socket Layer (SSL) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 Overview Steps for Configuring and Using SSL for Switch and Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Terminology [...]
-
Página 13
ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14 What Is the Difference Between Network (or Subnet) Rules for Defining a Match Between a Packet and an A Configured ACL Has No Ef fect Until You Apply It You Can Assign an ACL Name or Number to an Interface Static Port ACL and Dy namic Port AC[...]
-
Página 14
Configuring Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-44 Configuring Named, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-46 Creating Numbered, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-49 Configurin g Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Página 15
10 Configuring Advanc ed Threat Protection Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Página 16
11 12 Traffic/Security Filters and Monitors Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Página 17
802.1X Port-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 12-5 Alternative To Using a RADIUS Server . . . . . . . . . . . . . . . . . . . . . 12-6 Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Página 18
13 802.1X Open VLAN O perating Note s . . . . . . . . . . . . . . . . . . . . . . . . . 12-46 Option For Authenti cator Ports: Configure Port-Security To Allow Only 802.1X- Authenticated Devices . . . . . . . . . . . . . . . . . 12-47 Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-48 Confi[...]
-
Página 19
MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-22 Differences Betwee n MAC Lockdown an d Port Security . . . . . . . . 13-24 MAC Lockdown Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 13-25 Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Página 20
Using a Web Proxy Server to Access the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9 Web-Based Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9 Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Página 21
Product Documentation About Y our Switch Manual Set Note For the latest version of all ProCur ve switch documentation, including Release Notes covering re cently added features, please v isit the ProCurve Networking W eb site at www .procurve.com, c lick on Cu stomer Care , and then click on Manuals . Printed Publications The publication s listed b[...]
-
Página 22
Software Feature Index For the software manual se t supporting your 2910al sw itch model, this feature index indicate s which manual to consult for in formation on a given software feature. Note This Index does not cover IPv6 capable software features. Fo r informatio n on IPv6 protocol operations and features (such as DHCPv6 , DNS for IPv6, Ping6,[...]
-
Página 23
Intelligent Edge Software Features Manual Management and Configuration Advanced T raffic Management Multicast and Routing Access Security Guide DHCP/Bootp Operation Diagnostic T ools Downloading Software X X X Dynamic ARP Protection Dynamic Configuration Arbiter Eavesdrop Protection Event Log X X X X Factory Default Settings Flow Control (802.3x) F[...]
-
Página 24
Intelligent Edge Software Features Manual Management and Configuration Advanced T raffic Management Multicast and Routing Access Security Guide MAC Lockdown X MAC Lockout MAC-based Authentication Management VLAN Monitoring and Analysis Multicast F iltering Multiple Configuration Files Network Management Applications (SNMP) OpenView Device Managemen[...]
-
Página 25
Intelligent Edge Software Features Manual Management and Configuration Advanced T raffic Management Multicast and Routing Access Security Guide RMON 1,2,3,9 Routing Routing - IP Static X X X Secure Copy sFlow SFTP SNMPv3 X X X X Software Downloads (SCP/SFTP , TFPT , Xmodem) Source-Port Filters Spanning T ree (STP , RSTP , MSTP) SSHv2 (Secure Shell)[...]
-
Página 26
Intelligent Edge Software Features Manual Management and Configuration Advanced T raffic Management Multicast and Routing Access Security Guide Vo i c e V L A N W eb Authentication RADIUS Support W eb-based Authentication W eb UI Xmodem X X X X X xxiv[...]
-
Página 27
1 Security Overview Contents Security Overview Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 For More Information . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Página 28
Security Overview Introduction Introduction This chapter provides a n overview of th e security features included on your switch. T abl e 1-1 on page 1-3 outlines the acce ss security and authentication features, while T able 1-2 on page 1-7 highlights the additi onal features designed to help secure and prot ect your network. For detail ed informa[...]
-
Página 29
Security Overview Access Security Features Access Security Features This section provides an overvi ew of the switch’ s access security features, authentication protocol s, and methods. T able 1-1 lists the se features and provides summary con figuration guidel ines. For more in-depth information, see the references provided (all chap ter and pag[...]
-
Página 30
Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details T elnet and enabled The default remote management protocols enabled on W eb-browser the switch are plain text protocols, which transfer access passwords in open or plain text that is easily captured . T o reduce the chan[...]
-
Página 31
Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details SSL disabled Secure Socket Layer (S SL) and T ransport Layer Security “Quick Start: Using the (TLS) provide remote W eb browser access to the switch Management Interface via authenticated transactions and encrypted pat[...]
-
Página 32
Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details RADIUS disabled For each authorized client, RADIUS can be used to Chapter 6, “RADIUS Authentication authenticate operator or manager access privileg es on Authentication and the switch via the serial port (CLI and Menu[...]
-
Página 33
Security Overview Network Security Features Network Security Features This section outlines features and de fence mechanisms for protecting access through the switch to the network. Fo r more detailed information, see the indicated chapters. T able 1-2. Network Security—Default Settings and Security Gu idelines Feature Default Setting Security Gu[...]
-
Página 34
Security Overview Network Security Features Feature Default Setting Security Guidelines More Information and Configuration Details Access Control none ACLs can filter traffic to or from a host, a group of hosts, Chapter 10, “IPv4 Access Lists (ACL s) or entire subnets. Layer 3 IP f iltering with Access Control Control Lists (ACLs)” Lists (ACLs)[...]
-
Página 35
Security Overview Network Security Features Feature Default Setting Security Guidelines More Information and Configuration Details Key none KMS is available in several ProCurve switch models and Chapter 16, “Key Management is designed to configure and maintain key chains for use Management System” System (KMS) with KMS-capable routing protocols[...]
-
Página 36
Security Overview Getting Started with Access Security Getting Started with Access Security ProCurve switches are designed as “plu g and play” devices, allowing q uick and easy installation in your network . In its default configuration the switch is open to unauthorized access o f various types. Wh en preparing th e switch for network oper ati[...]
-
Página 37
Security Overview Getting Started with Access Security Keeping th e switch in a lo cked wiring closet or other secure space helps to prevent unauthorized physical access. As additional p recautions, you can do the following: ■ Disable or re-enable the password-clear ing func tion of the Clear button . ■ Configure the Clear bu tton to reboot the[...]
-
Página 38
Security Overview Getting Started with Access Security CLI: Management Interface W i zard T o configure se curity settings u sing the CLI wizar d, follow the steps belo w: 1. At the command prompt, type setup mgmt -interfaces . The welcome banner appears and the first setup option is displayed ( Operator password ). As you advance throug h the w iz[...]
-
Página 39
Security Overview Getting Started with Access Security 2. When you enter the wizard, you have the following opt ions: • T o update a setting , type in a new value , or press [ Enter ] to keep the current value. • T o qu it the wizard without saving any changes, press [ CT RL-C ] at any time. • T o access online Help for any option, press [ ? [...]
-
Página 40
Security Overview Getting Started with Access Security The W elcome window appears. Figure 1-2. Management I nterface Wizard: Welcome Window This page allow s you to choose between two setup t ypes: • T y pical —provides a multiple page , step -by-step method to configure security settings, with on-screen instructions for each option. • Advan[...]
-
Página 41
Security Overview Getting Started with Access Security 4. The summary setup scre en displays th e current configuration settings for all setup options (see Figure 1-3). Figure 1-3. Management I nterface Wizard: Summary Setup From this screen, you have the fo llowing options: • T o change any setting that is show n, type in a new value or make a d[...]
-
Página 42
Security Overview Getting Started with Access Security SNMP Security Guidelines In the default configuration, t he swit ch is open to access by management stations run ning SNMP (Simple Network Management Protocol) management application s capabl e of vi ewing and changing the settings and sta tus data in the switch’ s MIB (Manag em ent Informa t[...]
-
Página 43
Security Overview Getting Started with Access Security If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network , then yo u should implemen t the following security precautions: ■ If SNMP access to the authenticat ion configura tion (hpSwitchA uth) MIB described above is not desirable for your network, use t he followi[...]
-
Página 44
Security Overview Precedence of Security Options Precedence of Security Options This section explains how port- based security options, and cli ent-based attribu tes used for au thentication , get prioritized on the switch. Precedence of Port-Bas ed Security Options Where the switch is ru nning multiple security option s, it implements network traf[...]
-
Página 45
Security Overview Precedence of Security Options DCA allows client-specific parameters c onfigured in any of the foll owing ways to be applied and removed a s needed in a specified hierarchy of precedence. When multiple values for an individua l configuration paramete r exist, the value applied to a client session is determin ed in the following o [...]
-
Página 46
Security Overview Precedence of Security Options NIM also allow s you to configure and ap ply client-specific profile s on ports that are not configured to authenticate clients (unauthorized clients), provided that a client’s MAC add ress is known in the switch’s forwarding da tabase. The profile of attributes applied for each clie nt (MAC ad d[...]
-
Página 47
Security Overview Precedence of Security Options Client-specific conf igurations are applied on a per-parameter basis on a port. In a client-speci fic profile, if D CA de tects that a parameter has configured values from two o r more levels in th e hierarchy of precedence desc ribed above, DCA decides whi ch parameters to ad d or remove, or whether[...]
-
Página 48
Security Overview ProCurve Identity-Driven Manager (IDM) ProCurve Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+) and u ses RADIUS-based technologies to create a user - cen tric approach to network access management and network activity tr acking and monitoring. IDM enables control of access security policy from a cen[...]
-
Página 49
2 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Página 50
Configuring Username and Password Security Contents Disabling the Clear Passwo rd Function of the Clear Button on the Switch’s Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29 Re-Enablin g the Clear Button on the Swit ch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation . . . . . 2-30 Changing [...]
-
Página 51
Configuring Username and Password Security Overview Overview Feature Default Menu CLI Web Set Usernames non e — — page 2-9 Set a Password none page 2-6 page 2-8 page 2-9 Delete Password Protection n/a page 2-7 page 2-8 page 2-9 show front-panel-security n/a — pag e 1-13 — front-panel-security — pag e 1-13 — password-clear enabled — pa[...]
-
Página 52
Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interfa ce areas. This is the default level. That is, if a Manager password has not been set prior to starting the current c onsole sess ion, then anyone having access to the console can access any area of the console interface. Operator: Acce[...]
-
Página 53
Configuring Username and Password Security Overview Notes The manager and operator passwords and (o ptional) usernames cont rol access to the menu interface, C LI, and web browser interface. If you configure only a Manager passw ord (with no Operator password), and in a later session the Mana ger password is not entere d correctly in response to a [...]
-
Página 54
Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames ar e optional. Configuring a user - name requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Console Passwords Figure 2-1. The Set P[...]
-
Página 55
Configuring Username and Password Security Configuring Local Password Security T o Delete Password Protection (Incl uding Recovery from a Lost Password): This procedure deletes al l usernames (if configured) and pass- words (Manager an d Operator). If you have physical access to the swit ch, press and hold the Clear button (on the front of th e swi[...]
-
Página 56
Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below . Configuring M anager and O perator Password s. Note The password co mmand has changed. Y ou can now configure ma nager and operator passwords in one st ep. See “Sav ing Security Cre[...]
-
Página 57
Configuring Username and Password Security Configuring Local Password Security If you want to remov e both operator and m anager password p rotection, use the no password all command. W eb: Setting Passwo rds and Usernames In the web browse r interf ace you can enter passwords and (optional) user - names. T o Configure (or Remove) Usernames and Pas[...]
-
Página 58
Configuring Username and Password Security Saving Security Credentials in a Config File Saving Security Credentials in a Config File Y ou can store and view the following secu rity settings in the ru nning-config file associated with the current software image by entering the incl ude- credentials command (formerly this informat ion was stored only[...]
-
Página 59
Configuring Username and Password Security Saving Security Credentials in a Config File ■ By storing different secu rity setting s in different files, you can test different security configurations wh en you first download a new software version that supports mu ltiple configuration files, by changing the configuration file used when you reboot t[...]
-
Página 60
Configuring Username and Password Security Saving Security Credentials in a Config File ■ SNMP security credentials, incl uding SN MPv1 commu nity names and SNMPv3 us ernames, authenti ca tion, and privacy settings ■ 802.1X port-access passwords and usernames ■ T ACACS+ encryption keys ■ RADIUS shared secret (encryption) keys ■ Public key[...]
-
Página 61
Configuring Username and Password Security Saving Security Credentials in a Config File Password Command Options The password comman d has the follo wing options: Syntax: [no] passwo rd <manager | operator | port-access| all [u ser -name < name >] < hash-t ype > < password >> Set or clear a local username/pa ssword for a giv[...]
-
Página 62
Configuring Username and Password Security Saving Security Credentials in a Config File SNMP Security Credentials SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-creden tials command. In addition, the follo wing SNMPv3 security p arameters [...]
-
Página 63
Configuring Username and Password Security Saving Security Credentials in a Config File 802.1X Port-Access Credentials 802.1X authenticator (port-acc ess) credentials can be stored in a configuration file. 802.1X authenticator credentials are used by a port to authenticate supplicants requesting a poi nt-t o-point connec tion to the switch. 802.1X [...]
-
Página 64
Configuring Username and Password Security Saving Security Credentials in a Config File T ACACS+ server application. (The encryption key is sometimes referred to as “shared secret” or “secret” key .) For more informat ion, see “T ACACS+ Authenticati on” on page 4 -1 in this guide . T ACACS+ shared secret (encryption) keys can be saved i[...]
-
Página 65
Configuring Username and Password Security Saving Security Credentials in a Config File The SSH secu rity credential t hat is stor ed in the running co nfiguration f ile is configured with the ip ssh pub lic-key command used to authenticate SSH clients for manager or opera tor access, along with the hashed content of each SSH client public -key . S[...]
-
Página 66
Configuring Username and Password Security Saving Security Credentials in a Config File T o display th e SSH public -key configurations (72 ch aracters per line) stored in a configurat ion file, enter t he show config or sho w running-config command. The following example shows the SSH public keys configured for manager access, along with the hashe[...]
-
Página 67
Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes Caution ■ When you first enter the include-credentials command to save the additional se curity crede ntials to the runnin g configuratio n, these settings are moved from internal storage on th e switch to the running-conf ig file. Y ou are pro[...]
-
Página 68
Configuring Username and Password Security Saving Security Credentials in a Config File • copy config < source -filename > config < target-filen ame >: Makes a local copy of an existing star tup-co nfig file by cop y ing the contents of the startup-co nfig file in one memory sl ot to a new startup-config file in another , empty memory[...]
-
Página 69
Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running conf iguration with the include-credential s command: ■ The private keys o f an SSH host cannot be stored in the runnin g configuratio n. Only the pu[...]
-
Página 70
Configuring Username and Password Security Saving Security Credentials in a Config File the username and password used as 802.1X authentication credentials for access to the switch. Y ou can store the password port-access values in the running conf iguration file by using the include -credentials command. Note that th e password port-access v alues[...]
-
Página 71
Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel sec urity features pro vide the ability to independently enable or disable some of the f unctions of the two button s located on the front of the switch for clearing the passwo rd (Clear button) or restoring the swi tch to its factory default conf i[...]
-
Página 72
Configuring Username and Password Security Front-Panel Security As a result of increased security co ncerns, customers now have the ability to stop someone from r emoving passwords by disabling the Cl ear and/or Reset buttons on the f ront of the switch . Front-Panel Button Functions The System Support Modul e (SSM) of th e switch includes the Syst[...]
-
Página 73
Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset butt on alone for one second cau ses the switch to reboot. Reset Clear Figure 2-8. Press and hold the Reset But ton for One Second T o Reboot the Switch Restoring the Factory Default Configuration Y ou can also use the Reset button together with the Clea[...]
-
Página 74
Configuring Username and Password Security Front-Panel Security Reset Clear Test 4. When the T est LED to the right of th e Clear button begins fl ashing, release the Clear button. . Reset Clear Test It can take approxima tely 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default sett ings. Co[...]
-
Página 75
Configuring Username and Password Security Front-Panel Security • Modify the operati on of the Reset+ Cl ear combination (page 2-25) so that the switch stil l reboots, but does not restore the switch’ s factory default configuratio n settings. (Use of the Reset button alone, to simply reboot the swit ch, is not affected.) • Disable or re-enab[...]
-
Página 76
Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to “Password Recovery Process” on page 2-34.) (Default: Enabled .) CAUTION: Disabling this option removes the ability to recover a password on the switch . Disabling this o[...]
-
Página 77
Configuring Username and Password Security Front-Panel Security Disabling the Clear Password Function of the Clear Button on the Switch’ s Front Panel Syntax: no front-pa nel-security password-clear In the factory-defaul t configuration, pressi ng the Clear button on the switch’ s front panel erases any local usernames and passwords configured [...]
-
Página 78
Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’ s Front Panel and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] fro nt-panel-security password-c lear reset-on-clear This command does both of the follow ing: • Re-enables the password-cleari ng function of the Clear[...]
-
Página 79
Configuring Username and Password Security Front-Panel Security Shows password-clear disabl ed. Enables password-cle ar , with reset-on- clear disabled by the “ no ” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-11. Example of Re-Enablin g the Clear Button’ s Default Operation [...]
-
Página 80
Configuring Username and Password Security Front-Panel Security The command to di sable the factory-reset oper ation produces this caution. T o complete the command, press [Y] . T o abort the comm and, press [N] . Displays the current front- panel-security con figuration, with Factory Re set disabled. Completes the command to disable the factory r [...]
-
Página 81
Configuring Username and Password Security Front-Panel Security Caution Disabling password-recovery requires that factory-reset be enable d, and locks out the abi lity to recover a lost man ager username (if configured) and pass- word on the switch. In thi s event, th ere is no way to recover from a lost manager username/password situation wi thout[...]
-
Página 82
Configuring Username and Password Security Front-Panel Security • If you want to abort the command, press [N] (for “No”) Figure 2-13 shows an example of disabling the password-recovery parameter . Figure 2-13. Example of the Steps for Di sabling Password-Recovery Password Recovery Process If you have lost the switch’ s manager username/pass[...]
-
Página 83
Configuring Username and Password Security Front-Panel Security Note The alternate password provided by the ProCurve Customer Care Center is valid only for a single login attempt. Y ou cannot use the same “one-time-use” password if you lose the password a s econd time. Because the passwo rd algorithm is rand omized based upon your swit ch'[...]
-
Página 84
Configuring Username and Password Security Front-Panel Security 2-36[...]
-
Página 85
3 W eb and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Web Authenticat ion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Página 86
Web and MAC Authentication Overview Overview Feature Default Menu CL I We b Configure W eb Aut hentication n/a — 3-18 — Configure MAC Aut hentication n/a — 3-32 — Display W eb Authentication Stat us and Configuration n/a — 3-26 — Display MAC Authentication Stat us and Configuration n/a — 3-36 — W eb and MAC authentication are design[...]
-
Página 87
Web and MAC Authentication Overview Note A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web authentication. ■ In the login page, a cli ent enters a username and passwor d, which the switch forwards to a RADIUS server for a uthentication. After authenticat- ing a clie[...]
-
Página 88
Web and MAC Authentication Overview ■ Each new W eb/MAC Auth clien t always ini tiate s a MAC authentication attempt. This same client can also in itiate W eb authenti cation at any time before the MAC authentication succeed s. If e ither au thentication suc- ceeds then the othe r authentication (if in progre ss) is ended. No further W eb/MAC aut[...]
-
Página 89
Web and MAC Authentication How Web and MAC Authentication Operate Y ou configure access to an optional, un authorized VLAN wh en you configure W eb and MAC authentication on a port. RADIUS-Based Authentication In W eb an d MAC authenti cation, y ou use a RADIUS server to temporarily assign a port to a static VLAN to s upport an au thenticat ed clie[...]
-
Página 90
Web and MAC Authentication How Web and MAC Authentication Operate W eb-based Authentication When a client connects to a W eb-Auth enabled port, communication is redi- rected to t he switch. A tempora ry IP address is assign ed by the switch a nd a login screen is presented for the cli ent to enter their username and pa ssword. The default User Logi[...]
-
Página 91
Web and MAC Authentication How Web and MAC Authentication Operate If the client is authentica ted and the maximum number of clients allowed on the port ( client-limit ) has not been reached , the port is assigned to a static, untagged VLAN for network access. After a successful log in, a client may be redirected to a URL if you specify a URL value [...]
