HP (Hewlett-Packard) 6120 manuel d'utilisation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469

Aller à la page of

Un bon manuel d’utilisation

Les règles imposent au revendeur l'obligation de fournir à l'acheteur, avec des marchandises, le manuel d’utilisation HP (Hewlett-Packard) 6120. Le manque du manuel d’utilisation ou les informations incorrectes fournies au consommateur sont à la base d'une plainte pour non-conformité du dispositif avec le contrat. Conformément à la loi, l’inclusion du manuel d’utilisation sous une forme autre que le papier est autorisée, ce qui est souvent utilisé récemment, en incluant la forme graphique ou électronique du manuel HP (Hewlett-Packard) 6120 ou les vidéos d'instruction pour les utilisateurs. La condition est son caractère lisible et compréhensible.

Qu'est ce que le manuel d’utilisation?

Le mot vient du latin "Instructio", à savoir organiser. Ainsi, le manuel d’utilisation HP (Hewlett-Packard) 6120 décrit les étapes de la procédure. Le but du manuel d’utilisation est d’instruire, de faciliter le démarrage, l'utilisation de l'équipement ou l'exécution des actions spécifiques. Le manuel d’utilisation est une collection d'informations sur l'objet/service, une indice.

Malheureusement, peu d'utilisateurs prennent le temps de lire le manuel d’utilisation, et un bon manuel permet non seulement d’apprendre à connaître un certain nombre de fonctionnalités supplémentaires du dispositif acheté, mais aussi éviter la majorité des défaillances.

Donc, ce qui devrait contenir le manuel parfait?

Tout d'abord, le manuel d’utilisation HP (Hewlett-Packard) 6120 devrait contenir:
- informations sur les caractéristiques techniques du dispositif HP (Hewlett-Packard) 6120
- nom du fabricant et année de fabrication HP (Hewlett-Packard) 6120
- instructions d'utilisation, de réglage et d’entretien de l'équipement HP (Hewlett-Packard) 6120
- signes de sécurité et attestations confirmant la conformité avec les normes pertinentes

Pourquoi nous ne lisons pas les manuels d’utilisation?

Habituellement, cela est dû au manque de temps et de certitude quant à la fonctionnalité spécifique de l'équipement acheté. Malheureusement, la connexion et le démarrage HP (Hewlett-Packard) 6120 ne suffisent pas. Le manuel d’utilisation contient un certain nombre de lignes directrices concernant les fonctionnalités spécifiques, la sécurité, les méthodes d'entretien (même les moyens qui doivent être utilisés), les défauts possibles HP (Hewlett-Packard) 6120 et les moyens de résoudre des problèmes communs lors de l'utilisation. Enfin, le manuel contient les coordonnées du service HP (Hewlett-Packard) en l'absence de l'efficacité des solutions proposées. Actuellement, les manuels d’utilisation sous la forme d'animations intéressantes et de vidéos pédagogiques qui sont meilleurs que la brochure, sont très populaires. Ce type de manuel permet à l'utilisateur de voir toute la vidéo d'instruction sans sauter les spécifications et les descriptions techniques compliquées HP (Hewlett-Packard) 6120, comme c’est le cas pour la version papier.

Pourquoi lire le manuel d’utilisation?

Tout d'abord, il contient la réponse sur la structure, les possibilités du dispositif HP (Hewlett-Packard) 6120, l'utilisation de divers accessoires et une gamme d'informations pour profiter pleinement de toutes les fonctionnalités et commodités.

Après un achat réussi de l’équipement/dispositif, prenez un moment pour vous familiariser avec toutes les parties du manuel d'utilisation HP (Hewlett-Packard) 6120. À l'heure actuelle, ils sont soigneusement préparés et traduits pour qu'ils soient non seulement compréhensibles pour les utilisateurs, mais pour qu’ils remplissent leur fonction de base de l'information et d’aide.

Table des matières du manuel d’utilisation

  • Page 1

    Augu st 2 0 09 Pr oC ur v e Ser i es 6 1 20 S w itc he s Acc e ss Se cu rit y Gu ide[...]

  • Page 2

    Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 www.procurv e.com © Copyright 2009 Hewlett-Pa ckard Develo pment Compa ny , L.P . The information cont ained herein is subject to cha nge without notice. All Ri ghts Reserv ed. This document contains p roprietary i nformation , which is protected by c opyri[...]

  • Page 3

    ii[...]

  • Page 4

    iii Contents Product Documentation About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii Printed Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii Electronic Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii Software Feat[...]

  • Page 5

    iv 2 Configuring Username and Password Security Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Configuring Local Password Security . . . . . . . . . . . . . [...]

  • Page 6

    v Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34 3 Web and MAC Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 7

    vi Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-60 4 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 8

    vii Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 RADIUS-Administered CoS and Ra te-Limiting . . . . . . . . . . . . . . . . . . . 5-4 RADIUIS-Administered Commands Authorizati on . . . [...]

  • Page 9

    viii 2. Configure Accou nting Ty pes and the Controls for Sending Reports to the RADIUS Ser v er . . . . . . . . . . . . . . . . . . . . 5-42 3. (Optional) Configure Session Blocki ng and Interim Updat ing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44 Viewing RADIUS Statistics . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 10

    ix 7 Configuring Secure Socket Layer (SSL) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 11

    x Using DHCP Snooping with Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9 Changing the Remote-id from a MAC to an IP Addr ess . . . . . . . 8-11 Disabling the MAC Address Check . . . . . . . . . . . . . . . . . . . . . . . . 8-11 The DHCP Binding Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-12 Oper[...]

  • Page 12

    xi 9 Traffic/Security Filters and Monitors Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 13

    xii Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6 General 802.1X Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . 10-9 Example of the Authenti cation Process . . . . . . . . . . . . . . . . . . . . . . . . 10-9 VLAN Membership Priority . . . . . . . . . . . . . [...]

  • Page 14

    xiii Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-46 Configuring Switch Ports To Oper ate As Supplicants for 802.1X Connections to Other Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-47 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 15

    xiv Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26 MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26 Port Security and MAC Lock out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-29 Web: Displaying an d Configuring Port Secu r[...]

  • Page 16

    xv Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10 Configuring One St ation Per Autho rized Manager IP Entry . . . . . . 12-10 Configuring Mult iple Stations Per Authorized Ma nager IP Entry . . 12-11 Additional Examples for Auth orizing Mul tiple Sta tions . . . . . . . . . 12-13 Operat[...]

  • Page 17

    xvi[...]

  • Page 18

    xvii Product Documentation About Y our Switch Manual Set Note For the latest version of sw itch documentatio n, please visit any of the follow- ing websites: www .procurve.com/manuals www .hp.com/go/blades ystem/documentation h18004.www1.hp. com/products/blades/ components/c-class-tech-installing.html Printed Publications The publicatio n listed be[...]

  • Page 19

    xviii Software Feature Index This feature index indicates whi ch manual to co nsult for info rmation on a given softw are feature. Note This Index does not cover IPv6 capable software features. For informatio n on IPv6 protocol operatio ns and features (such as DHCPv6, DNS for IPv6, and Ping6), refer to the IPv6 Configuration Guide . Intelligent Ed[...]

  • Page 20

    xix Downloading Software X Event Log X Factory Default Settings X Flow Control (802.3x) X File T ransfers X Friendly Port Names X GVRP X Identity-Driven Management (IDM) X IGMP X Interface Access (T elnet, Console/Serial, W eb) X IP Addressing X Jumbo Packets X LACP X LLDP X LLDP-MED X Loop Protection X MAC Address Management X MAC Lockdown X MAC L[...]

  • Page 21

    xx Port Monitoring X Port Security X Port Status X Port T runking (LACP) X Port-Based Access Control (802.1X) X Protocol VLANS X Quality of Service (QoS) X RADIUS Authentication and Accounting X RADIUS-Based Configuration X RMON 1,2,3,9 X Secure Copy X SFTP X SNMPv3 X Software Downloads (SCP/SFTP , TFPT , Xmodem) X Source-Port Filters X Spanning T [...]

  • Page 22

    xxi VLANs X W eb Authentication RADIUS Support X W eb-based Authentication X W eb UI X Intelligent Edge Software Features Manual Management and Configuration Advanced T raffic Management Multicast and Routing Access Security Guide[...]

  • Page 23

    1-1 Security Overview Contents 1 Security Overview Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 For More Information . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 24

    1-2 Security Overview Introduction Introduction This chapter provides a n overview of th e security features included on your switch. T able 1-1 on page 1- 3 outlines the access security and authentication features, while T able 1-2 on page 1-7 highlights the additional fe atures designed to help secure and p rotect your network. For detailed infor[...]

  • Page 25

    1-3 Security Overview Access Security Features Access Security Features This section provides an overvi ew of the switch’ s acc ess security features, authentication protocol s, and metho ds. T able 1-1 lists these fea tures and provides summary config uration guideline s. For more in-depth info rmation, see the references provided (all chap ter [...]

  • Page 26

    1-4 Security Overview Access Security Features T elnet and W eb-browser access enabled The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured . T o reduce the chances of unauthorized users capturing your passwords, secure and encrypte d protocols[...]

  • Page 27

    1-5 Security Overview Access Security Features SSL disabled Secure Socket Layer (S SL) and T ransport Layer Security (TLS) provide remote W eb browser access to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operati on. The authenticated type includes server certifi[...]

  • Page 28

    1-6 Security Overview Access Security Features 802.1X Access Control none This feature provides port-based or user -based authentication through a RADI US server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services. Included in the general featur es are the f[...]

  • Page 29

    1-7 Security Overview Network Security Features Network Security Features This section outlines features and de fence mechanisms for protecting access through the switch to the network. Fo r more detailed information, see the indicated chapters. T able 1-2. Network Security—Default Settings and Security Gu idelines Feature Default Setting Securit[...]

  • Page 30

    1-8 Security Overview Network Security Features Connection- Rate Filtering based on Virus-Throttling T echnology none This feature helps protect the network from attack and is recommended for use on the network edge. It is primarily focused on the class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in [...]

  • Page 31

    1-9 Security Overview Getting Started with Access Security Getting Started with Access Security ProCurve switches are designed as “plu g and play” devices, allowing qui ck and easy installation in your netw ork. In its default configurati on the switch is open to unauthorized access of various type s. When prep aring th e switch for network ope[...]

  • Page 32

    1-10 Security Overview Getting Started with Access Security Keeping the switch i n a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional p recautions, you can do the following: ■ Disable or re-enable the password-clear ing func tion of the Clear button . ■ Configure the Clear button to rebo ot[...]

  • Page 33

    1-11 Security Overview Getting Started with Access Security The welcome banner appears and the first setup option is displayed ( Operator password ). As you advance throug h the w izard, each setup option displays the cu rrent value in brackets [ ] as shown in Figure 1-1. Figure 1-1. Example of Management Int erface Wizard Configuration Welcome to [...]

  • Page 34

    1-12 Security Overview Getting Started with Access Security 2. When you enter the wizard, you have the foll owing options: • T o upda te a setting, type in a new val ue, or press [ Enter ] to keep the current value. • T o quit the wizard wi thout saving any change s, press [ CTRL-C ] at any time. • T o access online Help for any option, press[...]

  • Page 35

    1-13 Security Overview Getting Started with Access Security The W elcome window appears. Figure 1-2. Management Interface Wizard: Welcome Window This page allow s you to choose between two setup type s: • T y pical —provides a multiple page , step -by-step method to configure security settings, with on-screen instructions for each option. • A[...]

  • Page 36

    1-14 Security Overview Getting Started with Access Security 4. The summary setup screen displays th e current configuration settings for all setup options (see Figure 1-3). Figure 1-3. Management Interface Wizard: Summ ary Setup From this screen, you have the fo llowing opti ons: • T o change any setting that is show n, type in a new value or mak[...]

  • Page 37

    1-15 Security Overview Getting Started with Access Security SNMP Security Guidelines In the default configuration, the swit ch is open to access by management stations runni ng SNMP (Simple Network Management Protocol) management application s capable of vi ewing and changing the settings and sta tus data in the switch’ s MIB (Managem ent In form[...]

  • Page 38

    1-16 Security Overview Getting Started with Access Security If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network , then yo u should implemen t the following security precautions when downloadi ng an d booting fro m the software: ■ If SNMP access to the authenticat ion configura tion (hpSwitc hAuth) MIB described ab[...]

  • Page 39

    1-17 Security Overview Precedence of Security Options Precedence of Security Options This section explains ho w port-based securi ty options, and client-based attribute s used for authenti cation , get prioritized on the switch. Precedence of Port-Bas ed Security Options Where the switch is ru nning multiple secu rity options, it implements network[...]

  • Page 40

    1-18 Security Overview Precedence of Security Options value applied to a cli ent session is determined in the following order (from highest to lowe st priority) in which a valu e configured wi th a higher priority overrides a value configured with a l ower priorit y: 1. Attribute profi les applied through the Network Imm unity network-man - agement[...]

  • Page 41

    1-19 Security Overview Precedence of Security Options The profile of attributes app lied for each client (MAC ad dress) session is stored in the hpicfUsrProf ile MIB, which serves as the configuration interface for Network Immunity Manager . A client prof ile consists of NIM-co nfigured, RADIUS-assigned, and statically configured parameters. Using [...]

  • Page 42

    1-20 Security Overview Precedence of Security Options Client-specific conf igurations are applied on a per-parameter basis on a port. In a client-speci fic profile, if D CA de tects that a parameter has configured values from two or more le vels in th e hierarchy of precedence desc ribed above, DCA decides whi ch parameters t o add or remove, or wh[...]

  • Page 43

    1-21 Security Overview ProCurve Identity-Driven Manager (IDM) ProCurve Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plu s (PCM+) and uses RADIUS-based technologies to create a user -cen tric approach to network access management and network activity tr acking and monitoring. IDM enables control of access security policy from a[...]

  • Page 44

    2-1 2 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 45

    2-2 Configuring Username and Password Security Contents Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation . . . . . . . . . . . . . . . . . . 2-30 Changing the Operation of the Rese t+Clear Combination . . . . . 2-31 Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 46

    2-3 Configuring Username and Password Security Overview Overview Console access includes both the menu interface and the CLI. There are two levels of console access: Manager and Operator . For security , you can set a password pair (username and password) on each of these lev els. Notes Usernames are optional. Also, in th e menu interface , you can[...]

  • Page 47

    2-4 Configuring Username and Password Security Overview T o configure password security: 1. Set a Manager password pair (and an Operator password pair , if applicable for your system). 2. Exit from the cur rent console session. A Manager p assword pair will no w be needed for full acc ess to the console. If you do steps 1 and 2, above, then th e ne[...]

  • Page 48

    2-5 Configuring Username and Password Security Overview Notes The manager and operator passwords and (optio nal) userna mes control access to the menu interface, C LI, and web browser interface. If you configure only a Manager passw ord (with no Operator password), and in a later session the Mana ger password is not entere d correctly in response t[...]

  • Page 49

    2-6 Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are opt ional. Configuring a user - name requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Console Passwords Figure 2-1. The S[...]

  • Page 50

    2-7 Configuring Username and Password Security Configuring Local Password Security T o Delete Password Protection (Incl uding Recovery from a Lost Password): This procedure deletes al l usernames (if configured) and pass- words (Manager an d Operator). If you have physical access to the switch , press and hold the Clear button (on the front of th e[...]

  • Page 51

    2-8 Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section Configuring M anager and Op erator Passwords. Note Y ou can configure manager and operator passwords in one step. See “Saving Security Credentials in a Config Fi le” on page 2-10 of this gui de. S[...]

  • Page 52

    2-9 Configuring Username and Password Security Configuring Local Password Security If you want to remov e both operator and m anager password p rotection, use the no password all command. W eb: Setting Passwo rds and Usernames In the web browse r interf ace you can enter passwords and (optional) user - names. T o Configure (or Remove) Usernames and[...]

  • Page 53

    2-10 Configuring Username and Password Security Saving Security Credentials in a Config File Saving Security Credentials in a Config File Y ou can store and view the following securi t y settings in internal flash m emory by entering the include-c redentials command: ■ Local manager an d operator passwords and (opt ional) user names that control [...]

  • Page 54

    2-11 Configuring Username and Password Security Saving Security Credentials in a Config File ■ The chapter on “Switch Memo ry and Configuration ” in the Management and Configuration Guide . ■ “Configuring Lo cal Password Securi ty” on page 2-6 in this guide. Enabling the Storage and Display of Security Credentials T o enable the securit[...]

  • Page 55

    2-12 Configuring Username and Password Security Saving Security Credentials in a Config File Local Manager and Op erator Passwords The informat ion saved t o the running- config fil e when the include-credentials command is ente red includ es: password manager [user-name <name>] <hash-type> <pass-ha sh> password operator [user-nam[...]

