HP (Hewlett-Packard) 4100GL manual


Table of contents for the manual

  • Page 1

    access security guide www.hp.com/go/hpprocurve hp procurve series 4100gl switches[...]

  • Page 2

    [...]

  • Page 3

    HP Procurve Series 4100GL Switches Access Security Guide Software Release G.07.XX or Greater[...]

  • Page 4

    © Copyright 2001-2002 Hewlett-Packard Company All Rights Reserved. This document contains information which is protected by copyright. Reproduction, adaptation, or translation without prior permission is prohibited, except as allowed under the copyright laws. Publication Number 5990-3032 December 2002 Edition 2 Applicable Product H[...]

  • Page 5

    Contents Getting Started Contents ... xi Introduction ... xii Overview of Access Security Features ...[...]

  • Page 6

    2 TACACS+ Authentication Contents ... 2-1 Overview ... 2-2 Terminology Used in TACACS Applications: ...[...]

  • Page 7

    Outline of the Steps for Configuring RADIUS Authentication ... 3-6 1. Configure Authentication for the Access Methods You Want RADIUS To Protect ... 3-8 2. Configure the Switch To Access a RADIUS Server ... 3-10 3. Configure the[...]

  • Page 8

    1. Assigning a Local Login (Operator) and Enable (Manager) Password ... 4-9 2. Generating the Switch's Public and Private Key Pair ... 4-10 3. Providing the Switch's Public Key to Clients ... 4-12 4. Enabling SSH on the Switch [...]

  • Page 9

    6 Configuring Port-Based Access Control (802.1x) Contents ... 6-1 Overview ... 6-2 Why Use Port-Based Access Control? ...[...]

  • Page 10

    How RADIUS/802.1x Authentication Affects VLAN Operation ... 6-43 Static VLAN Requirement ... 6-43 Messages Related to 802.1x Operation ... 6-47 7 Configuring and Monitoring Port Security Contents ...[...]

  • Page 11

    Defining Authorized Management Stations ... 8-4 Overview of IP Mask Operation ... 8-4 Menu: Viewing and Configuring IP Authorized Managers ... 8-5 CLI: Viewing and Configuring Authorized IP Managers ... 8-6[...]

  • Page 12

    [...]

  • Page 13

    Getting Started Contents Introduction ... xii Overview of Access Security Features ... xii Command Syntax Conventions ... xiv Simulating D[...]

  • Page 14

    Getting Started Introduction Introduction This Access Security Guide is intended for use with the following switches: ■ HP Procurve Switch 4104GL ■ HP Procurve Switch 4108GL Together, these two devices are termed the HP Procurve Series 4100GL Switches. Overview of Access Security Features ■ Local Manager and Operator passw[...]

  • Page 15

    Getting Started Overview of Access Security Features Allows access to the switch by a networked device having an IP address previously configured in the switch as "authorized". HP recommends that you use local passwords together with the switch's other security features to provide a more comprehensive security fabr[...]

  • Page 16

    Getting Started Command Syntax Conventions Command Syntax Conventions This guide uses the following conventions for command syntax and displays. Syntax: aaa port-access authenticator < port-list > [ control < authorized | auto | unauthorized > ] ■ Vertical bars ( | ) separate alternative, mutually exclusive elements[...]

  • Page 17

    Getting Started Related Publications Screen Simulations Figures containing simulated screen text and command output look like this: Figure 1. Example of a Figure Showing a Simulated Screen In some cases, brief command-output sequences appear without figure identification. For example: HPswitch(config)# clear public-key HP[...]

  • Page 18

    Getting Started Related Publications HP provides a PDF version of this guide on the Product Documentation CD-ROM shipped with the switch. You can also download the latest copy from the HP Procurve website. (See "Getting Documentation From the Web" on page xvii.) Command Line Interface Reference Guide. This guid[...]

  • Page 19

    Getting Started Getting Documentation From the Web Getting Documentation From the Web 1. Go to the HP Procurve website at http://www.hp.com/go/hpprocurve 2. Click on technical support. 3. Click on manuals. 4. Click on the product for which you want to view or download a manual.[...]

  • Page 20

    Getting Started Sources for More Information Sources for More Information ■ If you need information on specific parameters in the menu interface, refer to the online help provided in the interface. Online Help for Menu ■ If you need information on a specific command in the CLI, type the command name followed by "help". For [...]

  • Page 21

    Getting Started Need Only a Quick Start? Need Only a Quick Start? IP Addressing. If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using VLANs, HP recommends that you use the Switch Setup screen to quickly configure IP addressing. To do so, do one of the following: ■ [...]

  • Page 22

    [...]

  • Page 23

    1 Configuring Username and Password Security Contents Overview ... 1-2 Configuring Local Password Security ... 1-4 Menu: Setting Passwords ...[...]

  • Page 24

    Configuring Username and Password Security Overview Overview (Feature / Default / Menu / CLI / Web) Set Usernames: no usernames set / — / — / page 1-6. Set a Password: no passwords set / page 1-4 / page 1-5 / page 1-6. Delete Password: n/a / page 1-4 / page 1-6 / page 1-6. Protection Console access includes both the menu interface and the CLI. There are two lev[...]

  • Page 25

    Configuring Username and Password Security Overview If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password. Assuming you have protected both the Manager and Operator levels, the level of access to the console interface will be det[...]

  • Page 26

    Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Co[...]

  • Page 27

    Configuring Username and Password Security Configuring Local Password Security If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter. If you do not have[...]

  • Page 28

    Configuring Username and Password Security Configuring Local Password Security To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clea[...]

  • Page 29

    2 TACACS+ Authentication Contents Overview ... 2-2 Terminology Used in TACACS Applications: ... 2-4 General System Requirements ... 2-5 G[...]

  • Page 30

    TACACS+ Authentication Overview Overview (Feature / Default / Menu / CLI / Web) view the switch's authentication configuration: n/a / — / page 2-10 / —. view the switch's TACACS+ server contact configuration: n/a / — / page 2-10 / —. configure the switch's authentication methods: disabled / — / page 2-11 / —. configure the switch to contact TACA[...]

  • Page 31

    TACACS+ Authentication Overview server and (2) local passwords configured on the switch. That is, with TACACS+ configured, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authen[...]

  • Page 32

    TACACS+ Authentication Terminology Used in TACACS Applications: Terminology Used in TACACS Applications: ■ NAS (Network Access Server): This is an industry term for a TACACS-aware device that communicates with a TACACS server for authentication services. Some other terms you may see in literature describing TACACS[...]

  • Page 33

    TACACS+ Authentication General System Requirements • TACACS+ Authentication: This method enables you to use a TACACS+ server in your network to assign a unique password, user name, and privilege level to each individual or group who needs access to one or more switches or other TACACS-aware devices. This allows you to a[...]

  • Page 34

    TACACS+ Authentication General Authentication Setup Procedure Notes The effectiveness of TACACS+ security depends on correctly using your TACACS+ server application. For this reason, HP recommends that you thoroughly test all TACACS+ configurations used in your network. TACACS-aware HP switches include the capability of configu[...]

  • Page 35

    TACACS+ Authentication General Authentication Setup Procedure 2. Determine the following: • The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first-choice for authentication services. • The encryption key, if any, for all[...]

  • Page 36

    TACACS+ Authentication General Authentication Setup Procedure Caution You should ensure that the switch has a local Manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, then unauthorized access will be available through the console port or Telnet. 5. Using a terminal [...]

  • Page 37

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring TACACS+ on the Switch Before You Begin If you are new to TACACS+ authentication, HP recommends that you read the "General Authentication Setup Procedure" on page 2-6 and configure your TACACS+ server(s) before configuring authentication on the switch. The[...]

  • Page 38

    TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch's Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access. Syntax: show authentication This example sh[...]

  • Page 39

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch's Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch's loc[...]

  • Page 40

    TACACS+ Authentication Configuring TACACS+ on the Switch Table 2-1. AAA Authentication Parameters (Name / Default / Range / Function) console - or - telnet: n/a / n/a / Specifies whether the command is configuring authentication for the console port or Telnet access method for the switch. enable: n/a / n/a / Specifies the privilege level for the ac[...]

  • Page 41

    TACACS+ Authentication Configuring TACACS+ on the Switch Table 2-2. Primary/Secondary Authentication Table (Access Method and Privilege Level / Authentication Options: Primary, Secondary / Effect on Access Attempts) Console Login: local, none*: Local username/password access only. tacacs, local: If TACACS+ server unavailable, uses local [...]

  • Page 42

    TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. HPswitch(config)# aaa authentication console login tacacs local Console Login (Oper[...]

  • Page 43

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch's TACACS+ Server Access The tacacs-server command configures these parameters: ■ The host IP address(es) for up to three TACACS+ servers; one first choice and up to two backups. Designating backup servers provides for a continuation of authenticatio[...]

  • Page 44

    TACACS+ Authentication Configuring TACACS+ on the Switch Note on Encryption Keys Syntax: tacacs-server host < ip-addr > [key < key-string >] Adds a TACACS+ server and optionally assigns a server-specific encryption key. [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its server-sp[...]

  • Page 45

    TACACS+ Authentication Configuring TACACS+ on the Switch (Name / Default / Range) host < ip-addr > [key < key-string >]: none / n/a. Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key. Fo[...]

  • Page 46

    TACACS+ Authentication Configuring TACACS+ on the Switch (Name / Default / Range) key < key-string >: none (null) / n/a. Specifies the optional, global "encryption key" that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any "per-se[...]

  • Page 47

    TACACS+ Authentication Configuring TACACS+ on the Switch The "10" server is now the "first-choice" TACACS+ authentication device. Figure 2-5. Example of the Switch After Assigning a Different "First-Choice" Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: [...]

  • Page 48

    TACACS+ Authentication How Authentication Operates To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you[...]

  • Page 49

    TACACS+ Authentication How Authentication Operates Using figure 2-6, above, after either switch detects an operator's logon request from a remote or directly connected terminal, the following events occur: 1. The switch queries the first-choice TACACS+ server for authentication of the request. • If the switc[...]

  • Page 50

    TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists: ■ "Local" is the authentication option for the access method being used. ■ TACACS+ is the primary authenticat[...]
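The rules scattered over pages 36, 41, 42 and 49-50 (a reachable server's verdict is used as-is, the secondary method only applies when no server can be contacted, and an unset local Manager password gives no protection when TACACS+ is unreachable) are easier to see side by side in a small model. The block below is an added example, not the switch firmware or anything from the guide; the server addresses 10.28.227.104 and 10.28.227.15 are the ones the guide uses, the accounts and passwords are constructed, and the assumption that a reply from a reachable server is final (the page that describes this on page 2-17 is truncated here) is stated in the comments.

```python
"""Model of the switch's primary/secondary login decision (added example).

Not the switch's firmware: a simulation of the rules the guide states for
`aaa authentication <console|telnet> <login|enable> <primary> <secondary>`,
so the two failure modes can be compared: a server that answers "reject"
ends the attempt, and only when no server answers at all does the
secondary method (local or none) decide.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACCEPT, REJECT = "accept", "reject"


@dataclass
class TacacsServer:
    ip: str
    reachable: bool
    users: Dict[str, str] = field(default_factory=dict)  # constructed accounts

    def authenticate(self, user: str, password: str) -> Optional[str]:
        if not self.reachable:
            return None  # no reply: the switch moves on to the next server
        return ACCEPT if self.users.get(user) == password else REJECT


@dataclass
class Switch:
    # (access method, level) -> (primary, secondary), e.g. ("console", "login"): ("tacacs", "local")
    methods: Dict[Tuple[str, str], Tuple[str, str]]
    servers: List[TacacsServer]                # first-choice server first, then backups
    local_passwords: Dict[str, Optional[str]]  # "login" (Operator) / "enable" (Manager); None = not set

    def local_ok(self, level: str, password: str) -> bool:
        stored = self.local_passwords.get(level)
        # An unset local password gives no protection at that level; this is the
        # situation the guide's caution (page 2-8) warns about.
        return stored is None or stored == password

    def login(self, access: str, level: str, user: str, password: str) -> str:
        primary, secondary = self.methods[(access, level)]
        if primary == "tacacs":
            for server in self.servers:
                verdict = server.authenticate(user, password)
                if verdict is not None:
                    # Assumption: a reachable server's answer is final; the
                    # secondary method is not a fallback for a rejected login.
                    return f"{verdict} (tacacs {server.ip})"
            if secondary == "local":
                ok = self.local_ok(level, password)
                return f"{ACCEPT if ok else REJECT} (local; no TACACS+ server reachable)"
            return f"{REJECT} (no TACACS+ server reachable; secondary is none)"
        ok = self.local_ok(level, password)
        return f"{ACCEPT if ok else REJECT} (local)"


def demo(first_choice_up: bool, manager_password: Optional[str]) -> Dict[str, str]:
    """Runs a few logins against one constructed configuration."""
    servers = [TacacsServer("10.28.227.104", first_choice_up, {"ops": "op-secret"}),
               TacacsServer("10.28.227.15", False)]
    sw = Switch(
        methods={("console", "login"): ("tacacs", "local"),
                 ("console", "enable"): ("tacacs", "local"),
                 ("telnet", "enable"): ("tacacs", "none")},
        servers=servers,
        local_passwords={"login": "local-op", "enable": manager_password},
    )
    return {
        "console login, server creds": sw.login("console", "login", "ops", "op-secret"),
        "console login, local creds": sw.login("console", "login", "ops", "local-op"),
        "console enable, guess": sw.login("console", "enable", "ops", "guess"),
        "telnet enable, guess": sw.login("telnet", "enable", "ops", "guess"),
    }


if __name__ == "__main__":
    for label, result in demo(first_choice_up=False, manager_password=None).items():
        print(f"{label:30} -> {result}")
```

Running `demo(False, None)` shows the case the caution is about: with both servers down and no local Manager password, `console enable` with any password is accepted. With `("tacacs", "none")`, as on the Telnet enable line, the same outage instead locks everyone out, which is the trade-off the guide's table asks you to choose deliberately.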

  • Page 51

    TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed "key", "secret key", or "secret") helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets movin[...]

  • Page 52

    TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.[...]
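What the "encryption key" on pages 51-52 actually does on the wire is worth seeing, because it is not a cipher: the TACACS+ protocol (RFC 8907, section 4.5) XORs the packet body with a pseudo-pad of chained MD5 digests over the session id, the shared key, the version byte and the sequence number. The block below is an added example of that mechanism, not code from the guide or from HP; the key north40campus is the value the guide's own example uses, and the body bytes are constructed.

```python
"""TACACS+ packet-body obfuscation with the shared key (added example).

Implements the pseudo-pad of RFC 8907 section 4.5. The same XOR both
obfuscates and de-obfuscates, and a wrong key yields garbage rather
than an error, which is why mismatched keys show up as authentication
failures rather than as a clear "bad key" message.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER = 0x0
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER  # 0xC0
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # header flag: body sent in clear


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_{n-1}).
    Digests are concatenated until the pad covers the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; calling it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes,
                 seq_no: int = 1, packet_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """Client (switch) side: 12-byte header + body.
    An empty key sets TAC_PLUS_UNENCRYPTED_FLAG and sends the body in clear,
    which is what a switch with no `tacacs-server key` configured would do."""
    if key:
        flags, payload = 0, obfuscate(body, session_id, key, VERSION, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack("!BBBBII", VERSION, packet_type, seq_no, flags, session_id, len(payload))
    return header + payload


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Server side: recover the body using the header fields and the key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    payload = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    return obfuscate(payload, session_id, key, version, seq_no)


if __name__ == "__main__":
    # Constructed authentication START body: action/priv/authen_type/service,
    # then field lengths, then the user name (no real credentials).
    body = bytes([0x01, 0x01, 0x02, 0x01, 0x05, 0x00, 0x00, 0x00]) + b"admin"
    pkt = build_packet(body, session_id=0x12345678, key=b"north40campus")
    print("on the wire:", pkt[12:].hex())
    print("server view:", parse_packet(pkt, b"north40campus"))
    print("wrong key  :", parse_packet(pkt, b"north01"))
```

Two practical consequences follow from the code: the key must be as strong as a password, since anyone who captures a session and guesses the key recovers every username and password in it, and the pad gives no integrity protection at all, so TACACS+ traffic still belongs on a management VLAN the guide's "authorized managers" feature can restrict.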

  • Page 53

    TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the applicat[...]

  • Page 54

    TACACS+ Authentication Operating Notes ■ When TACACS+ is not enabled on the switch—or when the switch's only designated TACACS+ servers are not accessible—setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthorized persons.) [...]

  • Page 55

    3 RADIUS Authentication and Accounting Contents Overview ... 3-2 Terminology ... 3-3 Switch Operating Rules for RADIUS ...[...]

  • Page 56

    RADIUS Authentication and Accounting Overview Overview (Feature / Default / Menu / CLI / Web) Configuring RADIUS Authentication: None / n/a / 3-6 / n/a. Configuring RADIUS Accounting: None / n/a / 3-16 / n/a. Viewing RADIUS Statistics: n/a / n/a / 3-23 / n/a. RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server[...]

  • Page 57

    RADIUS Authentication and Accounting Terminology Terminology CHAP (Challenge-Handshake Authentication Protocol): A challenge-response authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to compute a hashed response to a challenge from a RADIUS server. EAP (Extensible Authentication Protocol): A[...]

  • Page 58

    RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Switch Operating Rules for RADIUS ■ You must have at least one RADIUS server accessible to the switch. ■ The switch supports authentication and accounting using up to three RADIUS servers. The switch accesses the servers in the order in which they are listed [...]

  • Page 59

    RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring the switc[...]

  • Page 60

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Configuring the Switch for RADIUS Authentication RADIUS Authentication Commands (Page) aaa authentication 3-8 < console | telnet | ssh > < enable | login > radius 3-8 < local | none > 3-8 [no] radius-server host < IP-address > 3-10 [...]

  • Page 61

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note This step assumes you have already configured the RADIUS server(s) to support the switch. Refer to the documentation provided with the RADIUS server application. • Server IP address • (Optional) UDP destination p[...]

  • Page 62

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 1. Configure Authentication for the Access Methods You Want RADIUS To Protect This section describes how to configure the switch for RADIUS authentication through the following access methods: ■ Console: Either direct serial-port connecti[...]

  • Page 63

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch's local pa[...]

  • Page 64

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounti[...]

  • Page 65

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in figure 3-3 and you now need to make the following changes: 1. Change the encryption key for the server at 10.33.18.127 to "source0127". 2. Add a RADIUS server with an IP[...]
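The RADIUS "encryption key" configured above (page 65) and the CHAP definition on page 57 both come down to a handful of MD5 constructions from RFC 2865: hiding the User-Password attribute, checking a CHAP-Password, and the Response Authenticator that lets the switch tell a genuine reply from a forged or mis-keyed one. The block below is an added example that walks one Access-Request and reply through both sides; it is not code from the guide or from HP. The secret source0127 is the value the guide's own example sets, and the user database and passwords are constructed.

```python
"""RADIUS shared-secret mechanics from RFC 2865 (added example).

Client = the switch building an Access-Request, server = the RADIUS
server checking it and signing its reply. Attributes carried: User-Name (1),
User-Password (2), CHAP-Password (3), CHAP-Challenge (60).
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 2, 3, 60


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password value: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")  # assumes the password has no trailing NUL bytes


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: ident byte + MD5(ident + password + challenge).
    Note the server needs the cleartext password to recompute this."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            break  # malformed attribute; stop rather than loop forever
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, body, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def client_access_request(user, password, secret, ident=1, use_chap=False):
    """Switch side: returns (packet, request_authenticator)."""
    ra = os.urandom(16)  # must be unpredictable: it seeds the password hiding
    if use_chap:
        challenge = os.urandom(16)
        attrs = [(ATTR_USER_NAME, user), (ATTR_CHAP_PASSWORD, chap_response(ident, password, challenge)),
                 (ATTR_CHAP_CHALLENGE, challenge)]
    else:
        attrs = [(ATTR_USER_NAME, user), (ATTR_USER_PASSWORD, hide_password(password, secret, ra))]
    return build_packet(ACCESS_REQUEST, ident, ra, encode_attrs(attrs)), ra


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side: verify the credential and answer with a signed reply."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    ra = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    ok = False
    if user in user_db and ATTR_USER_PASSWORD in attrs:
        ok = unhide_password(attrs[ATTR_USER_PASSWORD], secret, ra) == user_db[user]
    elif user in user_db and ATTR_CHAP_PASSWORD in attrs:
        chap = attrs[ATTR_CHAP_PASSWORD]
        challenge = attrs.get(ATTR_CHAP_CHALLENGE, ra)  # RFC 2865: RA is the challenge if absent
        ok = chap == chap_response(chap[0], user_db[user], challenge)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = b""  # no reply attributes in this example
    return build_packet(code, ident, response_authenticator(code, ident, ra, body, secret), body)


def client_verify_response(response: bytes, request_auth: bytes, secret: bytes):
    """Returns the reply code only if the Response Authenticator checks out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    body = response[20:length]
    if response[4:20] != response_authenticator(code, ident, request_auth, body, secret):
        return None  # forged reply or shared-secret mismatch: treat as no answer
    return code
```

Three things the code makes concrete: a server with the wrong secret cannot recover the password and also cannot produce an authenticator the switch will accept, so a key mismatch looks exactly like the "Can't reach RADIUS server" case on page 83; the hiding is XOR with MD5 output keyed by the shared secret, so the secret must be strong and the traffic confined to a management network; and CHAP moves the cleartext password from the wire to the server's user store, which is a trade, not a free win.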

  • Page 66

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch's Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: ■ Number of login attempts: In a given session, specifies how many tries at entering the correct user name and [...]

  • Page 67

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server timeout < 1 .. 15 > Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure. (Default: 3 seconds; Range: 1 - 15 seconds) radius-server retransmit < 1 .. 5 > If[...]

  • Page 68

    RADIUS Authentication and Accounting Local Authentication Process After two attempts failing due to username or password entry errors, the switch will terminate the session. Global RADIUS parameters from figure 3-5. These two servers will use the global encryption key. Server-specific encryption key for the RADIUS server t[...]

  • Page 69

    RADIUS Authentication and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication For local authentication, the switch uses the Operator-level and Manager-level username/password set(s) previously configured locally on the switch. (These are the usernames and passwords you can configure using th[...]

  • Page 70

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Commands (Page) [no] radius-server host < ip-address > 3-19 [acct-port < port-number >] 3-19 [key < key-string >] 3-19 [no] aaa accounting < exec | network | system > 3-21 < start-stop | stop-only >[...]

  • Page 71

    RADIUS Authentication and Accounting Configuring RADIUS Accounting (For 802.1x information for the switch, refer to "Configuring Port-Based Access Control (802.1x)" on page 6-1.) ■ Exec accounting: Provides records containing the information listed below about login sessions (console, Telnet, and SSH) on the sw[...]

  • Page 72

    RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ If access to a RADIUS server fails during a session, but after the client has been authenticated, the switch continues to assume the server is available to receive accounting data. Thus, if server access fails during a session, it will not receive accounting data[...]

  • Page 73

    RADIUS Authentication and Accounting Configuring RADIUS Accounting 1. Configure the Switch To Access a RADIUS Server Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 3-10. You need to repeat this step here on[...]

  • Page 74

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Because the radius-server command includes an acct-port element with a non-default 1750, the switch assigns this value to the accounting UDP port number. Because auth-port was not included in the command, the authentication UDP port is set to the default[...]

  • Page 75

    RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Start-Stop: • Send a start record accounting notice at the beginning of the accounting session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (N[...]

  • Page 76

    RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additional control over accounting data. ■ Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch [...]

  • Page 77

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server's IP address must be c[...]

  • Page 78

    RADIUS Authentication and Accounting Viewing RADIUS Statistics (Term / Definition) Round Trip Time: The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server. PendingRequests: The number of RADIUS Accounting-Request packets sent to this server that have not[...]

  • Page 79

    RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Syntax: show authentication Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1x), and SSH methods of accessing the switch. Also displays the number of access attempts currently al[...]

  • Page 80

    RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, "Empty User" suppression status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) configured in the switch (using [...]

  • Page 81

    RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 3-16. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you ad[...]

  • Page 82

    RADIUS Authentication and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: 1. Delete 10.10.10.003 from the list. This opens the third (lowest) positio[...]

  • Page 83

    RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is a[...]

  • Page 84

    [...]

  • Page 85

    4 Configuring Secure Shell (SSH) Contents Overview . . . 4-2 Terminology . . . 4-3 Prerequisite for Using SSH . . . [...]

  • Page 86

    Configuring Secure Shell (SSH) Overview Overview Feature Default Menu CLI Web Generating a public/private key pair on the switch No n/a page 4-10 n/a Using the switch’s public key n/a n/a page 4-12 n/a Enabling SSH Disabled n/a page 4-15 n/a Enabling client public-key authentication Disabled n/a pages 4-19, 4-22 n/a Enabling user authent[...]

  • Page 87

    Configuring Secure Shell (SSH) Terminology Note SSH in the HP Procurve Series 4100GL switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com. Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication show i[...]

  • Page 88

    Configuring Secure Shell (SSH) Prerequisite for Using SSH ■ PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted client public-key that has been encoded for portability and efficiency. SSHv2 client public-keys are typically stored in the PEM format. See figures 4-3 and 4-4 for examples of PEM-encoded ASCII and non e[...]

  • Page 89

    Configuring Secure Shell (SSH) Public Key Formats Public Key Formats Any client application you use for client public-key authentication with the switch must have the capability to export public keys. The switch can accept keys in the PEM-Encoded ASCII Format or in the Non-Encoded ASCII format. Comment describing public B[...]

  • Page 90

    Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Switch Access Level Primary SSH Authentication Authenticate Switch Public Key to SSH Clients? Authenticate Client Public Key to the Switch? Primary Switch Password Authentication Secondary Switch Password Authentication Manager (Enab[...]

  • Page 91

    Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 4-9). 2. Generate a public/private key pair on the switch (page 4-10). You need to do this only once. The key remains i[...]

  • Page 92

    Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 client key pairs. ■ The switch’s own public/private key pair and the (optional) client public key file are[...]

  • Page 93

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 4-17 show crypto client-public-key [keylist-str] [< babble | fingerprint >] 4-25 show crypto host-public-key [< babble | fingerprint >] 4-14 show aut[...]

  • Page 94

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: password < manager | operator | all > Figure 4-6. Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pai[...]

  • Page 95

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key p[...]

  • Page 96

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch Version 1 and Version 2 views of same host public key Figure 4-7. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key'[...]

  • Page 97

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one bla[...]

  • Page 98

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add a ny data required by your SSH c lient appl ica t io n. For example Before saving the key to an SSH cli e nt’ s "know n hosts" file you may have to inser t the switch’ s IP address: Bit Size Exp onent <e> Modu lus <n > Inserted IP Address Fig[...]

  • Page 99

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Hexadecimal "Fingerprints" of the Same Switch Phonetic "Hash" of Switch’s Public Key Figure 4-11. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 4-11 conver[...]
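The out-of-band check an administrator would run against the three-part host key on page 4-14 and the fingerprint/babble views in figure 4-11, as an added example that is not from the HP manual: it parses the "bits exponent modulus" line, builds the known-hosts entry with the switch IP inserted in front, and derives the hex fingerprint and phonetic hash so they can be compared with what `show crypto host-public-key fingerprint` / `babble` prints on the serial console before the first SSH contact. It assumes the switch derives these the way OpenSSH does for SSH-1 RSA keys (MD5 over the big-endian bytes of n then e for the hex form, SHA-1 of the same bytes for bubble babble); the sample key is constructed and is not a real switch key.

```python
"""Offline check of a switch's SSH-1 style host public key (added example).

Assumption (not confirmed by the manual): fingerprints follow OpenSSH's
SSH-1 RSA convention, MD5 over bytes(n) || bytes(e) for the hex form and
SHA-1 over the same blob, bubble-babble encoded, for the phonetic form.
"""
import hashlib

_VOWELS = "aeiouy"
_CONSONANTS = "bcdfghklmnprstvzx"

# Constructed sample key: a 1024-bit odd modulus with the classic SSH-1
# exponent 35. It is a placeholder for the format, not a usable RSA key.
SAMPLE_N = (1 << 1023) + 0x2F1D5
SAMPLE_KEY_LINE = f"1024 35 {SAMPLE_N}"


def parse_ssh1_host_key(line: str) -> tuple[int, int, int]:
    """Split '<bits> <e> <n>' into integers and sanity-check the fields."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected '<bits> <e> <n>' separated by blanks")
    bits, e, n = (int(f) for f in fields[:3])
    if n.bit_length() != bits:
        raise ValueError(f"stated size {bits} != modulus size {n.bit_length()}")
    if e < 3 or e % 2 == 0:
        raise ValueError("RSA exponent must be an odd integer >= 3")
    return bits, e, n


def is_well_formed(line: str) -> bool:
    """True when the key line parses and its bit size matches the modulus."""
    try:
        parse_ssh1_host_key(line)
        return True
    except ValueError:
        return False


def known_hosts_line(switch_ip: str, key_line: str) -> str:
    """Insert the switch IP before the key, as some clients require."""
    bits, e, n = parse_ssh1_host_key(key_line)
    return f"{switch_ip} {bits} {e} {n}"


def _key_blob(e: int, n: int) -> bytes:
    """Fingerprint input: big-endian bytes of n followed by bytes of e."""
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return n_bytes + e_bytes


def hex_fingerprint(key_line: str) -> str:
    """MD5 of the key blob as 16 colon-separated hex byte pairs."""
    _, e, n = parse_ssh1_host_key(key_line)
    digest = hashlib.md5(_key_blob(e, n)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bubble_babble(data: bytes) -> str:
    """Huima's bubble-babble encoding, the SSH 'babble' fingerprint format."""
    seed = 1
    rounds = len(data) // 2 + 1
    out = ["x"]
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2 == 1:
            b1 = data[2 * i]
            out.append(_VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(_CONSONANTS[(b1 >> 2) & 15])
            out.append(_VOWELS[((b1 & 3) + seed // 6) % 6])
            if i + 1 < rounds:  # full 2-byte tuple: consonant, dash, consonant
                b2 = data[2 * i + 1]
                out.append(_CONSONANTS[(b2 >> 4) & 15])
                out.append("-")
                out.append(_CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:  # even-length input ends with a seed-only tuple
            out.append(_VOWELS[seed % 6])
            out.append(_CONSONANTS[16])
            out.append(_VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def babble_fingerprint(key_line: str) -> str:
    """Phonetic hash: bubble babble of SHA-1 over the key blob."""
    _, e, n = parse_ssh1_host_key(key_line)
    return bubble_babble(hashlib.sha1(_key_blob(e, n)).digest())


def fingerprints_match(key_line: str, expected_hex: str = "",
                       expected_babble: str = "") -> bool:
    """Compare the key against values copied from the switch console.

    Each expected value is optional; any value given must match exactly
    (case and surrounding whitespace ignored) for the key to be accepted.
    """
    if expected_hex and expected_hex.strip().lower() != hex_fingerprint(key_line):
        return False
    if expected_babble and expected_babble.strip().lower() != babble_fingerprint(key_line):
        return False
    return True
```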

  • Page 100

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Refer to “5. Configuring the Switch for SSH Authentication” on page 4-18. SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client, your client’s first c[...]

  • Page 101

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 4-17. [timeout < 5 - 120 >] The SSH login timeout value (default: 120 seconds). [version < 1 | 2 | 1-or-2 >] The versio[...]

  • Page 102

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH does not protect the switch from unauthorized access via the web interface, Telnet, SNMP, or the serial port. While web and Telnet access can be restricted by the use of passwords local to the switch, if you are unsure of the security this provi[...]

  • Page 103

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none. Option B: Configuring the Switch for Client Public-Key SSH Authentication. If configured with this optio[...]

  • Page 104

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none > Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none. For example, ass[...]

  • Page 105

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 4-14 shows how to check the results of the above commands. Lists the current SSH authentication configuration. Shows the contents of the public key file downloaded with the copy tftp command in figure 4-13. In this example, the file contains two cli[...]

  • Page 106

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Configuring the Switch for SSH Authentication” on page 4-18 lists the steps for configuring SSH authentication on the switch. However, if you are new to[...]

  • Page 107

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 3. If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. 4. If there is a match, the switch: a. Generates a random seque[...]

  • Page 108

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Notes Comments in public key files, such as smith@support.cairns.com in figure 4-15, may appear in an SSH client application’s generated public key. While such comments may help to distinguish one key from another, they do not pose [...]

  • Page 109

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Note on Public Keys The actual content of a public key entry in a public key file is determined by the SSH client application generating the key. (Although you can manually add or edit any comments the client application adds to the end of t[...]

  • Page 110

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: clear crypto public-key Deletes the client-public-key file from the switch. Syntax: clear crypto public-key 3 Deletes the entry with an index of 3 from the client-public-key file on the switch. Enabling Client Public-Key Authen[...]

  • Page 111

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicates an error in communicating with the tftp server or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • Incorrect IP address in the co[...]

  • Page 112

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning Error: Requested keyfile does not exist. The client key does not exist in the switch. Use copy tftp to download the key from a TFTP server. Generating new RSA host key. If the cache is depleted, this cou... After you execute the crypto key generate ssh [rsa] [...]

  • Page 113

    5 Configuring Secure Socket Layer (SSL) Contents Overview . . . 5-2 Terminology . . . 5-3 Prerequisite for Using SSL . . . [...]

  • Page 114

    Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu CLI Web Generating a Self Signed Certificate on the switch No n/a page 5-9 page 5-13 Generating a Certificate Request on the switch No n/a n/a page 5-15 Enabling SSL Disabled n/a page 5-17 page 5-19 The Series 4100GL switches use Secure Socket Layer Version 3 (S[...]

  • Page 115

    Configuring Secure Socket Layer (SSL) Terminology HP Switch (SSL Server) SSL Client Browser 1. Switch-to-Client SSL Cert. 2. User-to-Switch (login password and enable password authentication) options: – Local – TACACS+ – RADIUS Figure 5-1. Switch/User Authentication SSL on the Series 4100GL switches supports the[...]

  • Page 116

    Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL ■ CA-Signed Certificate: A certificate verified by a third party certificate authority (CA). Authenticity of CA-Signed certificates can be verified by an audit trail leading to a trusted root certificate. ■ Root Certificate: A trusted cer[...]

  • Page 117

    Configuring Secure Socket Layer (SSL) Steps for Configuring and Using SSL for Switch and Client Authentication 1. Install an SSL capable browser application on a management station you want to use for access to the switch. (Refer to the documentation provided with your browser.) Note: The latest versions of Microsoft In[...]

  • Page 118

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re-generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all ma[...]

  • Page 119

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl show config show crypto host-cert crypto key generate cert [rsa] <512 | 768 | 1024> zeroize cert crypto host-cert generate self-signed [arg-list] zeroize [...]

  • Page 120

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface see the Series 4100GL switches Management and Configuration guide Chapter ti[...]

  • Page 121

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’s Server Host Certificate You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption me[...]

  • Page 122

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the CLI Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate autom[...]

  • Page 123

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on certificate fields. There are a number of arguments used in the generation of a server certificate. Table 9-1, “Certificate Field Descriptions” describes these arguments. Field Name Description Valid Start Date This should be the date you desi[...]

  • Page 124

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Notes "Zeroizing" the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-[...]

  • Page 125

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a Self-Signed Host Certificate with the Web browser interface You can configure SSL from the web browser interface. For more information on how to access the web browser interface see the Series 4100GL switches Management and Configuration guide C[...]

  • Page 126

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browser interface: Security Tab SSL button Certificate Type Box Key Size Selection Certificate Argument Create Certificate Button Figure 5-5. Self-Signed Certificate generation via SSL Web Br[...]

  • Page 127

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 5-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web browser interface To install a CA-Signed server host certificate from the web browser inte[...]

  • Page 128

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to th[...]

  • Page 129

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----- [...]

  • Page 130

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generating the Switch’s Server Host Certificate” on page 5-9. When configured for SSL, the switch uses its [...]

  • Page 131

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443). Important: See “Note on Port Number” on page 5-20. show co[...]

  • Page 132

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SSL and port number Selection Figure 5-8. Using the web browser interface to enable SSL and select TCP port number Note on Port Number HP recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to s[...]

  • Page 133

    Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key (“CLI commands used to generate a Server Host Certificate” on page 5-10) Enabling SSL on the CLI or Web browser interface You have not generat[...]

  • Page 134

    [...]

  • Page 135

    6 Configuring Port-Based Access Control (802.1x) Contents Overview . . . 6-2 How 802.1x Operates . . . 6-5 Terminology . . . [...]

  • Page 136

    Configuring Port-Based Access Control (802.1x) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1x Authenticators Disabled n/a page 6-14 n/a Configuring 802.1x Open VLAN Mode Disabled n/a page 6-20 n/a Configuring Switch Ports to Operate as 802.1x Supplicants Disabled n/a page 6-33 n/a Displaying 802.1x [...]

  • Page 137

    Configuring Port-Based Access Control (802.1x) Overview ■ Local authentication of 802.1x clients using the switch’s local username and password (as an alternative to RADIUS authentication). ■ Temporary on-demand change of a port’s VLAN membership status to support a current client’s session. (This [...]

  • Page 138

    Configuring Port-Based Access Control (802.1x) Overview Authenticating One Switch to Another. 802.1x authentication also enables the switch to operate as a supplicant when connected to a port on another switch running 802.1x authentication. RADIUS Server LAN Core 802.1x-Aware Client (Supplicant) Switch Running 802.1x and Conn[...]

  • Page 139

    Configuring Port-Based Access Control (802.1x) How 802.1x Operates How 802.1x Operates Authenticator Operation This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.1x-aware. (If you expect desirable clients that do not have the necessary 802.1x sup[...]

  • Page 140

    Configuring Port-Based Access Control (802.1x) How 802.1x Operates Switch-Port Supplicant Operation This operation provides security on links between 802.1x-aware switches. For example, suppose that you want to connect two switches, where: ■ Switch "A" has port A1 configured for 802.1x supplicant operation. ■ You wa[...]

  • Page 141

    Configuring Port-Based Access Control (802.1x) Terminology • A "failure" response continues the block on port B5 and causes port A1 to wait for the "held-time" period before trying again to achieve authentication through port B5. Note You can configure a switch port to operate as both a suppli[...]

  • Page 142

    Configuring Port-Based Access Control (802.1x) Terminology EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple authentication methods. EAPOL: Extensible Authentication Protocol Over LAN, as defined in the 802.1x standard. Friendly Client: A client that does not pose a securit[...]

  • Page 143

    Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN. Untagged VLAN Membership: A port can be an untagged member of only one VLAN. [...]

  • Page 144

    Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes ■ If a client already has access to a switch port when you configure the port for 802.1x authenticator operation, the port will block the client from further network access until it can be authenticated. ■ On a port configured for 802.1x with RAD[...]

  • Page 145

    Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Do These Steps Before You Configure 802.1x Operation 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enabl[...]

  • Page 146

    Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Overview: Configuring 802.1x Authentication on the Switch This section outlines the steps for configuring 802.1x on the switch. For detailed information on each step, refer to “Configuring the Switch for RADIUS [...]

  • Page 147

    Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) 7. If you are using Port Security on the switch, configure the switch to allow only 802.1x access on ports configured for 802.1x operation, and (if desired) the action to take if an unauthorized device attempts access[...]

  • Page 148

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Configuring Switch Ports as 802.1x Authenticators 802.1x Authentication Commands Page [no] aaa port-access authenticator < [ethernet] < port-list > 6-15 (6-15) [control | quiet-period | tx-period | supplicant-timeout | server-timeout | ma[...]

  • Page 149

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 1. Enable 802.1x Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1x authenticators for point-to-point links to 802.1x-aware clients or switches. (Actual 802.1x operation does n[...]

  • Page 150

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [quiet-period < 0 .. 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the[...]

  • Page 151

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [unauth-vid < vlan-id >] Configures an existing static VLAN to be the Unauthorized-Client VLAN. This enables you to provide a path for clients with[...]

  • Page 152

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 3. Configure the 802.1x Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1x authenticator. Syntax: aaa authentica[...]

  • Page 153

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands[...]

  • Page 154

    Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode 802.1x Open VLAN Mode 802.1x Authentication Commands page 6-14 802.1x Supplicant Commands page 6-34 802.1x Open VLAN Mode Commands [no] aaa port-access authenticator [ e ] < port-list > pag e 6-29 [ auth-vi d < vlan-id > ] [ u nauth-vid < vlan-id > ] 802.1x-[...]

  • Page 155

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode ■ 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during authentication. ■ 2nd Priority: If RADIUS authentication does not include assigning a VLAN to the port, then the switch assigns the port to the VLAN entered in the port’[...]

  • Page 156

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Table 6-1. 802.1x Open VLAN Mode Options 802.1x Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthoriz[...]

  • Page 157

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and[...]

  • Page 158

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized-Client or Unauthorized-Client VLANs VLAN Assignment Received from a RADIUS Server Temporary VLAN Membership During a Client Session Effect of Una[...]

  • Page 159

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Condition Rule Multiple Authenticator Ports Using the Same Unauthorized-Client and Authorized-Client VLANs You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1x authenticator ports configured on the switch. Similarly, you can use the sa[...]

  • Page 160

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Setting Up and Configuring 802.1x Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 6-1 on page 6-22 for other options. Before you configure the 802.1x Open VLAN mode on a port: ■[...]

  • Page 161

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges. Al[...]

  • Page 162

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > Adds a server to the RADIUS configuration. [key < server [...]

  • Page 163

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Configuring 802.1x Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 6-26. Syntax: aaa port-access authenticator [e] < [...]

  • Page 164

    Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Inspecting 802.1x Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1x Open VLAN Mode Status” on page 6-38. 802.1x Open VLAN Operating Notes ■ Although you can configure Open VLAN mode [...]

  • Page 165

    Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices ■ If an authenticated client loses authentication during a session in 802.1x Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN. Option For Authenticator Ports: Config[...]

  • Page 166

    Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices Note on Blocking a Non-802.1x Device If the port’s 802.1x authenticator control mode is configured to authorized (as shown below, instead of auto), then the first source MAC address from any devi[...]

  • Page 167

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 802.1x Authentication Commands page 6-14 802.1x Supplicant Commands [no] aaa port-access < supplicant < [e[...]

  • Page 168

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 1. When port A1 on switch "A" is first connected to a port on switch "B", or if the ports are already connected and either switch reboots, port A1 begins sending start pack[...]

  • Page 169

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring a Supplicant Switch Port. Note that you must enable supplicant operation on a port before you can change the supplicant configuration. This means you must execute the suppl[...]

  • Page 170

    Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [ auth-timeout < 1 - 300 > ] Sets the period of time the port waits to receive a challenge from the authenticator. If[...]

  • Page 171

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Displaying 802.1x Configuration, Statistics, and Counters 802.1x Authentication Commands 802.1x Supplicant Commands 802.1x Open VLAN Mode Commands 802.1x-Related Show Commands show port-access authenticator show port-access supplicant De[...]

  • Page 172

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [ [e] < port-list >] Shows: • Whether port-access authenticator is active • The 802.1x configuration of the ports configured as 802.1x authenticators If you do[...]

  • Page 173

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters An Unauth VLAN ID appearing in the Current VLAN ID column for the same port indicates an unauthenticated client is connected to this port. (Assumes that the port is not a statically configured member of VLAN 100.) Items [...]

  • Page 174

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters 25 as an authorized VLAN, then the port’s membership in VLAN 1 will be temporarily suspended whenever an authenticated 802.1x client is attached to the port. Table 6-1. Open VLAN Mode Status Status Indicator Meaning Port[...]

  • Page 175

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Syntax: show vlan < vlan-id > Displays the port status for the selected VLAN, including an indication of which port memberships have been temporarily overridden by Open VLAN mode. Note that ports B1 and B3 are not in th[...]

  • Page 176

    Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [ [e] < port-list >] [ statistics ] show port-access supplicant [ [e] < port-list >] Shows the port-access supplicant configuration (excluding [...]

  • Page 177

    Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1x Authentication Affects VLAN Ope[...]

  • Page 178

    Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1x-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authori[...]

  • Page 179

    Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1x session. This is to accommodate an 802.1x client’s access, authenticated by a RADIUS server, where the server included an instruction to put t[...]

  • Page 180

    Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation When the 802.1x client’s session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS[...]

  • Page 181

    Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation Messages Related to 802.1x Operation Table 6-2. 802.1x Operating Messages Message: Port < port-list > is not an authenticator. Meaning: The ports in the port list have not been enabled as 802.1x authenticators. Use this command to enable the ports as auth[...]

  • Page 182

    [...]

  • Page 183

    7 Configuring and Monitoring Port Security Contents Overview . . . 7-2 Basic Operation Blocking Unauthorized Traffic . . . 7-3 Trunk Group Exclusion . . .[...]

  • Page 184

    Configuring and Monitoring Port Security Overview Overview Feature / Default / Menu / CLI / Web: Displaying Current Port Security / n/a / — / page 7-9 / page 7-15; Configuring Port Security / disabled / — / page 7-10 / page 7-15; Intrusion Alerts and Alert Flags / n/a / page 7-21 / page 7-19 / page 7-22. Using Port Security, you can configure each switch port with a un[...]

  • Page 185

    Configuring and Monitoring Port Security Basic Operation General Operation for Port Security. On a per-port basis, you can configure security measures to block unauthorized devices, and to send notice of security violations. Once you have configured port security, you can then monitor the network for security violations through[...]

  • Page 186

    Configuring and Monitoring Port Security Basic Operation (Figure: Switch A, Port Security Configured. Switch B: MAC Address Authorized by Switch A. PC 1: MAC Address Authorized by Switch A. PC 2: MAC Address NOT Authorized by Switch A. PC 3: MAC Address NOT Authorized by Switch A. Switch C: MAC Address NOT Authorized by Switch A.) Switch A Port Sec[...]

  • Page 187

    Configuring and Monitoring Port Security Planning Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port (up to 8 per port)? c. For each port, what security actio[...]

  • Page 188

    Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 7-9 port-security 7-10 < [ethernet] port-list > 7-10 [learn-mode] [address-limit] [mac-address] [action] [clear-intrusion-flag] no port-secu[...]

  • Page 189

    Configuring and Monitoring Port Security Port Security Command Options and Operation Table 7-1. Port Security Parameters Parameter / Description: Port List <[ethernet] port-list > Identifies the port or ports on which to apply a port security command. Learn learn-mode < static | continuous | port-access > Specifies how the port acq[...]

  • Page 190

    Configuring and Monitoring Port Security Port Security Command Options and Operation Parameter / Description: Action action <none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is se[...]

  • Page 191

    Configuring and Monitoring Port Security Port Security Command Options and Operation Assigned/Authorized Addresses: If you manually assign a MAC address (using port-security < port-number > address-list < mac-addr >) and then execute write memory, the assigned MAC address remains in memory until you do one of t[...]

  • Page 192

    Configuring and Monitoring Port Security Port Security Command Options and Operation With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the specified ports on a switch. The following example lists the full port secu[...]

  • Page 193

    Configuring and Monitoring Port Security Port Security Command Options and Operation For information on the individual control parameters, see the Port Security Parameter table on page 7-7. Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to automatically accept the first device (MAC a[...]

  • Page 194

    Configuring and Monitoring Port Security Port Security Command Options and Operation The Address Limit has not been reached. Although the Address Limit is set to 2, only one device has been authorized for this port. In this case you can add another without having to also increase the Address Limit. Figure 7-4. Example of Addin[...]

  • Page 195

    Configuring and Monitoring Port Security Port Security Command Options and Operation If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port’s current Address Limit setting), then you must increase the Address Limit in order to add the device, even if you want [...]

  • Page 196

    Configuring and Monitoring Port Security Port Security Command Options and Operation Note You can reduce the address limit below the number of currently authorized addresses on a port. This enables you to subsequently remove a device from the “Authorized” list without opening the possibility for an unwanted device to autom[...]

  • Page 197

    Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security]. 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field. 4. Im[...]

  • Page 198

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags – The show port-security intrusion-log command displays the Intrusion Log – The log command displays the Event Log • In the menu interface: – The Port Status screen includes a per-port intrusion alert – The Event Lo[...]

  • Page 199

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new i[...]

  • Page 200

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The Intrusion Alert column shows “Yes” for any port on which a security violation has been detected. Figure 7-10. Example of Port Status Screen with Intrusion Alert on Port A3 2. Type [I] (Intrusion log) to display the Intrus[...]

  • Page 201

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags (The intrusion log holds up to 20 intrusion records and deletes an intrusion record only when the log becomes full and a new intrusion is subsequently detected.) Note also that the “prior to” text in the record for the earl[...]

  • Page 202

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Intrusion Alert on port A1. Figure 7-12. Example of an Unacknowledged Intrusion Alert in a Port Status Display If you wanted to see the details of the intrusion, you would then enter the show port-security intrusion-log command. For e[...]

  • Page 203

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Intrusion Alert on port A1 is now cleared. Figure 7-14. Example of Port Status Screen After Alert Flags Reset For more on clearing intrusions, see “Note on Send-Disable Operation” on page 7-17 Using the Event Log To Find Intrusion A[...]

  • Page 204

    Configuring and Monitoring Port Security Operating Notes for Port Security From the Menu Interface: In the Main Menu, click on 4. Event Log and use Next page and Prev page to review the Event Log contents. For More Event Log Information. See “Using the Event Log To Identify Problem Sources” in the "Troubleshooting" [...]

  • Page 205

    Configuring and Monitoring Port Security Operating Notes for Port Security Without both of the above configured, the switch detects only the proxy server’s MAC address, and not your PC or workstation MAC address, and interprets your connection as unauthorized. “Prior To” Entries in the Intrusion Log. If you reset the s[...]

  • Page 206

    [...]

  • Page 207

    8 Using Authorized IP Managers Contents Using Authorized IP Managers Contents . . . 8-1 Overview . . . 8-2 Options . . .[...]

  • Page 208

    Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature / Default / Menu / CLI / Web: Listing (Showing) Authorized Managers / n/a / page 8-5 / page 8-6 / page 8-8; Configuring Authorized IP Managers / None / page 8-5 / page 8-6 / page 8-8; Building IP Masks / n/a / page 8-9 / page 8-9 / page 8-9; Operating and Troubleshooting / n/a / page 8-12 / page [...]

  • Page 209

    Using Authorized IP Managers Options Options You can configure: ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations ■ Manager or Operator access privileges Caution Configuring Authorized IP Managers does not protect access to the switch thro[...]

  • Page 210

    Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations ■ Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authori[...]

  • Page 211

    Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 8-9. Note The IP Mask is a method for recognizing whether a given IP address is authorized[...]

  • Page 212

    Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 5. Press [Enter], then [S] (for Save) to configure the IP Authorized Manager entry. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of manage[...]

  • Page 213

    Using Authorized IP Managers Defining Authorized Management Stations The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: IP Mask / Authorized Station IP Address / Access Mode: 255.255.255.252 / 10.28.227.100 through 103 / Manager; 255.255.255.254 / 10.28.227.104 through 105 / Manager; 255[...]

  • Page 214

    Using Authorized IP Managers Web: Configuring IP Authorized Managers The result of entering the preceding example is: • Authorized Station IP Address: 10.28.227.105 • IP Mask: 255.255.255.255, which authorizes only the specified station (10.28.227.105 in this case). (See “Configuring Multiple Stations Per Authorized Manag[...]

  • Page 215

    Using Authorized IP Managers Building IP Masks For web-based help on how to use the web browser interface screen, click on the [?] button provided on the web browser screen. Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorize[...]

  • Page 216

    Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determin[...]

  • Page 217

    Using Authorized IP Managers Building IP Masks Figure 8-5. Analysis of IP Mask for Multiple-Station Entries (columns: 1st Octet, 2nd Octet, 3rd Octet, 4th Octet, Manager-Level or Operator-Level Device Access) IP Mask: 255 255 255 0; Authorized IP: 10 28 227 125. The “255” in the first three octets of the mask specify that only the exact v[...]

  • Page 218

    Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Manager List / Results: IP Mask 255 255 0 255; Authorized IP 10 33 248 1. This combination specifies an authorized IP address of 10.33.xxx.1. It could be applied, for example, to a subnetted network where each subnet is def[...]
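The mask rule described on pages 213 through 218 (a 255 octet must match the Authorized Manager IP exactly, a 0 octet is a wildcard, and the manual's own examples are bitwise: 255.255.255.252 with 10.28.227.100 admits .100 through .103) can be checked offline. The following is an added example, not code from the HP manual: it models the mask match, enumerates the stations an entry admits so an over-broad mask is visible before it is committed, and assumes that entries are checked in list order with the first match winning (the page does not state the ordering). The entry list is constructed from the page's values; the Operator entry is a made-up addition.

```python
"""Authorized IP Manager mask matching, modelled after the HP 4100GL manual.

Added example, not the switch's own code. Rule modelled: for each
Authorized Manager entry the switch ANDs the station's address and the
entry's address with the IP Mask; mask bits of 1 must match exactly and
mask bits of 0 are wildcards.
"""
import ipaddress
from typing import List, Optional, Tuple

# (Authorized Manager IP, IP Mask, Access Mode). Constructed sample list:
# the first two rows are the manual's page 213 example, the third reuses
# the page 218 mask with a made-up Operator access mode.
SAMPLE_ENTRIES: List[Tuple[str, str, str]] = [
    ("10.28.227.100", "255.255.255.252", "Manager"),   # .100 through .103
    ("10.28.227.104", "255.255.255.254", "Manager"),   # .104 through .105
    ("10.33.248.1", "255.255.0.255", "Operator"),      # 10.33.xxx.1
]


def _to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer (raises on a bad address)."""
    return int(ipaddress.IPv4Address(dotted))


def station_matches(entry_ip: str, mask: str, station_ip: str) -> bool:
    """True when the station agrees with the entry on every 1 bit of the mask."""
    m = _to_int(mask)
    return (_to_int(entry_ip) & m) == (_to_int(station_ip) & m)


def is_authorized(station_ip: str,
                  entries: List[Tuple[str, str, str]]) -> Optional[str]:
    """Access mode granted to a station, or None when no entry admits it.

    Assumption of this example: entries are checked in order and the
    first match decides (the manual page does not state the ordering).
    """
    for entry_ip, mask, access_mode in entries:
        if station_matches(entry_ip, mask, station_ip):
            return access_mode
    return None


def admitted_count(mask: str) -> int:
    """Number of distinct stations an entry with this mask admits."""
    zero_bits = 32 - bin(_to_int(mask)).count("1")
    return 2 ** zero_bits


def enumerate_stations(entry_ip: str, mask: str,
                       limit: int = 1024) -> List[str]:
    """List every station an entry admits, lowest address first.

    Refuses (ValueError) when the mask admits more than `limit` stations,
    so an over-broad mask is surfaced instead of silently expanded.
    """
    if admitted_count(mask) > limit:
        raise ValueError(f"mask {mask} admits {admitted_count(mask)} stations")
    m = _to_int(mask)
    base = _to_int(entry_ip) & m
    wild = [bit for bit in range(32) if not (m >> bit) & 1]  # ascending
    stations = []
    for combo in range(2 ** len(wild)):
        addr = base
        for i, bit in enumerate(wild):      # low combo bits -> low addr bits
            if (combo >> i) & 1:
                addr |= 1 << bit
        stations.append(str(ipaddress.IPv4Address(addr)))
    return stations
```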

  • Page 219

    Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions” list in the web browser interf[...]

  • Page 220

    [...]

  • Page 221

    Index Numerics 3DES … 4-3, 5-3 802.1x See port-based access control. … 6-1 A aaa authentication … 2-9 access levels, authorized IP managers … 8-3 accounting See RADIUS. address authorized for port security … 7-3 authentication See TACACS. authorized addresses for IP management security … 8-4 for port security … 7-3 auth[...]

  • Page 222

    inconsistent value … 7-12 O open VLAN mode See port access control OpenSSH … 4-3, 5-2 operating notes authorized IP managers … 8-12 port security … 7-22 operator password … 1-2, 1-4 P password browser/console access … 1-3 case-sensitive … 1-4 caution … 1-3 delete … 1-4 deleting with the Clear button … 1-5 if[...]

  • Page 223

    supplicant, enabling … 6-34 switch username and password … 6-3 terminology … 6-7 troubleshooting, gvrp … 6-43 used with port-security … 6-31 VLAN operation … 6-43 prior to … 7-19, 7-20, 7-23 Privacy Enhanced Mode (PEM) See SSH. proxy web server … 7-22 Q quick start … 1-xix R RADIUS accounting … 3-2, 3-16 accounting, c[...]

  • Page 224

    host key pair … 4-11 key, babble … 4-11 key, fingerprint … 4-11 keys, zeroizing … 4-11 key-size … 4-17 known-host file … 4-13, 4-15 man-in-the-middle spoofing … 4-16 messages, operating … 4-27 OpenSSH … 4-3 operating rules … 4-8 outbound SSH not secure … 4-8 password security … 4-18 password-only authenti[...]

  • Page 225

    overview … 1-xii precautions … 2-6 preparing to configure … 2-9 preventing switch lockout … 2-15 privilege level code … 2-7 server access … 2-15 server priority … 2-18 setup, general … 2-6 show authentication … 2-9 supported features … 2-3 system requirements … 2-5 TACACS+ server … 2-4 testing … 2-6 timeou[...]

  • Page 226

    6 – Index[...]

  • Page 227

    [...]

  • Page 228

    Technical information in this document is subject to change without notice. © Copyright Hewlett-Packard Company 2000, 2002. All rights reserved. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright la[...]