-
Página 92
Web and MAC Authentication How Web and MAC Authentication Operate A client may not be authenticated du e to invali d credentials or a RADIUS server timeout. The max-retries para meter spe cifies how many times a c lient may enter their creden ti als before authentic ation fails. The server-timeout parameter sets how long the switch wa its to receiv[...]
-
Página 93
Web and MAC Authentication How Web and MAC Authentication Operate The assigned port VLAN remains in pl ace until the session ends. Clients may be forced to reauth enticate after a fixed period of time ( reauth-per iod ) or at any time during a session ( reauthentic ate ). An implicit lo goff period can be se t if there is no activity from the clie [...]
-
Página 94
Web and MAC Authentication Terminology T erminology Authorized-C lient VLAN: Like the Unauthorized-C lient VLAN, this is a conventional, static, untagged, port-b a sed VLAN previously configured on the switch by the System Administrat or . The intent in using this VLAN is to provide authenti cated clients with netw ork access and services. When the[...]
-
Página 95
Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ The switch supports co ncurrent 802.1X, W eb and MAC authentication operation on a port (with up to 2 clients all owed). However , concurrent operation of W eb and MAC authenti cation with other types of authentica- tion on the same port is not su pported. That is, t[...]
-
Página 96
Web and MAC Authentication Operating Rules and Notes ■ ■ ■ ■ 1. If there is a RADIUS-assigned VL AN, then, for th e duration of th e client session, the p ort belongs to this VLAN and tempor arily drops all other VLAN memberships. 2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, t he port belongs to the [...]
-
Página 97
Web and MAC Authentication Setup Procedure for Web/MAC Authentication We b / M A C W eb or MAC au thentication a nd LACP ar e not supported at the same time on Authentication a port. The swi tch automatically disables LACP on ports configured for W eb and LACP or MAC authentication. ■ Use the show port-access web-base d commands to display sessio[...]
-
Página 98
---- ---------- ------------- -------- -------- Web and MAC Authentication Setup Procedure for Web/MAC Authentication ProCurve(config)# show port-access config Port Access Status Summary Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes Supplicant Authenticator Web Auth Mac Auth Port Enabled Enable[...]
-
Página 99
Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that whe n configuring a RADI US server to assign a VLAN, you can use either the VL AN’ s name or VID. Fo r example, if a VLAN c onfigured in the switch has a VID of 100 and is named vlan100 , you coul d configure the RADIUS server to use either “10 0” or “vlan100”[...]
-
Página 100
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server aa-bb-cc-dd-ee-ff aa:bb:cc:dd:ee:ff AABBCCDDEEFF AABBCC-DDEEFF AA-BB-CC-DD-EE-FF AA:BB:CC:DD:EE:FF ■ If the device is a switch or other VLAN-capable device, use the base MAC address assigned to the device, and not the MA C address assigned to the VLAN through which the de[...]
-
Página 101
Web and MAC Authentication Configuring the Switch To Ac cess a RADIUS Server Syntax: [no] radius-server [host < ip-addre ss >] Adds a server to the RADIUS configuration or (with no ) deletes a server from the configuration. You can config- ure up to three RADIUS serv er addresses. The switch uses the first server it successfully accesses. (Re[...]
-
Página 102
Web and MAC Authentication Configuring Web Authentication Configuring W eb Authentication Overview 1. If you have not already done so, configure a local username and password pair on th e switch. 2. Identify or create a redirec t URL for use by authenticated clients. Pro- Curve recommends that you provid e a redirect URL when using W eb Authenticat[...]
-
Página 103
Web and MAC Authentication Configuring Web Authentication Configuration Co mmands for W eb Authentication Command Page Configuration Level aaa port-access < po rt-list > controlled-directions <both | in> 3-20 [no] aaa port-access web-based < port-list > 3-22 [auth-vid] 3-22 [clear-statistics] 3-22 [client-limit] 3-22 [client-moves[...]
-
Página 104
Web and MAC Authentication Configuring Web Authentication Syntax: aaa po rt-access < port-list > con trolled-directions <both | in> After you enable web-based au thentication on specified ports, you can use the aaa port-acc ess controlled-direc- tions command to configure how a port transmit s traffic before it successfully authenticate[...]
-
Página 105
Web and MAC Authentication Configuring Web Authentication Syntax: aaa po rt-access < port-list > con trolled-directions <both | in> — Continued — Notes : ■ For information on how to config ure the prerequisites for using the aaa port-access contro lled-directions in command, see Chapter 4, “Multi- ple Instance Spanning-T ree O p[...]
-
Página 106
Web and MAC Authentication Configuring Web Authentication Syntax: Syntax: Syntax: Syntax: [no] aaa port-ac cess web-based < port-list > Enables web-based authenti cation on the specified ports. Use the no form of the command to disable web- based authentication on the specified ports. aaa port-access web-b ased < port-list > [auth-vid &[...]
-
Página 107
Web and MAC Authentication Configuring Web Authentication Syntax: aaa po rt-access web-based < por t-list > [client-moves] Configures whether the client can move between ports. Default: Disabled Syntax: aaa po rt-access web-based [dhc p-addr < ip-address/mask >] Specifies the base address/mask for the temporary IP pool used by DHCP. The[...]
-
Página 108
Web and MAC Authentication Configuring Web Authentication Syntax: aaa po rt-access web-based < port-list > [m ax-retries <1-10>] Specifies the number of the number of times a client can enter their user name and password bef ore authen- tication fails. This allows the reentry of the user name and password if necessary. (Default: 3) Synt[...]
-
Página 109
Web and MAC Authentication Configuring Web Authentication Syntax: aaa po rt-access web-based < port-list > [redirect -url < url >] no aaa port-access web-based < p ort-list > [redir ect-url] Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome[...]
-
Página 110
Web and MAC Authentication Configuring Web Authentication Show Commands for W eb Authentication Command Page show port-access web-based [ port-list ] 3-26 show port-access web-based clients [ port-list ] 3-27 show port-access web-based clients < port-list > detailed 3-28 show port-access web-based con fig [ port-list ] 3-29 show port-access w[...]
-
Página 111
Web and MAC Authentication Configuring Web Authentication ProCurve(config)# show port-access web-based Port Access Web-Based Status Auth Unauth Untagged Tagged Port % In RADIUS Port Clients Clients VLAN VLANs COS Limit ACL ----- -------- -------- -------- ------ -------- ------ ------ 1 1 1 4006 Yes 70000000 100 Yes 2 2 0 MACbased No Yes Yes Yes 3 [...]
-
Página 112
Web and MAC Authentication Configuring Web Authentication ProCurve(config)# show port-access web-based clients 1 detailed Port Access Web-Based Client Status Detailed Client Base Details : Port : 1 Session Status : authenticated Session Time(sec) : 6 Username : webuser1 MAC Address : 0010b5-891a9e IP : n/a Access Policy Details : COS Map : 12345678[...]
-
Página 113
Web and MAC Authentication Configuring Web Authentication Syntax: show po rt-access web-based conf ig [ port-list ] Displays the currently conf igured W eb Authentication settings for all switch ports or specified ports, including: • T emporary DHCP base address and mask • Support for RADIUS-assi gned dynamic VLANs ( Ye s or No ) • Controlled[...]
-
Página 114
Web and MAC Authentication Configuring Web Authentication Syntax: show po rt-access web-based conf ig < port-list > detailed Displays more detailed inform ation on the currently config- ured W eb Authentication set tings for specified ports. ProCurve(config)# show port-access web-based config 1 detailed Port Access Web-Based Detailed Configur[...]
-
Página 115
Web and MAC Authentication Configuring Web Authentication Syntax: show po rt-access web-based conf ig [ port-list ] auth-server Displays the currently conf igured W eb Authentication settings for all switch ports or specified ports and includes RADIUS server -specific settings, such as: • T im eout w aiting perio d • Number of timeouts supporte[...]
-
Página 116
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on th e switch. 2. If you pla n to use multiple VLANs wi th MAC Authenticatio n, ensure that these VLANs are configured on the sw itch and that[...]
-
Página 117
Web and MAC Authentication Configuring MAC Authent ication on the Switch Configuration Co mmands for MAC Authentication Command Page Configuration Level aaa port-access mac-based addr -format 3-33 [no] aaa port-access mac-based [e] < port-list > 3 - 3 4 [addr -limit] 3-34 [addr -moves] 3-34 [auth-vid] 3-34 [logoff-period] 3-35 [max-requests] [...]
-
Página 118
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: [no] a aa port-access mac-based < port-list > Enables MAC-based authenti cation on the specified ports. Use the no form of the comma nd to disable MAC- based authentication on the specified ports. Syntax: aaa po rt-access mac-based [e] < port-list > [addr -l[...]
-
Página 119
Web and MAC Authentication Configuring MAC Authent ication on the Switch Syntax: aaa po rt-access mac-based [e] < port-list > [logoff-period] <60-9999999> ] Specifies the period, in seco nds, that the switch enforces for an implicit lo goff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switc[...]
-
Página 120
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa po rt-access mac-based [e] < port-list > [unauth-vid < vid >] no aaa port-access mac-based [e ] < port-list > [unauth -vid] Specifies the VLAN to use for a client that fails authen- tication. If unauth- vid is 0 , no VLAN changes occur . Use the no[...]
-
Página 121
---- ----------- -------------------- ------------------- ------------- Web and MAC Authentication Configuring MAC Authent ication on the Switch ProCurve(config)# show port-access mac-based Port Access MAC-Based Status Auth Unauth Untagged Tagged Port % In RADIUS Port Clients Clients VLAN VLANs COS Limit ACL ---- ------- ------- -------- ------ ---[...]
-
Página 122
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show po rt-access mac-based client s < port-list > detailed Displays detailed informat ion on the status of MAC- authenticated client session s on specified ports. ProCurve(config)# show port-access mac-based clients 1 detailed Port Access MAC-Based Client Status [...]
-
Página 123
Web and MAC Authentication Configuring MAC Authent ication on the Switch Syntax: show po rt-access mac-based conf ig [ port-list ] Displays the currently conf igured MAC Authentication settings for all switch ports or specified ports, including: • MAC address format • Support for RADIUS-assi gned dynamic VLANs ( Ye s or No ) • Controlled dire[...]
-
Página 124
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show po rt-access mac-based conf ig < port-list > detailed Displays more detailed inform ation on the currently config- ured MAC Authentication settings for specified ports. ProCurve(config)# show port-access mac-based config 1 detailed Port Access MAC-Based Detai[...]
-
Página 125
Web and MAC Authentication Configuring MAC Authent ication on the Switch Syntax: show po rt-access mac-based conf ig [ port-list ] auth-server Displays the currently conf igured W eb Authentication settings for all switch ports or specified ports and includes RADIUS server -specific settings, such as: • T im eout w aiting perio d • Number of ti[...]
-
Página 126
Web and MAC Authentication Client Status Client Status The table below show s the possible client status in formation that may be reported by a W eb-based or MAC-based ‘ show ... clients’ command. Reported Status Available Network Connection Possible Explanations authenticated Authorized VLAN Client authenticated. Remains connected until logoff[...]
-
Página 127
4 T ACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Applicati ons: . . . . . . . . . . . . . . . . . . . . 4-3 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 General Auth[...]
-
Página 128
TACACS+ Authentication Overview Overview Feature Default Men u CLI We b view the switch’ s authentication configuration n/a — page 4-9 — view the switch’ s T ACACS+ server contact n/a — page 4- — configuration 10 configure the switch’ s authentication methods disabled — page 4- — 11 configure the switch to contact T ACACS+ server([...]
-
Página 129
TACACS+ Authentication Terminology Used in TA CACS Applications: T ACACS+ server for authentica tion services. If the swit ch fails to connect to any T ACACS+ serve r , it defaults to its own locally assigned passwords for authentication co ntrol if it has been configured to do so. For bo th Console and Telnet access you can configure a lo gin (rea[...]
-
Página 130
TACACS+ Authentication Terminology Used in TA CACS Applications: everyone who needs to access the swit ch, and you must configure and manage password protection on a per -switch basi s. (For more on local auth entication, re fer to chapter 2, “Configuring Username and Password Security”.) • T A CACS+ Authentication: This method enables you to[...]
-
Página 131
TACACS+ Authentication General System Requirements General System Requirements T o use T ACACS+ authentication, you need th e following: ■ A T ACACS+ server applicat ion installed and configured on one or more servers or management stati ons in your network. (There are sever al T ACACS+ softwa re p ackages available.) ■ A switch configured for [...]
-
Página 132
TACACS+ Authentication General Authentication Setup Procedure Note If a complete access lockou t occurs on the switch as a result of a T ACACS+ configuration, see “T roubleshooting T ACACS+ Op eration” in the T rouble- shooting chapter of the Management and Configuration Gui de for your switch. 1. Famili arize yourself with the r equirements fo[...]
-
Página 133
TACACS+ Authentication General Authentication Setup Procedure If you are a first-time user of th e T ACACS+ service, ProC urve recom- mends that you configure only the mini mum feature set required by th e T ACACS+ application to pr ovide service in your network environment. After you have success with the minimu m feature set, you may then want to[...]
-
Página 134
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring T ACACS+ on the Switch Before Y ou Begin If you are new to T ACACS+ authentication, ProCur ve recommends that you read the “General Authen tication Se tup Procedure” on page 4-5 and configure your T ACACS+ server(s) before config uring authenticati on on the switch. The switch[...]
-
Página 135
TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication 4-9 show tacacs 4-10 aaa authentication 4-11 through 4-17 console T elnet num-attempts <1-10 > tacacs-server 4-18 host < ip-addr > 4 - 1 8 key 4 -22 timeout < 1-255 > 4-23 V iewing the Switch’ s Curren[...]
-
Página 136
TACACS+ Authentication Configuring TACACS+ on the Switch V iewing the Switch’ s Current T ACACS+ Server Contact Configuration This comma nd lists the tim eout period, encryption key , and the IP addre sses of the first-choice and backup T ACACS + servers the switch can contact. Syntax: show tacacs For example, if the switch was configur ed for a [...]
-
Página 137
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’ s Authentication Methods The aaa authentication command configures ac cess control for t he following access methods: ■ Console ■ Te l n e t ■ SSH ■ We b ■ Port-access (802.1X) However , T ACACS+ authentication is only us ed with the console, T elnet, or SS[...]
-
Página 138
TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: aaa authen tication < console | telnet | ssh | web | p ort-access > Selects the access method for configuration. < enable> The server grants privileges at the Manager privilege level. < login [privilege-mode] > The server grants privileges at the Operator privilege l[...]
-
Página 139
TACACS+ Authentication Configuring TACACS+ on the Switch Authentication Parameters T able 4-1. AAA Authentication Parameters Parameters Name Default Range Function console, T elnet, n/a n/a Specifies the access method us ed when authentica ting. T ACACS+ SSH, web or po rt- access authentication only uses the consol e, T elnet or SSH access methods.[...]
-
Página 140
TACACS+ Authentication Configuring TACACS+ on the Switch numbers 0 through 15, with zero allo wing only Operator privileges (and requiring two logins) and 15 representing root privil eges. The root priv ilege level is the only leve l that will a llow Manager le vel access on the switch. Figure 4-4. Advanced T ACACS+ Sett ings Section of the T ACACS[...]
-
Página 141
TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-5. The Shell Section of the T ACACS+ Server User Setup As shown in the next table, login and en able access is always available locall y through a direct t erminal connection to the switch’ s console port. However , for T elnet access, you can configure T ACACS+ to deny access if a[...]
-
Página 142
TACACS+ Authentication Configuring TACACS+ on the Switch T able 4-2. Primary/Secondary Authenticat ion T able Access Method and Privilege Level Authentication Options Effect on Access Attempts Primary Secondary Console — Login local none* Local userna me/password access only . tacacs local If T acacs+ server unavailable, uses local username/passw[...]
-
Página 143
TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of acce ss options and the corre sponding commands to configure them: Console Login (Operator or Re ad-Only) Access: Primary using T ACACS+ server . Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Ma nager or R[...]
-
Página 144
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’ s T ACACS+ Server Access The tacacs-server command configures these parameters: ■ The host IP address(es) for up to three T ACACS+ servers; one first- choice and up to two backups. Design ating ba ckup ser vers provides for a continuation of authenticat ion service[...]
-
Página 145
TACACS+ Authentication Configuring TACACS+ on the Switch tacacs-server key < key-string > Enters the optional gl obal encryption key. [no] tacacs-server key Removes the optional global encryption key. (Does not affect any server-specific en cryption key assignments.) tacacs-server timeout < 1-255 > Changes the wait period for a TACACS s[...]
-
Página 146
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host < ip-addr > [key < key-string > none n/a Specifies the IP address of a device running a T ACACS+ serv er application. Optionally , can also specify the unique, per- server encryption key to use when each assigned server has it s own, uniqu e key. For more o[...]
-
Página 147
TACACS+ Authentication Configuring TACACS+ on the Switch key < key-string > none (null) n/a Name Default Range Specifies the optional, global “e ncryption key” that is also assigned in t he T A CACS+ server(s) that the switch will access for authentication. This option is subor dinate to any “per -server” encryption ke ys you assign, [...]
-
Página 148
TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “ first-choice ” T ACACS+ authentication device. Figure 4-7. Example of the Switch After Assigni ng a Different “First-Choice” Server T o remove the 10.28.227.1 5 device as a T ACACS+ server , you would use this command: ProCurve (config)# no tacacs-serv[...]
-
Página 149
TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encry ption key in the switch, re-enter the tacacs-server host comman d without th e key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you wa nt to eliminate the key, you would u[...]
-
Página 150
TACACS+ Authentication How Authentication Operates How Authentication Operates General Authentication Process Using a T ACACS+ Server Authentication through a T ACACS+ server operates generally as described below . For specific operat ing details, refer to the documentation you received with your T ACACS+ server application. ProCurve Switch Configu[...]
-
Página 151
TACACS+ Authentication How Authentication Operates 4. When the requesting te rm inal responds to the prompt with a p assword, the switch forwards it to the T ACACS+ server and one of the following actions occurs: • If the username/pass word pair received from the reques ting terminal matches a username/passw ord pair previously stored in the serv[...]
-
Página 152
TACACS+ Authentication How Authentication Operates attempt limi t without a successful a uthentication , the login session is terminated and the op erator at the re questing te rminal mu st initiate a new session before trying again. Note The switch’ s menu allows yo u to configure only t he local Operator an d Manager passwords, and not any user[...]
-
Página 153
TACACS+ Authentication Controlling Web Browser Interface Acces s When Using TACACS+ Authentication in the switch must be i d entical to th e encryption key configured in the corresponding TACACS+ serv er. If the key is the same for all TACACS+ servers the switch will use for authenticat ion, then co nfigur e a global key in the switch. If the key i[...]
-
Página 154
TACACS+ Authentication Messages Related to TACACS+ Operation ■ Configure the switch’ s Authorized IP Manager feature to allow web browser access only from authorized management stations. (The Autho- rized IP Manager featur e does not interfere wi th T ACACS+ operation.) ■ Disable web browser access to the swit ch by going to the System Infor [...]
-
Página 155
TACACS+ Authentication Operating Notes Operating Notes ■ If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as T ACACS+ servers in the authorized man- ager list. That is, auth entication traffi c between a T ACACS+ server and the switch is not subj ect to Authoriz ed IP Manager controls conf igu[...]
-
Página 156
TACACS+ Authentication Operating Notes 4-30[...]
-
Página 157
5 RADIUS Authentication and Accounting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Página 158
RADIUS Authenti cation and Accounting Contents Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34 Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-35 Operating Rules for RADIUS Acco unting . . . . . . . . . . . . . . . . . . . . . . 5-37 Steps for Configu ring[...]
-
Página 159
RADIUS Authentication and Accounting Overview Overview Feature Default Menu CLI We b Configuring RADIUS Auth entication None n/a 5-8 n/a Configuring RADIUS A ccounting None n/a 5-35 n/a Configuring RADIUS Auth orization None n/a 5-26 n/a Viewing RADIUS Statistics n/a n/a 5-43 n/a RADIUS ( Remote Authentication Dial-In User Service ) enables yo u to[...]