  • Page 56

    2-13 Configuring Username and Password Security Saving Security Credentials in a Config File Y ou can enter a manager , operator , or 802.1X port-access password in clear ASCII text or hashed fo rmat. However , mana ger and operator passwords are displayed and saved in a configuration f ile only in hashed format; port-access passwords are displayed[...]

  • Page 57

    2-14 Configuring Username and Password Security Saving Security Credentials in a Config File [ priv < priv-pass >] i s the (optional ) hashed privacy password used by a privacy protocol to encrypt SNMPv3 messages between the switch and the station. The following example shows the a dditi onal security credentials for SNMPv3 users that can be [...]

  • Page 58

    2-15 Configuring Username and Password Security Saving Security Credentials in a Config File The password po rt-access values are configured sepa rately from the manager and operator passwords configured with the password manager and password operator commands and used for manageme nt access to the switch. For information on the new passw ord comma[...]

  • Page 59

    2-16 Configuring Username and Password Security Saving Security Credentials in a Config File during authenti cation sessions. Both the sw itch and the server have a copy of the key; the key is neve r transmit ted across the network. For more information, refer to “3. Configure the Switch T o Access a RADIUS Server” on page 6-14 in this guide . [...]

  • Page 60

    2-17 Configuring Username and Password Security Saving Security Credentials in a Config File Note The ip ssh public-key comm and allows you to co nfigure only one SSH client public-key at a time. The ip ssh public-key command behavior includes an implicit appe nd that never overwrit es existing public -key configurati ons on a running switch. If yo[...]

  • Page 61

    2-18 Configuring Username and Password Security Saving Security Credentials in a Config File T o displa y the SSH public -key configurations (72 ch aracters per line) stored in a configurat ion file, enter the show config or sho w running-config command. The following example shows the SSH public keys configured for manager access, along with the h[...]

  • Page 62

    2-19 Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes Caution ■ When you first enter the include-creden tials command to save th e additional se curity crede ntials to the runnin g configuratio n, these settings are moved from internal storage on th e swit ch to the running-co nfig file. Y ou[...]

  • Page 63

    2-20 Configuring Username and Password Security Saving Security Credentials in a Config File • copy config < source-f ilename > config < target-filename >: Makes a local copy of an existing star tup-co nfig file by cop y ing the contents of the startup-co nfig file in one memory sl ot to a new start up-config file in another , empty m[...]

  • Page 64

    2-21 Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running configur ation with the include-cre dentials command: ■ The private keys o f an SSH host cannot be stor ed in the runnin g configuratio n. Only [...]

  • Page 65

    2-22 Configuring Username and Password Security Saving Security Credentials in a Config File the username and password used as 802.1X authentication credentials for access to the switch. Y ou can store the password port-access values in the running conf iguration fi le by using the include-credentials command. Note that th e password port-access v [...]

  • Page 66

    2-23 Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel sec urity features provid e the ability to ind ependently ena ble or disable some of t he functions of the two button s located on the fron t of the switch for clearing the passwo rd (Clear button) or restoring the switch to its factory default[...]

  • Page 67

    2-24 Configuring Username and Password Security Front-Panel Security As a result of increased security co ncerns, customers now have the ability to stop someone from r emoving passwords by di sabling the Clear and/or Reset buttons on the f ront of th e switch. Front-Panel Button Functions This section describes the f unctionality of the Clear and R[...]

  • Page 68

    2-25 Configuring Username and Password Security Front-Panel Security Clear Button Pressing the Clear button alone for five seconds resets the password(s) configured on the switch. Figure 2-8. Press the Clear Button for Five Se conds T o Reset the Password(s) Reset Button Pressing the Reset but ton alone for one second causes t he switch to reb oot.[...]

  • Page 69

    2-26 Configuring Username and Password Security Front-Panel Security 2. While holdin g the Reset bu tton, press and ho ld the Clear button for five seconds. 3. Release the Reset button. 4. If the Clear button is held for greater then 2.5 seconds, configuration will be cleared, and the switch will rebo ot. It can take approxima tely 20-2 5 seconds f[...]

  • Page 70

    2-27 Configuring Username and Password Security Front-Panel Security Configuring Front-Panel Security Using the front-panel-sec urity command from the global configurati on context in the CLI you can: • Disable or re-e nable the passwor d-clearing function of the Clear button. Disabling the Clear butt on means that pressing it does not remove loc[...]

  • Page 71

    2-28 Configuring Username and Password Security Front-Panel Security For example, show front-pane l-security produces the followin g output when the switch is configu red with the defa ult front-panel secu rity settings. Figure 2-10. The Default Front-Panel Security Settin gs Reset-on-clea r: Shows the status of the reset-on-clear option ( Enabled [...]

  • Page 72

    2-29 Configuring Username and Password Security Front-Panel Security Disabling the Clear Password Function of the Clear Button This command displays a Cautio n message in the CLI. If you wa nt to proceed with disabling the Clear button, type [Y] ; otherwise type [N] . For example: Figure 2-11. Example of Disabli ng the Clear Button and Displ aying [...]

  • Page 73

    2-30 Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Bu tton and Setting or Changing the “Reset-On-Clear” Operation For example, suppose that password-clear is disabled and you want to restore it to its defaul t configuration (enabled, with reset-on-clear disabled). Syntax: [no] front-panel-security pa sswo[...]

  • Page 74

    2-31 Configuring Username and Password Security Front-Panel Security Figure 2-12. Example of Re-Enabling th e Clear Button’ s Defa ult Operation Changing the Operation of the Reset+Clear Combination In their d efault co nfigurati on, using the Reset+ Clear button s in the combina- tion describe d under “Restorin g the Factory Defau lt Configura[...]

  • Page 75

    2-32 Configuring Username and Password Security Password Recovery Figure 2-13. Example of Disabli ng the Factory Reset Option Password Recovery The password recovery feature is enabled by default and provide s a metho d for regaining management access to the switch (without resetting the sw itch to its factory default co nfiguration) i n the event [...]

  • Page 76

    2-33 Configuring Username and Password Security Password Recovery factory-default configu ration. This can disru pt network operation and make it necessary to temporarily di sconnect the sw itch from the ne twork to prev ent unauthorized access and other pr oblems while it is being reconfigured. Also, with factory-re set enabled, unauthorized users[...]

  • Page 77

    2-34 Configuring Username and Password Security Password Recovery Figure 2-14. Example of the Steps for Di sabling Password-Recovery Password Recovery Process If you have lost the switch’ s manager username/password, but passwor d- rec over y is enabled, then you can use the Password Recovery Process to gain management access to the switch with a[...]

  • Page 78

    3-1 3 W eb and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Web Authenticati on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 79

    3-2 Web and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-50 Configuration Co mmands fo r MAC Authentication . . . . . . . . . . . . . . 3-51 Show Commands for MAC-Base d Authentication . . . . . . . . . . . . . . . 3-54 Client Status . . . . . . . . . . . [...]

  • Page 80

    3-3 Web and MAC Authentication Overview Overview W eb and MAC authentication are designed for employment on the “edge” of a network to provide port-based securit y measures for protecting private networks and a switch from unauth or ized access. Because neither method requires clients to run special supplicant software (unlike 802.1X authentica[...]

  • Page 81

    3-4 Web and MAC Authentication Overview Note A proxy server is not supported for use by a browser on a client device that accesses the network thr ough a port co nfigured for web authentication. ■ In the login page, a clie nt enters a username and password, whic h the switch forw ards to a RADI US server for authenticatio n. After authen- ticatin[...]

  • Page 82

    3-5 Web and MAC Authentication Overview ■ Each new W eb/MAC Auth client al ways initiates a MAC authentica- tion attempt. This same client can also initiat e W eb authent ication at any time before t he MAC authen ticati on succeeds. If either authenti - cation succeeds then the other auth entication (if in progress) is ended. No further W eb/MAC[...]

  • Page 83

    3-6 Web and MAC Authentication How Web and MAC Authentication Operate clients by using an “unauthorized” VL AN for each session. The unauthorized VLAN ID assignment can be the same fo r all ports, or differ ent, depending on the services an d access you plan to allow for unauthen ticated clients. Y ou configure access to an optional, un authori[...]

  • Page 84

    3-7 Web and MAC Authentication How Web and MAC Authentication Operate W eb-based Authentication When a client connects to a W eb-Auth enabled port, com munication is redi- rected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username an d password. The default User Logi[...]

  • Page 85

    3-8 Web and MAC Authentication How Web and MAC Authentication Operate If the client is authenticated and the maximum number of clients allowed on the port ( client-limit ) has not been reached , the port is assigned to a static, untagged VLAN for network access. After a successful login, a client may be redirected to a URL if you specify a URL valu[...]

  • Page 86

    3-9 Web and MAC Authentication How Web and MAC Authentication Operate A client may not be authenticated du e to invali d credentials or a RADIUS server timeout. The max-retries parameter specifies how many time s a client may enter their creden ti als before authentic ation fails. The server-timeout parameter sets how long the switch wa its to rece[...]

  • Page 87

    3-10 Web and MAC Authentication How Web and MAC Authentication Operate The assigned port VLAN remains in pl ace until the session ends. Clients may be forced to reauth enticate after a fixed period of time ( reauth-per iod ) or at any time during a session ( reauthentic ate ). An implicit lo goff period can be set if there is no activity from the c[...]

  • Page 88

    3-11 Web and MAC Authentication Terminology T erminology Authorized-Cli ent VLAN: L ike the Unauth orized-Client VLAN, t his is a conventional, static, untagged, port-b ased VLAN previously configured on the switch by the System Administrat or . The intent in using this VLAN is to provide authenti cated clients with network acce ss and services. Wh[...]

  • Page 89

    3-12 Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ The switch suppo rts concurren t 8 02.1X , W eb and MAC authentication operation on a port (with up to 2 clients allowed). However , concur - rent operation of W eb and MAC au thentication w ith other type s of authentication on the same port is not su pported. [...]

  • Page 90

    3-13 Web and MAC Authentication Operating Rules and Notes 1. If there is a RADIUS-assigned VL AN, then, fo r the duration of t he client session, the p ort belongs to th is VLAN and tempor arily drops all other VLAN memberships. 2. If there is no RADIUS-assigned VLAN, then, for the duratio n of the client session, the port belongs to the Authorized[...]

  • Page 91

    3-14 Web and MAC Authentication Setup Procedure for Web/MAC Authentication W eb/MAC Authentication and LACP W eb or MAC au thentication a nd LACP ar e not supported at the same time on a port. The switch automatically disables LACP on ports configured for W eb or MAC authentication. ■ Use the show port-access web-based commands to display session[...]

  • Page 92

    3-15 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Figure 3-4. Example of show port-a ccess config Command Output 3. Determine whether any VLAN assign ments are needed for authentica ted clients. a. If you configure the RADIUS server to assign a VLAN for an authen- ticated client, this assignment o verrides any VLAN assignme[...]

  • Page 93

    3-16 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that wh en config uring a RADIUS server to assign a VLAN, you can u s e e i t h e r t h e V L A N ’s n a m e o r V I D . F o r example, if a VLAN configured in the switch has a VID of 100 and is named vlan100 , you could co nfigure the RADIUS server to use either “1[...]

  • Page 94

    3-17 Web and MAC Authentication Setup Procedure for Web/MAC Authentication aa-bb-cc-dd-ee-ff aa:bb:cc:dd:ee:ff AABBCCDDEEFF AABBCC-DDEEFF AA-BB-CC-DD-EE-FF AA:BB:CC:DD:EE:FF ■ If the device is a switch or othe r VLAN-capable device, use the base MAC address assigned to the device, and not the MAC address assigned to the VLAN throu gh wh ich the d[...]

  • Page 95

    3-18 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Syntax: [no] radius-server [host < ip-addre ss >] [oobm] Adds a server to the RADIUS configuration or (with no ) deletes a server from the configuration. You can config- ure up to three RADIUS serv er addresses. The switch uses the first server it successfully accesses[...]

  • Page 96

    3-19 Web and MAC Authentication Setup Procedure for Web/MAC Authentication For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server specific shared secret key of ‘1A7rd’ Figure 3-5. Example of Configuri ng a Switch T o Access a RADIUS Server[...]

  • Page 97

    3-20 Web and MAC Authentication Configuring Web Authentication Configuring W eb Authentication Overview 1. If you have not already done so, configure a local username and password pair on th e switch. 2. Identify or create a redirect URL for use by authenticated clients. Pro- Curve recommends that you provid e a redirect URL when using W eb Authent[...]

  • Page 98

    3-21 Web and MAC Authentication Configuring Web Authentication • Y ou can blo ck only incoming t raffic on a port befo re authentication occurs. Outgoing t raffic with unkno wn destination ad dresses is flooded on unau thenticat ed ports configured fo r web authentication. For example, W ake-on-LAN traffic is transmitted on a web-authenti- cated [...]

  • Page 99

    3-22 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access < port-list > controlled-directions <both | in > After you enable web-based au thentication on specified ports, you can use the aaa port-access c ontrolled-direc- tions command to configure how a port transmits traffic before it successfully authentic[...]

  • Page 100

    3-23 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access < port-list > controlled-directions <both | in > — Continued — Notes : ■ For information on how to conf igure the prerequisites for using the aaa port-access control led-directions in comm and, see Chapter 4, “Multiple Instance Spanning-T ree [...]

  • Page 101

    3-24 Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based < p ort-list > Enables web-based authenti cation on the specified ports. Use the no form of the command to disable web- based authentication on the specified ports. Syntax: aaa port-access w eb-based < port-list > [auth-vid < vid >[...]

  • Page 102

    3-25 Web and MAC Authentication Configuring Web Authentication Figure 6. Adding Web Servers with the aaa port-access w eb-based ews-server Command Specifies the base address/mask for the temporary IP pool used by DHCP. The ba se address can be any valid ip address (not a multicas t address). Valid mask range value is <255.255. 240.0 - 255.255.25[...]

  • Page 103

    3-26 Web and MAC Authentication Configuring Web Authentication Figure 7. Removing a Web Server with the aaa port-access web-based ews- server Command ProCurve Switch (config)# no aaa port-access web-based 47 ewa-serv er 10.0.12.181 ProCurve Switch (config)# Syntax: aaa port-access w eb-based < port-list > [ logoff-p eriod ] <60-9999999>[...]

  • Page 104

    3-27 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access w eb-based < port-list > [reauth-period <0 - 9999999>] Specifies the time period, in seconds, the switch enforces on a client to re-au thenticate. Wh en set to 0 , reauthentication is disa bled. (Default: 300 seconds) Syntax: aaa port-access w eb-base[...]

  • Page 105

    3-28 Web and MAC Authentication Configuring Web Authentication Show Commands for W eb Authentication Command Page show port-access web-based [ port-list ] 3-28 show port-access web-based clients [ port-list ] 3-29 show port-access web-based clients < port-list > detailed 3-30 show port-access web-based config [ port-list ] 3-31 show port-acce[...]

  • Page 106

    3-29 Web and MAC Authentication Configuring Web Authentication Figure 4. Example of show port-a ccess web-based Comm and Output Figure 5. Example of show port-a ccess web-based clien ts Command Output ProCurve (config)# show port-access web-based Port Access Web-Based Status Auth Unauth Untagged Tagged Port Cntrl Port Clients Clients VLAN VLANs COS[...]

  • Page 107

    3-30 Web and MAC Authentication Configuring Web Authentication Figure 6. Example of show port-a ccess web-based clien ts detailed Command Ou tput Syntax: show port-access web-based clien ts < port-list > detailed Displays detai led information on the statu s of web- authenticated client sessions on specified switch ports. ProCurve (config)# s[...]

  • Page 108

    3-31 Web and MAC Authentication Configuring Web Authentication Figure 7. Example of show port-a ccess web-based co nfig Command Output Syntax: show port-access web-based con fig [ port-list ] Displays the currently config ured W eb Authentication settings for all switch ports or specified ports, including: • T emporary DHCP base address and mask [...]

  • Page 109

    3-32 Web and MAC Authentication Configuring Web Authentication Figure 8. Example of show port-a ccess web-based co nfig detail Command Outp ut Syntax: show port-access web-based config < port-list > det ailed Displays more detailed inform ation on the currently config- ured W eb Authentication set tings for specified ports. ProCurve (config)#[...]

  • Page 110

    3-33 Web and MAC Authentication Configuring Web Authentication Figure 9. Example of show port-a ccess web-based co nfig auth-server Command Output Syntax: show port-access web-based con fig [ port-list ] auth-serve r Displays the currently config ured W eb Authentication settings for all switch ports or specified ports and includes RADIUS server -s[...]

  • Page 111

    3-34 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Customizing W eb Authentication HTML Files (Optional) The W eb Authentication process displays a series of web pages and sta tus messages to the user during login. The web pages that are displayed can be: ■ Generic, default pages generated directly by the switch[...]

