HP (Hewlett-Packard) 4100GL user manual
- 228 pages
- 5.21 MB
Summary of the user manual

Page 1: Access Security Guide. www.hp.com/go/hpprocurve. HP ProCurve Series 4100GL Switches [...]
Page 2: [...]
Page 3: HP ProCurve Series 4100GL Switches Access Security Guide, Software Release G.07.XX or Greater [...]
Page 4: © Copyright 2001-2002 Hewlett-Packard Company. All Rights Reserved. This document contains information which is protected by copyright. Reproduction, adaptation, or translation without prior permission is prohibited, except as allowed under the copyright laws. Publication Number 5990-3032, December 2002, Edition 2. Applicable Product H[...]
Page 5: Contents. Getting Started: Contents (xi); Introduction (xii); Overview of Access Security Features [...]
Page 6: 2 TACACS+ Authentication: Contents (2-1); Overview (2-2); Terminology Used in TACACS Applications [...]
Page 7: Outline of the Steps for Configuring RADIUS Authentication (3-6); 1. Configure Authentication for the Access Methods You Want RADIUS To Protect (3-8); 2. Configure the Switch To Access a RADIUS Server (3-10); 3. Configure the [...]
Page 8: 1. Assigning a Local Login (Operator) and Enable (Manager) Password (4-9); 2. Generating the Switch's Public and Private Key Pair (4-10); 3. Providing the Switch's Public Key to Clients (4-12); 4. Enabling SSH on the Switch [...]
Page 9: 6 Configuring Port-Based Access Control (802.1x): Contents (6-1); Overview (6-2); Why Use Port-Based Access Control? [...]
Page 10: How RADIUS/802.1x Authentication Affects VLAN Operation (6-43); Static VLAN Requirement (6-43); Messages Related to 802.1x Operation (6-47). 7 Configuring and Monitoring Port Security: Contents [...]
Page 11: Defining Authorized Management Stations (8-4); Overview of IP Mask Operation (8-4); Menu: Viewing and Configuring IP Authorized Managers (8-5); CLI: Viewing and Configuring Authorized IP Managers (8-6) [...]
Page 12: [...]
Page 13: Getting Started. Contents: Introduction (xii); Overview of Access Security Features (xii); Command Syntax Conventions (xiv); Simulating D[...]
Page 14: Getting Started. Introduction. This Access Security Guide is intended for use with the following switches: HP ProCurve Switch 4104GL; HP ProCurve Switch 4108GL. Together, these two devices are termed the HP ProCurve Series 4100GL Switches. Overview of Access Security Features: Local Manager and Operator passw[...]
Page 15: Getting Started. Overview of Access Security Features. Allows access to the switch by a networked device having an IP address previously configured in the switch as "authorized". HP recommends that you use local passwords together with the switch's other security features to provide a more comprehensive security fabr[...]
Page 16: Getting Started. Command Syntax Conventions. This guide uses the following conventions for command syntax and displays. Syntax: aaa port-access authenticator <port-list> [control <authorized | auto | unauthorized>]. Vertical bars (|) separate alternative, mutually exclusive elements [...]
Page 17: Getting Started. Related Publications. Screen Simulations: Figures containing simulated screen text and command output look like this: Figure 1. Example of a Figure Showing a Simulated Screen. In some cases, brief command-output sequences appear without figure identification. For example: HPswitch(config)# clear public-key HP[...]
Page 18: Getting Started. Related Publications. HP provides a PDF version of this guide on the Product Documentation CD-ROM shipped with the switch. You can also download the latest copy from the HP ProCurve website. (See "Getting Documentation From the Web" on page xvii.) Command Line Interface Reference Guide. This guid[...]
Page 19: Getting Started. Getting Documentation From the Web. 1. Go to the HP ProCurve website at http://www.hp.com/go/hpprocurve. 2. Click on technical support. 3. Click on manuals. 4. Click on the product for which you want to view or download a manual. [...]
Page 20: Getting Started. Sources for More Information. If you need information on specific parameters in the menu interface, refer to the online help provided in the interface (Online Help for Menu). If you need information on a specific command in the CLI, type the command name followed by "help". For [...]
Page 21: Getting Started. Need Only a Quick Start? IP Addressing. If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using VLANs, HP recommends that you use the Switch Setup screen to quickly configure IP addressing. To do so, do one of the following: [...]
Page 22: [...]
Page 23: 1 Configuring Username and Password Security. Contents: Overview (1-2); Configuring Local Password Security (1-4); Menu: Setting Passwords [...]
Page 24: Configuring Username and Password Security. Overview. Feature table (Feature: Default; Menu; CLI; Web): Set Usernames: no usernames set; -; -; page 1-6. Set a Password: no passwords set; page 1-4; page 1-5; page 1-6. Delete Password: n/a; page 1-4; page 1-6; page 1-6. Console access includes both the menu interface and the CLI. There are two lev[...]
Page 25: Configuring Username and Password Security. Overview. If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password. Assuming you have protected both the Manager and Operator levels, the level of access to the console interface will be det[...]
Page 26: Configuring Username and Password Security. Configuring Local Password Security. Menu: Setting Passwords. As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Co[...]
Page 27: Configuring Username and Password Security. Configuring Local Password Security. If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter. If you do not have [...]
Page 28: Configuring Username and Password Security. Configuring Local Password Security. To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clea[...]
Page 29: 2 TACACS+ Authentication. Contents: Overview (2-2); Terminology Used in TACACS Applications (2-4); General System Requirements (2-5); G[...]
Page 30: TACACS+ Authentication. Overview. Feature table (Feature: Default; Menu; CLI; Web): view the switch's authentication configuration: n/a; -; page 2-10; -. view the switch's TACACS+ server contact configuration: n/a; -; page 2-10; -. configure the switch's authentication methods: disabled; -; page 2-11; -. configure the switch to contact TACA[...]
Page 31: TACACS+ Authentication. Overview. ...server and (2) local passwords configured on the switch. That is, with TACACS+ configured, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authen[...]
Page 32: TACACS+ Authentication. Terminology Used in TACACS Applications. NAS (Network Access Server): This is an industry term for a TACACS-aware device that communicates with a TACACS server for authentication services. Some other terms you may see in literature describing TACACS [...]
Page 33: TACACS+ Authentication. General System Requirements. TACACS+ Authentication: This method enables you to use a TACACS+ server in your network to assign a unique password, username, and privilege level to each individual or group who needs access to one or more switches or other TACACS-aware devices. This allows you to a[...]
Page 34: TACACS+ Authentication. General Authentication Setup Procedure. Notes: The effectiveness of TACACS+ security depends on correctly using your TACACS+ server application. For this reason, HP recommends that you thoroughly test all TACACS+ configurations used in your network. TACACS-aware HP switches include the capability of configu[...]
Page 35: TACACS+ Authentication. General Authentication Setup Procedure. 2. Determine the following: The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first choice for authentication services. The encryption key, if any, for all [...]
Page 36: TACACS+ Authentication. General Authentication Setup Procedure. Caution: You should ensure that the switch has a local Manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, then unauthorized access will be available through the console port or Telnet. 5. Using a terminal [...]
Page 37: TACACS+ Authentication. Configuring TACACS+ on the Switch. Before You Begin: If you are new to TACACS+ authentication, HP recommends that you read the "General Authentication Setup Procedure" on page 2-6 and configure your TACACS+ server(s) before configuring authentication on the switch. The [...]
Page 38: TACACS+ Authentication. Configuring TACACS+ on the Switch. Viewing the Switch's Current Authentication Configuration. This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access. Syntax: show authentication. This example sh[...]
Page 39: TACACS+ Authentication. Configuring TACACS+ on the Switch. Configuring the Switch's Authentication Methods. The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch's loc[...]
Page 40: TACACS+ Authentication. Configuring TACACS+ on the Switch. Table 2-1. AAA Authentication Parameters (Name: Default; Range; Function). console or telnet: n/a; n/a; Specifies whether the command is configuring authentication for the console port or the Telnet access method for the switch. enable: n/a; n/a; Specifies the privilege level for the ac[...]
Page 41: TACACS+ Authentication. Configuring TACACS+ on the Switch. Table 2-2. Primary/Secondary Authentication Table (Access Method and Privilege Level: Authentication Options (Primary, Secondary); Effect on Access Attempts). Console, Login: local, none*: Local username/password access only. tacacs, local: If TACACS+ server unavailable, uses local [...]
Page 42: TACACS+ Authentication. Configuring TACACS+ on the Switch. For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. HPswitch(config)# aaa authentication console login tacacs local. Console Login (Oper[...]
Page 43: TACACS+ Authentication. Configuring TACACS+ on the Switch. Configuring the Switch's TACACS+ Server Access. The tacacs-server command configures these parameters: The host IP address(es) for up to three TACACS+ servers; one first choice and up to two backups. Designating backup servers provides for a continuation of authenticatio[...]
Page 44: TACACS+ Authentication. Configuring TACACS+ on the Switch. Note on Encryption Keys. Syntax: tacacs-server host <ip-addr> [key <key-string>]: Adds a TACACS+ server and optionally assigns a server-specific encryption key. [no] tacacs-server host <ip-addr>: Removes a TACACS+ server assignment (including its server-sp[...]
Page 45: TACACS+ Authentication. Configuring TACACS+ on the Switch. (Name: Default; Range.) host <ip-addr> [key <key-string>]: none; n/a. Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key. Fo[...]
Page 46: TACACS+ Authentication. Configuring TACACS+ on the Switch. (Name: Default; Range.) key <key-string>: none (null); n/a. Specifies the optional, global "encryption key" that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any "per-se[...]
Page 47: TACACS+ Authentication. Configuring TACACS+ on the Switch. The "10" server is now the "first-choice" TACACS+ authentication device. Figure 2-5. Example of the Switch After Assigning a Different "First-Choice" Server. To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: [...]
Page 48: TACACS+ Authentication. How Authentication Operates. To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you [...]
Page 49: TACACS+ Authentication. How Authentication Operates. Using figure 2-6, above, after either switch detects an operator's logon request from a remote or directly connected terminal, the following events occur: 1. The switch queries the first-choice TACACS+ server for authentication of the request. If the switc[...]
Page 50: TACACS+ Authentication. How Authentication Operates. Local Authentication Process. When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists: "Local" is the authentication option for the access method being used. TACACS+ is the primary authenticat[...]
Page 51: TACACS+ Authentication. How Authentication Operates. Using the Encryption Key. General Operation. When used, the encryption key (sometimes termed "key", "secret key", or "secret") helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets movin[...]
Page 52: TACACS+ Authentication. Controlling Web Browser Interface Access When Using TACACS+ Authentication. For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch. [...]
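How the key configured with tacacs-server ... key is actually used on the wire, as an added example that is not code from the HP guide or from the switch firmware: the Python below implements the TACACS+ body obfuscation of RFC 8907 section 4.5 (the MD5 pseudo-pad scheme the original TACACS+ draft also specified), builds an authentication START packet around it, and parses it back. The session id, the username, the password and the port name are constructed test values; the key north40campus is the guide's own example value.

```python
"""TACACS+ body obfuscation with the shared "encryption key".

Added example, not from the HP guide or the switch firmware: RFC 8907
section 4.5 pseudo-pad scheme plus the RFC 8907 section 5.1 START body,
so the effect of the configured key can be seen on the wire.
Session id, user, password and port are constructed test values.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0           # major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in the clear (no key configured)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id||key||version||seq_no);
    MD5_n = MD5(session_id||key||version||seq_no||MD5_{n-1}); concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, password: bytes, port: bytes = b"console") -> bytes:
    """Authentication START body for a PAP login: action=LOGIN(1), priv_lvl=1,
    authen_type=PAP(2), service=LOGIN(1), four field lengths, then user, port,
    rem_addr (empty here) and data (the password)."""
    rem_addr = b""
    fixed = bytes([0x01, 0x01, 0x02, 0x01, len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """12-byte header + body; the body is obfuscated only when a key is configured."""
    flags = 0
    if key:
        data = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        data, flags = body, TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + data


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Receiver side: use the header's own version, seq_no and session_id to undo the pad."""
    if len(packet) < 12:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "flags": flags, "body": body}


def password_visible_on_wire(packet: bytes, password: bytes) -> bool:
    """What a passive sniffer sees: True when the password bytes appear verbatim."""
    return password in packet


if __name__ == "__main__":
    body = authen_start_body(b"operator", b"s3cret-pw")
    keyed = build_packet(body, 0x01020304, b"north40campus")       # constructed session id
    plain = build_packet(body, 0x01020304, b"")
    print("keyed:", password_visible_on_wire(keyed, b"s3cret-pw"))  # False
    print("no key:", password_visible_on_wire(plain, b"s3cret-pw"))  # True
```

With a key the password no longer appears in the packet; without one the header carries TAC_PLUS_UNENCRYPTED_FLAG and the body, username and password included, is readable by anyone on the path. The scheme is a keystream derived from MD5 over the key and per-packet header fields, not authenticated encryption: it detects no tampering, and an observer who can guess part of a body (the fixed START prefix is predictable) recovers those pad bytes. The key should therefore still be long and random, and the switch-to-server path kept on a management VLAN.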
Page 53: TACACS+ Authentication. Messages Related to TACACS+ Operation. The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the applicat[...]
Page 54: TACACS+ Authentication. Operating Notes. When TACACS+ is not enabled on the switch, or when the switch's only designated TACACS+ servers are not accessible, setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthorized persons. [...]
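The primary/secondary behaviour described in Table 2-2, the Caution on the setup procedure page and the Operating Note above all hinge on the same rule: the switch falls back to local passwords only when no TACACS+ server answers, and an unset local password protects nothing. The simulation below is an added example, not code from the HP guide: the TacacsServer and SwitchConfig types, the single "may enable" flag standing in for the server's privilege level, and the server address and credentials are this example's own constructed assumptions, not switch internals.

```python
"""Primary/secondary authentication fallback and the local-password caveat.

Added example, not from the HP guide: simulates
'aaa authentication <console|telnet> <login|enable> tacacs <local|none>'
when servers answer, when they are unreachable, and when no local
Manager password exists. Types, addresses and credentials are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TacacsServer:
    ip: str
    reachable: bool = True
    # user -> (password, may_enable); constructed test data standing in for priv levels
    users: Dict[str, Tuple[str, bool]] = field(default_factory=dict)


@dataclass
class SwitchConfig:
    servers: List[TacacsServer]        # first choice first, then up to two backups
    primary: str                       # "tacacs" or "local"
    secondary: str                     # "local" or "none"
    operator_password: Optional[str] = None
    manager_password: Optional[str] = None


def tacacs_auth(cfg: SwitchConfig, user: str, password: str, level: str) -> Optional[bool]:
    """Query servers in listed order. None = no server reachable (the only case that falls back)."""
    for srv in cfg.servers:
        if not srv.reachable:
            continue
        cred = srv.users.get(user)
        # a reachable server's verdict is final: a rejection never falls back to local
        return cred is not None and cred[0] == password and (level == "login" or cred[1])
    return None


def local_auth(cfg: SwitchConfig, password: str, level: str) -> bool:
    """Local passwords; an unset password leaves that level unprotected (the guide's Caution)."""
    required = cfg.manager_password if level == "enable" else cfg.operator_password
    return required is None or password == required


def authenticate(cfg: SwitchConfig, user: str, password: str, level: str) -> bool:
    if cfg.primary == "local":
        return local_auth(cfg, password, level)
    verdict = tacacs_auth(cfg, user, password, level)
    if verdict is not None:
        return verdict
    if cfg.secondary == "local":
        return local_auth(cfg, password, level)
    return False                       # secondary "none": no access while servers are down


def audit(cfg: SwitchConfig) -> List[str]:
    """Flag the configurations the guide's Caution and Operating Notes warn about."""
    findings = []
    if cfg.primary == "tacacs" and not cfg.servers:
        findings.append("tacacs selected but no tacacs-server host configured")
    if cfg.manager_password is None:
        findings.append("no local Manager password: Manager level is open whenever local "
                        "authentication applies (an Operator password alone does not protect it)")
        if cfg.primary == "tacacs" and cfg.secondary == "local":
            findings.append("tacacs/local fallback with no Manager password: an unreachable "
                            "server grants Manager access to anyone")
    return findings


def scenario(server_reachable: bool, manager_password: Optional[str]) -> dict:
    """One first-choice server with a single enable-capable user; constructed data."""
    srv = TacacsServer("10.28.227.104", server_reachable, {"alice": ("alicepw", True)})
    cfg = SwitchConfig([srv], "tacacs", "local", operator_password="oper",
                       manager_password=manager_password)
    return {
        "alice_enable": authenticate(cfg, "alice", "alicepw", "enable"),
        "stranger_enable": authenticate(cfg, "mallory", "guess", "enable"),
        "findings": audit(cfg),
    }


if __name__ == "__main__":
    for reachable in (True, False):
        for mgr in ("mgr-pw", None):
            print(reachable, mgr, scenario(reachable, mgr))
```

The case to look at is the server being down with no Manager password: the stranger's enable attempt succeeds, which is exactly the exposure the Caution describes. With a Manager password set the same outage only costs TACACS+ users their access until the server returns, and choosing "none" as the secondary trades that availability for a hard deny.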
Page 55: 3 RADIUS Authentication and Accounting. Contents: Overview (3-2); Terminology (3-3); Switch Operating Rules for RADIUS [...]
Page 56: RADIUS Authentication and Accounting. Overview. Feature table (Feature: Default; Menu; CLI; Web): Configuring RADIUS Authentication: None; n/a; 3-6; n/a. Configuring RADIUS Accounting: None; n/a; 3-16; n/a. Viewing RADIUS Statistics: n/a; n/a; 3-23; n/a. RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server [...]
Page 57: RADIUS Authentication and Accounting. Terminology. CHAP (Challenge-Handshake Authentication Protocol): A challenge-response authentication protocol that uses the Message Digest 5 (MD5) hash to compute the response to a challenge from a RADIUS server (MD5 is a hash, not a cipher; the password is never sent, only the hash). EAP (Extensible Authentication Protocol): A[...]
Page 58: RADIUS Authentication and Accounting. Switch Operating Rules for RADIUS. You must have at least one RADIUS server accessible to the switch. The switch supports authentication and accounting using up to three RADIUS servers. The switch accesses the servers in the order in which they are listed [...]
Page 59: RADIUS Authentication and Accounting. General RADIUS Setup Procedure. Preparation: 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring the switc[...]
Page 60: RADIUS Authentication and Accounting. Configuring the Switch for RADIUS Authentication. RADIUS Authentication Commands (Page): aaa authentication (3-8); <console | telnet | ssh> <enable | login> radius (3-8); <local | none> (3-8); [no] radius-server host <IP-address> (3-10) [...]
Page 61: RADIUS Authentication and Accounting. Configuring the Switch for RADIUS Authentication. Note: This step assumes you have already configured the RADIUS server(s) to support the switch. Refer to the documentation provided with the RADIUS server. Server IP address; (Optional) UDP destination p[...]
Page 62: RADIUS Authentication and Accounting. Configuring the Switch for RADIUS Authentication. 1. Configure Authentication for the Access Methods You Want RADIUS To Protect. This section describes how to configure the switch for RADIUS authentication through the following access methods: Console: Either direct serial-port connecti[...]
Page 63: RADIUS Authentication and Accounting. Configuring the Switch for RADIUS Authentication. For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch's local pa[...]
Page 64: RADIUS Authentication and Accounting. Configuring the Switch for RADIUS Authentication. 2. Configure the Switch To Access a RADIUS Server. This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note: If you want to configure RADIUS accounti[...]
Page 65: RADIUS Authentication and Accounting. Configuring the Switch for RADIUS Authentication. For example, suppose you have configured the switch as shown in figure 3-3 and you now need to make the following changes: 1. Change the encryption key for the server at 10.33.18.127 to "source0127". 2. Add a RADIUS server with an IP[...]
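The guide calls the RADIUS shared secret an "encryption key", which overstates what it does: in an Access-Request the secret conceals only the User-Password attribute, and it is also what the CHAP definition on the Terminology page and the response authenticator rely on. The block below is an added example, not code from the HP guide: it implements the User-Password hiding of RFC 2865 section 5.2 on both the switch (hide) and server (unhide) sides, and the CHAP response value of RFC 2865 section 5.3. The secret source0127 is the guide's own example value; the request authenticator, passwords and challenge are constructed test values.

```python
"""RADIUS shared secret: User-Password hiding (RFC 2865 s5.2) and CHAP (s5.3).

Added example, not from the HP guide. "source0127" is the guide's example
secret; authenticator, passwords and challenge are constructed values.
"""
import hashlib
import os


def new_request_authenticator() -> bytes:
    """16 unpredictable bytes per Access-Request; reusing one reuses the keystream below."""
    return os.urandom(16)


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S||RA); ci = pi XOR MD5(S||c(i-1)), over 16-byte blocks, NUL padded."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password is 1..128 bytes")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def unhide_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: pi = ci XOR MD5(S||c(i-1)). A wrong secret yields garbage, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")


def chap_response(chap_id: int, user_password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: MD5(id || user password || challenge). The shared secret plays no part;
    the server must hold the user's cleartext password to verify it."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + user_password + challenge).digest()


if __name__ == "__main__":
    ra = new_request_authenticator()
    hidden = hide_user_password(b"s3cret-pass", b"source0127", ra)   # what leaves the switch
    print("on the wire:", hidden.hex())
    print("server recovers:", unhide_user_password(hidden, b"source0127", ra))
    print("wrong secret:", unhide_user_password(hidden, b"wrong", ra))
```

Everything else in the request (User-Name, NAS-IP-Address, the fact that a login is happening) is plaintext, and the hiding is an MD5 keystream keyed by the secret: a short or dictionary secret can be recovered offline from one captured request/response pair, because the Response Authenticator is MD5 over the reply and the same secret. Use a long random secret per switch and keep the switch-to-server path on a management VLAN, exactly as for the TACACS+ key.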
-
Pagina 66
RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS A u the n tication 3. Confi g ure the Switch’ s Global RADIUS Parameters Y ou can configure the switc h for the fo llowing g lob al RADIU S param e ters: ■ Number of lo gin attem p ts: In a given session, specifi e s how many tries at entering the corre c t use r name and [...]
-
Pagina 67
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server timeout < 1 .. 15 > Specifie s the maximum time th e switc h waits for a response to an authenticati on request before counting the attempt as a failure. (Default: 3 seco nds; Range: 1 - 15 seconds ) radius-server retransmit < 1 .. 5 > If[...]
-
Pagina 68
RADIUS Authenti cation and Accounting Local Authentication Process Aft er two attempts failing due to username or passwor d entry errors, the switch wil l ter m inate the session . Glo bal RADIU S para meter s from figur e 3-5. These two ser v ers wil l us e th e global encryp t ion key . Serve r -s pecifi c encrypti on key for the RADIUS serv er t[...]
-
Pagina 69
RADIUS Authentication and Accounting Controlling Web Browser Interface Acces s When Using RADIUS Authentication For local authenticat ion, the swi t ch uses the Op erator -level an d Manag er -level use r nam e/pa sswo r d set(s) p r eviously co nfigured loca lly on th e switch . (Th e se are the usernames a n d passwords you can configure using th[...]
-
Pagina 70
RADIUS Authenti cation and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Command s Page [no] radius- s erver host < ip-ad d ress > 3-19 [ acct-port < port-number >] 3-19 [key < key - string >] 3-19 [no] aaa accounting < exec | network | sy stem > 3-21 < start-stop | stop-only>[...]
-
Pagina 71
RADIUS Authentication and Accounting Con f iguring RADIUS Accounting (For 802.1x information fo r the swi t ch, refer to “C onfiguring Port- B ased Acc e ss Co ntrol (802.1x)” on page 6-1.) ■ Ex ec accounti ng : Provides records cont aining t h e i nfo rmat i on lis ted below about lo gin session s (consol e , T eln et , and S S H) o n the sw[...]
-
Pagina 72
RADIUS Authenti cation and Accounting Configuring RADIUS Accounting ■ If access to a RADIUS server fails du ring a session, bu t after the cli e nt has been a u the n ticated, the switch continues to assume the server i s available to rec e ive accounting data. Thus, if server access fails during a session, it w ill not receive acco unti n g data[...]
-
Pagina 73
RADIUS Authentication and Accounting Con f iguring RADIUS Accounting 1. Configure the Switch T o Access a RADIUS Server Before y ou config ur e the ac tual acco unting pa ram et e rs, yo u should first configure the swi tch to use a RAD IUS serve r . This is the same a s the process de scribed o n pa ge 3-10. Y ou need to repeat t his step here on [...]
-
Pagina 74
RADIUS Authenti cation and Accounting Configuring RADIUS Accounting Because the r adius-s erver command inc lu des an acct-p ort elemen t with a non default 1750, the switch assigns this value t o the accounting p ort UDP port n u mbe r s. Because a u th- port was not i ncluded in the comman d , the authenti cat ion UDP port is set to the defa u lt[...]
-
Pagina 75
RADIUS Authentication and Accounting Con f iguring RADIUS Accounting ■ Start - Stop : • S e n d a start record ac c ounting not i ce at the b e ginn i n g of the account - ing session and a stop r e cor d noti ce at the end of the se ssio n . Bot h notices include the latest data the switch has co llected for the requested accounting type (N[...]
-
Pagina 76
RADIUS Authenti cation and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These opt i onal paramet e rs give you addi ti onal cont ro l ov er accoun ti ng d ata. ■ Updates: I n additi on to us ing a St art - St op or St op -Onl y trigger , yo u can optionally configur e the swi t ch [...]
-
Pagina 77
RADIUS Authentication and Accounting Viewing RADIUS Statistics V i ewing RADIUS Statistics General RADIUS Statistics Syntax: show rad i us [ host < ip-add r >] Shows general RADIUS configuration , in cluding the server I P addresses. Optional form shows data for a specific RADIUS host. To use sho w radius , the server’s IP address must be c[...]
-
Pagina 78
RADIUS Authenti cation and Accounting Viewi n g RADIUS Statistics Te rm De finition Round T r ip T ime Th e time interval between the mo st recent Accounting-Respo n se and th e Accounting- Request that matched it from th is RADIUS accounting server . PendingRequests The number of RADIUS Accounting-Request packets sent to this se rver that have not[...]
-
Pagina 79
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Stati s tics Syntax: show a u thenticatio n Di splays the pri m ary and secondary authentication methods configured for the Console, T e lnet, Port-Access (80 2. 1x), and SSH methods of acce ssing the switch. Also displays the number of access attempts currently al[...]
-
Pagina 80
RADIUS Authenti cation and Accounting Viewi n g RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, "Empty User " supression status, accountin g types, methods, and modes. show rad i us accounting Lists accounting statis tics for the RADIUS server(s) configured in the switch (using [...]
-
Pagina 81
RADIUS Authentication and Accounting Changing RADIUS-Ser ver Access Order Figure 3-16. Exampl e Listing of Active RADIUS Accounting Sessions on t he Swi t ch Changing RADIUS-Server Access Order The switch tri e s to a ccess RADIUS ser vers according to the order in wh ich their IP addresses are listed by the show radius comma n d. Also, when you ad[...]
-
Pagina 82
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: 1. Delete 10.10.10.003 from the list. This opens the third (lowest) positio[...]
Page 83
RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server <x.x.x.x>. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is a[...]
Page 84
[...]
Page 85
4 Configuring Secure Shell (SSH) Contents Overview . . . 4-2 Terminology . . . 4-3 Prerequisite for Using SSH . . . [...]
Page 86
Configuring Secure Shell (SSH) Overview Overview Feature Default Menu CLI Web Generating a public/private key pair on the switch No n/a page 4-10 n/a Using the switch’s public key n/a n/a page 4-12 n/a Enabling SSH Disabled n/a page 4-15 n/a Enabling client public-key authentication Disabled n/a pages 4-19, 4-22 n/a Enabling user authent[...]
Page 87
Configuring Secure Shell (SSH) Terminology Note SSH in the HP Procurve Series 4100GL switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com. Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication show i[...]
Page 88
Configuring Secure Shell (SSH) Prerequisite for Using SSH ■ PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted client public-key that has been encoded for portability and efficiency. SSHv2 client public-keys are typically stored in the PEM format. See figures 4-3 and 4-4 for examples of PEM-encoded ASCII and non-e[...]
Page 89
Configuring Secure Shell (SSH) Public Key Formats Public Key Formats Any client application you use for client public-key authentication with the switch must have the capability to export public keys. The switch can accept keys in the PEM-Encoded ASCII Format or in the Non-Encoded ASCII format. Comment describing public B[...]
Page 90
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Switch Access Level Primary SSH Authentication Authenticate Switch Public Key to SSH Clients? Authenticate Client Public Key to the Switch? Primary Switch Password Authentication Secondary Switch Password Authentication Manager (Enab[...]
Page 91
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 4-9). 2. Generate a public/private key pair on the switch (page 4-10). You need to do this only once. The key remains i[...]
Page 92
Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can store only 10 client key pairs. ■ The switch’s own public/private key pair and the (optional) client public key file are[...]
Page 93
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 4-17 show crypto client-public-key [keylist-str] [<babble | fingerprint>] 4-25 show crypto host-public-key [<babble | fingerprint>] 4-14 show aut[...]
Page 94
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: password <manager | operator | all> Figure 4-6. Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pai[...]
Page 95
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key p[...]
Page 96
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch Version 1 and Version 2 views of same host public key Figure 4-7. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key'[...]
Page 97
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one bla[...]
Page 98
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add any data required by your SSH client application. For example, before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Bit Size Exponent <e> Modulus <n> Inserted IP Address Fig[...]
Page 99
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Hexadecimal "Fingerprints" of the Same Switch Phonetic "Hash" of Switch’s Public Key Figure 4-11. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 4-11 conver[...]
Page 100
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Refer to “5. Configuring the Switch for SSH Authentication” on page 4-18. SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client, your client’s first c[...]
Page 101
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port <1-65535 | default>] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 4-17. [timeout <5-120>] The SSH login timeout value (default: 120 seconds). [version <1 | 2 | 1-or-2>] The versio[...]
Page 102
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH does not protect the switch from unauthorized access via the web interface, Telnet, SNMP, or the serial port. While web and Telnet access can be restricted by the use of passwords local to the switch, if you are unsure of the security this provi[...]
Page 103
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none. Option B: Configuring the Switch for Client Public-Key SSH Authentication. If configured with this optio[...]
Page 104
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh enable <local | tacacs | radius> <local | none> Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none. For example, ass[...]
Page 105
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 4-14 shows how to check the results of the above commands. Lists the current SSH authentication configuration. Shows the contents of the public key file downloaded with the copy tftp command in figure 4-13. In this example, the file contains two cli[...]
Page 106
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Configuring the Switch for SSH Authentication” on page 4-18 lists the steps for configuring SSH authentication on the switch. However, if you are new to[...]
Page 107
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 3. If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. 4. If there is a match, the switch: a. Generates a random seque[...]
Page 108
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Notes Comments in public key files, such as smith@support.cairns.com in figure 4-15, may appear in an SSH client application’s generated public key. While such comments may help to distinguish one key from another, they do not pose [...]
Page 109
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Note on Public Keys The actual content of a public key entry in a public key file is determined by the SSH client application generating the key. (Although you can manually add or edit any comments the client application adds to the end of t[...]
Page 110
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: clear crypto public-key Deletes the client-public-key file from the switch. Syntax: clear crypto public-key 3 Deletes the entry with an index of 3 from the client-public-key file on the switch. Enabling Client Public-Key Authen[...]
Page 111
Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicates an error in communicating with the tftp server or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • Incorrect IP address in the co[...]
Page 112
Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning Error: Requested keyfile does not exist. The client key does not exist in the switch. Use copy tftp to download the key from a TFTP server. Generating new RSA host key. If the cache is depleted, this cou[...] After you execute the crypto key generate ssh [rsa]
Page 113
5 Configuring Secure Socket Layer (SSL) Contents Overview . . . 5-2 Terminology . . . 5-3 Prerequisite for Using SSL . . . [...]
Page 114
Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu CLI Web Generating a Self Signed Certificate on the switch No n/a page 5-9 page 5-13 Generating a Certificate Request on the switch No n/a n/a page 5-15 Enabling SSL Disabled n/a page 5-17 page 5-19 The Series 4100GL switches use Secure Socket Layer Version 3 (S[...]
Page 115
Configuring Secure Socket Layer (SSL) Terminology HP Switch (SSL Server) SSL Client Browser 1. Switch-to-Client SSL Cert. 2. User-to-Switch (login password and enable password authentication) options: – Local – TACACS+ – RADIUS Figure 5-1. Switch/User Authentication SSL on the Series 4100GL switches supports the[...]
Page 116
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL ■ CA-Signed Certificate: A certificate verified by a third party certificate authority (CA). Authenticity of CA-Signed certificates can be verified by an audit trail leading to a trusted root certificate. ■ Root Certificate: A trusted cer[...]
Page 117
Configuring Secure Socket Layer (SSL) Steps for Configuring and Using SSL for Switch and Client Authentication 1. Install an SSL capable browser application on a management station you want to use for access to the switch. (Refer to the documentation provided with your browser.) Note: The latest versions of Microsoft In[...]
Page 118
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re-generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all ma[...]
Page 119
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl show config show crypto host-cert crypto key generate cert [rsa] <512 | 768 | 1024> zeroize cert crypto host-cert generate self-signed [arg-list] zeroize [...]
Page 120
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface see the Series 4100GL switches Management and Configuration guide Chapter ti[...]
Page 121
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’s Server Host Certificate You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair, to negotiate an encryption me[...]
Page 122
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the CLI Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate autom[...]
Page 123
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on certificate fields. There are a number of arguments used in the generation of a server certificate. Table 9-1, “Certificate Field Descriptions” describes these arguments. Field Name Description Valid Start Date This should be the date you desi[...]
Page 124
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Notes "Zeroizing" the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-[...]
Page 125
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a Self-Signed Host Certificate with the Web browser interface You can configure SSL from the web browser interface. For more information on how to access the web browser interface see the Series 4100GL switches Management and Configuration guide C[...]
Page 126
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browser interface: Security Tab SSL button Certificate Type Box Key Size Selection Certificate Argument Create Certificate Button Figure 5-5. Self-Signed Certificate generation via SSL Web Br[...]
Page 127
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 5-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web browser interface To install a CA-Signed server host certificate from the web browser inte[...]
Page 128
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to th[...]
Page 129
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----- MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJaQTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMUVGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgN[...]
Page 130
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generating the Switch’s Server Host Certificate” on page 5-9. When configured for SSL, the switch uses its [...]
Page 131
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port <1-65535 | default:443>] The TCP port number for SSL connections (default: 443). Important: See “Note on Port Number” on page 5-20. show co[...]
Page 132
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SSL and port number Selection Figure 5-8. Using the web browser interface to enable SSL and select TCP port number Note on Port Number HP recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to s[...]
Page 133
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key (“CLI commands used to generate a Server Host Certificate” on page 5-10) Enabling SSL on the CLI or Web browser interface You have not generat[...]
Page 134
[...]
Page 135
6 Configuring Port-Based Access Control (802.1x) Contents Overview . . . 6-2 How 802.1x Operates . . . 6-5 Terminology . . . [...]
Page 136
Configuring Port-Based Access Control (802.1x) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1x Authenticators Disabled n/a page 6-14 n/a Configuring 802.1x Open VLAN Mode Disabled n/a page 6-20 n/a Configuring Switch Ports to Operate as 802.1x Supplicants Disabled n/a page 6-33 n/a Displaying 802.1x [...]
Page 137
Configuring Port-Based Access Control (802.1x) Overview ■ Local authentication of 802.1x clients using the switch’s local username and password (as an alternative to RADIUS authentication). ■ Temporary on-demand change of a port’s VLAN membership status to support a current client’s session. (This [...]
Page 138
Configuring Port-Based Access Control (802.1x) Overview Authenticating One Switch to Another. 802.1x authentication also enables the switch to operate as a supplicant when connected to a port on another switch running 802.1x authentication. RADIUS Server LAN Core 802.1x-Aware Client (Supplicant) Switch Running 802.1x and Conn[...]
Page 139
Configuring Port-Based Access Control (802.1x) How 802.1x Operates How 802.1x Operates Authenticator Operation This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.1x-aware. (If you expect desirable clients that do not have the necessary 802.1x sup[...]
Page 140
Configuring Port-Based Access Control (802.1x) How 802.1x Operates Switch-Port Supplicant Operation This operation provides security on links between 802.1x-aware switches. For example, suppose that you want to connect two switches, where: ■ Switch "A" has port A1 configured for 802.1x supplicant operation. ■ You wa[...]
Page 141
Configuring Port-Based Access Control (802.1x) Terminology • A "failure" response continues the block on port B5 and causes port A1 to wait for the "held-time" period before trying again to achieve authentication through port B5. Note You can configure a switch port to operate as both a suppli[...]
Page 142
Configuring Port-Based Access Control (802.1x) Terminology EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple authentication methods. EAPOL: Extensible Authentication Protocol Over LAN, as defined in the 802.1x standard. Friendly Client: A client that does not pose a securit[...]
Page 143
Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN. Untagged VLAN Membership: A port can be an untagged member of only one VLAN. [...]
Page 144
Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes ■ If a client already has access to a switch port when you configure the port for 802.1x authenticator operation, the port will block the client from further network access until it can be authenticated. ■ On a port configured for 802.1x with RAD[...]
Page 145
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Do These Steps Before You Configure 802.1x Operation 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enabl[...]
Page 146
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Overview: Configuring 802.1x Authentication on the Switch This section outlines the steps for configuring 802.1x on the switch. For detailed information on each step, refer to “Configuring the Switch for RADIUS [...]
Page 147
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) 7. If you are using Port Security on the switch, configure the switch to allow only 802.1x access on ports configured for 802.1x operation, and (if desired) the action to take if an unauthorized device attempts access[...]
Page 148
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Configuring Switch Ports as 802.1x Authenticators 802.1x Authentication Commands Page [no] aaa port-access authenticator <[ethernet] <port-list> 6-15 [control | quiet-period | tx-period | supplicant-timeout | 6-15 server-timeout | ma[...]
Page 149
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 1. Enable 802.1x Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1x authenticators for point-to-point links to 802.1x-aware clients or switches. (Actual 802.1x operation does n[...]
Page 150
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator <port-list> (Syntax Continued) [quiet-period <0..65535>] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the[...]
Page 151
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator <port-list> (Syntax Continued) [unauth-vid <vlan-id>] Configures an existing static VLAN to be the Unauthorized-Client VLAN. This enables you to provide a path for clients with[...]
Page 152
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 3. Configure the 802.1x Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1x authenticator. Syntax: aaa authentica[...]
Page 153
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands[...]
Page 154
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Open VLAN Mode 802.1x Authentication Commands page 6-14 802.1x Supplicant Commands page 6-34 802.1x Open VLAN Mode Commands [no] aaa port-access authenticator [e] <port-list> page 6-29 [auth-vid <vlan-id>] [unauth-vid <vlan-id>] 802.1x-[...]
Page 155
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode ■ 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during authentication. ■ 2nd Priority: If RADIUS authentication does not include assigning a VLAN to the port, then the switch assigns the port to the VLAN entered in the port’[...]
Page 156
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Table 6-1. 802.1x Open VLAN Mode Options 802.1x Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthoriz[...]
Page 157
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and[...]
Page 158
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized-Client or Unauthorized-Client VLANs VLAN Assignment Received from a RADIUS Server Temporary VLAN Membership During a Client Session Effect of Una[...]
Page 159
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Condition Rule Multiple Authenticator Ports Using the Same Unauthorized-Client and Authorized-Client VLANs You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1x authenticator ports configured on the switch. Similarly, you can use the sa[...]
Page 160
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Setting Up and Configuring 802.1x Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 6-1 on page 6-22 for other options. Before you configure the 802.1x Open VLAN mode on a port: ■[...]
Page 161
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges. Al[...]
Page 162
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host <ip-address> Adds a server to the RADIUS configuration. [key <server [...]
Page 163
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Configuring 802.1x Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 6-26. Syntax: aaa port-access authenticator [e] <[...]
Page 164
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Inspecting 802.1x Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1x Open VLAN Mode Status” on page 6-38. 802.1x Open VLAN Operating Notes ■ Although you can configure Open VLAN mode [...]
Page 165
Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices ■ If an authenticated client loses authentication during a session in 802.1x Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN. Option For Authenticator Ports: Config[...]
Page 166
Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices Note on Blocking a Non-802.1x Device If the port’s 802.1x authenticator control mode is configured to authorized (as shown below, instead of auto), then the first source MAC address from any devi[...]
Page 167
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 802.1x Authentication Commands page 6-14 802.1x Supplicant Commands [no] aaa port-access <supplicant <[e[...]
Page 168
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 1. When port A1 on switch "A" is first connected to a port on switch "B", or if the ports are already connected and either switch reboots, port A1 begins sending start pack[...]
Page 169
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring a Supplicant Switch Port. Note that you must enable supplicant operation on a port before you can change the supplicant configuration. This means you must execute the suppl[...]
Page 170
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches aaa port-access supplicant [ethernet] <port-list> (Syntax Continued) [auth-timeout <1-300>] Sets the period of time the port waits to receive a challenge from the authenticator. If[...]
Page 171
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Displaying 802.1x Configuration, Statistics, and Counters 802.1x Authentication Commands 802.1x Supplicant Commands 802.1x Open VLAN Mode Commands 802.1x-Related Show Commands show port-access authenticator show port-access supplicant De[...]
Page 172
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [[e] <port-list>] Shows: • Whether port-access authenticator is active • The 802.1x configuration of the ports configured as 802.1x authenticators If you do[...]
Page 173
An Unauth VLAN ID appearing in the Current VLAN ID column for the same port indicates an unauthenticated client is connected to this port. (Assumes that the port is not a statically configured member of VLAN 100.) Items [...]
- Page 174
25 as an authorized VLAN, then the port's membership in VLAN 1 will be temporarily suspended whenever an authenticated 802.1x client is attached to the port. Table 6-1. Open VLAN Mode Status Status Indicator Meaning Port[...]
- Page 175
Syntax: show vlan <vlan-id> Displays the port status for the selected VLAN, including an indication of which port memberships have been temporarily overridden by Open VLAN mode. Note that ports B1 and B3 are not in th[...]
- Page 176
Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [[e] <port-list>] [statistics] show port-access supplicant [[e] <port-list>] Shows the port-access supplicant configuration (excluding [...]
- Page 177
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator's MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1x Authentication Affects VLAN Ope[...]
- Page 178
For example, suppose that a RADIUS-authenticated, 802.1x-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authori[...]
- Page 179
This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1x session. This is to accommodate an 802.1x client's access, authenticated by a RADIUS server, where the server included an instruction to put t[...]
- Page 180
When the 802.1x client's session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS[...]
- Page 181
Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation Table 6-2. 802.1x Operating Messages. Message: Port <port-list> is not an authenticator. Meaning: The ports in the port list have not been enabled as 802.1x authenticators. Use this command to enable the ports as auth[...]
- Page 182
[...]
- Page 183
7 Configuring and Monitoring Port Security Contents Overview . . . 7-2 Basic Operation Blocking Unauthorized Traffic . . . 7-3 Trunk Group Exclusion . . .[...]
- Page 184
Configuring and Monitoring Port Security Overview Feature | Default | Menu | CLI | Web: Displaying Current Port Security | n/a | — | page 7-9 | page 7-15; Configuring Port Security | disabled | — | page 7-10 | page 7-15; Intrusion Alerts and Alert Flags | n/a | page 7-21 | page 7-19 | page 7-22. Using Port Security, you can configure each switch port with a un[...]
- Page 185
Configuring and Monitoring Port Security Basic Operation General Operation for Port Security. On a per-port basis, you can configure security measures to block unauthorized devices, and to send notice of security violations. Once you have configured port security, you can then monitor the network for security violations through[...]
- Page 186
Figure (Switch A, Port Security Configured): Switch B and PC 1 have MAC addresses authorized by Switch A; PC 2, PC 3 and Switch C have MAC addresses NOT authorized by Switch A. Switch A Port Sec[...]
- Page 187
Configuring and Monitoring Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port (up to 8 per port)? c. For each port, what security actio[...]
- Page 188
Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 7-9 port-security 7-10 <[ethernet] port-list> 7-10 [learn-mode] [address-limit] [mac-address] [action] [clear-intrusion-flag] no port-secu[...]
- Page 189
Table 7-1. Port Security Parameters Parameter Description Port List <[ethernet] port-list> Identifies the port or ports on which to apply a port security command. Learn learn-mode <static | continuous | port-access> Specifies how the port acq[...]
- Page 190
Parameter Description Action action <none | send-alarm | send-disable> Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is se[...]
- Page 191
Assigned/Authorized Addresses: If you manually assign a MAC address (using port-security <port-number> address-list <mac-addr>) and then execute write memory, the assigned MAC address remains in memory until you do one of t[...]
- Page 192
With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the specified ports on a switch. The following example lists the full port secu[...]
- Page 193
For information on the individual control parameters, see the Port Security Parameter table on page 7-7. Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to automatically accept the first device (MAC a[...]
- Page 194
The Address Limit has not been reached. Although the Address Limit is set to 2, only one device has been authorized for this port. In this case you can add another without having to also increase the Address Limit. Figure 7-4. Example of Addin[...]
- Page 195
If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port's current Address Limit setting), then you must increase the Address Limit in order to add the device, even if you want [...]
- Page 196
Note You can reduce the address limit below the number of currently authorized addresses on a port. This enables you to subsequently remove a device from the "Authorized" list without opening the possibility for an unwanted device to autom[...]
- Page 197
Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security]. 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field. 4. Im[...]
- Page 198
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags – The show port-security intrusion-log command displays the Intrusion Log – The log command displays the Event Log • In the menu interface: – The Port Status screen includes a per-port intrusion alert – The Event Lo[...]
- Page 199
The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new i[...]
- Page 200
The Intrusion Alert column shows "Yes" for any port on which a security violation has been detected. Figure 7-10. Example of Port Status Screen with Intrusion Alert on Port A3 2. Type [I] (Intrusion log) to display the Intrus[...]
- Page 201
(The intrusion log holds up to 20 intrusion records and deletes an intrusion record only when the log becomes full and a new intrusion is subsequently detected.) Note also that the "prior to" text in the record for the earl[...]
- Page 202
Intrusion Alert on port A1. Figure 7-12. Example of an Unacknowledged Intrusion Alert in a Port Status Display If you wanted to see the details of the intrusion, you would then enter the show port-security intrusion-log command. For e[...]
- Page 203
Intrusion Alert on port A1 is now cleared. Figure 7-14. Example of Port Status Screen After Alert Flags Reset For more on clearing intrusions, see "Note on Send-Disable Operation" on page 7-17 Using the Event Log To Find Intrusion A[...]
- Page 204
Configuring and Monitoring Port Security Operating Notes for Port Security From the Menu Interface: In the Main Menu, click on 4. Event Log and use Next page and Prev page to review the Event Log contents. For More Event Log Information. See "Using the Event Log To Identify Problem Sources" in the "Troubleshooting" [...]
- Page 205
Without both of the above configured, the switch detects only the proxy server's MAC address, and not your PC or workstation MAC address, and interprets your connection as unauthorized. "Prior To" Entries in the Intrusion Log. If you reset the s[...]
- Page 206
[...]
- Page 207
8 Using Authorized IP Managers Contents Using Authorized IP Managers Contents . . . 8-1 Overview . . . 8-2 Options . . .[...]
- Page 208
Using Authorized IP Managers Overview Authorized IP Manager Features Feature | Default | Menu | CLI | Web: Listing (Showing) Authorized Managers | n/a | page 8-5 | page 8-6 | page 8-8; Configuring Authorized IP Managers | None | page 8-5 | page 8-6 | page 8-8; Building IP Masks | n/a | page 8-9 | page 8-9 | page 8-9; Operating and Troubleshooting | n/a | page 8-12 | page [...]
- Page 209
Using Authorized IP Managers Options You can configure: ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations ■ Manager or Operator access privileges Caution Configuring Authorized IP Managers does not protect access to the switch thro[...]
- Page 210
Using Authorized IP Managers Defining Authorized Management Stations ■ Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authori[...]
- Page 211
rized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under "Building IP Masks" on page 8-9. Note The IP Mask is a method for recognizing whether a given IP address is authorized[...]
- Page 212
2. Enter an Authorized Manager IP address here. 5. Press [Enter], then [S] (for Save) to configure the IP Authorized Manager entry. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of manage[...]
- Page 213
The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: IP Mask | Authorized Station IP Address | Access Mode: 255.255.255.252 | 10.28.227.100 through 103 | Manager; 255.255.255.254 | 10.28.227.104 through 105 | Manager; 255[...]
- Page 214
Using Authorized IP Managers Web: Configuring IP Authorized Managers The result of entering the preceding example is: • Authorized Station IP Address: 10.28.227.105 • IP Mask: 255.255.255.255, which authorizes only the specified station (10.28.227.105 in this case). (See "Configuring Multiple Stations Per Authorized Manag[...]
- Page 215
Using Authorized IP Managers Building IP Masks For web-based help on how to use the web browser interface screen, click on the [?] button provided on the web browser screen. Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorize[...]
- Page 216
Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determin[...]
- Page 217
Figure 8-5. Analysis of IP Mask for Multiple-Station Entries (columns: 1st Octet, 2nd Octet, 3rd Octet, 4th Octet; Manager-Level or Operator-Level Device Access) IP Mask 255 255 255 0 The "255" in the first three octets of the mask specify that only the exact Authorized 10 28 227 125 v[...]
- Page 218
Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Manager List: IP Mask 255 255 0 255, Authorized 10 33 248 1. Results: This combination specifies an authorized IP address of 10.33.xxx.1. It could be applied, for example, to a subnetted network where each subnet is def[...]
- Page 219
• Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or "Exceptions" list in the web browser interf[...]
- Page 220
[...]
- Page 221
Index Numerics 3DES … 4-3, 5-3 802.1x See port-based access control. … 6-1 A aaa authentication … 2-9 access levels, authorized IP managers … 8-3 accounting See RADIUS. address authorized for port security … 7-3 authentication See TACACS. authorized addresses for IP management security … 8-4 for port security … 7-3 auth[...]
- Page 222
inconsistent value … 7-12 O open VLAN mode See port access control OpenSSH … 4-3, 5-2 operating notes authorized IP managers … 8-12 port security … 7-22 operator password … 1-2, 1-4 P password browser/console access … 1-3 case-sensitive … 1-4 caution … 1-3 delete … 1-4 deleting with the Clear button … 1-5 if[...]
- Page 223
supplicant, enabling … 6-34 switch username and password … 6-3 terminology … 6-7 troubleshooting, gvrp … 6-43 used with port-security … 6-31 VLAN operation … 6-43 prior to … 7-19, 7-20, 7-23 Privacy Enhanced Mode (PEM) See SSH. proxy web server … 7-22 Q quick start … 1-xix R RADIUS accounting … 3-2, 3-16 accounting, c[...]
- Page 224
host key pair … 4-11 key, babble … 4-11 key, fingerprint … 4-11 keys, zeroizing … 4-11 key-size … 4-17 known-host file … 4-13, 4-15 man-in-the-middle spoofing … 4-16 messages, operating … 4-27 OpenSSH … 4-3 operating rules … 4-8 outbound SSH not secure … 4-8 password security … 4-18 password-only authenti[...]
- Page 225
overview … 1-xii precautions … 2-6 preparing to configure … 2-9 preventing switch lockout … 2-15 privilege level code … 2-7 server access … 2-15 server priority … 2-18 setup, general … 2-6 show authentication … 2-9 supported features … 2-3 system requirements … 2-5 TACACS+ server … 2-4 testing … 2-6 timeou[...]
- Page 226
6 – Index[...]
- Page 227
[...]
- Page 228
Technical information in this document is subject to change without notice. © Copyright Hewlett-Packard Company 2000, 2002. All rights reserved. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright la[...]