-
Página 160
RADIUS Authenti cation and Accounting Overview Note The switch does not support RADIUS security for SNMP (network manage- ment) access. For i nformation on blocking access through the web browser interface, refer to “Controlling W e b Br owser Interface Access” on page 5-2 5. Accounting Services RADIUS accounting on the switch col lects resourc[...]
-
Página 161
RADIUS Authentication and Accounting Terminology T erminology AAA: Authentication, Authorization, and Account ing groups of services pro - vided by the carrying protocol . CHAP (Challenge-Handshake Authe ntication Protocol): A challenge- response authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a [...]
-
Página 162
RADIUS Authenti cation and Accounting Switch Operating Rules for RADIUS Shared Secret Key: A text value used for en crypting data in RADIUS packets. Both the RADIUS client and the RADIUS server have a copy of the key , and the key is never transmitted across the network. V endor -Specific Attribute: A vendor -defined value config ured in a RADIUS s[...]
-
Página 163
RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS server s to support the switch. (That is, one primary server and one or two ba ckups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring the switch, co llect th [...]
-
Página 164
RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS Authentication • Determine how many times you want the switch to try contacting a RADIUS server before trying anoth er RADIUS server or quitting. (This depends on how many RADIUS servers you hav e configured the switch to access.) • Determine whether you want to bypass a R[...]
-
Página 165
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps fo r Configuring RADIUS Authentication There ar e three main step s to configuring RAD IUS authenticati on: 1. Configure RADIUS authentication fo r controlling access through one or more of the followin g • Serial port • T e l n e t • S [...]
-
Página 166
RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS Authentication • T imeout Pe riod: The ti meout pe riod the swit ch waits for a RADIUS server to reply . (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no serv er response to a RADIUS au thentication request. (Defau[...]
-
Página 167
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication ure local for the secondary method. This prevents the possib ility of being completely locked out of the swit ch in the event that all primary access methods fail. Syntax: aaa authentication < console | te lnet | ssh | web | < enab le | login <local | rad[...]
-
Página 168
RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS Authentication Figure 5-2 shows a n example of the show authentication command displ aying authorized as the secondary auth entication method for po rt-acc ess, W eb-auth access, and MAC-auth access. Since the configuration of au thorized means no authentication will be perf o[...]
-
Página 169
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-3. Example Confi guration for RADIUS Authent ication The switch now allows T elnet and SSH authentication only through RADIUS. Note: The We bu i access task shown in this figure is available only on th e switches covered in this guid e. Note If you config[...]
-
Página 170
RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS Authentication this default beh avior for clients with Enable (manager) access. Tha t is, with privilege-mode enabled, the switch immediat ely allo ws Enable (Manager) access to a clie nt for whom the RADIUS server specifies this access level. Syntax: [no] aaa authe ntication [...]
-
Página 171
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch T o Access a RADIUS Server This section desc ribes how to con figure the switch to interact with a RADIUS server for both authenticat ion and accounting services. Note If you want to configure RADIUS accounti ng on the switch, go to page 5-[...]
-
Página 172
RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS Authentication [key < key-string > ] Optional. Specifies an encry ption key for use during authentication (or accounting) s essions with the specified server . This key must match the encryption key used on the RADIUS server . Use this comma nd only if the specified serv[...]
-
Página 173
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-4. Sample Confi guration for RADIUS Server Before Changing the Key and Adding Another Server T o make the cha nges listed prior to fi gure 5-4, you would do the following: Changes the key for the existing server to “source0127” (step 1, above). Adds t[...]
-
Página 174
RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS Authentication ■ Global server key: The server key the switch will use for contacts with all RADIUS servers for which there is not a server -specific key configured by radius-server host < ip-address > key < key-string > . This key is optional if you configure a [...]
-
Página 175
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server timeout < 1 - 15 > Specifies the maximum time the swi tch waits for a response to an authenticati on request before counting the attempt as a failure. (D efault: 3 seconds; Range: 1 - 15 seconds) radius-server retransmit < 1 - 5 > If a RA[...]
-
Página 176
RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS Authentication After two attempts failing due to username or pa ssword entry errors, the switch will termin ate the session. Global RADIU S parameters from figure 5-6. These two servers will use the global encr yption key . Server -specific en cryption key for the RADIUS serve[...]
-
Página 177
Security Notes RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features Using SNMP T o Vi ew and Configure Switch Authentication Features SNMP MIB object acce ss is available fo r switch authe ntication conf iguration (hpSwitchAuth ) f eatures. This means that the sw itches cove red by this Guide allow , [...]
-
Página 178
RADIUS Authenti cation and Accounting Using SNMP To View and Configur e Switch Authentication Features Changing and Vi ewing the SNMP Access Configuration Syntax: snmp-server mib hpsw itchauthmib < excluded | inclu ded > included: Enables manager -level SN MP read/write access to the switch’ s authentication conf iguration (hpSwitchAuth) MI[...]
-
Página 179
RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features An alternate me thod of determ ining the current Authentication MIB access state is t o use the show run command. ProCurve(config)# show run Running configuration: ; J8715A Configuration Editor; Created on release #W.14. XX hostname "ProCurve&q[...]
-
Página 180
RADIUS Authenti cation and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to l ocal authentication only if one of these two conditions exists: ■ Local is the authentic ation option for the access method be ing used. ■ The switch has been con figured to query one o r m[...]
-
Página 181
RADIUS Authentication and Accounting Controlling Web Browser Interface Access Controlling W eb Browser Interface Access T o help prevent unauthorized access th rough the web browser interface, do one or more of the following: ■ Configure the switch to suppor t RADIUS authentication for web browser interface access (See chapter 3, “W eb and MAC [...]
-
Página 182
RADIUS Authenti cation and Accounting Commands Authorization Commands Authorization The RADIUS proto col combines user au thentication and authorization steps into one phase. The user must be su ccessfully authenticated be fore the RADIUS server will send aut horization information (from th e user’ s profile) to the Network Access Server (NAS). A[...]
-
Página 183
RADIUS Authentication and Accounting Commands Authorization Enabling Authorization T o configure authorization for controlling access to the CLI commands, enter this command at the CL I. Syntax: [no] aaa authoriza tion <commands> <radius | n one> Configures authorization for controlling access to CLI commands. When enabled, the swit ch [...]
-
Página 184
RADIUS Authenti cation and Accounting Commands Authorization Displaying Authorization Information Y ou can show the authorization info rmation by entering this command: Syntax: show authorization Configures authorization for controlling access to CLI commands. When enabled, the swit ch checks the list of commands supplied by the RADIUS server du ri[...]
-
Página 185
RADIUS Authentication and Accounting Commands Authorization The results of using the HP-Command-St ring and HP-Command-Exception attributes in various combinations are shown below . HP-Command-String HP-Command-Exception Description Not present Not present If comm and authorization is enabled and the RADIUS server does not provide any authorization[...]
-
Página 186
RADIUS Authenti cation and Accounting Commands Authorization Example Configuratio n on Cisco Secure ACS fo r MS W indows It is necessary to create a dictionary fi le that defines the VSAs so that the RADIUS server application can determin e which VSAs to add to its user interfac e. The VSAs will appear below the standard attrib utes that can be con[...]
-
Página 187
RADIUS Authentication and Accounting Commands Authorization Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList 2. Copy the hp.ini dictiona ry file to c: program filescisco acs 3.2 utils (or the utils directory wher ever acs i s installed). 3. From the command prompt ex ecute the following comma [...]
-
Página 188
RADIUS Authenti cation and Accounting Commands Authorization 6. Right click and then select New > key . Ad d the vendor Id number that you determined in step 4 (100 in the example ). 7. Restart all Cisco se rvices. 8. The newly crea ted HP RADIUS VSA ap pears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select[...]
-
Página 189
RADIUS Authentication and Accounting Commands Authorization # # dictionary.hp # # As posted to the lis t by User <user_email> # # Version: $Id: dictio nary.hp, v 1.0 2006/02/23 17:07:07 # VENDOR Hp 11 # HP Extensions ATTRIBUTE Hp-Command-String 2 string Hp ATTRIBUTE Hp-Command-Exception 3 integer Hp # Hp-Command-Exception Attribute Values VAL[...]
-
Página 190
RADIUS Authenti cation and Accounting Commands Authorization Additional RADI US Attributes The followin g attributes are inc luded in Access-Request and Access-Account- ing packets sent from the switch to the RADIUS server to adve rtise switch capabilities, report informat ion on authentication sessi ons, and dynamically 42reconfigure authenticatio[...]
-
Página 191
RADIUS Authentication and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Commands Page [no] radius-server host < ip-address > 5 - 3 8 [acct-port < port-number >] 5-38 [key < key-string >] 5-38 [no] aaa accounting < exec | network | system | command s> 5-41 < start-stop | stop-only[...]
-
Página 192
RADIUS Authenti cation and Accounting Configuring RADIUS Accounting ■ Exec accounti ng: Provides reco rds holding the in formation listed below about login session s (console, T elnet, and SSH) on the switch: • Acct-Authentic • Acct-Status-T ype • NAS-Identifier • Acct-Delay-T ime • Acct-T erminate-Cause • NAS-IP-Address • Acct-Sess[...]
-
Página 193
RADIUS Authentication and Accounting Configuring RADIUS Accounting Operating Rules for RADIUS Accounting ■ Y ou can confi gure up to four types of accounti ng to run simulta- neously: exec, system, network, and commands. ■ RADIUS servers used for accounting are also used fo r authentication. ■ The switch must be configured to acce ss at least[...]
-
Página 194
RADIUS Authenti cation and Accounting Configuring RADIUS Accounting must match the encrypti on key used on the specified RADIUS server . For more information, refer to the “ [key < key-string >] ” parameter on page 5-15. (Default: null) 2. Configure accounting ty pes and the co ntrols for sendin g reports to the RADIUS server . • Accoun[...]
-
Página 195
RADIUS Authentication and Accounting Configuring RADIUS Accounting [key < key-string >] Optional. Specifies an encryption key for use during accounting or authenticati on sessions with the speci- fied server . This key must match the encryption key used on the RADIUS server . Use this command only if the specified server requires a different [...]
-
Página 196
RADIUS Authenti cation and Accounting Configuring RADIUS Accounting The radius-server command as shown in figure 5-11, above, configures the switch to use a RADIUS serv er at IP a ddress 10.33.18.151 , with a (non-de fault) UDP accounting port of 1750, and a server -specific key of “source0151”. 2. Configure Accounting T ype s and the Controls [...]
-
Página 197
RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Stop-Only: • Send a stop record accounting noti ce at the end of the accounting session. The notice includes the latest data the switch has co llected for the requested accounting type (Network, Exec, Commands, or System). • Do not wait fo r an acknowledgment. The system opt[...]
-
Página 198
RADIUS Authenti cation and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additi onal control ov er accounting data. ■ Updates: I n addition to us ing a Start-Stop or St op-Only trigger , you can optionally configur e the switch to send periodic acc[...]
-
Página 199
RADIUS Authentication and Accounting Viewing RADIUS Statistics V iewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration , including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius , the server’s IP address must be configure[...]
-
Página 200
RADIUS Authenti cation and Accounting Viewing RADIUS Statistics Figure 5-15. RADIUS Server Information From the Show Radius Host Command Te r m Definition Round T rip T ime The time interval between the mo st recent Accounting-Response and the Accounting- Request that matched it from this RADIUS accounting server . PendingRequests The number of RAD[...]
-
Página 201
RADIUS Authentication and Accounting Viewing RADIUS Statistics Requests The number of RADIUS Accounti ng-Request packets sent. This does not include retransmissions. Te r m Definition AccessChallenges Th e number of RA DIUS Access-Challenge packets (valid or invalid) received from this server . AccessAccepts The number of RADIUS Access-Accept packe[...]
-
Página 202
RADIUS Authenti cation and Accounting Viewing RADIUS Statistics Figure 5-17. Example of RADIUS Aut hentication Inform ation from a Specific Server RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppres- sion status, accounting ty pes, methods, and modes. show radius accounting Lists accou[...]
-
Página 203
RADIUS Authentication and Accounting Changing RADIUS-Ser ver Access Order Figure 5-19. Example of RADIUS Account ing Information for a Spe cific Server Figure 5-20. Example Listing of Active RADIUS Accounting Sessions on t he Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS ser vers according to the order in which their [...]
-
Página 204
RADIUS Authenti cation and Accounting Changing RADIUS-Server Access Order RADIUS server IP addresses li sted in the order in which the switch will try to access them. In this case, the server at IP address 1.1.1.1 is first. Note: If the switch succe ssfully accesses the first server , it does not try to ac cess any other servers in the l ist, even [...]
-
Página 205
RADIUS Authentication and Accounting Changing RADIUS-Ser ver Access Order Removes the “003” and “001” addresses from the RADIUS se rver list. Inserts the “003” address in the first position in the RADIUS server list, and inserts the “001” address in the last position in the li st. Shows the new order in which the switch searches for[...]
-
Página 206
RADIUS Authenti cation and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. T ry pinging the server to determine whether it is accessible to t he switch. If the server is acces[...]
-
Página 207
6 Configuring RADIUS Server Support for Switch Services Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 RADIUS Server Configuration for Viewing the Currently Active Pe r-Port CoS and Rat e-Limiting Contrasting Dy namic (R A DIUS-Assigned) and How a RADIUS Server Applie [...]
-
Página 208
Configuring RADIUS Se rver Support for Switch Services Contents Configuring th e Switch To Support RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23 Displaying the Current RAD IUS-Assigned ACL Activity Causes of Client D eauth entication Immediately on the Switch . . [...]
-
Página 209
Configuring RADIUS Server Support for Switch Services Overview Overview This chapter p rovides information that applies to setting up a RADIUS server to configure the foll owing switch features on po rts supporting RADIUS- authenticated clients: ■ CoS ■ Rate-Limiting ■ ACLS Optional Network Mana gement Applications. Per -port CoS and rate- li[...]
-
Página 210
Configuring RADIUS Se rver Support for Switch Services RADIUS Server Configuration for Per-Por t CoS (802.1p Priority) and Rate-Limiting RADIUS Server Configuration for Per -Port CoS (802.1p Priority) and Rate- Limiting This section provides general guidel in es for configuring a RADIUS server to dynamically apply CoS (Class of Service) and Rate-Li[...]
-
Página 211
Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Service Control Method and Operating Notes: Rate-Limiting on V endor-Sp ecific Attribute configured in the RADIUS server . inbound traffic ProCurve (HP) vendor -specific ID:11 This feature assigns a VSA: 46 (integer[...]
-
Página 212
Configuring RADIUS Se rver Support for Switch Services RADIUS Server Configuration for Per-Por t CoS (802.1p Priority) and Rate-Limiting T able 6-2. Examples of Assigned and Ap plied Rate Limits RADIUS-Assigned Bandwidth (Kbps) Applied Increments Applied Rate Limit (Kbps) Difference/Kbps 5,250 100 Kbps 5,200 50 50,250 1 Mbps 50,000 250 Kbps 51,000 [...]
-
Página 213
Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Syntax: show port-access authenticator [ po rt-list ] show rate-limit all show qos port-priority These commands display the Co S and Rate-Limiting settings specified by the RADIUS server used to grant authentication[...]
-
Página 214
Configuring RADIUS Se rver Support for Switch Services RADIUS Server Configuration for Per-Por t CoS (802.1p Priority) and Rate-Limiting ProCurve(config)# show qos port-priority Port priorities Port Apply rule | DSCP Priority Radius Override ---- ----------- + ------ ----------- --------------- B1 Priority | 3 No-override B2 No-override | No-overri[...]
-
Página 215
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-A ssigned Acc ess Control Lists Configuring and Using RADIUS-Assigned Access Control Lists Introduction A RADIUS-assigned ACL is co nfigured on a RADIUS server and dynamical ly assigned by th e server to filter traffic enterin g th e switch through a specific port af[...]
-
Página 216
Configuring RADIUS Se rver Support for Switch Services Configuring and Using RADIUS -Assigned Access Control Lists • RADIUS-assigned ACL: dynamic ACL assigned to a port by a RAD IUS server to f ilter inbound t raffic from an authenticated c lient on that port An ACL can be configured on an inte rface as a static port ACL. (RADIUS- assigned ACLs a[...]
-
Página 217
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-A ssigned Acc ess Control Lists Permit: An ACE configured with this acti on allows the switch to forward an inbound packet f or which there is a match within an applicable ACL. Permit Any Any: An abbreviated form of permit in ip f rom any to any , which permits any i[...]
-
Página 218
Configuring RADIUS Se rver Support for Switch Services Configuring and Using RADIUS -Assigned Access Control Lists Overview of RADIUS-A ssigned, Dynamic ACLs RADIUS-assigned ACLs enhance network and switch management access security and traffic control by permit ting or denying authenticated client access to specific network resources and to the sw[...]
-
Página 219
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-A ssigned Acc ess Control Lists Note A RADIUS-assigned ACL assignment filt ers all inbound IP traffic from an authenticated client on a port, regardless of whether the client’ s IP traffic is to be switched or routed. RADIUS-assigned ACLs can be used either with or[...]
-
Página 220
Configuring RADIUS Se rver Support for Switch Services Configuring and Using RADIUS -Assigned Access Control Lists RADIUS-assigned ACLs Static Port ACLs Allows one RADIUS-assigned AC L per authenticated client on a port. (Each such ACL filter s traffic from a different, authenticated client.) Note: The switch provides ample resources for supporting[...]
-
Página 221
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-A ssigned Acc ess Control Lists the same username/ password pair . Wh ere the client MAC address is the selection criteria, only the client havi ng that MAC address can use the corre- sponding ACL. When a RADIUS server auth enticates a client, it also assigns the ACL[...]
-
Página 222
Configuring RADIUS Se rver Support for Switch Services Configuring and Using RADIUS -Assigned Access Control Lists 3. Configure the ACLs on a RADIUS server accessible to the inte nded clients. 4. Configure the switch to use the desi red RADIUS server and to support the desired client authentication sc heme. Options include 80 2.1X, W eb authenticat[...]
-
Página 223
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-A ssigned Acc ess Control Lists Operating Rules for RADIUS-Assigned ACLs ■ Relating a Client to a RADIUS-Assigned ACL: A RADIUS-assi gned ACL for a particular cli ent must be configured in the RADIUS ser ver under the authentication credentials the server should ex[...]
-
Página 224
Configuring RADIUS Se rver Support for Switch Services Configuring and Using RADIUS -Assigned Access Control Lists Elements in a RADIUS-assig ned ACL Configuration. A RADIUS- assigned ACL configuration in a RADIUS server ha s the following el ements: ■ vendor and ACL identifiers: • ProCurve (HP) V endor -Specific ID: 11 • V endor -Specific At[...]
-
Página 225
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-A ssigned Acc ess Control Lists Configuring ACE Syntax in RADIUS Servers The follow ing syntax and operating inf o rmation applies to ACLs configured in a RADIUS server . ACE Synta x Nas-filter -Rule =”< permit | deny > in <ip | ip-protocol-value > from[...]
-
Página 226
Configuring RADIUS Se rver Support for Switch Services Configuring and Using RADIUS -Assigned Access Control Lists any: • Specifies any IPv4 destin ation address if one of the following is true: – the A CE uses the standard attribute ( Nas-f ilter -Rule ). For example: Nas-filter-Rule=”permit in tcp from any to any 23” Nas-filter-Rule+=”p[...]
-
Página 227
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-A ssigned Acc ess Control Lists 1. Enter the ACL standard at tr ibute in the FreeRADI US dictionary .rfc4849 file. ATTRIBUTE Nas-FILTER-Rule 92 2. Enter the switch IP address, NAS (Network Attached Server) type, and the key used in the FreeRADIU S client s.conf file.[...]