  • Page 112

    3-35 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) ■ T o configure a web server on your network, follow the instructio ns in the documentation provided wi th the server . ■ Before you enable custom W eb Authentication p ages, you should: • Determine the IP address or host name of the web server(s) that will [...]

  • Page 113

    3-36 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Customizable HTML T emplates The sample HTML files desc ribed in the follow ing se ctions are customizable templates. T o help you cr eate your own set HTML files, a set of the templates can be found on th e downlo ad page for ‘K’ software. User Login Page (in[...]

  • Page 114

    3-37 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Figure 9. HTML Code for User Login Page T emplate <!-- ProCurve Web Authenticati on Template index.html --> <html> <head> <title>User Login</ title> </head> <body> <h1>User Login</h1> <p>In order to acce [...]

  • Page 115

    3-38 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Access Granted Page (accept.html). Figure 9-10. Access Granted Page The accept.html file is the web page used to co nfirm a valid client login. This web page is displayed after a valid username and password are entered and accepted. The client device is then grant[...]

  • Page 116

    3-39 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Figure 11. HTML Code for Access Granted Pa ge T emplate <!-- ProCurve Web Authenticati on Template accept.html --> <html> <head> <title>Access Grant ed</title> <!-- The following line is required to automatically redirec t --> &[...]

  • Page 117

    3-40 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Authenticating Page (authen.html). Figure 12. Authenticatin g Page The authen.html file is the web page used to process a client login and is refreshed while user credenti als are checked and verified. Figure 13. HTML Code for Authenticati ng Page T emplate <!-[...]

  • Page 118

    3-41 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Invalid Credential s Page (reject_unaut hvlan.html). Figure 10. Invalid Credentia ls Page The reject_ unauthvlan.html file is the web page used to displ ay login failures in which an unauthenti cated client i s assigned to the V L AN configured for unauthorized cl[...]

  • Page 119

    3-42 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Figure 14. HTML Code for Invalid Credentia ls Page T emplate <!-- ProCurve Web Authenticati on Template reject_unauthvlan.html --> <html> <head> <title>Invalid Cred entials</title> <!-- The following line is required to automatical[...]

  • Page 120

    3-43 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) T imeout Page (timeout.html). Figure 15. T imeout Page The tim eout.ht ml file is the web page used to return an error message if the RADIUS server is not reachable. Y ou can configure the time period (in seconds) that the switch waits for a response from the RADI[...]

  • Page 121

    3-44 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Retry Login Page (retry_login.html). Figure 17. Retry Login Page The retry_login.html file is the w eb page displayed to a client tha t has entered an invalid username and/or passw ord, and is given another opportun ity to log in. The W AUTHRETRIESLEFTGET ESI disp[...]

  • Page 122

    3-45 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Figure 18. HTML Code fo r Retry Login Page T emplate <!-- ProCurve Web Authenticati on Template retry_login.html --> <html> <head> <title>Invalid Cred entials</title> <!-- The following li ne is required to automatically redirect t[...]

  • Page 123

    3-46 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) SSL Redirect Page (sslredirect.html). Figure 19. SSL Redirect Page The sslredirect fil e is the web page displayed when a client is redirected to an SSL server to enter cr edentials for W e b Authentication. If you have enabled SSL on the switch, you can enable se[...]

  • Page 124

    3-47 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Figure 20. HTML Code for SSL Redirect Page T emplate <!-- ProCurve Web Authenticati on Template sslredirect.html --> <html> <head> <title>User Login S SL Redirect</title> <meta h ttp-equiv="refresh" content="5;URL=ht[...]

  • Page 125

    3-48 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Access Denied Page (r eject_novlan.html). Figure 11. Access Denied Page The reject_novlan file is the web page displayed after a client login fails and no VLAN is confi gured for unau thorized clients. The W AUTHQUI ETTIMEGET ESI i nserts the time pe riod used to [...]

  • Page 126

    3-49 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Figure 21. HTML Code for Access Denied Page T emplate <!-- ProCurve Web Authenticati on Template reject_novlan.html --> <html> <head> <title>Access Denie d</title> <!-- The line below i s required to automatically redirect the user[...]

  • Page 127

    3-50 Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on th e switch. 2. If you plan to use multi ple VLANs with MAC Authenti cation, ensure that these VLANs are configured on the sw itch and [...]

  • Page 128

    3-51 Web and MAC Authentication Configuring MAC Authent ication on the Switch Configuration Co mmands for MAC Authentication Command Page Configuration Level aaa port-access mac-based addr -format 3-51 [no] aaa port-access mac-based [e] < port-list >3 - 5 2 [addr -limit] 3-52 [addr -moves] 3-52 [auth-vid] 3-52 [logoff-period] 3-53 [max-reques[...]

  • Page 129

    3-52 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: [no] aaa port-access mac-based < p ort-list > Enables MAC-based authentication on the specified ports. Use the no form of the comm and to disable MAC- based authentication on the specified ports. Syntax: aaa port-access m ac-based [e] < port-list > [add[...]

  • Page 130

    3-53 Web and MAC Authentication Configuring MAC Authent ication on the Switch Syntax: aaa port-access m ac-based [e] < port-list > [logoff-period] <60-9999999> ] Specifies the period, in seco nds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the s[...]

  • Page 131

    3-54 Web and MAC Authentication Configuring MAC Authentication on the Switch Show Commands for MAC- Based Authentication Syntax: aaa port-access m ac-based [e] < port-list > [unauth-vid < vid >] no aaa port-access mac-b ased [e] < port-list > [unauth-vid ] Specifies the VLAN to use for a client that fails authen- tication. If unau[...]

  • Page 132

    3-55 Web and MAC Authentication Configuring MAC Authent ication on the Switch Figure 3-22. Example of show port-a ccess mac-based Command Output Figure 4. Example of show port-a ccess mac-based client s Command Output ProCurve (config)# show port-access mac-based Port Access MAC-Based Status Auth Unauth Untagged Tagged Port Cntrl Port Clients Clien[...]

  • Page 133

    3-56 Web and MAC Authentication Configuring MAC Authentication on the Switch Figure 5. Example of show port-a ccess mac-based client s detail Command Outpu t Syntax: show port-access mac-based clien ts < port-list > detailed Displays detai l ed information on the statu s of MAC- authenticated client sessions on specified ports. ProCurve (conf[...]

  • Page 134

    3-57 Web and MAC Authentication Configuring MAC Authent ication on the Switch Figure 6. Example of show port-a ccess mac-based config Command Output Syntax: show port-access mac-based con fig [ port-list ] Displays the currently config ured MAC Authentication settings for all switch ports or specified ports, including: • M AC address format • S[...]

  • Page 135

    3-58 Web and MAC Authentication Configuring MAC Authentication on the Switch Figure 7. Example of show port-a ccess mac-based config detail Command Outpu t Syntax: show port-access mac-based config < port-list > det ailed Displays more detailed inform ation on the currently config- ured MAC Authentication settings for specified ports. ProCurv[...]

  • Page 136

    3-59 Web and MAC Authentication Configuring MAC Authent ication on the Switch Figure 8. Example of show port-a ccess mac-based config auth-server Command Outp ut Syntax: show port-access mac-based con fig [ port-list ] auth-serve r Displays the currently config ured W eb Authentication settings for all switch ports or specified ports and includes R[...]

  • Page 137

    3-60 Web and MAC Authentication Client Status Client Status The table below show s the possible client status in formation that may be reported by a W eb-based or MAC-based ‘ show ... clients’ command. Reported Status Available Netwo rk Connection Possible Explanations authenticated Authorized VLAN C lient authenticated. Remains connected until[...]

  • Page 138

    4-1 4 T ACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Applicati ons: . . . . . . . . . . . . . . . . . . . . 4-3 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 General [...]

  • Page 139

    4-2 TACACS+ Authentication Overview Overview T A CACS+ authentication enables you to use a central server to a llow or deny access to the switches covered in this guide (and other T ACACS-aware devices) in your network. This means that you can use a central database to create multiple unique username/passw ord sets with associated privilege levels [...]

  • Page 140

    4-3 TACACS+ Authentication Terminology Used in TA CACS Applications: T A CACS+ server for authentica tion services. If the swit ch fails to connect to any T AC ACS+ server , it defaults to its own locally assigned passwords for authentication co ntrol if it has been configured to do so. For both Con sole and Telnet access you can configure a lo gin[...]

  • Page 141

    4-4 TACACS+ Authentication Terminology Used in TA CACS Applications: face. (Using the menu interface you can assign a local password, but not a username.) Because this method assigns passwor ds to the switch instead of to individuals who access t he switch, you must distribute the password information on each swit ch to everyone who needs to access[...]

  • Page 142

    4-5 TACACS+ Authentication General System Requirements General System Requirements T o use T ACACS+ authentication, you need th e following: ■ A T ACACS+ server application instal led and configur ed on one or more servers or management stations in your network. (There are several T ACACS+ software packages available.) ■ A switch configured for[...]

  • Page 143

    4-6 TACACS+ Authentication General Authentication Setup Procedure other access type (console, in this case) open in case the T elnet ac cess fails due to a configuration problem. The fo llowing procedure outlines a general setup procedure. Note If a complete access lockou t occurs on the switch as a result of a T ACACS+ configuration, see “T roub[...]

  • Page 144

    4-7 TACACS+ Authentication General Authentication Setup Procedure Note on Privilege Levels When a T ACACS+ server au thenticates an access re quest from a switch, it includes a privilege level code for th e switch to use in determining which privilege level to grant to the te rminal requesti ng access. The switch interprets a privilege level code o[...]

  • Page 145

    4-8 TACACS+ Authentication Configuring TACACS+ on the Switch configuration in your T ACACS+ ser ver application fo r mis-configura- tions or missing data that could aff ect the server’ s interoperation with the switch. 8. After your testing shows that T elnet access using the T ACACS+ server is working properly , configure your T ACACS+ server ap[...]

  • Page 146

    4-9 TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section V iewing the Switch’ s Current Authentication Configuration This command lists the n umber of lo gin attemp ts the switch allows in a single login session, and the pr imary/secondary access method s configured for each type of access. Syntax: show [...]

  • Page 147

    4-10 TACACS+ Authentication Configuring TACACS+ on the Switch V iewing the Switch’ s Current T ACACS+ Server Contact Configuration This comma nd lists the tim eout period, encryption key , and the IP addresses of the first-choice and backup T ACACS + servers the switch can contact. Syntax: show tacacs For example, if the switch was configur ed fo[...]

  • Page 148

    4-11 TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’ s Authentication Methods The aaa authentication command configures acc ess control for the foll owing access methods: ■ Console ■ Te l n e t ■ SSH ■ We b ■ Port-access (802.1X) However , T ACACS+ authentication is only us ed with the console, T elnet, [...]

  • Page 149

    4-12 TACACS+ Authentication Configuring TACACS+ on the Switch Authentication Parameters T able 4-1. AAA Authentication Pa rameters Syntax: aaa authentica tion < console | telnet | ssh | web | p ort-access > Selects the access method for configuration. < enable> The server grants privileges at the Manager privilege level. < login [pri[...]

  • Page 150

    4-13 TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the T ACACS+ Se rver for Single Login In order for the single login feature t o work correctly , you need to check some entries in the User Setu p on the T ACACS+ server . In the User Setup, scroll to the Ad vanced T ACACS+ Settings section. Make sure the radio butto n for ?[...]

  • Page 151

    4-14 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-4. Advanced T ACACS+ Settings Sectio n of the T ACACS+ Server User Setup Then scroll down to t he section that begins with “Shell” (See Figure 4-5). Check the Shell box. Check the Privilege level box and set th e privilege level to 15 to allow “root” privileges. This all[...]

  • Page 152

    4-15 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-5. The Shell Section of t he T ACACS+ Server User Setup As shown in the next table, login and en able access is alwa ys available locally through a direct t erminal connecti on to the switch’ s console port. However , for T elnet access, you can configure T ACACS+ to deny acce[...]

  • Page 153

    4-16 TACACS+ Authentication Configuring TACACS+ on the Switch T able 4-2. Prima ry/Secondary Authen tication T able Caution Regarding the Use of Local for Login Primary Access During local authentication (which uses passwords config ured in the switch instead of in a T ACACS+ server), the sw itch grants read-only access if you enter the Operator pa[...]

  • Page 154

    4-17 TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corre sponding commands to configure them: Console Login (Operator or Read-Only) Acc ess: Primary using T ACACS+ server . Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Ma nager [...]

  • Page 155

    4-18 TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’ s T ACACS+ Server Access The tacacs-server command configures these parameters: ■ The host IP address(es) for up to three T ACACS+ servers; one first- choice and up to two backups. Desi gnating backup se rvers provides for a continuation of authentication serv[...]

  • Page 156

    4-19 TACACS+ Authentication Configuring TACACS+ on the Switch Note on Encryption Keys Encryption keys configured in the swit ch must exactly ma tch the encryption keys configured in T ACACS+ servers th e switch will a ttempt to use for authentication. If you configure a global encryption key , the switch uses it only wit h servers for which you hav[...]

  • Page 157

    4-20 TACACS+ Authentication Configuring TACACS+ on the Switch Specifies the IP address of a device runn ing a T ACACS+ server application. Optionally , can also specify the unique, per-server encryption key to use when each assigned serv er has its own, unique key . For more on the encryption key, see “Using the Encryption Key” on page 4-27 and[...]

  • Page 158

    4-21 TACACS+ Authentication Configuring TACACS+ on the Switch Adding, Removing, or Cha nging th e Priority of a T ACACS+ Server . Suppose that the switch was already co nfigured to use T ACACS+ servers at 10.28.227.10 and 10.28.227.15 . In this cas e, 10.28.227.15 was entered first, and so is listed as the first-choice server: Figure 4-6. Example o[...]

  • Page 159

    4-22 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-7. Example of the Switch After Assigni ng a Different “First-Choice” Server T o remove the 10.28.227.1 5 device as a T ACACS+ server , you would use this command: ProCurve (config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key . Use an encryption ke y in [...]

  • Page 160

    4-23 TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encryption key in the switch, re-enter the tacacs-server host command wi thout th e key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you wa nt to eliminate the key, you wou[...]

  • Page 161

    4-24 TACACS+ Authentication How Authentication Operates How Authentication Operates General Authentication Process Using a T ACACS+ Server Authentication through a T ACACS+ server operates generally as described below . For specific operat ing deta ils, refer to the documentation you received with your T ACAC S+ server application. Figure 4-8. Usin[...]

  • Page 162

    4-25 TACACS+ Authentication How Authentication Operates 4. When the requesting te rminal responds to the prompt with a passw ord, the switch forwards it to the T ACACS+ server and one of the following actions occurs: • If the username/pass word pair received from the requesting terminal matches a username/passw ord pair previously stored in the s[...]

  • Page 163

    4-26 TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is config ured to use T ACACS+, it re verts to local authenti- cation only if on e of these tw o conditions exist s: ■ “Local” is the authentication option for the access method being used. ■ T A CACS+ is the primary authenticat ion mode for[...]

  • Page 164

    4-27 TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encr yption key (sometimes term ed “key”, “secret key”, or “secret”) helps to pr event unauthori zed intruders on the network f rom reading username and password information in T ACACS+ packets moving between the switch and [...]

  • Page 165

    4-28 TACACS+ Authentication Controlling Web Browser Interface Acces s When Using TACACS+ Authentication For example, you would use the next co mmand to configure a global encryp- tion key in the switc h to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do n[...]

  • Page 166

    4-29 TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to T ACACS+ Operation The switch generates the CLI messages l isted below . However , you may see other messages generated in your T ACACS+ server a pplication. For informa- tion on such messages, re fer to the documentation you rec eived with the application . Opera[...]

  • Page 167

    4-30 TACACS+ Authentication Operating Notes ■ When T ACACS+ is not enabled on th e switch—or when the switch’ s only designated T ACACS+ servers ar e not accessible— setting a local Operator password wi thout also setting a local Manager password does not protect the s witch from manager -level access by unauthor - ized persons. ■ When us[...]

  • Page 168

    5-1 5 RADIUS Authentication, Authorization, and Accounting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Accounting Services . . . . . . . . . . . . . . . . . . . .[...]

  • Page 169

    5-2 RADIUS Authentication, Au thorization, and Accounting Contents Example Configurati on on Cisco Secure ACS for MS Windows 5-30 Example Configuration Usi ng FreeRADIUS . . . . . . . . . . . . . . . . . 5-32 VLAN Assignment in an Authentication Session . . . . . . . . . . . . . . . . 5-34 Tagged and Untagged VLAN Attributes . . . . . . . . . . . .[...]