-
Página 228
Configuring RADIUS Se rver Support for Switch Services Configuring and Using RADIUS -Assigned Access Control Lists 1. Enter the ProCurve vendor -specifi c ID and the ACL VSA in the FreeRADIUS dictionary file: VENDOR HP 11 ProCurve (HP) V endor -Specific ID BEGIN-VENDOR HP ATTRIBUTE HP-IP-FILTER-RAW 61 STRING END-VENDOR HP ProCurve (HP) Vendor -Spec[...]
-
Página 229
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-A ssigned Acc ess Control Lists Note For syntax details on RADIUS-assigned ACLs, refer to the ne xt section, “Format Details for ACEs Configur ed in a RADIUS-Assigned ACL”. Client’ s Use rname (802.1X or Web Authenticatio n) Client’ s Password (802.1X or Web [...]
-
Página 230
Configuring RADIUS Se rver Support for Switch Services Configuring and Using RADIUS -Assigned Access Control Lists Configuration Notes Explicitly Permitting Any IP T raffic. Entering a permit in ip from any to any (permit any any) ACE in an ACL permits all IP traffic not previously permitted or denied by that ACL. Any ACEs listed af ter that point [...]
-
Página 231
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-A ssigned Acc ess Control Lists Note Refer to the documentati on provided with your RADIUS server for infor - mation on how th e server receives and manag es network accounti ng informatio n, and how to perform any configurati on steps necessary to enable the server [...]
-
Página 232
Configuring RADIUS Se rver Support for Switch Services Configuring and Using RADIUS -Assigned Access Control Lists Displaying the Current RA DIUS-Assigned ACL Activity on the Switch These commands output data i ndicating the current ACL activity i mposed per - port by RADIUS server responses to client authentic ation. Syntax: show access-list radiu[...]
-
Página 233
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-A ssigned Acc ess Control Lists Syntax: show port-a ccess authenti cator < port-list > For ports, in < port-lis t > that are configured for authentication, th is command indicates whether there are any RADIUS-assigned features active on the port(s). (Any [...]
-
Página 234
Configuring RADIUS Se rver Support for Switch Services Configuring and Using RADIUS -Assigned Access Control Lists ProCurve(config)# show port-access aut henticator 2-3 Port Access Authenticator Status Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Auth Unauth Untagged Tagged Kbps In RADIUS Cntrl [...]
-
Página 235
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-A ssigned Acc ess Control Lists Event Log Messages Message Meaning ACE parsing error, permit/deny keyword < ace-# > client < mac-address > port < port-# > . Could not add ACL entry. Could not create ACL entry. Could not add ACL, client mac < mac-[...]
-
Página 236
Configuring RADIUS Se rver Support for Switch Services Configuring and Using RADIUS -Assigned Access Control Lists Message Meaning Invalid Access-list entry length, Notifies that the string conf igured for an ACE entry on the client < mac-add ress > port < port-# > . Radius server exceeds 80 characters. Memory allocation failure for IDM[...]
-
Página 237
7 Configuring Secure Shell (SSH) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Página 238
Configuring Secure Shell (SSH) Overview Overview Feature Default Menu CLI We b Generating a public/private key pair on the switch No n/a page 7-9 n/a Using the switch’ s public key n/a n/a page 7-12 n/a Enabling SSH Disabled n/a page 7-15 n/a Enabling client public-key authentication Disabled n/a pages 7-20, n/a 7-23 Enabling user authentication [...]
-
Página 239
Configuring Secure Shell (SSH) Terminology Switch SSH and User Password Authentication . This option is a subset of the client pu blic-key authe ntication shown in figure 7-1. It occurs if the switch has SSH enabled but does not have login access ( login pub lic-key ) configured to authenticate the client’ s key . As in figure 7-1, the switch aut[...]
-
Página 240
Configuring Secure Shell (SSH) Prerequisite for Using SSH ■ Local password or username: A Manager - level or Operator -le vel pass- word configured in the swit ch. ■ SSH Enabled: (1) A publ ic/private key pair has been generated on the switch ( generate ssh [dsa | rsa] ) and (2) SSH is enabled ( ip ssh ). (Y ou can generate a key pair without e[...]
-
Página 241
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication be tween the switch and an SSH client, you must use the logi n (O perator) level. T able 7-1. SSH Options Switch Access Level Primary SSH Authenti[...]
-
Página 242
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH fo r Switch and Client Authentication B. Switch Prep aration 1. Assign a login (Operator) and enable (Manager) password on th e switch (page 7-8). 2. Generate a public/private key pair on the switch (page 7-9 ). Y ou need to do this only once. The k ey remains in the switch even if [...]
-
Página 243
Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generat ed on an SSH client must be exportab le to the switch. The switch can on ly store 10 client key pa irs. ■ The switch’ s own public/p rivate key pair and the (optional) cli ent public key file are stored in the switch’ s f[...]
-
Página 244
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section P age show ip ssh 7-18 [keylist-str] [< babble | fingerprint>] cert [rsa] <keysize> | ssh [ dsa | rsa [bits <keysize>]] aaa authentication ssh < public key file > [<append |[...]
-
Página 245
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation T o Configure Local Passwords. Y ou can configure b oth the Operato r and Manager password with one command. Syntax: password < manager | operator | a ll > Figure 7-4. Example of Config uring Local Passwords 2. Generating the Switch’ s Pu blic and Privat e Key Pair Y ou[...]
-
Página 246
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When you generate a host key pair on the switch, the switch places the key pair in flash memory ( and not in the running-config file). Also, the switch maintains the key pai r across reboots, including power cycles. Y ou should consider this key pair to be “permanent ”[...]
-
Página 247
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation show crypto host-public -key Displays switch’s public ke y. Displays the version 1 and version 2 views of the key. See “SSH Client Public-Ke y Authentication” on page 2-16 in this guide for info rmation about public keys saved in a configuration file. [ babble ] Displays [...]
-
Página 248
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation hosts file, note that the fo rmatting and comments need not match. For version 1 keys, the three numeric values bit size , exponent <e>, an d modulus <n> must match; for PEM keys, only th e PEM-en coded string itself must match. Notes "Zeroizing" the switc[...]
-
Página 249
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation The public key gen erated by the switch consists of t hree parts, separated by one blank space each: Bit Size Exponent <e> Modulus <n> 896 35 427199470766077426366625060579924214851527933248752021855126493 293407540704782860432930458032140273304999167004670769854352[...]
-
Página 250
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add a ny data required by your SSH c lient application. For example Before saving the key to an SSH client’ s "known hosts" file you may have to insert the switch’ s IP address: Bit Size Exponent <e> Modulu s <n> Inserted IP Address Figure 7-8. Exam[...]
-
Página 251
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Hexadecimal "Fingerpri nts" of the Same Switch Phonetic "Hash" of Switch’ s Public Key Figure 7-9. Examples of Visual Phoneti c and Hexadecimal Con versions of the Switch’ s Pub lic Key The two commands shown in figure 7-9 convert the displayed format of[...]
-
Página 252
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavio r . At the first contact be tween the switch and an SSH client, if the swit ch’ s pu blic ke y has not been copied into the client, then the client’ s first connection to th e switch will question the connec tion and, for security reasons, provide[...]
-
Página 253
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher <cipher-type>] Specify a cipher type to use for connection. V alid types are: • aes128-cbc • 3des-cbc • aes192-cbc • aes256-cbc • rijndael-cbc@lysator .liu.se • aes128-ctr • aes192-ctr • ae[...]
-
Página 254
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 7-18. [public-key <manager | operator> ] Configures a client public key. manager : Select manager public keys (ASCII formatted). oper[...]
-
Página 255
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution Protect your private key file from ac cess by anyone other than yoursel f. If someone can access your private key file, they can then penetrate SSH security on the switch by ap pearing to be you. SSH does not prot ect the switch fr om unauthorized access via the web int[...]
-
Página 256
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option A: Configuring SSH Access for Password-Only SSH Authentication. When configured with this option, the sw itch uses its pub- lic key to authenticate itself to a clie nt, but uses only p asswords for client authentication. Syntax: aaa authentication ssh login < local | [...]
-
Página 257
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: copy tftp pub-key-file < ipv4-address | ipv6-address > < filename > Copies a public key fi le into the switch. aaa authentication ssh login public-key Configures the switch to authenticate a cl ient public-key at the login level with an opti onal secondary p[...]
-
Página 258
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation ProCurve(config)# password manager us er-name leader Configures Manager user- name and password. Configures the switch to allow SSH access only for a client whos e public key matches one of the keys in the p ublic key file. Configures the primary and secondary password methods [...]
-
Página 259
Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication 6. Use an SSH Client T o Access the Switch T est the S SH configuration o n the switch to ensure that you have achieved the level of SSH operatio n you want for the switch. If you have probl ems, refer to "RADIUS-R elated Problem s" in the T rouble[...]
-
Página 260
Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication If you enable client public-key auth entication, the follow ing events occur when a client tries to acc ess the switch using SSH: 1. The client sends its public key to the switch with a re quest for authenti- cation. 2. The switch compares the client’ s pu[...]
-
Página 261
Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication T o Crea te a Client-Publi c-Key T e xt File. These steps describe how to copy client-public-ke ys into the switch for challenge-respon se authentication, and require an understandi ng of how to use you r SSH client application. Figure 7-13. Exa mple of a Cl[...]
-
Página 262
Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication 2. Copy the client’ s public key into a text file ( filename .txt ). (For example, you can use the Notepad editor includ e d with the Microsof t® W indows® software. If you want several client s to use client public-key authentica- tion, copy a public k [...]
-
Página 263
Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication The babble option converts the key data to phonetic hashes that are easier fo r visual comparisons. The fingerprint option converts the ke y data to hexadec- imal hashes that are for the same purpose. The keylist-str selects keys to display (comma-delimited [...]
-
Página 264
Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication Syntax: clear crypto public-key Deletes the client-public-ke y file from the swi tch. Syntax: clear crypto public-key 3 Deletes the entry with an index of 3 from the client-public-key fi le on the switch. Enabling Client Pub lic -Key Authentication. After yo[...]
-
Página 265
Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. File transfe r did not occur . Indicates an error in communicating with the tftp server or not finding the file to download. Causes incl ude such factors as: • Incorrect IP configuration on the switch • I n[...]
-
Página 266
Configuring Secure Shell (SSH) Messages Related to SSH Operation Generating new RSA host key. If the After you execu te the generate ssh [dsa | rsa] Message Meaning cache is depleted, this could t ake up to comman d, the switch displays this message while it two minutes. is gene rating the k ey . Host RSA key file corrupt or not found. Th e switch?[...]
-
Página 267
8 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . .[...]
-
Página 268
Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu CLI We b Generating a Self Signed Certificate on the switch No n/a page 8-8 page 8-12 Generating a Certificate Request on the switch No n/a n/a page 8-15 Enabling SSL Disabled n/a page 8-17 page 8-19 The switches covered in this guide use Secure Socket Layer V ersion 3 (SS[...]
-
Página 269
Configuring Secure Socket Layer (SSL) Terminology ProCurve Switch (SSL Server) SSL Client Browser 1. Switch-to-Cl ient SSL Cert. 2. User -to-Sw itch (login password an d enable password authe ntication) options: – Local – T ACACS+ – R ADIUS Figure 8-1. Switch/ User Authentication SSL on the switches covered in this guide supp orts these data [...]
-
Página 270
Configuring Secure Socket Layer (SSL) Terminology ■ Root Certificate: A trusted certificate used by certificate author ities to sign certificates (CA-Signed Certificat es) and used later on to verify that authenticity of those si gned certificates. T rusted certificates are distrib- uted as an integral part of most po pular web clients. (see brow[...]
-
Página 271
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL se rver , you must install a publicly or commercially available SSL enabled we b browser application on the com- puter(s) you use for manage ment acce ss to the switch. Steps for Configuring and Using SSL for Switch and Clie[...]
-
Página 272
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes 4. Use your SSL enabled brow ser to acc ess the switch using the sw itch’ s IP address or DNS name (if allowed by your browser). Refer to the documentatio n provided with the browser appl ication. General Operating Rules and Notes ■ Once you generate a certificate on the sw[...]
-
Página 273
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl page 8-19 show config page 8-19 show crypto host-cert 8-12 crypto key generate cert [rsa] <5 12 | 768 |1024> 8-10 zeroize cert 8-10 crypto host-cert generate s[...]
-
Página 274
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Security T ab Password Button Figure 8-2. Example of Configurin g Local Passwords 1. Proceed to the security tab an d select device passwords button. 2. Click in the appropr iate box in the Device Passwords wi ndow and enter user names and passwords. Y ou will be require[...]
-
Página 275
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The server cert ificate is stored in the switch’ s flash memory . The server certificate should be added to your certi ficate folder on th e SSL clients who you want to have access to the switch. Most browser applications automati- cally add the switch’ s host certif[...]
-
Página 276
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI commands used to generate a Server Host Certificate. Syntax: crypto key generate cert [rsa] < 512 | 768 |1024 > Generates a key pair for use in the certificate. crypto key zeroize cert Erases the switch’ s certificat e key and disa bles SSL opera- tion. crypt[...]
-
Página 277
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation T able 8-1.Certificate Field Descrip tions Field Name Description V alid Start Date This should be the date you desire to begin using the SSL functionality . V alid End Date This can be any future date, however good security practices would suggest a valid duration of ab[...]
-
Página 278
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI Command to view host certificates. Syntax : show crypto host-cert Displays switch’s host certificate T o view the current host certif icate from the C LI you use the show crypt o host- cert command. For example, to display the new server host certificate: Show host[...]
-
Página 279
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation T o generate a self signed host certif icate from the web b rowser interface: i. Proceed to the Security tab then the SSL bu tton. The SSL config- uration screen is split up into two halve s. The left ha lf is used in creating a new certificate key pa ir and (self-sign e[...]
-
Página 280
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web brow sers inter - face: Certificate T ype Box Key Size Selection Certificate Argu ments Figure 8-5. Self-Signed Certificate generat i on via SSL Web Browser Interface Screen T o view the current host certifi cat[...]
-
Página 281
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 8-6. Web browser Interface showing curren t SSL Host Certificate Generate a CA-Signed server host certificate with the W eb browser interface T o install a CA-Signed server host c ertificate from the web browser interface. For more inf[...]
-
Página 282
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation that involves having the certificate authority verify the certifi cate request and then digitally signing the request to gen erate a certific ate response (the usable server host certificate). The third phase is the down load phase consisting of pasting to the switch web[...]
-
Página 283
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation -----BEGIN C ERTIFICA TE----- MIICZDCCAc2gA wIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgU FVSUE9TRVMgT05MWTEd MBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzA V BgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb2 90MB4X[...]
-
Página 284
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch yo u must genera te the switch’ s host certificate and key . If you h ave not already done so, refer to “2. Generating the Switch’ s Server Host Certificate” on page 8-8. When configured for SSL, the switch uses its host cer[...]
-
Página 285
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI Interface to Enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443). Important: See “Note on Port Number” on page 8-20. show config [...]
-
Página 286
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and port number Sele ction Figure 8-8. Using the web b rowser interface to enable SSL an d select TCP port number Note on Port ProCurve recommends using the default IP port number (443). However , you Number can use web-management ssl tcp-port to specify any T[...]
-
Página 287
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CL I Y ou have not generated a certificate key . (Refer to “CLI commands used to generate a Server Host Certificate” on page 8-10.) Enabling SSL on the CLI or Web browse r interface Y ou have not[...]
-
Página 288
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup 8-22[...]
-
Página 289
9 IPv4 Access Control Lists (ACLs) Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4 What Is the Difference Between Network (or Subnet) Rules for Defining a Match Between a Packet and an Overview of Options for Applying IPv4 ACLs on the Switch . . . . . . 9-6 Static ACLS . [...]
-
Página 290
IPv4 Access Control Lists (ACLs) Contents Configuring and Assigning a n IPv4 ACL . . . . . . . . . . . . . . . . . . . . . . . 9-34 A Configured ACL Has No Ef fect Until You Apply It You Can Assign an ACL Name or Number to an Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-34 [...]
-
Página 291
IPv4 Access Control Lists (ACLs) Contents Displaying ACL Configuration D ata . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-85 Display an ACL Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-86 Display the Content of All ACL s on the Switch . . . . . . . . . . . . . . . . . . 9-87 Display Static Port ACL As[...]
-
Página 292
IPv4 Access Control Lists (ACLs) Introduction Introduction An Access Control List (ACL) is a list of one or more Access Control Entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing th e switch’ s interface s. This chapter describes how to config ure, apply , an d edit IPv4 ACLs in [...]
-
Página 293
IPv4 Access Control Lists (ACLs) Introduction Notes IPv4 ACLs can enhance network security by blocking se lected traffic, and can serve as part of your netwo rk security program. However , because ACLs do not provide user or device authentica tion, or protectio n from malic ious manipulation of data carried in IPv4 packet transmissions, they should[...]
-
Página 294
IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Overview of Options for Applying IPv4 ACLs on the Switch T o apply IPv4 ACL filtering, assign a configured IPv4 ACL to the interface on which you want traffic filt ering to occur . Port tr affic ACLs can be a pplied either statically or dynamically (using a RA[...]
-
Página 295
9-49 9-76 IPv4 Access Control Lists (ACLs) Overview of Options for Appl ying IPv4 ACLs on the Switch Create a Standard, ProCurve(config)# access-list < 1-99 > < deny | permit > Numbered ACL < any | host < SA > | SA /< mask-length > | SA < mask >> or [ log ] 2 Add an ACE to the End of an Existing Standard, Numbere[...]
-
Página 296
IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch T able 9-2. Command Summary for I Pv4 Extended ACLs Action Comman d(s) Page Create an Extended, Named ACL or Add an ACE to the End of an Existing, Extended ACL ProCurve(config)# ip access-list extended < name-str | 100-199 > 9-55 ProCurve(config-std-nacl[...]
-
Página 297
IPv4 Access Control Lists (ACLs) Overview of Options for Appl ying IPv4 ACLs on the Switch Enter or Remove a ProCurve(config)# ip access-list extended < name-str | 100-199 > 9-81 Action Comman d(s) Page Remark ProCurve(config-ext-nacl)# [ remark < remark-str > | no remark ] 9-83 For numbered, extended ACLs only , the following remark co[...]
-
Página 298
IPv4 Access Control Lists (ACLs) Terminology T erminology Access Control Entry (ACE): A policy consi sting of criter ia and an action (permit or deny) to execute on a p acket if it meets the criteria. The elements co mposing the crit eria include: • source IPv4 address and mask (standard and extended ACLs) • destination IP v4 address and mask ([...]
-
Página 299
IPv4 Access Control Lists (ACLs) Terminology ACL Mask: Follows any IPv4 address ( source or destination) lis ted in an ACE. Defines which bits in a packet’ s corresponding IPv4 addressin g must exactly match the addressing in the ACE, and which bits need not match (wildcards). See also “How an ACE Us es a Mask T o Screen Packets for Matches” [...]
-
Página 300
IPv4 Access Control Lists (ACLs) Terminology Inbound T raffic: For the purpose of defining where the switch applies IPv4 ACLs to filter traffic, in bound traffic is a packet that meets one of the following crit eria: • Static Port ACL: Inbound traffic is a packet entering the switch on the port. • Dynamic Port ACL: Where a RA DIUS server has au[...]
-
Página 301
IPv4 Access Control Lists (ACLs) Terminology whether there is a match betwee n a packet and the ACE. In an extended ACE, this is the first of two IPv4 ad dresses used by the ACE to determine whether there is a match between a p acket and the ACE. See also “DA”. seq-# : The term used in ACL syntax st atements to repr esent the sequence number va[...]
-
Página 302
IPv4 Access Control Lists (ACLs) Overview Overview T ypes of IPv4 ACLs A permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, o r on source address plus other factors. Standard ACL: Use a standard ACL when you need to pe rmit or deny IPv4 traffic based on so urce address on ly . St andard ACLs are al so us[...]
-
Página 303
IPv4 Access Control Lists (ACLs) Overview Static Port ACL and Dyna mic Port ACL Applications An IPv4 static port ACL filt ers any IPv4 traffic inboun d on the designated port, regardless of whether the traf fic is switched or routed. Dynamic (RADIUS-assigned) Port ACL Applications Dynamic (RADIUS-assigned) port ACL s are configured on RADIUS server[...]