  • Page 170

    5-3 RADIUS Authentication, Authorization, and Ac counting Overview Overview RADIUS ( Remote Authentication Dial-In User Service ) enables yo u to use up to three servers (one primary server and one or two backups) and mai ntain separate authentication and accountin g for each RADIUS server employed. For authentication, this allows a differ ent pass[...]

  • Page 171

    5-4 RADIUS Authentication, Au thorization, and Accounting Overview Note The switch does not support RADIUS security for SNM P (network manage- ment) access. For i nformation on blocking access through the web br owser interface, refer to “Controlling W eb Br owser Interfac e Access” on page 5-25. Accounting Services RADIUS accounting on the swi[...]

  • Page 172

    5-5 RADIUS Authentication, Authorization, and Ac counting Terminology T erminology AAA: Authentication, Authorization, and Accounting group s of services pro - vided by the carrying protocol. CHAP (Challenge-Handshake Authe ntication Protocol): A challenge- response authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encr[...]

  • Page 173

    5-6 RADIUS Authentication, Au thorization, and Accounting Switch Operating Rules for RADIUS V endor -Specific Attribute: A v endor -defined value config ured in a RADIUS server to specific an optional switch fe ature assigned by the server during an authenticated cl ient session. Switch Operating Rules for RADIUS ■ Y ou must have at l east one RA[...]

  • Page 174

    5-7 RADIUS Authentication, Authorization, and Ac counting General RADIUS Setup Proced ure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS server s to support the switch. (That is, one primary server and one or two ba ckups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring th[...]

  • Page 175

    5-8 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you hav e configured[...]

  • Page 176

    5-9 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication Outline of the Steps fo r Configuring RADIUS Authentication There ar e three ma in steps t o configuring RADIUS authe ntication : 1. Configure RADIUS authentication fo r controlling access through one or more of the following • Serial port ?[...]

  • Page 177

    5-10 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication • T imeou t Period: Th e timeout pe riod the switch waits for a RADIUS server to reply . (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS au thenticat[...]

  • Page 178

    5-11 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication ure local for the secondary method. This prevents the possibil ity of being completely locked out of the swit ch in the event that all primary access methods fail. In certain situations, RADIUS servers ca n become isolated fr om the network. [...]

  • Page 179

    5-12 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication Figure 5-2 shows a n example of the show authenticatio n command displaying authorized as the secondary auth entication method for po rt-access, W eb-a uth access, and MAC-auth access. Since the configuration of au thorized means no authenti[...]

  • Page 180

    5-13 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication Figure 5-3. Example Confi guration for RADIUS Authent ication Note If you configure the Lo gin Primary method a s local instead of radius (and local passwords are config ured on the switch), then c lie nts connected to your network can gain a[...]

  • Page 181

    5-14 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication this default behav ior for clients with Enable (manager) access. Tha t is, with privilege-mode enabled, the switch immediat ely allo ws Enable (Manager) access to a clie nt for whom t he RADIUS server specifies this access level. 3. Configur[...]

  • Page 182

    5-15 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication Note If you want to configure RADIUS accoun ti ng on the swit ch, go to page 5 -37: “Configuring RADIUS Accounting” instead of continuing h ere. Syntax: [no] radius-server host < ip-address > [oobm] Adds a server to the RADIUS confi[...]

  • Page 183

    5-16 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication For example, suppose you h ave configured the switch as shown in figure 5-4 and you now need to make the following changes: 1. Change the encryption k ey for the server at 10.33 .18.127 to “source0 127”. 2. Add a RADIUS server with an IP[...]

  • Page 184

    5-17 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication Figure 5-4. Sample Confi guration for RADIUS Server Before Changing the Key and Adding Another Server T o make the changes list ed prior to fi gure 5-4, you would do the following: Figure 5-5. Sample Confi guration for RADIUS Server Aft er Ch[...]

  • Page 185

    5-18 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication ■ Global server key: The serve r key the switch will use for contacts with all RADIUS servers for which there is not a server -specific key configured by radius-server host < ip-address > key < key-string > . This key is option[...]

  • Page 186

    5-19 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication Note Where the switch has multiple RADIUS se rvers conf igured to supp ort authen- tication requests, if the firs t server fails to respond, then the switch tries the next server in the list, and so -on. If none of the server s respond, then [...]

  • Page 187

    5-20 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication Figure 5-7. Listings of Globa l RADIUS Parameters Configured In Figure 5-6 After two attempts failing due to username or pa ssword entry errors, the switch will termin ate the session. Global RADIU S parameters from figure 5-6. These two ser[...]

  • Page 188

    5-21 RADIUS Authentication, Authorization, and Ac counting Using SNMP To View and Configure Switch Authentication Features Using SNMP T o V iew and Configure Switch Authentication Features SNMP MIB object acce ss is available fo r switch authe nticat ion config uration (hpSwitchAuth ) f eatures. This means that the sw itches covered b y this Guide [...]

  • Page 189

    5-22 RADIUS Authentication, Au thorization, and Accounting Using SNMP To View and Configur e Switch Authentication Features Changing and Vi ewing the SNMP Access Configuration For example, to disable SNMP access to the switch’ s authentication MIB and then display the result in the Excluded MIB fiel d, you would execute the following two commands[...]

  • Page 190

    5-23 RADIUS Authentication, Authorization, and Ac counting Using SNMP To View and Configure Switch Authentication Features An alternate me thod of determ ining the current Authentication MIB access state is t o use the show run command. Figure 5-9. Using the show run Command to View the Current Authentication MIB Access St ate ProCurve(config)# sho[...]

  • Page 191

    5-24 RADIUS Authentication, Au thorization, and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to loca l authentication only if one of these two cond itions exist s: ■ Local is the authentic ation opti on for the access method being used. ■ The switch has been confi g[...]

  • Page 192

    5-25 RADIUS Authentication, Authorization, and Ac counting Controlling Web Browser Interface Access Controlling W eb Browser Interface Access T o help prevent unauthorized access th rough the web browser interface, do one or more of the following: ■ Configure the switch to suppor t RADIUS authentication for web browser interface acc ess (W eb Aut[...]

  • Page 193

    5-26 RADIUS Authentication, Au thorization, and Accounting Commands Authorization Commands Authorization The RADIUS proto col combines user au thentication and authorization steps into one phase. The user must be su ccessfully authenticated be fore the RADIUS server will send aut horizatio n information (from th e user’ s profile) to the Network [...]

  • Page 194

    5-27 RADIUS Authentication, Authorization, and Ac counting Commands Authorization Enabling Authorization T o configure authorization for controlling access to the CLI commands, enter this command at the CLI. For example, to enable the RADIUS pr otocol as the authorizati on method: When the NAS sends the RADIUS server a valid username and password, [...]

  • Page 195

    5-28 RADIUS Authentication, Au thorization, and Accounting Commands Authorization Displaying Authorization Information Y ou can show the authorization info rmation by enteri ng this command: An example of the o utput is shown . Figure 5-10. Example of Show Authorization Comm and Configuring Commands Auth orization on a RADIUS Server Using V endor S[...]

  • Page 196

    5-29 RADIUS Authentication, Authorization, and Ac counting Commands Authorization The results of using the HP-Command-St ring and HP-Command-Excepti on attributes in various combinations are shown below . Y ou must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server app lications; the two examples below [...]

  • Page 197

    5-30 RADIUS Authentication, Au thorization, and Accounting Commands Authorization Example Configuratio n on Cisco Secure ACS fo r MS W in dows It is necessary to create a dictionary fi le that defines the VSAs so that the RADIUS server application can determin e which VSAs to add to its user interface. The VSAs will appear be low the standard attri[...]

  • Page 198

    5-31 RADIUS Authentication, Authorization, and Ac counting Commands Authorization Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList 2. Copy the hp.ini diction ary file to c: program filescisco acs 3.2utils (or the utils directory wher ever acs i s installed). 3. From the command prompt ex ecute[...]

  • Page 199

    5-32 RADIUS Authentication, Au thorization, and Accounting Commands Authorization 6. Right click and then select New > key . Add the vend or Id number that you determined in step 4 (100 in the example ). 7. Restart all Cisco serv ices. 8. The newly created HP RAD IUS VSA ap pears only when you configure an AAA client (NAS) to use the HP VSA RADI[...]

  • Page 200

    5-33 RADIUS Authentication, Authorization, and Ac counting Commands Authorization 2. Find the location of th e dictionary files used by FreeRADIUS (try /usr/ local/share/freeradius). 3. Copy dictionary .hp to that location. Open the existing dictionary file and add this entry: $ INCLUDE dictionary .hp 4. Y ou can now use HP VSAs with othe r attribu[...]

  • Page 201

    5-34 RADIUS Authentication, Au thorization, and Accounting VLAN Assignment in an Authentication Session VLAN Assignment in an Authentication Session A switch supports co ncurrent 802.1X an d either W eb- or MAC-authenti cation sessions on a port (with up to 32 clients all owed). If you have configured RADIUS as the primary authentication me thod fo[...]

  • Page 202

    5-35 RADIUS Authentication, Authorization, and Ac counting VLAN Assignment in an Authentication Session T agged and Untagge d VLAN Attributes When you configure a user profile on a RAD IUS server to assign a VLAN to an authenticated client , you can use either the VLAN’ s name or VLAN ID (VID) number . For example, if a VLAN configur ed in the sw[...]

  • Page 203

    5-36 RADIUS Authentication, Au thorization, and Accounting VLAN Assignment in an Authentication Session Additional RADI US Attributes The follow ing attrib utes are incl uded in Access-Request and Access-Account- ing packets sent from the switch to the RADIUS server to advertise switch capabilities, report informat ion on authenti cation sessions, [...]

  • Page 204

    5-37 RADIUS Authentication, Authorization, and Ac counting Configuring RADIUS Accounting Configuring RADIUS Accounting Note This section assumes you have already: ■ Configured RADIUS authen ticat ion on the switch fo r one or more access methods ■ Configured one or more RADIUS servers to support the switch If you have not already done so, refer[...]

  • Page 205

    5-38 RADIUS Authentication, Au thorization, and Accounting Configuring RADIUS Accounting ■ Exec accounti ng: Provides record s holding the info rmation listed below about login session s (console, T elnet, and SSH) on the switch: ■ System accounti ng: Provides records cont aining the information listed below when system eve nts occur on the sw [...]

  • Page 206

    5-39 RADIUS Authentication, Authorization, and Ac counting Configuring RADIUS Accounting Operating Rules for RADIUS Accounting ■ Y ou can configure up t o four types of accounting to run simulta- neously: exec, system, network, and commands. ■ RADIUS servers used for accounting are also used fo r authentication. ■ The switch must be configu r[...]

  • Page 207

    5-40 RADIUS Authentication, Au thorization, and Accounting Configuring RADIUS Accounting must match the en cryption key us ed on the specified RADIUS server . For more information, refer to the “ [key < key-string >] ” parameter on page 5-14. (Default: null) 2. Configure accounting types and the co ntrols for sendin g reports to the RADIU[...]

  • Page 208

    5-41 RADIUS Authentication, Authorization, and Ac counting Configuring RADIUS Accounting (For a more complete d escription of the radius-server command and its options, turn to page 5-14.) [key < key-string >] Optional. Specifies an encryption key for use during accounting or authenticati on sessions with the speci- fied server . This key mus[...]

  • Page 209

    5-42 RADIUS Authentication, Au thorization, and Accounting Configuring RADIUS Accounting For example, suppose you want to th e switch t o use the RADIUS server described below for both authenti cation and acco unting purposes . ■ IP address: 10.33.18.151 ■ A non-default UDP port numbe r of 1750 for accoun ting. For this example, assume th at al[...]

  • Page 210

    5-43 RADIUS Authentication, Authorization, and Ac counting Configuring RADIUS Accounting Note that there is no time sp an associated w ith using the system option. It simply causes the switch to tr ansmit whatever acc ounting data it currently has when one of the above events occurs. ■ Network: Use Network if you w ant to collect accounting infor[...]

  • Page 211

    5-44 RADIUS Authentication, Au thorization, and Accounting Configuring RADIUS Accounting For example, to configure RADIUS accounting on the switch with start-stop for exec fu nctions and stop-only for system functio ns: Figure 5-12. Example of Configu ring Accounting T ypes 3. (Optional) Configure Session Blocking and Interim Updating Options These[...]

  • Page 212

    5-45 RADIUS Authentication, Authorization, and Ac counting Configuring RADIUS Accounting T o continue the example in figure 5-12, suppose that you wanted the switch to: ■ Send updates every 10 minutes on in-progress accounting sessions. ■ Block accounting for unknown users (no username). Figure 5-13. Example of Optional Account ing Update Perio[...]

  • Page 213

    5-46 RADIUS Authentication, Au thorization, and Accounting Viewing RADIUS Statistics V iewing RADIUS Statistics General RADIUS Statistics Figure 5-14. Example of General RADI US Information from Show Radius Command Syntax: show radius [host < ip-add r >] Shows general RADIUS configuration , including the server IP addresses. Optional form sho[...]

  • Page 214

    5-47 RADIUS Authentication, Authorization, and Ac counting Viewing RADIUS Statistics Figure 5-15. RADIUS Server Information From the Show Radius Host Command Te r m Definition Round T rip T ime The time interval between the mo st recent Accounting-Response and the Accounting- Request that matched it from this RADIUS accounting server . PendingReque[...]

  • Page 215

    5-48 RADIUS Authentication, Au thorization, and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Figure 5-16. Example of Login Attempt and Primary/Se condary Authenticatio n Information from the Show Aut hentication Command Requests The number of RADIUS Accou nti ng-Request packets sent. This does not include retransmissions. A[...]

  • Page 216

    5-49 RADIUS Authentication, Authorization, and Ac counting Viewing RADIUS Statistics Figure 5-17. Example of RADIUS Aut hentication Inform ation from a Specific Server RADIUS Accounting Statistics Figure 5-18. Listing the Account ing Configuration in t he Switch Syntax: show account ing Lists configured accounting interval, “Empty User” suppres[...]

  • Page 217

    5-50 RADIUS Authentication, Au thorization, and Accounting Changing RADIUS-Server Access Order Figure 5-19. Example of RADIUS Account ing Information fo r a Specific Server Figure 5-20. Example Listing of Active RADIUS Accounting Sessions on the Swi tch Changing RADIUS-Server Access Order The switch tries to access RADIUS ser vers according to the [...]

  • Page 218

    5-51 RADIUS Authentication, Authorization, and Ac counting Changing RADIUS-Ser ver Access Order Figure 5-21. Search Order fo r Accessing a RADIUS Server T o exchange the positions of the addre sses so that the serv er at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you w ould do the follow ing: 1. Delete 10[...]

  • Page 219

    5-52 RADIUS Authentication, Au thorization, and Accounting Changing RADIUS-Server Access Order Figure 5-22. Example of New RADIUS Server Search Order Removes the “003” and “001” addresses from the RADIUS se rver list . Inserts the “003” address in the first position in the RADIUS server list, and inserts the “001” address in the las[...]

  • Page 220

    5-53 RADIUS Authentication, Authorization, and Ac counting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. T ry pinging the server to determine whether it is accessib le to t he switch. [...]

  • Page 221

    6-1 6 Configuring Secure Shell (SSH) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 222

    6-2 Configuring Secure Shell (SSH) Overview Overview The switches co vered in this gui de us e Secure Shell version 2 (SSHv2) to provide remote access to manageme nt functions on the sw itches via encrypted paths between th e swi tch and management station clients capable of SSH operation. SSH provides T elnet-like functions bu t, unlike T elnet , [...]

  • Page 223

    6-3 Configuring Secure Shell (SSH) Terminology Note SSH in ProCurve switches is based on t he OpenSSH software toolkit. Fo r more informatio n on OpenSSH, visit www .o penssh.com . Switch SSH and User Password Authentication . This option is a subset of the client pu blic-key authe ntication shown in figure 6 -1. It occurs if the switch has SSH ena[...]

  • Page 224

    6-4 Configuring Secure Shell (SSH) Terminology ■ Enable Level: Manager privileges on the switch. ■ Login Level: Operator privilege s on the switch. ■ Local password or username: A Manage r - level or Operator -level password configured in the switch. ■ SSH Enabled: (1) A publ ic/private key pa ir has been generated on the switch ( generate [...]

  • Page 225

    6-5 Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH se rver , you must install a publicly or commercially avail able SSH client application on the computer(s) yo u use for management access to the switch. If you wa nt client public-key authentic ation (page 6-2), then the clie n[...]

  • Page 226

    6-6 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH fo r Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication be tween the switch and an SSH client, you must use the logi n (O perator) level. T able 6-1. SSH Opti ons The general steps for configuri ng[...]

  • Page 227

    6-7 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Prep aratio n 1. Assign a login (Operator) and enable (Manager) password on th e switch (page 6-10). 2. Generate a public/private key pa ir on the switch (page 6-10). Y ou need to do this only once. The k ey remains in the switch ev[...]

  • Page 228

    6-8 Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be expor table to the switch. The switch can only store 10 client key pairs. ■ The switch’ s own public/priv ate key pair and t he (optional) cli ent public key f ile are stored in the switch’ [...]

  • Page 229

    6-9 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 6-19 show crypto client-public-key [<manager | operator>] [keylist-str] [< babble | fingerprint>] 6-27 show crypto host-public -key [< babble | fingerprint >] 6-[...]

  • Page 230

    6-10 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, ProCurve recommends that you alwa ys assign at leas t a Manager password to the switch. Othe rwise, under some circumstances, anyone with T elnet, web, or serial port access could modify the [...]

  • Page 231

    6-11 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When you generate a host key pair on the switch, the switch places the key pair in flash memory (a nd not in the running-config file). A lso, the switch maintains the key pai r across reboots, incl uding power cycles. Y ou should consider this key pair to be “perman[...]

  • Page 232

    6-12 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generat e and display a new key: Figure 6-5. Example of Gen erating a Public/Pr ivate Host Key Pair for the Sw itch The 'show crypto host-publi c-key' displays it in two diff er ent formats because your client may store it in either of thes e form[...]

  • Page 233

    6-13 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes "Zeroizing" the switch’ s key au tomatically di sables SSH (sets ip ssh to no). Thus, if you zeroize the key and then ge nerate a new key , you must also re- enable SSH with the ip ssh command before the s witch c an resume SSH operation. Configuring Key [...]

  • Page 234

    6-14 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation (The generated public key on the switch is always 896 bits.) W ith a dire ct serial connection from a management station to the switch : 1. Use a terminal application such as HyperT erminal to display the switch’ s public key with the show crypto host-pub lic-key command[...]

  • Page 235

    6-15 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation ■ Non-encoded ASCII numeric string: Requires a client ability to display the keys in the “known host s” file in the ASCI I format. This method is tedi ous and error -prone due to the l ength of the keys. (See figure 6-7 on page 6-14.) ■ Phonetic hash: Outputs the k[...]

  • Page 236

    6-16 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note Before enabling SSH on the switch you must generate the switch’ s public/ private key pair . If you have not alread y done so, refer to “2. Generating the Switch’ s Public and Privat e Key Pair” on page 6-1 0. When configured for SSH, the switch us es its host[...]

  • Page 237

    6-17 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation T o disabl e SSH on the switch, do either of the following: ■ Execute no ip ssh . ■ Zeroize the switch’ s existing key pair . (page 6-11). Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher <cipher-type>] Specify a cipher type to use for connect[...]

  • Page 238

    6-18 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [mac <mac-type>] Allows configuration of the set of MACs that can be selected. V alid types are: • hmac-md5 • hmac-sha1 • hmac-sha1-96 • hmac-md5-96 Default: All MAC ty pes are available. Use the no form of the command to disable a MAC type. [port < 1-6553[...]

  • Page 239

    6-19 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note on Port Number ProCurve recommends using the default TCP port number (22). However , you can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes . Examples of reserved I P ports are 23 (T elnet) and 80 (http). Some othe[...]

  • Page 240

    6-20 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation access to the serial port (and the Cl ear button, whic h removes local password protection), keep physical access to th e switch restricted to authorized per - sonnel. 5. Configuring the Switch for SSH Authentication Note that all methods in this section re sult in authent[...]

  • Page 241

    6-21 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option B: Config uring the Switch for Cl ient Public-Key SSH Authentication. If configured with this option, the switch uses its public key to authenticate itself to a client, bu t the c lient must al so provide a clie nt public-key f or the switch to authenticate . This o[...]

  • Page 242

    6-22 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, assume that you have a client public-key fil e named Client- Keys.pub (on a TFTP server at 10.33.18.117 ) ready for down loading to the switch. For SSH access to the sw itch you want to a llow only clients ha ving a private key t hat matche s a public ke y fou[...]

  • Page 243

    6-23 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-11. Configuring for SSH Access Requ iring a Client Public-Key Match an d Manager Passwords Figure 6-12 shows how to check the results of the above commands. Figure 6-12. SSH Configuration and Clie nt-Public-Key Listing From Figure 6-11 ProCurve(config)# password m[...]

  • Page 244

    6-24 Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication 6. Use an SSH Client T o Access the Switch T est the SSH co nfigurati on on the switch to ensure that you have achieved the level of SSH operatio n you want for the switch. If you have problems, refer t o "RADIUS-R elated Problem s" in the T r[...]

  • Page 245

    6-25 Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication 1. The client sends its public key to the switch with a re quest for authenti- cation. 2. The switch compares the client’ s public key to those stored in the switch’ s client-public-key file. (As a prereq uisite, you must use the switch’ s copy tf[...]

  • Page 246

    6-26 Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication T o C reate a Client-Pub lic-Key T ext File. These steps describe how to copy client-public-ke ys into the switch for challenge-respon se authentication, and require an understandi ng of how to use you r SSH client app lication. Figure 6-13. Example of [...]

  • Page 247

    6-27 Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication 2. Copy the client’ s public key into a text file ( filename .txt ). (For example, you can use the Notepad editor includ e d with the Microsof t® W indo ws® software. If you want several client s to use client public-key authentica- tion, copy a pub[...]

  • Page 248

    6-28 Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication Note copy usb pub-key file can al so be used as a method for copying a public key file to the switch. The operator option replaces the key(s) for operator access (default); follow with the ‘append’ option to add the key(s). For switches that have a [...]

  • Page 249

    6-29 Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication For example, if you wanted t o copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 an d then display th e file contents: Figure 6-14. Example of C opying and Displaying a C lient Public-Key File Containing T wo Differe[...]

  • Page 250

    6-30 Configuring Secure Shell (SSH) Messages Related to SSH Operation Caution T o enable client public-key authenti cation to bl ock SSH cli ents whose p ublic keys are not in the client -pub lic-key file copied into the switch , you must configure the Logi n Secondary as none . Oth erwise, the switch a llows such clients to attempt access using th[...]

  • Page 251

    6-31 Configuring Secure Shell (SSH) Messages Related to SSH Operation Logging Messages There ar e event l og messages when a ne w key is generated and zeroized for the server: ssh: New <num-bits> -bit [rsa | dsa] SSH host key insta lled ssh: SSH host key zeroized There are also messages that indicates when a client p ublic key is in stalled o[...]

  • Page 252

    6-32 Configuring Secure Shell (SSH) Messages Related to SSH Operation Debug Logging T o add ssh messages to the debug log outp ut, enter this command: ProCurve# debug ssh LOGLEVEL where LOGLEVEL is one of the foll owin g (in order of increasing verbosity): • fatal • error •i n f o •v e r b o s e • debug • debug2 • debug3[...]

  • Page 253

    7-1 7 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . .[...]

  • Page 254

    7-2 Configuring Secure Socket Layer (SSL) Overview Overview The switches covered in this guide use Secure Socket Layer V ersion 3 (SSLv3) and support for T ransport Lay er Security(TLSv1) to provide rem ote web access to the switches via encrypted paths betw een the switch and manage- ment station client s capable of SSL/TLS operation. Note ProCurv[...]

  • Page 255

    7-3 Configuring Secure Socket Layer (SSL) Terminology Figure 7-1. Switch/User Auth entication SSL on the switches covered in this guide supports these data encryption methods: ■ 3DES (168-bit, 112 Effective) ■ DES (56-bit) ■ RC4 (40-bit, 128-bit) Note: ProCurve Switches use RSA publ ic key al gorithms and Diffie-Hellman, and all references to[...]

  • Page 256

    7-4 Configuring Secure Socket Layer (SSL) Terminology ■ Root Certificate: A trusted certificate used by certificate authorit ies to sign certificates (CA-Signed Certificat es) and used later on to verify that authenticity of those si gned certificates. T rusted certifi cates are distrib - uted as an integral part of most po pular web client s. (s[...]

  • Page 257

    7-5 Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL se rver , you must install a publicly or commercially available SSL enabled we b browser application on the com- puter(s) you use for manage ment acce ss to the switch. Steps for Configuring and Using SSL for Switch and [...]

  • Page 258

    7-6 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re- generating the certi ficate without a compelling reason. Otherwise, you will have to re-introd uce the swit ch’ s certific ate on all ma nagement stations (client s) y[...]

  • Page 259

    7-7 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation 1. Assigning a Local Login (Operator) and Enabling (Manager) Password At a minimum, ProCu rve recommends th at you always assign at least a Manager password to the switch. Othe rwise, under some circumstances, anyone with T el[...]

  • Page 260

    7-8 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 7-2. Example of Configuri ng Local Passwords 1. Proceed to the securi ty tab an d select device passwords button. 2. Click in the appr opriate box in t he Device Passwords windo w and enter user names and passwords. Y ou will be required to repeat the passwor [...]

  • Page 261

    7-9 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation to connect via SSL to the switch . (The session key pai r mentioned above is not visible on the switch. It is a temporary , internally gener ated pai r used for a particular switch/cli ent se ssion, and then disc arded.) The server certi ficate is stored in the switc[...]

  • Page 262

    7-10 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI commands used to generate a Server Host Certificate. T o generate a host certi ficate from the CLI: i. Generate a certificate key pair . This is done with the crypto key generate cert command. The defaul t key size is 512. Note: If a certificate key pair is alre[...]

  • Page 263

    7-11 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation T able 7-1. Cert ificate Field Descriptions For example, to generate a ke y and a new host certificate : Figure 7-3. Example of Generating a Self-Sig ned Server Host certificate on the CLI for the Switch. Notes “Zeroizing” the switch’ s server host ce rtificat[...]

  • Page 264

    7-12 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI Command to view host certificates. T o view the current host certif icate from the CLI you use the sh ow crypto host- cert command. For example, to display the new server host certificate: Figure 7-4. Example of show cryp to host-cert command Generate a Self-Sig[...]

  • Page 265

    7-13 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation T o generate a self signed host certif icate fr om the web brow ser interface: i. Proceed to the Securi ty tab then the SSL button. The SSL config- uration screen is split up into two halves . The left half is used in creating a new certificate key pa ir and (self-s[...]

  • Page 266

    7-14 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the we b browsers inter - face: Figure 7-5. Self-Signed Certifi cate generation via SSL Web Browser Interface Scree n T o view the current host certifi cate in the web browser interface: 1. Proceed to the Security [...]

  • Page 267

    7-15 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 7-6. Web browser Interface showing current SSL Host Certifica te Generate a CA-Signed server host certificate with the W eb browser interface T o install a CA-Si gned server host certificate from the web browser i nterface. For more informat ion on how t o ac[...]

  • Page 268

    7-16 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA- signed certif ic ate involves in teraction with o ther entities and consi sts of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission t o the certificate author[...]

  • Page 269

    7-17 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 7-7. Request for Verified Host Certificate Web Browser Interface Screen 3. Enabling SSL on the Sw itch and Anticipating SSL Browser Contact Behavior T he web-management ssl command enables SSL on the switch and modifies parameters the swit ch uses for transac[...]

  • Page 270

    7-18 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch yo u must genera te the switch’ s ho st certificate and key . If you h ave not a lready done so, refer to “2. Generating the Switch’ s Server Host Certificate” on page 7 -8. When configured for SSL, the switch uses its [...]

  • Page 271

    7-19 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI Interface to Enable SSL T o enable SSL o n the switch 1. Generate a Host certificate if you h ave not already done so. (Refer to “2. Generating the Switch’ s Server Host Certificate” on page 7-8.) 2. Execute the web-man agement ssl command. T o d[...]

  • Page 272

    7-20 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 7-8. Using the web browser interface to e nable SSL and select TCP port numbe r Note on Port Number ProCurve recommends usin g the default IP port number (443). However , you can use web-management ssl tcp-port to specify any TCP port for SSL connec- tions ex[...]

  • Page 273

    7-21 Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CL I Y ou have not generated a certificate key . (Refer to “CLI commands used to generate a Server Host Certificate” on page 7-10.) Enabling SSL on the CLI or Web browse r interface Y ou hav[...]

  • Page 274

    8-1 8 Configuring Advanced Threat Protection Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 275

    8-2 Configuring Advanced Threat Protection Contents Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26 Adding an IP-to- MAC Binding to th e DHCP Binding Database . . . . . 8-28 Potential Issues with Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-28 Adding a Static Binding[...]

  • Page 276

    8-3 Configuring Advanced Threat Protection Introduction Introduction As your network ex pands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (such as partners, temporary employees, and vi sitors), additional pro tection from attacks launched from both inside and outside your internal network [...]

  • Page 277

    8-4 Configuring Advanced Threat Protection DHCP Snooping • Attempts to exhaust system resources so that sufficie nt resources are not available to transmit legitimate traffic, indicated by an unusually high use of specific system resources • Attempts to att ack th e switch’ s CPU and introduce delay in system response time to new network even[...]

  • Page 278

    8-5 Configuring Advanced Threat Protection DHCP Snooping DHCP snooping accomplishe s this by allowing yo u to distinguish bet ween trusted ports con nected to a DHCP server or swi tch and untruste d ports connected to end-users. DHCP packet s are forwarded betw een trusted ports without inspect ion. DHCP packets received on othe r switch ports are [...]

  • Page 279

    8-6 Configuring Advanced Threat Protection DHCP Snooping T o display the DHCP snooping conf iguratio n, enter this command: ProCurve(config)# show dhcp-snooping An example of the o utput is shown below . Figure 8-1. An Example of the DHCP Snoopin g Command Output T o display statistics about the DHCP snooping process, enter this command: ProCurve(c[...]

  • Page 280

    8-7 Configuring Advanced Threat Protection DHCP Snooping Figure 8-2. Example of Show DHCP Snooping Stati stics Enabling DHCP Snooping on VLANS DHCP snooping on VLANs is disabled by d efault. T o enable DHCP snooping on a VLAN or range of VLANs enter this command: ProCurve(config)# dhcp-snooping vlan <vlan-id-range> Y ou can also use this comm[...]

  • Page 281

    8-8 Configuring Advanced Threat Protection DHCP Snooping Configuring DHCP Snoo ping T rusted Ports By default, all p orts are untrusted. T o configure a por t or range of ports as trusted, enter this command : ProCurve(config)# dhcp-snooping trust <port-list> Y ou can also use this com mand in the in terface context, in which case you are not[...]

  • Page 282

    8-9 Configuring Advanced Threat Protection DHCP Snooping Configuring Authorized Server Addresses If authori zed server a ddresses ar e configu red, a packet from a DHCP server must be received on a trusted port A ND have a source address in the autho- rized server list in order to be consider ed valid. If no authorized servers are configured, all s[...]

  • Page 283

    8-10 Configuring Advanced Threat Protection DHCP Snooping Note DHCP snoo ping only ov errides the Optio n 82 settings on a VLAN that has snooping enabl ed, not o n VLANS witho ut snooping enabled. If DHCP snooping is enable d on a swi tch wher e an ed ge switch is also using DHCP snoopi ng, it is desirable to have the packets forwarded so the DHCP [...]

  • Page 284

    8-11 Configuring Advanced Threat Protection DHCP Snooping Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address of the swit ch as the remote - id in Option 82 additions. The IP address of the VLAN the packet was received on or the IP address of the management VLAN can be used instead b y entering this com[...]

  • Page 285

    8-12 Configuring Advanced Threat Protection DHCP Snooping Figure 8-7. Example Showing the DHCP Snoopin g V erif y MAC Setting The DHCP Binding Database DHCP snooping maintains a database of up to 8192 DHCP bindings on untrusted ports. Each bi nding consists of: ■ Client MAC ad dress ■ Port number ■ VLAN identifier ■ Leased IP address ■ Le[...]

  • Page 286

    8-13 Configuring Advanced Threat Protection DHCP Snooping A message is logged in the system event log if the DHCP binding database fails to update. T o displa y the contents of the DHCP snooping bi nding database , enter this command. Figure 8-8. Example Showing DHCP Snoo ping Binding Database Contents Note If a lease databa se is configured, the s[...]

  • Page 287

    8-14 Configuring Advanced Threat Protection DHCP Snooping ■ ProCurve recommends running a time synchr onization protocol such as SNTP in order to track lease times accurately . ■ A remote server must be used to sa ve lease information or there may be a loss of connectivity after a switch reboot. Log Messages Server <ip-address> packet rec[...]

  • Page 288

    8-15 Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay inform ation logs for <duration>. More than one DHCP client packet received on an untrusted port with a relay in formation field was dropped. T o avoid fi lling the log file with repeated attempts, untrusted rela y informatio n packets will no t be lo gged for t[...]