-
Página 304
IPv4 Access Control Lists (ACLs) Overview 802.1X User -Bas ed and Port-Ba sed Applicati ons. User -Based 802.1X access control allows up to 8 individually a uthenticated clients on a given port. However , port-based a ccess contro l does not set a clie nt limit, and requires only one authenticat ed client to open a given p ort (and is recommended f[...]
-
Página 305
IPv4 Access Control Lists (ACLs) Overview • T h e C L I remark command option allow s you to enter a separate comment for each ACE. ■ A source or destinati on IPv4 addre ss and a mask, together , ca n define a single host, a range of h osts, or all hosts. ■ Every ACL populated with one or more explicit ACEs includes an Implicit Den y as the l[...]
-
Página 306
IPv4 Access Control Lists (ACLs) Overview General Steps for Planni ng and Configuring ACLs 1. Identify the ACL application to apply . As part of this step, determine the best points at whi ch to apply specific ACL controls. For example, you can improve network perfor mance by filtering unwanted IPv4 traff ic at the edge of the network instead of in[...]
-
Página 307
IPv4 Access Control Lists (ACLs) Overview For more details on ACL planning consideratio ns, refer to “Planning an ACL Application” on page 9-24. Caution Regarding the Use of Source Routing Source routing is enab led by default on the switch and can be used to override ACLs. For this reason, if you are usin g ACLs to enhance network security , t[...]
-
Página 308
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation IPv4 Static ACL Operation Introduction An ACL is a list of one or more Ac cess Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). A static ACL applies onl y to the switch in which it is configured. ACLs operate on assigned interfaces, and [...]
-
Página 309
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation ACL. This directs the ACL to permit (f orward) packets that do not have a match with any earlier ACE listed in th e ACL, and prevents these packets from being filtered by the implicit “deny any”. Example. Suppose the ACL in figure 9-2 is a ssigned to filter the IPv4 traffic from an auth[...]
-
Página 310
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation Is there a match? Perform action (permit or den y). No T est a packet agains t criteria in first A CE. Ye s No Ye s Deny the packet (invoke an Implici t Deny). End Perform ac tion (permit or deny). End End T est the packet against criteria in second ACE. Is there a match? T est packet again[...]
-
Página 311
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation 1. Permit inbound IPv4 traffic from IP address 10.11.11.42. 2. Deny only the inbound T elnet traffi c from address 10.11.11.101. 3. Permit only inbound T elnet traffic fr om IP address 10.11.11.33. 4. Deny all other inbound IPv4 traffic. The following AC L model , wh en assigned to inbound [...]
-
Página 312
IPv4 Access Control Lists (ACLs) Planning an ACL Application Planning an ACL Application Before creating and im plementing ACLs, you need to defi ne the po licies you want your ACLs to enfor ce, and und erstand how the ACL assignments will impact your network users. Note All IPv4 traffic entering the switch on a giv en interface is filtered by all [...]
-
Página 313
IPv4 Access Control Lists (ACLs) Planning an ACL Application ■ What are the logical points for mini mizing unw anted traffic, and what ACL application(s) should b e used? In many cases it makes sense to prevent unwant ed traffic from rea chi ng the core of your network by configuring ACLs to dro p the unwanted traffic at or close to the edge of t[...]
-
Página 314
IPv4 Access Control Lists (ACLs) Planning an ACL Application Caution IPv4 ACLs can enhance network security by blocking selec ted traffic, and can serve as one aspect of ma intaining network security . However , because ACLs do not provide user or device authenti cation, or protectio n fr om malicious manipulation of data carried in IP pa cket tran[...]
-
Página 315
IPv4 Access Control Lists (ACLs) Planning an ACL Application ■ Generally , you should list ACEs fr om the most speci fic (individual hosts) to the most general (subnets or groups of subnets) unl ess doing so permits traf fic that you want dropped . For example, an ACE allowing a small group o f workstations to use a sp ecialized printer should oc[...]
-
Página 316
IPv4 Access Control Lists (ACLs) Planning an ACL Application ■ Explicitly Permitting Any IPv4 T raffic: Entering a permit any or a permit ip any any A CE in an ACL pe rmits all IPv4 traffic not previ ously permitted or denied by that ACL. Any ACEs liste d after that point do not have any effect. ■ Explicitly Denyi ng Any IPv4 T raf fic: Enterin[...]
-
Página 317
IPv4 Access Control Lists (ACLs) Planning an ACL Application Thus, the bi ts set to 1 in a netw ork mask define the part of an IPv4 address to use for the ne twork numb er , and the bits set to 0 in the m ask define th e part of the address to use for the host number . In an ACL, IPv4 addresses and masks pr ovide crite ria for determinin g whether [...]
-
Página 318
IPv4 Access Control Lists (ACLs) Planning an ACL Application ACL mask to overlap one bit, which allows matches with hosts in two subnets: 31.30.224.0 and 31.30.240.0. Bit Position in the Third Octet of Subnet Mask 255.255.240.0 Bit V alues 128 64 32 1 6 8 4 2 1 Subnet Mask Bits Mask Bit Settings Affecting Subnet Addresses 1 0 1 0 1 0 1 n/a n/a n/a [...]
-
Página 319
IPv4 Access Control Lists (ACLs) Planning an ACL Application • A group of IPv4 addresses fits t he matching criteria. I n t h i s c a s e you provide bo th the address and the mask. For ex ample: access-list 1 permit 10.28.32.1 0.0.0.31 Address Ma sk 10.28.32.1 0.0.0.31 This policy states tha t: – In the first three octets of a packet’ s SA, [...]
-
Página 320
IPv4 Access Control Lists (ACLs) Planning an ACL Application dictates that a match occurs onl y when the source address on such packets is identical to the addr ess configured in the ACE. ip access-list standard Fileserver permit 10.28.252.117 0.0.0.0 exit Inbound Packet “A” On VLAN 20 – Destination Address: 10.35.248.184 – Source Address: [...]
-
Página 321
IPv4 Access Control Lists (ACLs) Planning an ACL Application T able 9-3. Mask Effect on Selected Oct ets of the IPv4 Addresse s in T able 9-2 Addr Octet Mask Octet 128 64 32 16 8 4 2 1 Range A 3 0 all bits 252 1 1 1 1 1 1 0 0 B 3 7 last 3 bits 248-255 1 1 1 1 1 0 or 1 0 or 1 0 or 1 C 4 0 all bits 195 1 1 0 0 0 0 1 1 D 2 15 last 4 bits 32-47 0 0 1 0[...]
-
Página 322
IPv4 Access Control Lists (ACLs) Configuring and Assig ning an IPv4 ACL Configuring and Assigning an IPv4 ACL ACL Feature Page Caution Regarding the Use of IPv4 Source Routing Configuring and Assigning a Standard ACL 9-44 Configuring and Assigning an Extended ACL 9-53 Enabling or Disabling ACL Filtering 9-73 Overview General Steps for Implementing [...]
-
Página 323
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Options for Permit/Deny Policies The permit or deny policy for IPv4 traffic you want to f ilter can be based on source address alone, or on source address plus other IPv4 factors. ■ Standard ACL: Uses only a packet's sour ce IPv4 address as a crite- rion for permitting or[...]
-
Página 324
IPv4 Access Control Lists (ACLs) Configuring and Assig ning an IPv4 ACL 3. One or more deny/per mit list entries (ACEs): One entry per line. Element Notes T ype Standard or Extended Identifier • Alphanumeric; Up to 64 Characters, Including Spaces • Numeric: 1 - 99 (Standard) or 100 - 199 (Extended) Remark Allows up to 100 alphanumeric c haracte[...]
-
Página 325
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, figure 9-7 shows how to in terpret th e entries in a stand ard ACL. ProCurve(Config)# show running . . . ACL List Heading with List T ype and Identifier (Name o r Number) ip access-list standard “Sample-List” 10 deny 10.28.150.77 0.0.0.0 log 20 permit 10.28.150.[...]
-
Página 326
IPv4 Access Control Lists (ACLs) Configuring and Assig ning an IPv4 ACL ip access-list extended < identifier > [ [ seq-# ] remark < remar k-str >] < permit | deny > < ipv4-protoc ol-type > < SA > < src-acl-mask > < DA > <dest-acl-m ask > [ log ] < permit | deny > tcp < SA > < src-acl-ma[...]
-
Página 327
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, figure 9-9 shows how to in terpret the entries in an extende d ACL. Figure 9-9. Example of a Di splayed Extended ACL Confi guration ProCurve(config)# show running Running configuration: ; J9146A Configuration Editor; Created o n release #W.14.XX hostname "ProCu[...]
-
Página 328
IPv4 Access Control Lists (ACLs) Configuring and Assig ning an IPv4 ACL For example, suppose that you have app lied the ACL shown in figure 9-10 to inbound IPv4 traffic on VLAN 1 (the default VLAN): ip access-list extended "Sample-List- 2" 10 deny ip 10.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255 20 deny ip 10.28.245.89 0.0.0.0 0.0.0.0 255.[...]
-
Página 329
50 IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Line # Action Any packet from any IPv4 SA to an y IPv4 DA will be permitted (forwarded). The only traffic to reach this ACE will be IPv4 packets not specifically per mitted or denied by the earlier ACEs. n/a The Implicit Deny is a function the switch automatically adds as t h[...]
-
Página 330
IPv4 Access Control Lists (ACLs) Configuring and Assig ning an IPv4 ACL Using the CLI T o Create an ACL Command Page access-list (standard ACLs) 9-44 access-list (extended ACLs) 9-53 Y ou can use either the switch CLI or an offline text editor to create an ACL. This section describes th e CLI method, which is recommended for creating short ACLs. (T[...]
-
Página 331
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL T o insert an ACE anywhere in a numbe red ACL, use the same process as described above for inserting an ACE anywhere in a named ACL. For example, to insert an ACE deny ing IPv4 traffic from the host at 10.10.10.77 as line 52 in an existing ACL identifie d (named) with the number[...]
-
Página 332
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring Standard ACLs T able 9-6. Command Summary for Standard ACLs Action Comman d(s) Page Create a Standard, Named ACL or Add an ACE to the End of an Existing Stan- dard, Named ACL ProCurve(config)# ip access-list standard < name-str > ProCurve(config-std-nacl)# < deny | perm[...]
-
Página 333
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs A standard ACL uses only source IPv4 a ddresses in its ACEs. This type of ACE is useful when you need to: ■ Permit or deny any IP v4 traffic based on source address only . ■ Quickly control the IPv 4 traffic from a specific address. This allows you to isolate IPv4 traffic problem s gene[...]
-
Página 334
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring Named, Standard ACLs This section describes th e commands for performing the following: ■ creating and/or entering the c ontext of a named, standard ACL ■ appending an ACE to the end of an ex isting list or enteri ng the first ACE in a new list For other IPv4 ACL topics, re [...]
-
Página 335
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring ACEs in an Na med, Standard ACL. Configuring ACEs is done after using the ip access-list standard < name-str > command described above to enter the “Named ACL” ( nacl ) context of an access list. For a standard ACL syntax summary, ref er to table 9-6 on page 9-44 . Syn[...]
-
Página 336
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs [ log] This option generates an ACL log message if: • The action is deny. • There is a match. • AC L logging is enabled on t he switch. (Refer to “” on page 9-96.) (Use the debug command to direct ACL logging output to the current console session and/or to a Syslog server . Note t[...]
-
Página 337
-------------------------------------- ----------------------------------------- IPv4 Access Control Lists (ACLs) Configuring Standard ACLs ProCurve(config)# show access-list Sam ple-List Access Control Lists Name: Sample-List Type: Standard Applied: No SEQ Entry 10 Action: permit 20 IP : 10.10.10.104 Action: deny (log) IP : 10.10.10.1 Mask: 0.0.0.[...]
-
Página 338
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Creating or Adding to an Stan dard, Numbered ACL. This command is an alternative to u sing ip access-list standard < name-str > and does not use the “Named ACL” ( nacl ) context . For a standard ACL syntax summary, refer to table 9-6 on page 9-44. Syntax: access-list < 1-99 >[...]
-
Página 339
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs < any | host < SA > | SA < mask | SA / mask-length >> Defines the source IPv4 address (S A) a packet must carry for a match with the ACE. • any — Allows IPv4 packets from any SA. • host < SA > — Specifies only packets having < SA > as the source. Use th[...]
-
Página 340
----------------------------------- ------------------------------------------- IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Example of Creating and V iewing a Stand ard ACL. This example cre- ates a standard, numbered ACL with the same ACE content as show in figure 9-11 on p age 9-48. ProCurve(config)# access-list 17 pe rmit host 10.[...]
-
Página 341
9-55 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configuring Extended ACLs T able 9-7. Command Summary for E xtended ACLs Action Command(s) Page Create an Extended, Named ACL or Add an ACE to the End of an Existing, Extended ACL ProCurve(config)# ip access-list extended < name-str | 100-199 > ProCurve(config-std-nacl)# < den[...]
-
Página 342
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Action Command(s) Page Enter or Remove a Pro Curve(config)# ip access-list extended < name-str | 100-199 > 9-81 Remark ProCurve(config-ext-nacl)# [ remark < remark-str > | no < 1 - 2147 483647 > remark ] 9-83 For numbered, extended ACLs only , the following remar k command[...]
-
Página 343
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configuring Named, Extended ACLs For a match to occur with an ACE in an extended ACL, a packet must have the source and destination address criter ia specified by the ACE, as well as any IPv4 protocol-specific crit eria included in the command. Use the following general st eps to crea te or[...]
-
Página 344
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Creating a Named, Extended ACL and/ or Entering the “Named ACL” ( nacl ) Context. This command is a prerequisite to entering or editing ACEs in a named, extend ed ACL. (For a summary of the extended ACL synta x options, refer to table 9-7 on page 9-53.) Syntax: ip access-list extend ed [...]
-
Página 345
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configure ACEs in a Named, Ex tended ACL and/or Enter the “Named ACL” ( nacl ) Context. Configuring ACEs is done after using the ip access- list standard < name-str > comman d described on page 9-56 to enter the “Named ACL” ( nacl ) context of an ACL. For an exte nded ACL synt[...]
-
Página 346
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Used after deny or permit to specify the pack et protocol type required for a match. An extend ed ACL must include one of the following: • ip — any IPv4 packet. • ip-protocol — any one of the following IPv4 proto col names: ip-in-ip ipv6-[...]
-
Página 347
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < any | host < DA > | DA/mask -length | DA/ < mask >> This is the second instance of IP v4 addressing in an extended ACE. It follows the first (SA) instance, described earlier , and defines the destination address (D A) that a packet must carry in order to have a match wit[...]
-
Página 348
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ tos < tos-setting > ] This option can be used after th e DA to cause the ACE to match packets with the specified T ype -of-Service (T oS) setting. T oS values can be entered as the fo llowing numeric settings or , in the case of 0, 2, 4, and 8, as alpha numeric names: 0 or normal 2 [...]
-
Página 349
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for TCP and UDP T raffic in Extended ACLs. An ACE designed to permit or deny TCP or UDP traffi c can optionally include port number criteria for either the sour ce or destin ation, or both. Use of TCP criteria al so allows the established option for controlling TCP connection traf f[...]
-
Página 350
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Port Number or Well-Known Port Name: Use the TCP or UDP port number required by your appli- cation. The switch also a ccepts these well-known TCP or UDP port names as an alternative to their port numbers: • TCP : bgp, dns, ftp , http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet • U[...]
-
Página 351
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for ICMP T raffic in Extended ACLs. This option is useful where it is necessary to per mit some types of ICMP traffic and deny other types, instead of si mply permitting or de nying all types of ICM P traffic. That is, an ACE designed to permit or deny ICMP traf fic can optionally i[...]
-
Página 352
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ icmp-type-name ] These name options are an alternative to the [icmp-type [ icmp-code] ] methodology described above . For more infor - mation, visit the IANA website cited above. administratively-prohibited net-tos-unreachable alternate-address net-unreachable conversion-error network-unk[...]
-
Página 353
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Option for IGMP in Extended ACLs. This option is useful where it is nec- essary to permit some typ es of IGMP traffic and den y other types instead of simply permitting or de nying all types of IGMP traffic. That is, an ACE designed to permit or deny IGMP traffic can op tionally include an [...]
-
Página 354
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs For other IPv4 ACL topics, re fer to the follow ing: To p i c Page configuring named, standard ACLs 9-46 configuring numbered, standard ACLs 9-49 configuring named, extended ACLs 9-55 applying or removing an ACL on an interface 9-73 deleting an ACL 9-74 editing an ACL 9-75 sequence numberin[...]
-
Página 355
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs If the ACL does not already ex ist, this command creates the specified ACL and its first ACE. If the ACL already exists, the new ACE is appended to the en d of the config ured list of explicit ACEs. In the default co nfiguration, the ACEs in an ACL will automati cally be a ssigned consecuti[...]
-
Página 356
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Specifies the packet protocol t ype required for a match. An extended ACL must includ e one of the following: • ip — any IPv4 pa cket. • ip-protoco l — any one of the following IPv4 protocol names: ip-in-ip ipv6-in-ip gre esp ah ospf pim [...]
-
Página 357
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs SA Mask Application: The mask is applied to the SA in the ACL to define which bits in a packet’ s source SA must exactly match the address configured in the ACL and which bits need not match. Example: 10.10.10. 1/24 and 10.10.10.1 0.0.0.255 both define any IP address in the range of 10.10[...]
-
Página 358
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ precedence < 0 - 7 | precedenc e-name >] This option causes the ACE to match packets with the specified IP preceden ce value. V alues can be entered as the following IP precedence numbers or alphanumeric names: 0 or routine 1 “ priority 2 “ immediate 3 “ flash 4 “ flash-over[...]
-
Página 359
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Additional Options f or TCP and UDP T raffic. An ACE designed to per - mit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for control ling TCP conn ection traffic. ([...]
-
Página 360
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Syntax: access-list < 100 - 199 > < deny | permit > igmp < src-ip > < dest -ip > [ igmp - type ] The IGMP “type” criteria is id entical to the criteria described for IGMP in named, extended ACLs, beginning on page 9-65. 9-72[...]
-
Página 361
IPv4 Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface Adding or Removing an ACL Assignment On an Interface Filtering Inbound IPv4 T raffic Per Port For a given port, po rt list, or static port trunk, you can assign an ACL as a static port ACL to filter any IPv4 traffic entering the sw itch on that interface. Y ou can[...]
-
Página 362
IPv4 Access Control Lists (ACLs) Deleting an ACL ProCurve(config)# interface b10 ip acce ss-group My-List in ProCurve(config)# interface b10 ProCurve(eth-b10)# ip access-group 155 in Enables a static port ACL ProCurve(eth-b10)# exit from a port context. ProCurve(config)# no interface b10 ip access-group My-List in Disables a static po rt ACL from t[...]
-
Página 363
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Editing an Existing ACL The CLI provid es the capability for ed iting in the switch by u sing sequence numbers to insert or dele te individual ACEs. An offline method is also avail- able. This section describes using the CL I for editing ACLs. T o use the offline method for editing ACLs, refe[...]
-
Página 364
IPv4 Access Control Lists (ACLs) Editing an Existing ACL ■ Y ou can delete any ACE from any AC L (named or numb ered) by using the ip access-list command to enter the ACL ’ s context, and then using the no < seq-# > command (page 9- 79). ■ Deleting the last ACE from an ACL l eaves the ACL in memory . In this case, the ACL is “empty”[...]
-
Página 365
IPv4 Access Control Lists (ACLs) Editing an Existing ACL For example, to append a fourth ACE to the end of the ACL in figure 9-16: P roCurve(config)# ip access-list st andard My-List ProCurve(config-std-nacl)# permit any ProCurve(config-std-nacl)# show run . . . ip access-list standard "My-List" 10 permit 10.10.10.25 0.0.0.0 20 permit 10.[...]
-
Página 366
IPv4 Access Control Lists (ACLs) Editing an Existing ACL 2. Begin the ACE command with a sequ ence number that identifies the position you want the ACE to occupy . (The sequence number range is 1- 2147483647 .) 3. Complete the ACE with the command syntax appropriate for the type of ACL you are editing. For example, inserting a new ACE between the A[...]
-
Página 367
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Deleting an ACE from an Existing ACL This action uses ACL sequence numbers to de lete ACEs from an ACL. Syntax: ip access-list < stand ard | extended > < name-str | 1 - 99 | 100 - 199 > no < seq-# > The first command enters the “Named-ACL” context for the specified ACL. [...]
-
Página 368
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Resequencing the ACEs in an ACL This action reconf igures the starting sequence number for ACEs in an ACL, and resets the numeric interval betw een sequence numbers for ACEs config- ured in the ACL . Syntax: ip access-list resequence < name-str | 1 - 99 | 100 - 199 > < starting-seq-#[...]
-
Página 369
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Attaching a Remark to an ACE A remark is numbered in the same way as an ACE, and use s the same sequence number as the ACE to which it refers. Th is operation requires that the remark for a given ACE be entered prior to entering the ACE itself. Syntax: access-list < 1 - 99 | 100 - 199 >[...]
-
Página 370
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Note After a numbered ACL has been created (using access-list < 1 - 99 | 100 - 199 > ), it can be mana ged as either a name d or numbered ACL. For example, in an existing ACL with a numeric identifier of “115”, either of the following c om- mand sets adds an ACE denying IP traffi c [...]
-
Página 371
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Inserting Remarks and Related ACEs W ithin an Existing List. To insert an ACE with a rem ark within an ACL by specifying a sequ ence number , insert the numbered remark first, then, using the same sequence number , insert the ACE. (This operation applies only to ACLs accessed using the “Nam[...]
-
Página 372
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Operating Notes for Remarks ■ The resequence command ignores “orphan” remarks that do not have an ACE counterp art with the same sequ ence number . For example, if : • a remark numbered “55” exists in an ACE • there is no ACE numbered “55” in the same ACL • resequence is e[...]
-
Página 373
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying ACL Configuration Data ACL Commands Function Page show access-list show access-list config show access-list ports < all | port-list > show access-list < acl-name- str > show access-list resources show access-list radius < all | port-list > show config sh[...]
-
Página 374
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display an ACL Summary This command lists the configured IPv 4 ACLs. Syntax: show access-list List a summary table of the name, type, and appl ication status of IPv4 ACLs configured on the switch. For example: ProCurve(config)# show access-list Access Control Lists Type Appl Name --[...]
-
Página 375
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display the Content of All ACLs on the Switch This command lists the configurati on details for the IPv4 ACLs in t he running- config file. Syntax: show access-list con fig List the configured syntax for all IPv4 ACLs currently config- ured on the switch. Note Notice that you can us[...]
-
Página 376
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display Static Port ACL Assignments This command briefly lists the identificat ion and type(s) of current static port ACL assignments to individual switch po rts and trunks, as configured i n the running-config file . (The switch allows one sta tic port ACL assignment p er port.) Sy[...]
-
Página 377
-------------------------------------- ---------------------------------------- IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying the Content of a Specific ACL This command displays a specif ic ACL configu red in the run ning config file in an easy-to-read tabular format. Note This information also appears in the show ru[...]
-
Página 378
-------------------------------------- -------------------------------- : IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data ProCurve(config)# show access-list Lis t-120 Access Control Lists Name: List-120 Type: Extended Indicates whether the AC L is applied to an interface. Applied: No SEQ Entry Indicates source and destin ation en[...]
-
Página 379
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data IP Used for Standard ACLs: The source IP address to which the config ured mask is ap plied to determine whether there is a match with a packet. Field Description Src IP Used for Extended ACLs: Same as above. Dst IP Used for Extended ACLs: The source and destination IP addresses to w[...]
-
Página 380
IPv4 Access Control Lists (ACLs) Monitoring Static ACL Performance Monitoring Static ACL Performance ACL statistics counters provide a mean s for monitoring ACL performance by using coun ters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. Th is can help, for example, to determ[...]
-
Página 381
IPv4 Access Control Lists (ACLs) Monitoring Static ACL Performance ACE Counter Oper ation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the crit eria in that ACE, and maintain s a running total of the match es since the last counter reset. For example, in ACL line 10 be low, ther[...]
-
Página 382
IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline Creating or Editing ACLs Offline The section titl ed “Editing an Existi ng ACL” on page 9-75 describes how to use the CLI to edit an ACL, and is m ost applicable in cases where the A CL is short or there is only a minor editi ng task to perform. The offl ine method provides a use[...]
-
Página 383
10 permit tcp 10.30.133.27 0.0.0.0 eq 23 0.0.0.0 255.255.255.255 IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline If you are replacing an ACL on the sw itch with a n ew ACL that uses th e same number or name syntax, begin th e command file with a no ip access- list c ommand to remove the earlier vers ion of the ACL from th e switch[...]
-
Página 384
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enable ACL “Deny” Logging ACL logging enables the sw itch to generate a message w hen IP traffic meets the criteria for a match with an ACE that results in an explic it “deny” action. Y ou can use ACL l ogging to help: ■ T est your network to ensure that your ACL config uratio[...]
-
Página 385
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging ACL Logging Operation When the switch detects a packet match with an ACE and the ACE includes both the deny acti on and the optional log parameter , an ACL log me ssage is sent to the desi gnated debug destinat ion. The first time a pa cket matches an ACE with deny and log configured, t[...]
-
Página 386
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enabling ACL Loggin g on the Switch 1. If you are using a Syslog server , use the loggin g < ip-addr > command to configure the Syslog server IP address(es). Ensure that the switch can access any Syslog server(s) you specify . 2. Use logging facility syslog to enable th e logging [...]
-
Página 387
IPv4 Access Control Lists (ACLs) General ACL Operating Notes General ACL Operating Notes ACLs do not provide DNS hostname support. ACLs cannot be config- ured to screen hostname IP traf fic betwee n the switch and a DNS. ACLs Do Not Affect Serial Port Access. ACLs do not apply to the switch’ s serial port. ACL Screening of IPv4 T raffic Generated[...]
-
Página 388
IPv4 Access Control Lists (ACLs) General ACL Operating Notes Monitoring Shared Resources. Applied ACLs share internal switch resources with several ot her features. The switch provides ample resource s for all featu res. However , if the in tern al resources become fully subscribed, additional ACLs cannot be app lied until the necessary resources a[...]
-
Página 389
10 Configuring Advanced Threat Protection Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Página 390
Configuring Advanced Threat Protection Introduction Introduction As your network ex pands to include an increasing n umber of mobile devices, continuous Internet access, and new classes of users (such as partners, temporary employees, and vi sitors), additional protection from attacks launched from both inside and outside your internal network is o[...]
-
Página 391
Configuring Advanced Threat Protection DHCP Snooping • Attempts to exhaust system resources so that sufficie nt resources are not available to transmit legitimate traffic, indicated by an unusually high use of specific system resources • Attempts to att ack th e switch’ s CPU and introduce delay in system response time to new network events ?[...]
-
Página 392
Configuring Advanced Threat Protection DHCP Snooping DHCP snooping a ccomplishes t his by allowing you to distinguish betwe en trusted ports con nected to a DHCP server or switch and untrusted p orts connected to end-users. DHCP packet s are forwarded betw een trusted ports without inspect ion. DHCP packets received on othe r switch ports are inspe[...]
-
Página 393
----- ----- Configuring Advanced Threat Protection DHCP Snooping option : Add relay information opti on (Option 82) to DHCP client packets that are being forwarded out truste d ports. The default is yes , add relay information. trust : Configure trusted ports. Only server packets received on trusted ports are forwarded. Default: untr usted . verify[...]
-
Página 394
Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# show dhcp-snoopin g stats Packet type Action Reason Count ----------- ------- ------------ ---------------- -------- - server forward from trusted port 8 client forward to trusted p ort 8 server drop received on untrusted port 2 server drop unauthorized server 0 client drop dest[...]
-
Página 395
Configuring Advanced Threat Protection DHCP Snooping Configuring DHCP Snoo ping T r usted Ports By default, all p orts are untrusted. T o configure a port or r ange of ports as trusted, enter t his command: ProCurve(config)# dhcp-snooping trust <port-list> Y ou can also use this command in the in terface context, in which case you are not abl[...]
-
Página 396
--------------------- Configuring Advanced Threat Protection DHCP Snooping Configuring Authorized Server Addresses If authori zed server addre sses are configu red, a packet f rom a DHCP server must be received on a trusted port A ND have a source address in the autho- rized server list in order to be consider ed valid. If no authorize d servers ar[...]
-
Página 397
Configuring Advanced Threat Protection DHCP Snooping Note DHCP snoopi ng only ov errides the Option 82 settings o n a VLAN th at has snooping enabl ed, not on VLANS wit hout snooping enabled . If DHCP snooping is enable d on a swi tch where an ed ge switch is also using DHCP snoopi ng, it is desirable to have the packets forwarded so the D HCP bind[...]
-
Página 398
Configuring Advanced Threat Protection DHCP Snooping Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address of the swit ch as the remote - id in Option 82 additions. The IP address of the VLAN the packet was received on or the IP address of the management VLAN can be used instead b y entering this command [...]
-
Página 399
Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# dhcp-snooping verify mac ProCurve(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping : Yes Enabled Vlans : 4 Verify MAC : yes Option 82 untrusted policy : drop Option 82 Insertion : Yes Option 82 remote-id : subnet-i p Figure 10-7. Exa mple Showing the DHCP Snoo[...]
-
Página 400
Configuring Advanced Threat Protection DHCP Snooping A message is logged in the system event log if the DHCP binding database fails to update . T o display the co ntents of the DHCP sn ooping bind ing database, en ter this command. Syntax: show dhcp-sno oping binding ProCurve(config)# show dhcp-snooping b inding MacAddress IP VLAN Interface Time le[...]
-
Página 401
Configuring Advanced Threat Protection DHCP Snooping ■ ProCurve recommends running a time synchr onization protocol such as SNTP in order to track lease times accurately . ■ A remote server must be used to s a ve lease i nformation or there may be a loss of connectivity after a switch reboot. Log Messages Server <ip-address> pack et recei[...]
-
Página 402
Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay inform ation logs for <duration>. More than one DHCP client packet received on an untrusted port with a relay in formation field was dropped. T o avoid filling the log file w ith repeated attempts, untrusted rela y informatio n packets will no t be lo gged for the sp[...]
-
Página 403
Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and respons es are relay ed or used to update the local ARP cache. ARP packe ts with invalid IP-to-MAC address bindings adver - tised in the source [...]
-
Página 404
Configuring Advanced Threat Protection Dynamic ARP Protection ■ V erifi es IP-to-MAC addr ess bindings on untr usted ports with th e informa- tion stored in the lease datab ase maintained by DHCP snooping and user - configured static bi ndings (in non-DHCP environment s): • If a binding is valid, the switch updates its local ARP cache and forwa[...]
-
Página 405
Configuring Advanced Threat Protection Dynamic ARP Protection Enabling Dynamic ARP Protection T o enabl e dynamic ARP protection for VL AN traffic on a routin g switch, enter the arp protect vlan command at the global configuration level. Syntax: [no] arp prote ct vlan [ vlan-range ] vlan-range Specifi es a VLAN ID or a range of VLAN IDs from one t[...]
-
Página 406
Configuring Advanced Threat Protection Dynamic ARP Protection Figure 10-9. Confi guring T rusted Ports for Dynamic ARP Protection T ake into ac count the following conf iguration guide lines when you use dynamic ARP prot ection in your ne twork: ■ Y ou should configur e port s connected to other s wit ches in the n etwork as trusted po rts. In th[...]
-
Página 407
Configuring Advanced Threat Protection Dynamic ARP Protection Adding an IP-to-MAC Bind ing to the DHCP Database A routing switch mai ntains a DHCP binding database, which is used for DHCP and ARP packet validation. Both the DHCP snooping and DHCP Option 82 insertion feature s maintain the lease database by learning the IP-to-MAC bindings on u ntrus[...]
-
Página 408
Configuring Advanced Threat Protection Dynamic ARP Protection Configuring Additional V alidation Checks on ARP Packets Dynamic ARP protection can b e configured to perform additional val idation checks on ARP packets. By default, no additional ch ecks are performed. T o configure additional validation checks, enter the arp p rotect validate command[...]
-
Página 409
----- ----- Configuring Advanced Threat Protection Dynamic ARP Protection ProCurve(config)# show arp protect ARP Protection Information Enabled Vlans : 1-4094 Validate : dst-mac, src-mac Port Trust B1 Yes B2 Yes B3 No B4 No B5 No Figure 10-10.The show arp protec t Command Displaying ARP Packet Statistics T o display statistics about forwarde d ARP [...]
-
Página 410
Configuring Advanced Threat Protection Dynamic ARP Protection Monitoring Dynamic ARP Protection When dynamic ARP prot ection is enabled, you can moni tor and troubleshoot the validation of AR P packets with the debug arp prot ect command. Use this command when you want to de bug the followin g conditions: ■ The switch is dropping valid ARP packet[...]
-
Página 411
Configuring Advanced Threat Protection Using the Instrumentation Mon itor Using the Instrumentation Monitor The instrumentation mo nitor can be used to detect anomalies caused by security attacks or other irregular op erations on th e switch. The followin g table shows the operating parameters that can be monitored at pre-deter - mined intervals, a[...]
-
Página 412
Configuring Advanced Threat Protection Using the Instrumentation Monitor Operating Notes ■ T o generate alerts for monitored eve nts, you must en able the instru- mentation monito ring log and/or SNMP trap. The threshol d for each monitored parameter can be adjusted to minimize false alarms (see “Configuring Instrumentation Monitor” on page 1[...]
-
Página 413
Configuring Advanced Threat Protection Using the Instrumentation Mon itor Configuring Instrumentation Monitor The following commands and parameters are used to configure the opera- tional thresh olds that are monitore d on the switch. By defaul t, the instru men- tation monit or is disabled. Syntax: [no] instrumentat ion monitor [parameterN ame|all[...]
-
Página 414
Configuring Advanced Threat Protection Using the Instrumentation Monitor T o enable instrument ation monitor usin g the default parame ters and thresh- olds, enter the general instrumenta tion monitor command . T o adjust specific settings, enter the name of the parameter that you wish to modify , and revise the threshold limi ts as needed. Example[...]
-
Página 415
Configuring Advanced Threat Protection Using the Instrumentation Mon itor V iewing the Current In strumentation Monitor Configuration The show instrumentation monitor config uration command displays the config- ured thresholds for mo nitored paramet ers. ProCurve# show instrumentation monitor configuration PARAMETER LIMIT ------------------------- [...]
-
Página 416
Configuring Advanced Threat Protection Using the Instrumentation Monitor 10-28[...]
-
Página 417
11 T raffic/Security Filters and Monitors Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Página 418
Traffic/Security Filters and Monitors Overview Overview Applicable Switch Models . As of June 2007, T raffic/Security fil ters are available on these current ProCurve switch models: Switch Models Source-Port Filters Protocol Filters Multicast Filters Switch 8212 zl Y es Y es Y es Series 6400cl Y es No No Series 5400zl Y es Y es Y es Series 4200vl Y[...]
-
Página 419
Traffic/Security Fi lters and Monitors Filter Types and Operation Y ou can enhance in-band security and improve control over access to network resources by configur ing static filters to fo rward (the default action) or drop unwanted t raffic. That is, you can co nfig ure a traffic filter to either forward or drop all netwo rk traffic moving to out[...]
-
Página 420
Traffic/Security Filters and Monitors Filter Types and Operation Source-Port Filters This filter type enables the switc h to forward or drop traf fic from all end nodes on the indicated so urce-port to specific destination ports. End Node “A” Server Switch 8212zl Configured for Source-Port Filtering Hub End Node “B” End Node “C” Port 1 [...]
-
Página 421
Traffic/Security Fi lters and Monitors Filter Types and Operation ■ When you create a source port filter , all ports and port trunks (if any) on the switch appear as destinat ions on the list for that filter , even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would norm ally be allowed b etween ports and/or tru nk[...]
-
Página 422
Traffic/Security Filters and Monitors Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to destination port 7 (server "A" ). Notice that the filter allows traffic to move fr om source port 5 to all other destin ation ports. Figure 11-3. The Filter for the A[...]
-
Página 423
Traffic/Security Fi lters and Monitors Filter Types and Operation ■ T o change the na med source-po rt filter used o n a port or port t runk, the current filter must fi rst be removed, using the no fil ter source-port named-filter <filter-name > command . ■ A named source- port filter can only be deleted whe n it is not applied to any por[...]
-
Página 424
Traffic/Security Filters and Monitors Filter Types and Operation Syntax: filter source-port nam ed-filter < filter -name > forw ard < destin ation-port-list > Configures the named source-port filter to forward traffic having a destination on the port s and/or port trunks in the < destination-port-list >. Since “forward” is the[...]
-
Página 425
Traffic/Security Fi lters and Monitors Filter Types and Operation Viewing a Named Source-Port Filter Y ou can list all source-port filters co nfigured in the switch, both named and unnamed, and t heir action using the show command below . Syntax: show filter source-po rt Displays a listing of config ured source-port filters, where each filter entry[...]
-
Página 426
Traffic/Security Filters and Monitors Filter Types and Operation Defining and Con figuring Example Named Source-Port Filters. While named source-p ort filters may be defined and configured in two steps, this is not necessary . Here w e define and conf igure each of the named source-port filters for ou r example network in a single st ep. ProCurve(c[...]
-
Página 427
11-11 Traffic/Security Fi lters and Monitors Filter Types and Operation Figure 11-7. Example of the sho w filter Command Using the IDX value in the show filter command, we can see how traffic is filtered on a specif ic port ( Va l u e ).The two o utputs below show a non - accounting and an accou nting switch port. ProCurve(config)# show filter Traf[...]
-
Página 428
Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 24 ProCurve(config)# show filter 4 Traffic/Security Filters Traffic/Security Filters Filter Type : Source Port Filter Type : Source Port Source Port : 10 Source Port : 5 Dest Port Type | Action Dest Port Type | Action --------- --------- + ----------- ---[...]
-
Página 429
Traffic/Security Fi lters and Monitors Filter Types and Operation ProCurve(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port Type | Action --------- --------- + ------------- ----------- 1 10/100TX | Forward 2 10/100TX | Forward 3 10/100TX | Forward 4 10/100TX | Forward 5 10/100TX | Forward 6 10/10[...]
-
Página 430
Traffic/Security Filters and Monitors Filter Types and Operation The following revisions to the named so urce-port fi lter definiti ons maintain the desired network traffic management , as shown in the Action column of the show command. ProCurve(config)# filter source-port named-filter accounting forward 8,12,13 ProCurve(config)# filter source-port[...]
-
Página 431
Traffic/Security Fi lters and Monitors Filter Types and Operation ProCurve(config)# show filter source-por t Traffic/Security Filters Filter Name | Port List | Action -------------------- + ---------------- ---- + -------------------------- web-only | 2-6,9,14-26 | drop 2-26 accounting | 7-8,10-13 | drop 1-6,9,14-26 no-incoming-web | 1 | drop 7-8,1[...]
-
Página 432
Traffic/Security Filters and Monitors Filter Types and Operation T able 11-2. Multicast Filter Limits Max-VLANs Setting Maximum # of Multicast Filters (Static and IGMP Combined) 1 (the minimum) 420 8 (the default) 413 32 or higher 389 Notes Per -Port IP Multicast Filters. The static multicast filters described in this section filter traffi c having[...]
-
Página 433
Traffic/Security Fi lters and Monitors Configuring Traffi c/Security Filters Only one filter f or a particular prot ocol type can be configur ed at any one time. For example, a separate protocol filter can be configured for each of the protocol types listed above, b ut only one of those can be an IP filter . Also, the destination po rts for a proto[...]
-
Página 434
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Configuring a Source -Port T raffic Filter Syntax: [no] filter [source-port < port-number | trunk-nam e >] Specifies one inbound port or trunk. T raffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the sourc[...]
-
Página 435
Traffic/Security Fi lters and Monitors Configuring Traffi c/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a source-port filter that drops all traffic received on port 5 wi th a destination of port trunk 1 ( Tr k 1 ) and any port in the range of port 10 to port 15 . T o create this fi lter you [...]