  • Page 289

    8-16 Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynami c ARP protection ensures that only valid ARP requests and resp ons es are relayed or used to update the local ARP cache. ARP packe ts with invalid IP-to-MAC address bindings adver - tised in the s[...]

  • Page 290

    8-17 Configuring Advanced Threat Protection Dynamic ARP Protection • If a binding is valid, the switch updates its local ARP cache and forwards the packet. • If a binding is invali d, the switch drops the packet, preventing oth er network device s from receiving th e invalid IP-to-MAC info rmation. DHCP snooping intercepts and exam ines DHCP pa[...]

  • Page 291

    8-18 Configuring Advanced Threat Protection Dynamic ARP Protection Enabling Dynamic ARP Protection T o enable dynami c ARP protection for VLAN traffi c on a routing sw itch, enter the arp-protect vlan command at the global configuration l evel. An example of the arp-protect vlan command is shown here: ProCurve(config)# arp-protect vlan 1-101 Config[...]

  • Page 292

    8-19 Configuring Advanced Threat Protection Dynamic ARP Protection Figure 8-9. Configuring T rusted Ports for Dynamic ARP Protect ion T a ke into account the following conf iguration guidelines when you use dynamic ARP prot ection in your ne twork: ■ Y ou should conf igure port s connected to other s witches in t he network as trusted po rts. In [...]

  • Page 293

    8-20 Configuring Advanced Threat Protection Dynamic ARP Protection Adding an IP-to-MAC Bind ing to the DHCP Database A routing switch mai ntains a DHCP binding datab ase, which is used f or DHCP and ARP packet validation. Both the DHCP snooping and DHCP Option 82 insertion features mai ntain the lease database by learning the IP-to-MAC bindings on [...]

  • Page 294

    8-21 Configuring Advanced Threat Protection Dynamic ARP Protection Configuring Additional V alidation Checks on ARP Packets Dynamic ARP protection can b e configured to perfo rm additional vali dation checks on ARP packets. By default, no additional ch ecks are performed. T o configure additional valid ation checks, enter the arp-protect validate c[...]

  • Page 295

    8-22 Configuring Advanced Threat Protection Dynamic ARP Protection Figure 8-1. The show arp-prot ect Command Displaying ARP Packet Statistics T o display statistics about forwarde d ARP packets, dro pped ARP packets, MAC validation failure, and IP validation failures, ente r the show arp-protect statistics command: Figure 8-2. Show arp-prote ct sta[...]

  • Page 296

    8-23 Configuring Advanced Threat Protection Dynamic IP Lockdown Monitoring Dynamic ARP Protection When dynamic ARP prot ection is enab led, you can monitor and troublesh oot the validation of AR P packets with the debug arp-protect command. Use this command when you want to de bug the followin g conditions: ■ The switch is dropping valid ARP pack[...]

  • Page 297

    8-24 Configuring Advanced Threat Protection Dynamic IP Lockdown Protection Against IP So urce Address Spoofing Many network attacks occur when an atta cker injects packets with forge d IP source addresses into the network. Also , some network services use the IP source address as a component in their authentication scheme s. For example, the BSD ?[...]

  • Page 298

    8-25 Configuring Advanced Threat Protection Dynamic IP Lockdown ■ The DHCP bind ing database allows V LANs enabled for DHCP snooping to be known on por ts configured for dynamic IP lockdow n. As new IP-to-MAC address and VLAN bindings are learned, a corre- sponding pe rmit rule i s dynamica lly created and applied to the port (preceding the fi na[...]

  • Page 299

    8-26 Configuring Advanced Threat Protection Dynamic IP Lockdown Assuming that DHCP snooping is enab led and that port 5 is untrusted, dynamic IP lockdown applies the follo wing dynamic VLAN filtering on port 5: Figure 8-4. Example of Interna l Statements used by Dynamic IP Lockdow n Note that th e deny any statement is applied only to VLANs for w h[...]

  • Page 300

    8-27 Configuring Advanced Threat Protection Dynamic IP Lockdown • Dynamic IP lockdown only fi lters packets in VLANs t hat are enabled for DHCP snooping . In order for Dynamic IP lockdown to work on a port, the port mu st be config ured fo r at least one VLAN that is enabled for DHCP snooping. T o enable DHCP snooping on a VLAN, enter the dhcp-sn[...]

  • Page 301

    8-28 Configuring Advanced Threat Protection Dynamic IP Lockdown Adding an IP-to-MAC Bind ing to the DHCP Binding Database A switch maintains a DHCP bi nding database , which is used for dynami c IP lockdown as wel l as for DHCP an d ARP packet valid ation. The DHCP snooping feature maintains the lease da tabase by learning the I P-to-MAC bindings o[...]

  • Page 302

    8-29 Configuring Advanced Threat Protection Dynamic IP Lockdown Adding a Static Binding T o add the static configuration of an IP -to-MAC binding for a port to the leas e database, en ter the ip source-bindin g command at the gl obal configurat ion level. Use the no form of the command to remove the IP-to-MAC binding from the database. Note Note th[...]

  • Page 303

    8-30 Configuring Advanced Threat Protection Dynamic IP Lockdown An example of the show ip source-lockdown status comm and output is show n in Figure 8-5. Note that the operational status of all switch ports is displayed. This information indicates whether or n ot dynamic IP lockdown is supported on a port. Figure 8-5. Example of show ip sou rce-loc[...]

  • Page 304

    8-31 Configuring Advanced Threat Protection Dynamic IP Lockdown Figure 8-6. Example of show ip source-lockdow n bindings Command Out put In the show ip source-l ockdown bindings command output, the “Not in HW” column specifies wh ether or not (YES or NO) a statically configured IP-to- MAC and VLAN binding on a specified port has been combined i[...]

  • Page 305

    8-32 Configuring Advanced Threat Protection Dynamic IP Lockdown Figure 8-7. Example of debu g dynamic-ip-lockd own Command Output ProCurve(config)# debug dynamic -ip-lockdown DIPLD 01/01/90 00:01:25 : denie d ip 192.168.2.100 (0) (PORT 4) -> 192.168.2.1 (0), 1 packets DIPLD 01/01/90 00:06:25 : denie d ip 192.168.2.100 (0) (PORT 4) -> 192.168.[...]

  • Page 306

    8-33 Configuring Advanced Threat Protection Using the Instrumentation Mon itor Using the Instrumentation Monitor The instrumentation monitor can be used to detect anomalies caused by security attacks or other irregular op erations on the swi tch. The following table shows the operating parameters that can be monitored at pre-deter - mined intervals[...]

  • Page 307

    8-34 Configuring Advanced Threat Protection Using the Instrumentation Monitor Operating Notes ■ T o generate alerts for monitored eve nts, you must en able the instru- mentation monito ring log and/or SNMP trap. The threshold for each monitored paramet er can be adjusted to minimize false al arms (see “Configuring Instrumentatio n Monitor” on[...]

  • Page 308

    8-35 Configuring Advanced Threat Protection Using the Instrumentation Mon itor Configuring Instrumentation Monitor The following commands and parameters are used to configure the opera- tional thresh olds that a re monitore d on the switch. By defa ult, the inst rumen- tation monitor is disabled. Syntax: [no] instrumentat ion monitor [parameterN am[...]

  • Page 309

    8-36 Configuring Advanced Threat Protection Using the Instrumentation Monitor T o enable instrum entation monitor usin g the default parame ters and thresh- olds, enter the general instrumenta tion monitor comma nd. T o adjust specific settings, enter the name of the parameter that you wish to modify , and revise the threshold limi ts as needed. Ex[...]

  • Page 310

    8-37 Configuring Advanced Threat Protection Using the Instrumentation Mon itor V iewing the Current In strumentation Monitor Configuration The show instrumentation monitor config uration command displays the config- ured thresholds for moni tored parameters. Figure 8-10. Viewing the Instrumentation Mo nitor Configuration An alternate me thod of det[...]

  • Page 311

    9-1 9 T raffic/Security Filters and Monitors Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Filter Limits . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 312

    9-2 Traffic/Security Filters and Monitors Overview Overview Source-port filters are available on the HP ProCurve switch models covered in this gui de. Introduction Y ou can enhance in-band security and improve control over access to network resources by configur ing static filters to forward (the de fault action) or dro p unwanted t raffic. That is[...]

  • Page 313

    9-3 Traffic/Security Fi lters and Monitors Filter Types and Operation Filter T ypes and Operation T able 9-1. Filt er T ypes a nd Criteria Static Filter Ty p e Selection Criteria Source-Port Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per -port (destination) basis.[...]

  • Page 314

    9-4 Traffic/Security Filters and Monitors Filter Types and Operation Source-Port Filters This filter type enables the switc h to forward or drop tr affic from all end nodes on the indicated source-port to specific destination ports. Figure 9-1. Example of a So urce-Port Filter Applicat ion Operating Rules for Source-Port Filters ■ Y ou can config[...]

  • Page 315

    9-5 Traffic/Security Fi lters and Monitors Filter Types and Operation ■ When you create a source port filter , all ports and port trunks (if any) on the switch appear as destinat ions on the li st for that filter , even i f routing is disabled and separate VLANs and/or subnets exist. Where traffic would normall y be allowed betw een ports and/or [...]

  • Page 316

    9-6 Traffic/Security Filters and Monitors Filter Types and Operation Figure 9-3. The Filter for t he Actions Shown in Figure 9-2 Named Source-Port Filters Y ou can specify named source-port filters that may be used on multiple ports and port trunks. A port or port trunk can only have o ne source-port fi lter , but by using this capabili ty you can [...]

  • Page 317

    9-7 Traffic/Security Fi lters and Monitors Filter Types and Operation ■ A named source- port filter can only be deleted whe n it is not applied to any ports. Defining and Configuring Named Source-Port Filters The named source-p ort filter command operat es from the glob al configur ation level. Syntax: [no] filter source-port nam ed-filter < f[...]

  • Page 318

    9-8 Traffic/Security Filters and Monitors Filter Types and Operation A named source-port f ilter must f irst be defi ned and configured before it can be applied. In the followin g example two named source-port filt ers are defined, web-only and accounting . ProCurve(config)# filter source-port named-filter web- only ProCurve(config)# filter source-[...]

  • Page 319

    9-9 Traffic/Security Fi lters and Monitors Filter Types and Operation Using Named Source-Port Filters A company wants to manage tr affic to the Internet an d its accounting server on a 26-port switch. Their network is pi ctured i n Figure 9-4. Swi tch port 1 connects to a router that p rovides connectivit y to a W AN and the Intern et. Switch port [...]

  • Page 320

    9-10 Traffic/Security Filters and Monitors Filter Types and Operation Figure 9-5. Applying Example Named Source-Port Filters Once the named source-port filter s have been defined and config ured we now apply them to the switch ports. Figure 9-6. Source P ort Filters Applied to Sw itch Ports The show filter command shows what ports have filters appl[...]

  • Page 321

    9-11 Traffic/Security Fi lters and Monitors Filter Types and Operation Figure 9-7. Example of the sho w filter Command Using the IDX value in the show filter command, we can see how traffic is filtered on a specif ic port ( Va l u e ).The two outputs b elow show a non - accounting and an accou nting switch port. ProCurve(config)# show filte r Traff[...]

  • Page 322

    9-12 Traffic/Security Filters and Monitors Filter Types and Operation Figure 9-8. Example Showing T raffic Filtered on Speci fic Ports The same command, using IDX 26, shows how traffic from the In ternet is handled. ProCurve(config)# show filte r 4 Traffic/Security Filters Filter Type : Source Port Source Port : 5 Dest Port Type | Action --------- [...]

  • Page 323

    9-13 Traffic/Security Fi lters and Monitors Filter Types and Operation Figure 9-9. Example of S ource Port Filtering wi th Internet T ra ffic As the company grows, mo re resources are requir ed in accounting. T wo additional accounting workstations are added and attached to ports 12 and 13. A second server is added attached to port8. Figure 9-10. E[...]

  • Page 324

    9-14 Traffic/Security Filters and Monitors Filter Types and Operation The following revisions to the named so urce-po rt filter definiti ons maintain the desired network traffic management , as shown in the Action column of the show command. Figure 9-11. Example Show ing Network T raffic Managemen t with Source Po rt Filters W e next apply the upda[...]

  • Page 325

    9-15 Traffic/Security Fi lters and Monitors Configuring Traffi c/Security Filters Figure 9-12. Named Source-Po rt Filte rs Managing T raffic Configuring T raffic/Security Filters Use this procedure t o specify th e type of filters to use on the switch and whether to forward or dro p filtered pa ckets for each filt er you spe cify . 1. Select the st[...]

  • Page 326

    9-16 Traffic/Security Filters and Monitors Configuring Traffic/Secu rity Filters Configuring a Source -Port T raffic Filter Syntax: [no] filte r [source-port < port-number | trunk-name >] Specifies one inbound port or trunk. T raffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the[...]

  • Page 327

    9-17 Traffic/Security Fi lters and Monitors Configuring Traffi c/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a source-port filter that drops all traffic received on port 5 wi th a destination of port trunk 1 ( Tr k 1 ) and any port in the range of port 10 to port 15 . T o create this filter [...]

  • Page 328

    9-18 Traffic/Security Filters and Monitors Configuring Traffic/Secu rity Filters filter on port 5, then create a trunk w ith ports 5 and 6, and display the results, you would see the following: Figure 9-13. Example of Switch Re sponse to Adding a Filtered Source Port to a Tr u n k Editing a Source-Port Filter The switch includes in one filter the a[...]

  • Page 329

    9-19 Traffic/Security Fi lters and Monitors Configuring Traffi c/Security Filters Figure 9-14. Assigning Additi onal Destination Ports to a n Existing Filter For example, suppose you wanted to co nfigure the filters in table 9-2 on a switch. (For more on source-port filt er s, refer to “Configuring a Source-Port T ra ffic Filter” on page 9-16.)[...]

  • Page 330

    9-20 Traffic/Security Filters and Monitors Configuring Traffic/Secu rity Filters new filter will receiv e the index nu mber “2” and the second new filter will receive the index number "4". This is because the index number “2 ” was made vacant by the earlier deletion, and w a s therefore the lowe st inde x number available for the [...]

  • Page 331

    10-1 10 Configuring Port-Based and User -Based Access Control (802.1X) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . 10-3 General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 332

    10-2 Configuring Port-Bas ed and User-Based Access Control (802.1X) Contents 3. Configure the 802.1X Auth entication Method . . . . . . . . . . . . . . . . 10-24 4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 10-25 5. Enable 802.1X Authentica tion on the Switch . . . . . . . . . . . . . . . . 10-25 6. Optional: Re[...]

  • Page 333

    10-3 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Overview Overview Why Use Port-Based or User -Based Access Control? Local Area Networks are often deployed in a way that allows unauthorized clients to attach to network devices, or allows unauthorized users to get access to unattended clients on a networ k. Also, the use of DHCP [...]

  • Page 334

    10-4 Configuring Port-Bas ed and User-Based Access Control (802.1X) Overview • Port-Based access control op tion allowing auth entication by a si ngle client to open the port . This option does not force a client limit and, on a port opened by an auth enticated cl ient, allows unlimit ed client access without requiring further au thentication . ?[...]

  • Page 335

    10-5 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Overview This operat ion improves securit y by opening a given po rt only to indi vidually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenti cat ed. All sessions must use the same untagged VLAN. Also, an authenticated [...]

  • Page 336

    10-6 Configuring Port-Bas ed and User-Based Access Control (802.1X) Terminology This operat ion unblo cks the port while an authenticated client session is in progress. In topologies wh ere simultaneous, multiple client access i s possible this can allow unaut horized and unauthenticate d access by another cli ent while an authenticated client is u[...]

  • Page 337

    10-7 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Terminology a port loses its authenticated client connection, it drops its membership in this VLAN. Note that with m ultiple client s on a port, all su ch clients use the same untagged, port-b ased VLAN membership. Authentication Server: The entity providing an authentication serv[...]

  • Page 338

    10-8 Configuring Port-Bas ed and User-Based Access Control (802.1X) Terminology Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan < vid > command or the Menu interface. Supplicant: The entity that must provide the proper cred entials to t he switch before receiving access to the network. This [...]

  • Page 339

    10-9 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) General 802.1X Aut henticator Operation General 802.1X Authenticator Operation This operation provides security on a po int-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X su[...]

  • Page 340

    10-10 Configuring Port-Bas ed and User-Based Access Control (802.1X) General 802.1X Aut henticator Operation Note The switches c overed in this guide can use either 802.1X port- based authen- tication or 802.1X user -bas ed authentication. For more information, refer to “User Authentication Methods” on page 10-4. VLAN Membe rship Priority Follo[...]