-
Página 436
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters filter on port 5, then create a trunk w ith ports 5 and 6, and display the results, you would see the following: The *5* shows that port 5 is configured for fi ltering, but the filtering action has bee n suspended while the port is a membe r of a trunk. If you want the trunk[...]
-
Página 437
Traffic/Security Fi lters and Monitors Configuring Traffi c/Security Filters Figure 11-15. Assigning Add itional Destinati on Ports to an Existing Filt er Configuring a Multicast or Protocol T raffic Filter Syntax: [no] filter [multicast < mac- address >] Specifies a multicast address. Inbound traffic received (on any port) with this multicas[...]
-
Página 438
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters For example, suppose you wa nted t o configur e the fi lters in table 11-3 on a switch. (For more on source-port filt er s, refer to “Configuring a Source-Port T raffic Filter” on page 11-18.) T able 11-3. Filter Example Filter T ype Filter V alue Actio n Destination Por[...]
-
Página 439
Traffic/Security Fi lters and Monitors Configuring Traffi c/Security Filters Displaying T raffic/ Security Filters This command displays a listing of all f ilters by index number and also en ables you to use th e index number to display t he details of individual filters. Syntax: show filter Lists the filters configured in the switch, with correspo[...]
-
Página 440
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Filter Inde x Numbers (Automatically Assi gned) Lists all filters con figured in the switch. Uses the index number (IDX) for a specific filter to list the details for that filter onl y . Criteria for Individual Filters Figure 11-17. Example of Displaying Filter Data 11-24[...]
-
Página 441
12 Configuring Port-Based and User -Based Access Control (802.1X) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . 12-3 General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Página 442
Configuring Port-Bas ed and User-Based Access Control (802.1X) Contents 3. Configure the 802.1X Auth entication Method . . . . . . . . . . . . . . . . 12-26 4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 12-27 5. Enable 802.1X Authentic a tion on the Switch . . . . . . . . . . . . . . . . 12-27 6. Optional: Reset [...]
-
Página 443
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Overview Overview Feature Default Menu CL I We b Configuring Switch Ports as 802.1X Authenticators Disabled n/a page 12-19 n/a Configuring 802.1X Open VLAN Mode Disabled n/a page 12-31 n/a Configuring Switch Ports to Operate as 802.1X Supplicants Disabled n/a page 12- 49 n/a Displayin[...]
-
Página 444
Configuring Port-Bas ed and User-Based Access Control (802.1X) Overview • Port-Based access control opti on allowing authenticat ion by a single client to open the port . This option does not force a client limit and, on a port opened by an auth enticated clien t, allows unlimit ed client access without requiring further au thentication . • Sup[...]
-
Página 445
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Overview credentials. This op eration improves security by opening a given port only to individually auth enticated clients, while simultan eously blocking access to the same port for clients that cannot be authenticated. All sessions must use the same untagged VLAN. Also, an auth ent[...]
-
Página 446
Configuring Port-Bas ed and User-Based Access Control (802.1X) Terminology This operat ion unblocks the port while an authenticated client se ssion is in progress. In topologi es wh ere simultaneous, multiple client access i s possible this can allow unauthorized and unauthen ticated access by another cli ent while an authenticated client is usi ng[...]
-
Página 447
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Terminology a port loses its authenticated client connection, it drops its membership in this VLAN. Note that with multiple clie nts on a port, all such clients use the same untagged, port-b ased VLAN membership. Authentication Server: The entity providing an authentication service to[...]
-
Página 448
Configuring Port-Bas ed and User-Based Access Control (802.1X) Terminology Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan < vid > command or the Menu interfac e. Supplicant: The entity that must provide the proper cred entials to the swit ch before receiving access to the network. This is u[...]
-
Página 449
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) General 802.1X Aut henticator Operation General 802.1X Authenticator Operation This operation provides security on a po int-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X suppli[...]
-
Página 450
Configuring Port-Bas ed and User-Based Access Control (802.1X) General 802.1X Aut henticator Operation Note The switches covered in this guide can use either 802.1X port-based authen- tication or 802.1X user -bas ed authentication. For more information, refer to “User Authentication Methods” on page 12-4. VLAN Membe rship Prio rity Following cl[...]
-
Página 451
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) General 802.1X Aut henticator Operation No Ye s New Client Authenticated Untagged VLAN Configured On Port ? RADIUS- Assigned VLAN? Authorized VLAN Configured? Another (Old) Client Already Using Port ? Are All Ol d Clients On Unauthorized VLAN? No No Ye s Ye s Assign New Client to RADI[...]
-
Página 452
Configuring Port-Bas ed and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the u ser -based mode, when there is an authenticated client on a port, the followin g traffic movement is allowed: • Multicast and bro adcast traffic is allowed on the port. • Unicast traffic to authen ticat[...]
-
Página 453
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) General Operating Rules and Notes ■ If a port on switch “A” is configur ed as an 802.1X suppli cant and is connected to a port on anot her switch, “B”, that is not 802.1X-aware, access to switch “B” will occur wit hout 802.1X sec urity protection. ■ On a port configure[...]
-
Página 454
Configuring Port-Bas ed and User-Based Access Control (802.1X) General Operating Rules and Notes not enabled. That is, any non-authenticating client attempting to access the port after another clien t authenticates with port -based 802.1X would still have to authenticate t hrough W eb-Auth or MAC-Au th. 12-14[...]
-
Página 455
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Access Control Do These Steps Before Y ou Configure 802.1X Operation 1. Configure a local username and pa ssword on the switch for both the Operator (login) and Manager (enable) access levels. (While [...]
-
Página 456
---- ---------- ------------- -------- -------- Configuring Port-Bas ed and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control ProCurve(config)# password port-acc ess us er-name Jim s ecret3 Figure 12-2. Exa mple of the Password Port-Acce ss Command Y ou can save the port-access password for 802.1X authentication i[...]
-
Página 457
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) General Setup Procedure for 802.1X Access Control 3. Determine whether to us e user -based access control (pag e 12-4) or port- based access control (page 12-5). 4. Determine whether to use the op tional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for client [...]
-
Página 458
Configuring Port-Bas ed and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802. 1X Authentication on the Switch This section outl ines the steps for configuring 802.1X on the switch. For detailed info rmation on each step , refer to the followin g: ■ “802.1X User -Based Access Control?[...]
-
Página 459
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators Note If you want to implement the option al port security featur e (step 7) on the switch, you should first en sure that the ports you ha ve configured as 802.1X authenticators oper ate as expected. 7. If you are using Port S ecurity o[...]
-
Página 460
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentica tion on Selected Ports This task configures the indivi dual ports you want to operate as 802.1X authenticators for po int-to-point li nks to 802.1X-aware clients or sw itches, and consists of two ste ps: A. En[...]
-
Página 461
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User -Based Au thentication or Return to Port-Based Authentication User -Based 802.1X Authentication. Syntax: aaa port-acce ss authenticator client-limit < port-list > < 1 -8> Used after executing aaa port-access[...]
-
Página 462
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Example: Configuring User -Based 802.1X Authentication This example enables ports A10-A1 2 to operate as authenticators, and then configures the ports for us er -based auth entic ation. ProCurve(config)# aaa port-access authenticator a10[...]
-
Página 463
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the ma x-requests parameter fails (next page). (Default: 60 seconds) [...]
-
Página 464
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the ma x-requests parameter fails (next page). (Default: 60 seconds) [t[...]
-
Página 465
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time af ter which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disa bled (Default: 0 second) [unauth-vid < vlan-id >] Co[...]
-
Página 466
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how th e switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenti cator Y ou can configure local , chap-ra[...]
-
Página 467
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the au thentication me thod, configure the switch to use 1, 2, or 3 RADIUS se rvers for authentication. The following syntax shows th e basic co[...]
-
Página 468
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentica tion is operating, y ou can use the following aaa port- access authenticator commands to reset 802.1X authentication an d statistics on specified ports. Syntax: aaa port-[...]
-
Página 469
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators ■ The 802.1s Multiple Spanning T ree Protocol (MSTP) or 802.1w Rapi d Spanning T ree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while m aintaining a lo op-free netw ork. For informati on on h[...]
-
Página 470
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Because a port can be con figured for more than one type of authenticat ion to protect the switch from unauth orized access, the last setting you configure with the aaa port-ac cess controlled-directions command is applied to all authen [...]
-
Página 471
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 12-19 802.1X Supplicant Commands page 12-51 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator < port-list > page 12-45 [auth-vid < vlan-id >] [unauth-vid < vlan-id >] 802.[...]
-
Página 472
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports confi gured to allow multi ple sessions using 802.1X user -based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, au thenticated clien ts, the first authenti cated client determines the [...]
-
Página 473
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Note After client authenticati on, the port resumes me mbership in any tagged VLANs for which it i s configured. If th e port is a tagged membe r of a VLAN used for 1 or 2 listed above, then it also operates as an untagged member of that VLAN while the clie nt is[...]
-
Página 474
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode T able 12-1. 802.1X Open VLAN Mode Options 802.1X Per -Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client t hat cannot initiate an authenti cation session. Open VLAN mode with both of the f ollowing configured: Unauthorized-C[...]
-
Página 475
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode 802.1X Per -Port Configuration Port Response Authorized-Client VLAN • After c lient authentication, the po rt drops membership in the Unauthorized-Client VLAN a nd becomes an u ntagged member of this VLAN. Notes: If the client is running an 802.1X supplicant ap[...]
-
Página 476
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per -Port Configuration Port Response Open VLAN Mode with Only an Unauthoriz ed-Client V LAN Configured: • When the port d etects a client, it automatically b ecomes an untagged member of this VLAN. T o limit secu rity risks, the network services and acces[...]
-
Página 477
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Open VLAN Mode with Only an Authorized-Client VLAN Con figured: 802.1X Per -Port Configuration Port Response • Port automatically blocks a client that cannot initiate an authentication session . • If the client su ccessfully completes an authenticat ion sessi[...]
-
Página 478
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Au thorized-Client and Unauthorized-Client VLANs T able 12-2. Operating Rules for Client VLANs Condition Rule Static VLANs used as Authorize d- Client or Unauthorized-Client VLANs VLAN Assignment Received fro m a RADIUS Server These must be conf[...]
-
Página 479
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN session on untagged port VLAN membership • When an una uthenticated client conn ects to a port that is already configured with a static, un tagged VLAN, the switch temporarily moves the port to the Una uthorized[...]
-
Página 480
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of RADIUS-assigned VLAN The port joins the RADIUS-assigned VLAN as an u ntagged member . This rule assumes no other authenticated clients are already using the port on a different VLAN. IP Addressing for a Client Con nected to a Port Configure[...]
-
Página 481
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Condition Rule Note: Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to Allow Multiple-Client Access Y ou can optionally ena ble switches to allow up to eight clie nts per - port. The Unauthorized-Client VLAN feature can operat e on a[...]
-
Página 482
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of bot h the Unauthorized-Client and Authorized-Client VLANs. Re fer to T able 12-1 on pa ge 12-34 for other options. Before you configu re the 802.1X Open VLAN mode on a por t: [...]
-
Página 483
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the swit ch to use local password auth entication inste ad of RADIUS authentication. However , this is less desirable because it me ans that all clients use the same passwords and have the same access privil eges. Al[...]
-
Página 484
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you sel ected either eap-radius or chap-radiu s for step 2, use the radius host command to configure up to thr ee RADIUS server IP address(es) on the switch. Syntax: rad ius host < ip-address > Adds a server to the RADIUS configuration. [key < server[...]
-
Página 485
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listin g of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 12-42. Syntax: aaa p ort-access authenticato r < p[...]
-
Página 486
Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For info rmation and an example on viewing current Open VLAN mode operatio n, refer to “Viewing 802.1X Open VLAN Mode Status” on page 12-62. 802.1X Open VLAN Operating Notes ■ Although you can configure Open VL AN m[...]
-
Página 487
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow On ly 802.1X-Authenticated Devices reauthenticate itself. If the re are mu ltiple cli ents authenticate d on the port, if one clie nt loses access an d attempts to re-authentica te, that client will be handled as a new c[...]
-
Página 488
Configuring Port-Bas ed and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-S ecurity To Allo w Only 80 2.1X-Authenticated Devices Port-Security Note If 802.1X port-access is configured on a given port, th en port-security learn- mode for that port must be set to either continuous (the default) or port-access . In [...]
-
Página 489
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports To Operate As Suppli cants for 802.1X Connections to Other Switches Configuring Switch Ports T o Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands page 12-19 802.1X Supplicant Commands [no] aaa port-access < supp[...]
-
Página 490
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supp licants for 802.1X Connect ions to Other Switches • If, after the supplicant port sends the configur ed number of star t packets, it does not receive a respons e, it assumes that switch “B” is not 802.1X-aware, and transi tions to the au[...]
-
Página 491
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Configuring Switch Ports To Operate As Suppli cants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. Y ou can configure a switch port as a supplicant for a p oint-to-point link to an 802.1X-aware port on another switch. Con[...]
-
Página 492
Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supp licants for 802.1X Connect ions to Other Switches aaa port-access sup plicant [ethernet] < port-list > (Syntax Conti nued) [secret] Enter secret: < password > Repeat secret: < password > Sets the secret password to be u sed b[...]
-
Página 493
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 12-19 802.1X Supplicant Commands page 12-49 802.1X Open VLAN Mode Commands page 12-31 802.1X-Related Show Commands show port-access [...]
-
Página 494
Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters Syntax: show port-access authen ticator [ port-list ] [config | statistics | session-counters | vlan | clien ts]| detailed] —Continued— • Unt agged VLAN : VLAN ID number of the untagged VLAN used in client sessions. If the[...]
-
Página 495
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters ProCurve(config)# show port-access aut henticator 2-3 Port Access Authenticator Status Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Auth Unauth Untagged Tagged Kbps In RADI[...]
-
Página 496
Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters Syntax: show port-access authen ticator config [ port-list ] Displays 802.1X port-access au thenticator configuration settings, including: • Whether port-access authentication is enabled • Whether RADIUS-assigned dyn amic VL[...]
-
Página 497
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Access Control Port’ s authentication mode: Auto: Network access is allowed to any connected device that supports 802.1X authentication and provides valid 802.1X credentials. Authorized: Network access is allowed to any devi[...]
-
Página 498
Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters ProCurve(config)# show port-acces s authenticator statistics Port Access Authenticator Statistics Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLA Ns [No] : No Source TX TX RX RX RX RX RX P[...]
-
Página 499
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Syntax: show port-access authenticat or vlan [ port-list ] Displays the following informat ion on the VLANs configured for use in 802.1X port-access au thentication on all switch ports, or specified ports, that are enabled as [...]
-
Página 500
----- ------------ ------------- --------------- -------------- Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters Syntax: show port-a ccess authenticato r clients [ port-list ] Displays the session status, name, and address for each 802.1X port-access-authenticate d client on t[...]
-
Página 501
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Syntax: show port-a ccess authenticato r clients < port-list > detailed Displays detai led information on the status of 802.1X- authenticated client sessions on specified ports. ProCurve (config)# show port-access authen[...]
-
Página 502
Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters V iewing 802.1X Open VLAN Mode Status Y ou can examine the switch’ s curre nt VLAN status by using the show port- access authenticator vla n and show port -access authenticat or < port-list > com- mands as illustrated in[...]
-
Página 503
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Thus, in the output shown in figure 12-17: ■ When the Auth VLAN ID is configured and matches the Current VLAN ID , an authenticated client is co nnected to the port. (Th is assumes the port is not a statically configured mem[...]
-
Página 504
Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters T able 12-5. Output for Determining Open VLAN Mode Status (Figure 12-18, Lower) Status Indicator Meaning Status Closed: Either no client is connected or the connected cl ient has not received authorization through 802.1X authent[...]
-
Página 505
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Note that ports B1 and B3 are not in the upp er listing, but are included und er “Overridden Port VLAN configur ation”. This shows that s tatic, unta gged VLAN memberships o n ports B1 and B3 have been overridd en by tempo[...]
-
Página 506
Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters Show Commands for Po rt-Access Supplicant Syntax: show port-a ccess supplicant [< port-list >] [statistics] show port-access supplican t [< port-list >] Shows the port-access suppl icant configuration (excluding the [...]
-
Página 507
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation supplicant port to another without clearin g the statistics data from the first port, the au thenticator’ s MAC address wil l appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Op[...]
-
Página 508
Configuring Port-Bas ed and User-Based Access Control (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation Note Y ou can use 802.1X (port-based or client -based) authentica tion and either W eb or MAC authenticati on at the same time o n a port, with a maxi mum of eight clients allowed on the port. (Th e default is one client.) W eb au[...]
-
Página 509
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation • If the port is assigned as a member of an untagged dynamic VLAN that was learn ed through GVRP , the dynamic VLAN conf iguration must exist on the swit ch at the time o f authenti cation and GVRP- learned dyna mic VLANs for [...]
-
Página 510
Configuring Port-Bas ed and User-Based Access Control (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation If this tempora ry VLAN assignment cau ses the switch to disable a different untagged static or dynamic VLAN conf igured on the port (as described in the preceding bullet and in “Example of Untag ged VLAN Assignment in a RADIUS-[...]
-
Página 511
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation For example, suppose that a RADIUS-au thenticated, 802.1X-a ware client on port A2 requires access to VLAN 22, but VLA N 22 is config ured for no access on port A2, and VLAN 33 is conf igured as untagged on port A2: Scenario: An[...]
-
Página 512
Configuring Port-Bas ed and User-Based Access Control (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation This entry sho ws that port A2 is temp orarily untagg ed on VLAN 22 for an 802 .1X sessi on. This is to accommodate an 802.1X client’ s access, authenticated by a RADIUS server , where the server included an instruc tion to put [...]
-
Página 513
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation When the 802.1X client’ s session on port A2 en ds, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as un tagged on the port becomes available again. Ther[...]
-
Página 514
Configuring Port-Bas ed and User-Based Access Control (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation Syntax: aaa port-access gvrp-vlans — Continued — 2. After you enable dynamic VLAN assignment in an authen- tication session, it is reco mmended that you use the interface unknown-vlans command on a per -port basis to prevent d[...]
-
Página 515
Configuring Port-Based an d Us er-Based Access C ontrol (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation T able 12-6. 802.1X Ope rating Messages Message Meaning Port < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.1X authenticators. Use this comm and to enable th[...]
-
Página 516
Configuring Port-Bas ed and User-Based Access Control (802.1X) Messages Related to 802.1X Operation 12-76[...]
-
Página 517
13 Configuring and Monitoring Port Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3 Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4 Basic Operation . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Página 518
Configuring and Monitoring Port Security Contents Web: Checking for Intrus ions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-40 Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-41 13-2[...]
-
Página 519
Configuring and Monitoring Port Security Overview Overview Feature Default Menu CLI We b Displaying Current Port S ecurity n/a — page 13-8 page 13-33 Configuring Port Security d isabled — page 13-12 page 13-33 Retention of Static Addresses n/a — page 13-17 n/a MAC Lockdown disabled — page 13-22 MAC Lockout disabled — page 13-30 Intrusion [...]
-
Página 520
Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default po rt security setting for each port is off , or “continuous”. T hat is, any dev ice can access a port without causing a security reaction. Intruder Protection. A port that detects an “intruder” blocks the intrud[...]
-
Página 521
Configuring and Monitoring Port Security Port Security • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port an d to specify some or all of the authorized addresses. (If you spec ify on ly some of the authorized addresses, the port learns the re maining authorized addresses from the traffic it receives [...]
-
Página 522
Configuring and Monitoring Port Security Port Security configuratio n to ports on which h ubs, switches, or othe r devices are connected, and to maintain security while also main taining network a ccess to authorized users. For example: Figure 13-1. Exa mple of How Port Security Contro ls Access Switch A Port Security Configured Switch B MAC Addres[...]
-
Página 523
Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port securi ty configuration and moni toring according to the following: a. On wh ich ports do you wa nt port securit y? b. Whic h devices (MAC addresses) are authorized on each port? c. For each port, what security act ions do you want? (The switch automatic[...]