  • Page 341

    10-11 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) General 802.1X Aut henticator Operation Figure 10-1. Priority of VLAN Assignme nt for an Authenticat ed Client No Ye s New Client Authenticated Untagged VLAN Configured On Port ? RADIUS- Assigned VLAN? Authorized VLAN Configured? Another (Old) Client Already Using Port ? Are All [...]

  • Page 342

    10-12 Configuring Port-Bas ed and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the u ser -based mode, when ther e is an authenticated client on a port, the followin g traffic movement is allowed: • Multicast and bro adcast traffic is allowed on the port. • Unicast traffic to auth [...]

  • Page 343

    10-13 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) General Operating Rules and Notes ■ If a port on switch “A” is configur ed as an 802.1X supplicant and is connected to a port on anot her switch, “B”, that is not 802.1X-aware, access to switch “B” will occur wit hout 802.1X sec urity protection. ■ On a port confi[...]

  • Page 344

    10-14 Configuring Port-Bas ed and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Access Control Do These Steps Before Y ou Configure 802.1X Operation 1. Configure a local username and pa ssword on the switch for both the Operator (login) and Manager (enable) access levels. (Wh[...]

  • Page 345

    10-15 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) General Setup Procedure for 802.1X Access Control Figure 10-2. Example of the Password Port -Access Command Y ou can save the port-access password for 802.1 X authentication in the configuratio n file by using the inc lude-credential s command. For more infor - mation, see “Sav[...]

  • Page 346

    10-16 Configuring Port-Bas ed and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control 3. Determine whether to us e user -based a ccess control (page 10-4) or port- based access control (page 10-5). 4. Determine whether to use the op tional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for cli[...]

  • Page 347

    10-17 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802. 1X Authentication on the Switch This section outl ines the steps for configuring 802.1X on the switch. For detailed info rmation on each step , refer to the followin g: ■ “802.1X User -Based Acce ss [...]

  • Page 348

    10-18 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Note If you want to implement th e optional port security featur e (step 7) on the switch, you should first en sure that the ports you ha ve configured as 8 02.1X authenticators oper ate as expected. 7. If you are using Port S ecur[...]

  • Page 349

    10-19 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentica tion on Selected Ports This task configures the indivi dual ports you want to operate as 802.1X authenticators for po int-to-poi nt links to 802.1X-aware clients or switc hes, and consists of two ste ps[...]

  • Page 350

    10-20 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User -Based Authen tication or Return to Port- Based Authentication User -Based 802.1X Authentication. Port-Based 802.1X Authentication. Syntax: aaa port-access authenticato r client-limit < port-list > < 1 - 32[...]

  • Page 351

    10-21 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators Example: Configuring User -Based 802.1X Authentication This example enables ports A10-A1 2 to operate as authenticators, and then configures the ports for us er -based auth en tication. Figure 10-4. Example of Configuring User-Bas[...]

  • Page 352

    10-22 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the ma x-requests parameter fails (next page). (Default: 60 secon[...]

  • Page 353

    10-23 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time af ter which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disa bled (Default: 0 second) [unauth-vid < vlan-id >[...]

  • Page 354

    10-24 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how th e switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenti cator Y ou can configure local , c[...]

  • Page 355

    10-25 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the auth entication me thod, configure the switch to use 1, 2, or 3 RADIUS se rvers for authentication. The following syntax shows th e bas[...]

  • Page 356

    10-26 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentica tion is operating, y ou can use the following aaa port - access authenticator commands to reset 802.1X authentication an d statistics on specified ports. 7. Optiona[...]

  • Page 357

    10-27 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators ■ The 802.1s Multiple Spanning T ree Protocol (MSTP) or 802. 1w Rapid Spanning T ree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resourc e utilization while maintaining a lo op-free netw ork. For informati on[...]

  • Page 358

    10-28 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Because a port can be con figured for more than one type of authenticat ion to protect the switch from unauth orized access, the last setting you configure with the aaa port-ac cess controlled-directions command is applied to all a[...]

  • Page 359

    10-29 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode Introduction This section describes how to use t he 802.1X Open VLAN mode to provide a path for clien ts that need to acquire 802.1X supplica nt software before proceeding with the auth enti cation process. The Open VLAN mode involves o[...]

  • Page 360

    10-30 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports confi gured to al low multipl e sessions using 802.1X user -based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, au thenticated clien ts, the first a uthenticated client determin[...]

  • Page 361

    10-31 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Note After client authenticati on, the port resumes me mbership in any tagged VLANs for which it i s configured. If th e port is a tagged membe r of a VLAN used for 1 or 2 listed above, then it also operates as an untagged member of that VLAN while the clie [...]

  • Page 362

    10-32 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode T able 10-2. 802.1X Open VLAN Mode Options 802.1X Per -Port Configuration Port Response No Open VLAN mode: The port automatically blo cks a client that cannot init iate an authenti cation sessi on. Open VLAN mode with both of the f ollowing configured: Unauth[...]

  • Page 363

    10-33 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Authorized-Client VLAN • After client authentication, the po rt drops membership in t he Unauthorized-Client VLAN a nd becomes an u ntagged memb er of this VLAN. Notes: If the client is running an 802.1X supplicant applic ation when the authentic ation ses[...]

  • Page 364

    10-34 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Open VLAN Mode with Only an Unauthor ized-Cl ient VLAN Configured: • When the po rt detects a client, it aut omatically becomes an untagged member of this VLAN. T o limit secu rity risks, the network services and access a vailable on this VLAN should includ[...]

  • Page 365

    10-35 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Open VLAN Mode with Only an Authorized-Client VLAN Con figured: • Port automa tically blocks a client that can not initiate an authentication session . • If the client successfully completes an authen tication session, the port becomes an untagg ed membe[...]

  • Page 366

    10-36 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Au thorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorize d- Client or Unauthorized-Client VLANs These must be configured o n the switch before you co nfigure an 802.1X authenticator port to use them. ([...]

  • Page 367

    10-37 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Effect of Unauthorized-Client VLAN session on untagged port VLAN membership • When an unauth enticated client connect s to a port that is already configured with a static, un tagged VLAN, the switch temporarily moves the port to the Una uthorized-Client VL[...]

  • Page 368

    10-38 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Effect of RADIUS-assigned VLAN This rule assumes no other authenticated clients are already using the port on a different VLAN. The port joins the RADIUS-assigned VLAN as an unta gged member . IP Addressing for a Client Con nected to a Port Configured for 802[...]

  • Page 369

    10-39 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Note If you use the same VLAN as the Unau thorized-Client VLAN for all authenti- cator ports, unauth enticated clients on different ports can communicate wit h each other . Note: Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to[...]

  • Page 370

    10-40 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of bot h the Unauthorized-Client and Authorized-Client VLANs. Re fer to T able 10-2 on page 10-32 for other options. Before you configu re the 802.1X Open VLAN m ode on a p[...]

  • Page 371

    10-41 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the swit ch to use local password authen tication inste ad of RADIUS authentication. However , this is less desirable because it me ans that all clients use the same passwords and have the same access privil ege[...]

  • Page 372

    10-42 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-ra dius for step 2, use the radius host command to configure up to thr ee RADIUS server IP address(es) on the switch. 4. Activate authentication on the switch. 5. T est both the au thorized and unauthorized access [...]

  • Page 373

    10-43 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listin g of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 10-40. For example, suppose you want to conf igu[...]

  • Page 374

    10-44 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For info rmation and an example on viewing current Open VLAN mode operation, ref er to “Viewing 802.1X Open VLAN Mode Status” on page 10-60. 802.1X Open VLAN Operating Notes ■ Although you can configure Open V[...]

  • Page 375

    10-45 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow On ly 802.1X-Authenticated Devices ■ The first client to authenticat e on a port configu red to support multiple clients will determ ine the port’ s VL AN membership for any subsequent clients that authenticate [...]

  • Page 376

    10-46 Configuring Port-Bas ed and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-S ecurity To Allo w Only 80 2.1X-Authenticated Devices Port-Security Note If 802.1X port-access is configured on a given port, th en port-security learn- mode for that port must be set to either continuous (the default) or port-access[...]

  • Page 377

    10-47 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports To Operate As Suppli cants for 802.1X Connections to Other Switches Configuring Switch Ports T o Operate As Supplicants for 802.1X Connections to Other Switches A switch port can operate as a supplicant in a c onnection to a port on another 802.1X-aware s[...]

  • Page 378

    10-48 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supp licants for 802.1X Connect ions to Other Switches • If, after the supplicant port sends the configur ed number of start packets, it does not receive a respons e, it assumes that switch “B” is not 802.1X-aware, and transi tions to t[...]

  • Page 379

    10-49 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports To Operate As Suppli cants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. Y ou can configure a switch port as a supplicant for a p oint-to-point link to an 802.1X-aware port on another switch[...]

  • Page 380

    10-50 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supp licants for 802.1X Connect ions to Other Switches aaa port-access sup plicant [ethernet] < p ort-list > (Syntax Conti nued) [secret] Enter secret: < password > Repeat secret: < password > Sets the secret password to be [...]

  • Page 381

    10-51 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port -Access Authenticator 802.1X Authentication Commands page 10-18 802.1X Supplicant Commands page 10-47 802.1X Open VLAN Mode Commands page 10[...]

  • Page 382

    10-52 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters Syntax: show port-access authen ticator [ port-list ] [config | statistics | session-counters | vlan | clients | client s detailed • Untagged VLAN : VLAN ID number of the untagged VLAN used in client sessions. If the swi[...]

  • Page 383

    10-53 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Figure 10-10.Example of show p ort-access authenticat or Command The information displayed with the show p ort-access authenti cator command for individ ual (config | stat istics | session- counters | vlan | cl ients) opt[...]

  • Page 384

    10-54 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters T able 10-3. Field Descriptions of sho w port-access authe nticator config Comma nd Output (Figure 10-11) Field Description Port-access authenticator activated Whether 802.1X authentication is enabl ed or disabled on speci[...]

  • Page 385

    10-55 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Figure 10-12.Example of show p ort-access authenti cator statistics Command Syntax: show port-access authenticat or statistics [ port-list ] Displays statistical informatio n for all switch ports or spec- ified ports that[...]

  • Page 386

    10-56 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters Figure 10-13.Example of show p ort-access authenti cator session-counters Comm and Syntax: show port-access authenticat or session-counters [ port-list ] Displays information for acti ve 802.1X auth entic ation ses- sions [...]

  • Page 387

    10-57 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Figure 10-14.Example of show p ort-access authenticat or vlan Command Syntax: show port-access authenticat or vlan [ port-list ] Displays the following informat ion on the VLANs configured for use in 802.1X port-access au[...]

  • Page 388

    10-58 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters Figure 10-15. Example of show p ort-access authenti cator clients Command Out put Syntax: show port-acc ess authenticator clients [ port-list ] Displays the session status, name, and address for each 802.1X port-access-aut[...]

  • Page 389

    10-59 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Figure 10-16. Example of show p ort-access authenti cator clients detai led Command Output Syntax: show port-access auth enticator clients < port-list > detailed Displays detai led information on the statu s of 802.[...]

  • Page 390

    10-60 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters V iewing 802.1X Open VLAN Mode Status Y ou can examine the switch’ s curre nt VLAN status by using the show port- access authenticator vla n and show port-access a uthenticator < port-list > com- mands as illustrat[...]

  • Page 391

    10-61 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Thus, in the output shown in figure 10-17: ■ When the Auth VLAN ID is configured and matches the Current VLAN ID , an authenticated client is co nnected to the port. (Th is assumes the port is not a statically configure[...]

  • Page 392

    10-62 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters T able 10-3. Output for Determ ining Open VLAN Mode Statu s (Figure 10-17, Lower) Status Indicator Meaning Status Closed: Either no client is connected or the connected cl ient has not received authorization through 802.1X[...]

  • Page 393

    10-63 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Figure 10-18.Example of Showing a VLAN wi th Ports Configured for Open VLAN Mode Note that ports B1 and B3 ar e not in the upp er listing, bu t are included und er “Overridden Port VLAN configur ation”. This shows tha[...]

  • Page 394

    10-64 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters Show Commands for Po rt-Access Supplicant Note on Supplicant Statistics. For each port configured as a supplicant, show port-access supplic ant statistics < port-list >] displays the source MAC address and statistics[...]

  • Page 395

    10-65 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation supplicant port to another without clearin g the statistics data from the first port, the au thenticator’ s MAC address wi l l appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects V[...]

  • Page 396

    10-66 Configuring Port-Bas ed and User-Based Access Control (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation Note Y ou can use 802.1X (port-based or client -based) authentication and either W eb or MAC authenticati on at the same time on a port, with a maximu m of 32 clients allowed on the port. (Th e default is one client.) W eb a[...]

  • Page 397

    10-67 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation • If the port is assigned as a member of an untagged dynamic VLAN that was learn ed through GV RP , the dynamic VLAN conf iguration must exist on th e switch at the time o f authenti cation and GVRP- learned dynami c VLAN[...]

  • Page 398

    10-68 Configuring Port-Bas ed and User-Based Access Control (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation If this tempo rary VLAN assignment cau ses the switch to disable a different untagged static or dynamic VLAN conf igured on the port (as described in the preceding bullet and in “Example of Untagged VLAN Assignment in a RA[...]

  • Page 399

    10-69 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation For example, suppose that a RADIUS-au thenticated, 802.1X-a ware client on port A2 requires access to VLAN 22, but VLAN 22 is config ured for no access on port A2, and VLAN 33 is conf igured as untagged on port A2: Figure 1[...]

  • Page 400

    10-70 Configuring Port-Bas ed and User-Based Access Control (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation Figure 10-20.The Active Configuration for VLAN 22 T emporarily Changes for the 802.1X Session However , as shown in Figu re 1 0-19, because VLAN 33 is configured as untagged on port A2 and because a port c an be untagged on [...]

  • Page 401

    10-71 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation When the 802.1X client’ s session on port A2 ends, the port remov es the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as un tagged on the port becomes available again.[...]

  • Page 402

    10-72 Configuring Port-Bas ed and User-Based Access Control (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation Note Any port VLAN-ID changes you make on 802.1X-aware ports during an 802.1 X- authenticated session do not take eff e ct until the sessio n ends. W ith GVRP enabled, a temporary , unta gged static VLAN assignment created o[...]

  • Page 403

    10-73 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation T able 10-4. 802.1X Operating Messages Message Meaning Port < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.1X authenticators. Use this comm and to enabl[...]

  • Page 404

    11-1 11 Configuring and Monitoring Port Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 Basic Operation . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 405

    11-2 Configuring and Monitoring Port Security Contents Web: Checking for Intrus ions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-37 Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-38[...]

  • Page 406

    11-3 Configuring and Monitoring Port Security Overview Overview Port Security (Page 11-4). This feature enables you to configure each switch port with a unique list of th e MAC addresses of devices that are authorized to access the network throug h that port. This e nables ind ividual ports to detect, prevent, and log atte mpts by unauthorized devi[...]

  • Page 407

    11-4 Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port sec urity setting for each port is off , or “continuou s”. That is, any dev ice can access a port without causing a security reaction. Intruder Protection. A port that detects an “intruder” blocks t he [...]

  • Page 408

    11-5 Configuring and Monitoring Port Security Port Security • Static: Enables you to se t a fixed limit on the number of MAC addresses authorized for the port an d to specify some or all of the authorized addresses. (If you spec ify on ly some of the authorized addresses, the port learns the re maining authorized addresses from the traffic it rec[...]

  • Page 409

    11-6 Configuring and Monitoring Port Security Port Security configuratio n to ports on which h ubs, switches, or other devi ces are connected, and to maintain security while also main taining network acce ss to authorized users. For example: Figure 11-1. Example of How Port Security Contro ls Access Note Broadcast and Multicast traffic is always al[...]

  • Page 410

    11-7 Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port securi ty configuration and moni toring according to the following: a. On which ports do you want port secu rity? b. Which devices (MAC addresses) are authorized on each port? c. For each port, what security act ions do you want? (The switch automat[...]

  • Page 411

    11-8 Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Comm ands Used in This Section This section descr ibes the CLI port security command an d how the switch acquires a nd maintai ns authorized addresses. Note Use the global configuration level to execute port-se cur ity configuration[...]

  • Page 412

    11-9 Configuring and Monitoring Port Security Port Security Displaying Port Se curity Settings. Figure 11-2. Example Port Security Listing (Po rts A7 and A8 Show the Default Setting) W ith port numbers incl uded in th e command, show po rt-security displays Learn Mode, Address Limit, (al arm) Action, and Authorized Addresses f or the spec- ified po[...]

  • Page 413

    11-10 Configuring and Monitoring Port Security Port Security Figure 11-3. Example of the Port Security Configura tion Display for a Single Port The next exam ple shows the opti on for entering a range of ports, including a series of non-cont iguous ports. Note that no spaces are al lowed in the po rt number portion of the command stri ng: ProCurve([...]

  • Page 414

    11-11 Configuring and Monitoring Port Security Port Security Figure 11-4. Examples of Show Mac-Address Outputs[...]

  • Page 415

    11-12 Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security an d edit security settings. ■ Add or delete devices from the list of authorized addresses for one or more ports. ■ Clear the Intrusio n flag on specific ports Syntax: port-security [e] <port-list><[...]

  • Page 416

    11-13 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < contin uous | static | port-access | configured | limited- continuous > (Continued) static: Enables you to use the mac-addres s parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter[...]

  • Page 417

    11-14 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < contin uous | static | port-access | configured | limited- continuous > (Continued) Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device[...]

  • Page 418

    11-15 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Informatio n configuration screen of the Menu interface or the show system information listing. Y ou can set the MAC age ou[...]

  • Page 419

    11-16 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) mac-address [< mac-addr >] [< mac-addr >] . . . [< mac -addr >] A vailable for learn-mode with the, static , configured , or limited-continu ous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the val[...]

  • Page 420

    11-17 Configuring and Monitoring Port Security Port Security Retention of Static Addresses Static MAC addresses do not age-o ut. MAC addresses learne d by using learn- mode continuous or learn-mode limited -continuous age out according to the currently configured MAC age ti me. (For information on the mac-age-time command, refer to the chapter tit [...]

  • Page 421

    11-18 Configuring and Monitoring Port Security Port Security ■ Delete it by using no port-security < port-num ber > mac-address < mac-ad dr > . ■ Download a configur ation file th at does not includ e the unwanted MAC address assignment. ■ Reset the switch to its fac tory-default co nfiguration. Specifying Authoriz ed Devices and [...]

  • Page 422

    11-19 Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. T o simply add a device (MAC address) to a port’ s existing Authorized Addresses list, enter the port numbe r with the mac-add ress parameter and the device’ s MAC address. This assumes that Learn M ode is set to static and the Authorized Address[...]

  • Page 423

    11-20 Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is alre ady on the list. Note that if you change a port from st atic to cont inuous learn mod e, the port retains in memory any authorized addresses it ha d while in[...]

  • Page 424

    11-21 Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) fr om the Authorized Addresses list. (An Authoriz ed Address list is available for each port for which Learn Mod e is currently set to “Static”. Refer to the comma[...]

  • Page 425

    11-22 Configuring and Monitoring Port Security MAC Lockdown The following command serves this pu rpose by removing 0c0090-1 23456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090- 123456 The above command sequence results in the following configurat ion [...]

  • Page 426

    11-23 Configuring and Monitoring Port Security MAC Lockdown Y ou will need to enter a sepa rate comm and for each MAC/VLAN pair you wish to lock down. If yo u do not specify a VLAN ID (VID) the sw itch inserts a VID of “1”. How It W orks. Whe n a device’ s MAC address is locked down to a port (typically in a pair with a VLAN) all in formation[...]

  • Page 427

    11-24 Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pai r cannot be locked do wn on a different po rt. Y ou cannot perform MAC Lockdown and 802.1X authentication on the same port or on t he same MAC address. MAC Lockdown and 802. 1X authenticati on are mut[...]

  • Page 428

    11-25 Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safel y code per switch. T o truly lock down a MAC addr ess it wo uld be necessary to use t he MAC Lockdown command fo r every MAC Address and VLAN ID on every switch. In reality few netw ork administra[...]

  • Page 429

    11-26 Configuring and Monitoring Port Security MAC Lockout Deploying MAC Lockdown When you deploy MAC Lockdown you ne ed to consider how you use it wi thin your network topology to ensure security . In some cases where you are using techniques suc h as Spanning T ree Pr otocol (STP) to speed up netw ork per - formance by providing mul tiple paths f[...]

  • Page 430

    11-27 Configuring and Monitoring Port Security MAC Lockout T o use MAC Lockout you must fi rst know the MAC Address you wish t o block. How It W orks. Let’ s say a customer knows there are unauthorized wireless clients who should not have access to the network. T h e network admi nistrator “locks out” the MAC addresses fo r th e wireless clie[...]

  • Page 431

    11-28 Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, po rt security , and 802.1X authenti- cation. Y ou cannot use MAC Lockout to lock: • Broadcast or Mu lticast Addresses (Switches do not learn these) • Switch Agents (T he switch’ s own MAC Address) There ar e limits for the numb er of VLANs and Lock[...]

  • Page 432

    11-29 Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independ ent of port-security and in fact w ill override it. MAC Lockout is pref erable to port- security to stop access from known devi ces because it can be configured for all ports on the switch with one command. It is possible to use MAC Lock[...]

  • Page 433

    11-30 Configuring and Monitoring Port Security Web: Displaying and Confi guring Po rt Security Features W eb: Displaying and Configuring Port Security Features 1. Click on th e Security tab. 2. Click on [Port Security] . 3. Select the settings you want and, if you are usi n g the Static Learn Mode, add or edit the Author ized Addresses field. 4. Im[...]

  • Page 434

    11-31 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags ■ The switch enables notification of the intrusi on through the foll owing means: •I n t h e C L I : –T h e show port-secu rity intr usion-log command displays the Intrusion Log –T h e log command displays t he Event Log • In the menu interfa[...]

  • Page 435

    11-32 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most rece nt intrusion at the top of the listing. Y ou cannot delete Intrusio n Log entries (unl ess you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, th[...]

  • Page 436

    11-33 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interf ace indicates per -port intrusions in the Port Statu s screen, and provides details and t he reset function in the Intru sion Log screen. 1. From the Mai[...]

  • Page 437

    11-34 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 11-12 on page 11-33) does not indicate an int rusion for port A1, the alert flag for th e intru- sion on port A1 has already been reset. • Since the switch can show only one uncleared intrusion per port, the[...]

  • Page 438

    11-35 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags In the follow ing ex ample, executi ng show interfac es brief lists the switch ’ s p ort status, whi ch indicates an intru sion alert on port A1. Figure 11-14.Example of an Unac knowledged Intrusi on Alert in a Port Status Display If you wanted to se[...]

  • Page 439

    11-36 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags T o clear the intrusion from port A1 and enable the swit ch to enter any subsequent intrusio n for port A1 in the Intr usion Log, execute the port -security clear - intrusion-flag command. If you then r e -displ ay the port status screen, you will see [...]

  • Page 440

    11-37 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Figure 11-17.Example of Log Listi ng With and Without Dete cted Security Violations From the Menu Interface: In the Main Menu, click on 4. Event Log and use N ext page and P rev page to review the Event Log contents. For More Event Log Information. See[...]

  • Page 441

    11-38 Configuring and Monitoring Port Security Operating Notes for Port Security Operating Notes for Port Security Identifying the IP Address of an Intruder . The Intrusion Log lists detected intrude rs by MAC address. If you are using ProCurve Manager to manage your network, you can use the d evice properties page to link MAC addresses to their co[...]

  • Page 442

    11-39 Configuring and Monitoring Port Security Operating Notes for Port Security ProCurve(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s). ProCurve(config)# The switch will not allow you to configur e LACP on a port on which port security is enabled. For example: ProCurve(config)# int e a17 l[...]

  • Page 443

    12-1 12 Using Authorized IP Managers Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 444

    12-2 Using Authorized IP Managers Overview Overview Authorized IP Manager Features The Authorized IP Managers feature us es IP addresses and masks to deter - mine which station s (PCs or workstat ions) can access the switch through the network. This c overs access throug h the followin g means: – T elnet and other te rminal emulation appli cation[...]

  • Page 445

    12-3 Using Authorized IP Managers Options Options Y ou can configure: ■ Up to 10 authorized mana ger addresses , where each addre ss applies to either a single mana gement st ation or a group of station s ■ Manager or Operator access privil eges (for T elnet, SNMPv1 , and SNMPv2c access only) Caution Configuring Author ized IP Managers does not[...]

  • Page 446

    12-4 Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations ■ Authorizing Sin gle Stations: The table entry auth orizes a single ma n- agement station to have IP access to the switch. T o use this method , just enter the IP address of an authoriz ed management station in the Autho- rized Manag[...]

  • Page 447

    12-5 Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authori ze four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Mask s” on page 12-1 0. Note The IP Mask is a method for recogniz ing whether a given IP address is authorized for ma[...]

  • Page 448

    12-6 Using Authorized IP Managers Defining Authorized Management Stations Figure 12-2. Example of How T o Add an Authorized Manager Entry (Contin ued) Editing or Dele ting an Au thorized Manage r Entry . Go to the IP Ma nag- ers List screen (figure 12-1), high light the desired entry , and press [E] (for Edi t ) or [D] (for Delete ). CLI: Vi ewing [...]

  • Page 449

    12-7 Using Authorized IP Managers Defining Authorized Management Stations Figure 12-3.Example of the Show IP Auth orized-Manager Display The above example shows an Authorized IP Ma nager List that allows stations to access the switch as shown below: Configuring IP Authorized Managers for the Switch T o Authorize Manager Access. This comm and author[...]

  • Page 450

    12-8 Using Authorized IP Managers Defining Authorized Management Stations If you omit th e < mask bits > when adding a new authorized manager , the switch automatically uses 255.255.255.255 . If you do not specify either Manager or Operator access, the switch assign s the Manager access. For example: Figure 12-4. Example of Specifyi ng an IP [...]

  • Page 451

    12-9 Using Authorized IP Managers Web: Configuring IP Authorized Managers W eb: Configuring IP Authorized Managers In the web browse r interf ace you can configure IP Authorized Managers as described below . T o Add, Modify , or Delete an IP Authorized Manager address: 1. Click on the Security tab. 2. Click on [Authorized Addresses]. 3. Enter the a[...]

  • Page 452

    12-10 Using Authorized IP Managers Building IP Masks Using a W eb Proxy Server to Access the W eb Browser Interface Caution This is NOT recommended. Using a web proxy server between the stations and the switch poses a securi ty risk. If the station uses a web proxy server to connect to the swit ch, any proxy user can access the switch. If it is nec[...]

  • Page 453

    12-11 Using Authorized IP Managers Building IP Masks Figure 12-5. Analysis of IP Mask f or Single-Stat ion Entries Configuring Multiple Statio ns Per Authorized Manager IP Entry The mask dete rmines whet he r the IP address of a station on the network meets the criteria you specify . Th at is, for a given Author ized Manager entry , the switch appl[...]

  • Page 454

    12-12 Using Authorized IP Managers Building IP Masks Figure 12-6. Analysis of IP Mask for Multiple-Station E ntries Figure 12-7. Example of How the Bitm ap in the IP Mask Defines Auth orized Manager Addresses 1st Octet 2nd Octet 3rd Octet 4th Octet Manager -Level or Operator -Level Device Access IP Mask 255 255 255 0 The “255” in the first thre[...]

  • Page 455

    12-13 Using Authorized IP Managers Operating Notes Additional Examples for Au thorizing Mult iple Stations Operating Notes ■ Network Security Precautions: Y ou can enhance your network’ s secu- rity by keeping physical access to th e switch restricted to authorized personnel, usin g the password featu res built into the switch, using the additi[...]

  • Page 456

    12-14 Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabl ed in order to u se other applications, you can still eliminate proxy serv ice for web access to the switch. T o do so, add the IP address or DNS name of the switch to the non-proxy , or “Exceptions” list in the web browser interface you are using [...]

  • Page 457

    Index – 1 Index Numerics 3DES …7 - 3 802.1X access control authenticate users … 10-5 authentication methods … 10-4 authentication, local … 10-6 authentication, user-based … 10-4 authenticator … 10-19 operation … 10-9 show commands … 10-51 unblock port … 10-6 authorized-client VLAN, defined … 10-6 auth-vid … 10-23 auto … 10[...]

  • Page 458

    2 – Index password for port-access … 2-11, 2-21 port, supplicant … 10-16 port-based access … 10-4 client without authentication … 10-5 effect of Web/MAC auth operation … 10-13 enable … 10-19, 10-46 latest client, effect … 10-5 multiple client access … 10-6 multiple clients authenticating … 10-5 no client limit … 10-4 open port[...]

  • Page 459

    Index – 3 ports … 10-39 untagged … 10-30, 10-33, 10-34 untagged membership … 10-20 VLAN operation … 10-65 VLAN use, multiple clients … 10-7 VLAN, assignment conflict … 5-34, 10-12 VLAN, membership priority … 10-10, 10-30 VLAN, priority, RADIUS … 10- 34 VLAN, tagged membership … 10-34 Wake-on-LAN traffic … 10-27 Web/MAC auth ef[...]

  • Page 460

    4 – Index root … 7-4 self-signed … 7-3 CHAP …5 - 1 1 chap-radius …5 - 1 1 cipher,SSH …6 - 1 7 Clear button to delete password protection … 2-7 configuration filters … 9-2 port security … 11-7 RADIUS See RADIUS. saving security cred entials in multiple files … 2-20 SSH See SSH. storage of security credentials console authorized I[...]

  • Page 461

    Index – 5 bpdu protection, none …1 - 8 SSH, disabled … 1-4, 6-2 SSL, disabled … 1-5, 7-2 TACACS+ authentication configuration … 4-9 authentication, disabled … 1-5, 4-2 login attempts, 3 …4 - 6 tacacs-server-timeout, 5 se conds …4 - 2 3 TCP port number for SSH connections, 22 …6 - 1 8 TCP port number for SSL connections, 443 …7 -[...]

  • Page 462

    6 – Index E Eavesdrop Protection … 11-4 encryption key RADIUS … 2-11, 2-15 TACACS … 2-11, 2-15 event log alerts for monitored events … 8-34 intrusion alerts … 11-36 F filetransfer, S SH …6 - 1 7 filter, source-port editing … 9-18 filter indexing … 9-19 filter type … 9-8 idx … 9-8, 9-19 index … 9-8, 9-19 named … 9-6 operati[...]

  • Page 463

    Index – 7 authenticator operation … 3-6 blocked traffic … 3-3 CHAP defined … 3-11 usage … 3-3 client status … 3-60 concurrent with Web … 3-4 configuration commands … 3-51 configuring on the switch … 3-50 switch for RADIUS access … 3-17 the RADIUS server … 3-16 general setup … 3-14 hierarchy of precedence in authentication se[...]

  • Page 464

    8 – Index tracking client authentication failures … 8-33 Web authentication … 10-4 Web/MAC … 10-20 See also 802.1X access control. port scan, detecting …8 - 3 3 port security 802.1X, learn mode requirement … 11-14 authorized addres s definition … 11-5 basic operation … 11-4 caution, device limit … 11-14 configuring … 11-7 config[...]

  • Page 465

    Index – 9 server access order, changing … 5-50 servers, multiple … 5-19 service type value … 5-8 service-type value … 5-14 service-type value, null … 5-14 shared secret key, sa ving to configuration file … 2-11, 2-15 show accounting … 5-49 show authentication … 5-48 SNMP access security not supported … 5-4 SNMP access to auth co[...]

  • Page 466

    10 – Index Option 82 … 8-6, 8-9 statistics … 8-6 untrusted-policy … 8-10 verify … 8-6 source port filters configuring … 9-4 named … 9-6 operating rules … 9-4 See also named source port filters. selection criteria … 9-3 spanning tree edge port configuration … 3-22, 10-26 security features … 1-8 spoofing protection against … 8[...]

  • Page 467

    Index – 11 prerequisites … 7-5 remove self-signed certificate … 7-9 remove server host certificate … 7-9 reserved TCP port numbers … 7-20 root … 7-4 root certificate … 7-4 self-signed … 7-3, 7-12 self-signed certificate … 7-3, 7-9, 7-12 server host certificate … 7-9 SSL server … 7-3 SSLv3 … 7-2 steps for configuring … 7-5 [...]

  • Page 468

    12 – Index U untrusted policy, snooping …8 - 1 0 user name cleared … 2-7 SNMP configuration … 2-3 V vendor-specific attribute configuring support for HP VSAs … 5-29 defining … 5-30 virus detection monitoring ARP requests … 8-33 VLAN 802.1X … 10-65 802.1X, ID changes … 1 0-68, 10-72 802.1X, suspend untagged VLAN … 10-61 not adver[...]

  • Page 469

    ProCurve 5400zl i and *5992-5525* T e chnology for better business outcomes T o learn m or e , visit w w w . hp .com/go /bladesy stem/documentation/ © Cop yri ght 2009 Hewle tt-P ack ard De velopment C ompan y , L.P . The inf orm ation contained here in is subject to change w ithout notice . The only warr anties for HP products and serv ices ar e [...]