-
Página 524
Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Comm ands Used in This Section show port-security 13-9 show mac-address port-security 13-12 < port-list > 13-12 learn-mode 13-12 address-limit 13-15 mac-address 13-16 action 13-16 clear -intrusion-flag 13-17 no port-security 13-17 [...]
-
Página 525
Configuring and Monitoring Port Security Port Security Displaying Port Se curity Settings. Syntax: show po rt-security show port-security < port nu mber > show port-security [< po rt number >-< port number> ]. . .[,< port number >] The CLI uses the same command to provide two types of port security listings: • All ports on[...]
-
Página 526
Configuring and Monitoring Port Security Port Security Figure 13-3. Exa mple of the Port Security Config uration Display for a Single Port The next exam ple shows the op tion for entering a ra nge of ports, inc luding a series of non-cont iguous ports. Note that no spaces are allowed in the port number portion of the command string: ProCurve(config[...]
-
Página 527
Configuring and Monitoring Port Security Port Security Figure 13-4. Exa mples of Show Mac-Address Outputs 13-11[...]
-
Página 528
Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security an d edit security settings. ■ Add or delete devices from the list of authorized addresses for one or more ports. ■ Clear the Intru sion flag on specific port s Syntax: port-security [e] <port-list>< lear[...]
-
Página 529
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < contin uous | static | port-acc ess | configured | limited- continuous > (Continued) static: Enables you to use the mac-addre ss parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (exp[...]
-
Página 530
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < contin uous | static | port-acc ess | configured | limited- continuous > (Continued) Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted devi ce to [...]
-
Página 531
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Informatio n configuration screen of the Menu interface or the show system information listing. Y ou can set the MAC age out time[...]
-
Página 532
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) mac-address [< mac-addr >] [< mac-addr >] . . . [< mac -addr >] A vailable for learn-mode with the, static , conf igured , or limited-continu ous option. Allows up to eight autho rized devices (MAC addresses) per port, depending on the value s[...]
-
Página 533
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) clear -intrusion-flag Clears the intrusion flag for a specific port. (See “Reading Intrusion Alerts and Resetting Alert Flags” on page 13-33.) no port-security <port-list> m ac-address < mac-addr > [ <mac-addr> <mac-addr> ] Removes t[...]
-
Página 534
Configuring and Monitoring Port Security Port Security ■ Delete it by using no port-security < port-nu mber > mac-address < mac-addr > . ■ Download a configur ation file that does not includ e the unwanted MAC address assignment. ■ Reset the switch to its fac tory-default co nfiguration. Specifying Authoriz ed Devices and Intrusio[...]
-
Página 535
Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. T o simply add a device (MAC address) to a port’ s existing Authorized Addresses list, enter the port number with the mac-add ress parameter and the device’ s MAC addre ss. This assumes that Learn Mod e is set to static and the Authorized Addresses lis[...]
-
Página 536
Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is alre ady on the list. Note that if you change a port from st atic to co ntinuous learn m ode, the port retain s in memory any authorized addresses it ha d while in s ta[...]
-
Página 537
Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC address es) from the Authorized Addresses list. (An Authoriz ed Address list is available for each port for which Learn Mode is currentl y set to “Static”. Refer to the command syn[...]
-
Página 538
Configuring and Monitoring Port Security MAC Lockdown The following command serves this pu rpose by removing 0c0090-1 23456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090- 123456 The above command sequence results in the following configu ration for po[...]
-
Página 539
Configuring and Monitoring Port Security MAC Lockdown Y ou will need to enter a separate comm and for each MAC/VLAN pa ir you wish to lock down. If yo u do not specify a VLAN ID (VID) the sw itch inserts a VID of “1”. How It W orks. When a device’ s MAC address is locked down to a port (typically in a pair with a VLAN) all in formation sent t[...]
-
Página 540
Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pai r cannot be locked do wn on a different po rt. Y ou cannot perform MAC Lockdown and 802.1X authentication on the same port or on t he same MAC address. MAC Lockdown and 802.1X authentication are mutually ex[...]
-
Página 541
Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Loc kdowns that you can safely code per switch. T o truly lock down a MAC addr ess it would be necessary to use the MAC Lockdown command fo r every MAC Address and VLAN ID on every switch. In reality few netw ork administrato rs wi[...]
-
Página 542
Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lo ckdown you ne ed to consider how you use it wi thin your network topology to ensure security . In some cases where you are using techniques such as “meshing” or Spannin g T ree Protocol (STP) to speed up network performa nce by providing mu lt ip[...]
-
Página 543
Configuring and Monitoring Port Security MAC Lockdown ProCurve Switch ProCurve Switch ProCurve Switch ProCurve Switch Internal Core Network Switch 1 Switch 1 Mixed Users Edge Devices Lock Server “A” to these ports. Server “A” Network Edge There is no n eed to lock MAC addresses on switches in the internal core n etwork. Figure 13-10. MAC Lo[...]
-
Página 544
Configuring and Monitoring Port Security MAC Lockdown The key points for this Model T opology are: • The Core Network is separated fro m the edge by the use of switches which have been “locked down” for security . • All switches connected to the edge (outside us ers) each ha ve only one port they can use to co nnect to th e Core Network and[...]
-
Página 545
Configuring and Monitoring Port Security MAC Lockdown Figure 13-11. Connectivity Prob lems Using MAC Lockdown with Mult iple Paths M i x e d U s e r s Internal Network External Network Switch 1 Server A Server A is locked down to Switch 1, Upli nk 2 PROBLEM: If this link fails, traffic to Server A will not use the backup path via Switch 3 Switch 2 [...]
-
Página 546
Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a M AC address on all ports and VLANs for a switch so that any traffic to or from the “l ocked-out” MAC address will be dropped. This means that all data pack ets addressed to or from the given address are stopped by th e switch. MAC Lo ckout is im[...]
-
Página 547
Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, po rt security , and 802.1X authenti- cation. Y ou cannot use MAC Lockout to l ock: • Broadcast or Mu lticast Addresses (Switches do not learn these) • Switch Agents (T he switch’ s own MAC Address) There ar e limits for the numb er of VLANs, Multi cast F[...]
-
Página 548
Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independ ent of port-security an d in fact will override it. MAC Lockout is preferab le to port-security to st op access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in [...]
-
Página 549
Configuring and Monitoring Port Security Web: Displaying and Configur ing Port Security Features W eb: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security] . 3. Select the settings you want and, if you are usi n g the Static Learn Mode, add or edit the Author ized Addresses field. 4. Implement [...]
-
Página 550
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags ■ The switch enables notification of the i ntrusion through the following means: • I n t h e C L I : – T h e show po rt-security int rusion-log command displays the Intrusion Log – T h e log command displays the Event Log • In the menu interface: ?[...]
-
Página 551
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Figure 13-12. Example of M ultiple Intrusion Log E ntries for the Same Port The log shows the most rece nt intrusion at the top of the listing. Y ou cannot delete Intrusio n Log entries (unless you reset th e switch to its factory-default configuration). Ins[...]
-
Página 552
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interf ace indicates per -port intrusions in the Port Status screen, and provides details and t he reset function in the In trusion Log screen. 1. From the Main Menu [...]
-
Página 553
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 13-1 3 on page 13-36) does not indicate an int rusion for port A1, the alert fl ag for the intru- sion on port A1 has already been reset. • Since the switch can show only one uncleared intrusion per port, the aler[...]
-
Página 554
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags clear intrusion-flag s Clear intrusion flags on all ports. port-security [e] < port-n umber > clear-intrusion-flag Clear the intrusion flag on one or more specific ports. In the follo wing ex ample, executi ng show interfac es brief lists the switch’[...]
-
Página 555
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags T o clear the intrusi on from port A1 and enable the swit ch to enter any subsequent intrusio n for port A1 in the Intrusion Log, execute th e port-security clear -intrusion-fla g command. If yo u then re-displ ay the port status screen, you will see that th[...]
-
Página 556
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Log Listing with Security Violati on Detected Log Listing with No Security Violat ion Detected Log Command with “security” for Search Figure 13-18. Example of Log Listi ng With and Without Detecte d Security Violations From the Menu Interface: In the Mai[...]
-
Página 557
Configuring and Monitoring Port Security Operating Notes for Port Security Operating Notes for Port Security Identifying the IP Address of an Intruder . The Intrusion Log lists detected intrude rs by MAC address. If you are using ProCurve Manage r to manage your network, you can use the d evice properties page to link MAC addresses to their corresp[...]
-
Página 558
Configuring and Monitoring Port Security Operating Notes for Port Security ProCurve(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s). ProCurve(config)# The switch will not allo w you to configure LACP on a port on whic h port security is enabled. For example: ProCurve(config)# int e a17 lacp p[...]
-
Página 559
14 Using Authorized IP Managers Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3 Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Página 560
Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu CLI W eb Listing (Showing) Authorized Managers n/a page 14-5 page 14-6 page 14-8 Configuring Authorized IP Managers None page 14-5 page 14-6 page 14-8 Building IP Masks n/a page 14-10 page 14-10 page 14-10 Operating and T roubleshooting Notes n/a page[...]
-
Página 561
Using Authorized IP Managers Options Options Y ou can configure: ■ Up to 100 authorized manager addresses , where eac h address applies to either a single ma nagement st ation or a group of station s ■ Manager or Operator access privileges Caution Configuring Authorized IP Ma nagers does not protect access to the switch through a modem or direc[...]
-
Página 562
Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP column, and leave the IP Mask set to 255.255.255.255 . This is the easie st way to use the Author ized Managers feature . (For more on this topic, see “Configuring One Stat ion Per Authorized Manager IP E ntry” on page 14-10.) ■ Authorizing Mu ltiple Station[...]
-
Página 563
Using Authorized IP Managers Defining Authorized Management Stations Menu: V iewing and Config uring IP Authorized Managers Only IPv4 is suppor ted when using the m enu to set the manage ment access method. From the console Main Menu, select: 2. Switch Configuration … 6. IP Authorized Managers ProCurve 22-Apr-2008 20:17:5 3 ======================[...]
-
Página 564
------------------------ Using Authorized IP Managers Defining Authorized Management Stations Editing or Dele ting an Au thorized Manage r Entry . Go to the IP Manag- ers List screen (figure 14-14-1), high lig ht the desire d entry , and press [E] (f or Edit ) or [D] (for Delete ). CLI: Vi ewing and Configurin g Authorized IP Managers Authorized IP[...]
-
Página 565
Using Authorized IP Managers Defining Authorized Management Stations ProCurve(config)# ip authorized-managers 10.10.10.2 255.255.255.255 manager Figure 14-4. Exa mple of Configuring IP Authorized Man ager T o Authorize Manager Access. This command autho rizes manager -leve l access for any station with an IP address of 10.2 8.227 .0 through 10.28.2[...]
-
Página 566
Using Authorized IP Managers Web: Configuring IP Authorized Managers W eb: Configuring IP Authorized Managers In the web browse r interf ace you can configure IP Authorized Mana gers as described below . T o Add, Modify , or Delete an IP Authorized Manager address: 1. Click on the Security tab. 2. Click on the Authorized Addresses but ton . 3. Ente[...]
-
Página 567
Using Authorized IP Managers Web: Configuring IP Authorized Managers access through a web proxy server requires that you first add the web proxy server to the Authorized Manager IP lis t. This reduces security by opening switch access to anyone who uses the web proxy server . How to Eliminate the W eb Proxy Server There ar e two ways to e liminate [...]
-
Página 568
Using Authorized IP Managers Building IP Masks Building IP Masks The IP Mask parameter contro ls how th e switch uses an Authorized Manager IP value to recognize the IP addre sses of authorized manager stati ons on your network. Configuring One Station Pe r Authorized Manager IP Entry This is the easiest way to apply a ma sk. If you have ten or few[...]
-
Página 569
Using Authorized IP Managers Building IP Masks IP list. Thus, in the example shown ab ove, a “255” in an IP Mask octet ( all bit s in the octet are “on”) means only one va lue is allowed for that o ctet—the value you specify in the corresponding octet of the Authorize d Manager IP list. A “0 ” (all bits in the octet are “off”) mea[...]
-
Página 570
Using Authorized IP Managers Building IP Masks T able 14-3. Example of How the Bitmap in the IP Mask Defines Authorized Man ager Addresses 4th Octet of IP Mask: 4th Octet of Authorized IP Address: 249 5 Bit Numbers Bit Bit Bit Bit Bit Bit Bit Bi t 7 6 5 4 3 2 1 0 Bit V alues 128 64 32 16 8 4 2 1 4th Octet of IP Mask (249) 4th Octet of IP Authorized[...]
-
Página 571
Using Authorized IP Managers Operating Notes Operating Notes ■ Network Security Precautions: Y ou can enhance your network’ s secu- rity by keeping physical access to th e switch restricted to authorized personnel, usin g the password featu res built into the sw itch, using t he additional sec urity features descri bed in this manu al, and prev[...]
-
Página 572
Using Authorized IP Managers Operating Notes 14-14[...]
-
Página 573
15 Key Management System Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2 Configuring Key Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . [...]
-
Página 574
Key Management System Overview Overview The switches co vered in this guide provide suppo rt fo r advanced routing capabilities. Security tu rns out to be e xtremely important as complex ne t- works and the internet grow and become a part of our daily life and business. This fact forces protocol develope rs to improve security mechanisms employed b[...]
-
Página 575
Key Management System Configuring Key Chain Management Configuring Key Chain Management KMS-Related CLI Commands in This Section Page show key-chain < chain _name > page 15-3 [ no ] key-chain chain_name page 15-3 [ no ] key-chain chain_name key Key_ID page 15-4 The Key Man agement System (KMS) h as three configur ation steps: 1. Create a key [...]
-
Página 576
Key Management System Configuring Key Chain Managemen t show key-chain Displays the current key chain s on the switch and th eir overall status. For example, to generat e a new key chain entry: Add new key chain Entry “Procurve1”. Display key chain entries. Figure 15-1. Adding a New Key Chain Entry After you add an entry , you can assign key(s)[...]
-
Página 577
Key Management System Configuring Key Chain Management [ accept-lifetime infinite ] [ send-lifetime infinite ] accept-lifetime inf inite: Allows packets with this key to be accepted at any time fr om boot-up until the key is removed. send-lifetime infi nite: A llows the switch to send this key as authorization, from boot- up until the key is remove[...]
-
Página 578
Key Management System Configuring Key Chain Managemen t Note [ key-string < key_str > ] This option specifies the ke y value referenced by the protocol using the key. The < key_str > can be any string up to 14 ch aracters in length. accept-lifetime < mm/dd/yy [ yy ] hh:mm:ss | no w > Specifies the start date and time o f the valid[...]
-
Página 579
Key Management System Configuring Key Chain Management Adds a key with full time and date Adds a key with duration expressed i n seconds. Figure 15-3. Adding T ime-Dependent Keys to a Key Chain Entry Note Given transmission del ays and the variations in the time value from swi tch to switch, it is advisable to include some fle xibility in the Acc e[...]
-
Página 580
Key Management System Configuring Key Chain Managemen t Y ou can use show key-chain to display the key s tatus at the time the command is issued. Using the info rmation from the example configuration in figures 15-3 and 15-4, if you execute show key-chai n at 8:05 on 01/19/03, the display would appear as fol lows: Figure 15-5. Status of Keys in Key[...]
-
Página 581
Index Numerics 3DES …8 - 3 802.1X ACL, effect on … 9-16 802.1X access control authenticate users … 12-5, 12-4, 1 2-6, 12-4, 12-20 backend state … 12-62 operation … 12-9 show commands … 12-53, 12-62 unblock port … 12-6 … 12-6, 12-25, 12-22 blocked port, trunked … 12-13 caution, unauthorized-clien t VLAN … 12-39 CHAP … 12-3 chap[...]
-
Página 582
terminology … 12-6, 12-29, 12 -67, 12-68, 12-69, 12-13, 12-23, 12-24 unauthenticated port … 12- 28, 12-22, 12-25, 12-8, 12-41, 12-25, 12-35, 12-25, 12-33, 12-47 access … 12-4, 12-10 client authentication … 12-5, 12-4, 12-48, 12-21, 12-32, 12-21 enable … 12-20, 12-48 limit … 12-4, 12-21 tagged VLAN … 12-5 VLAN … 12-40, 12-41 Web/MAC [...]
-
Página 583
configure … 9-65 option … 9-71 traffic … 9-18, 9-72 implicit deny See deny any, implicit. … 9-12, 9-20 See ACL, wildcar d. IPX … 9-26 log function, with mirroring … 9-17 See ACL, lo gging. … 9-17, 9-18, 9-48 described … 9-96 session … 9-17 …9 - 9 9 mask … 9-11, 9-17, 9-29, 9-47 CIDR … 9-43 defined … 9-11 multiple IP addres[...]
-
Página 584
state … 12-62 authorized addresses for IP management s ecurity … 14-3, 13-5 authorized IP managers access levels … 14-3 building IP masks … 14-10 configuring … 14-6, 14-8, 14-5 definitions of single and multiple … 14-3 effect of duplicate IP addresses … 14-13 IP mask for multiple stations … 1 4-10, 14-4 operating notes … 14-13, 14[...]
-
Página 585
verify … 10-5 documentation feature matrix … -xx latest versions … -xix printed in-box publications … -xix release notes … -xix duplicate IP address effect on authorized IP managers … 14-13 dynamic ARP protection additional validation checks on ARP packets … 10-20 ARP packet debugging … 10-22 displaying ARP statistics … 10-21 enab[...]
-
Página 586
address count … 10-23, 14-1 reserved port numbers … 7-18 IP attribute …5 - 3 6 IP masks building … 14-10 for multiple authorized manager stations … 14-10 operation … 14-4 IP routing dynamic ARP protection, enabling … 10-15 validation checks on ARP packets, configuring … 10-20 IP-to-MAC binding … 10-19 IPv4, ACL vendor-specific att[...]
-
Página 587
O open VLAN mode See 802.1X access control. OpenSSH …7 - 2 OpenSSL …8 - 2 operating notes authorized IP managers … 14-13 port security … 13-41 operator password … 2-4, 2-6, 2-7 saving to configuration file … 2-12 Option 82 snooping … 10-5 P packet validation … 10-5 password 802.1X port-access … 2-12, 2-21 browser/console access ?[...]
-
Página 588
multiple ACL applicat ion types in use … 6-15 NAS-Prompt-User serv ice-type value … 5-14 network accounting … 5-35 operating rules, switch … 5 -6, 6-7, 6-8, 6-7, 6-8 rate-limiting … 6-4, 6-6, 6-4 security … 5-13, 5-4, 5-37, 5-47, 5-19, 5-8, 5-14, 2-12, 2-16, 5-46, 5-45 SNMP access security not supported … 5-4 statistics, viewing … 5[...]
-
Página 589
saving security creden tials to configuration file … 2-12, 2-14, 2-21 snooping authorized server … 10-4, 10-8 binding database … 10-11 changing remote-id … 10-10 DHCP … 10-3 disable MAC check … 10-10 Option 82 … 10-5, 10-8 statistics … 10-5 untrusted-policy … 10-9 verify … 10-5 source port filters configuring … 11-4 named … [...]
-
Página 590
configuration, authenti cation … 4-11, 4-22, 4-18, 4-23, 4-10 encryption key … 4-6, 4-18, 4-19, 4-22, 4-29, 4-26, 4-23, 2-12 general operation … 4-2 IP address, server … 4-18 local manager passwo rd requirement … 4-29 messages … 4-28 NAS … 4-3 precautions … 4-5, 4-8, 4-18, 4-6 server access … 4-18, 4-21, 4- 5, 2-15, 4-8, 4-13, 4-5[...]
-
Página 591
SSL … 8-18 unsecured access, SSL … 8-18 web server, proxy … 13-41 wildcard See ACL, wildcard. See ACL. wildcard, ACL, defined …6 - 1 1 Index – 11[...]
-
Página 592
12 – Index[...]
-
Página 593
[...]
-
Página 594
© Copyright 2009 Hewlett-Pack ard Development Company , L.P . February 2009 Manual Part Number 5992-5439[...]