HP (Hewlett-Packard) Q.11. (2510-24) manual

A good user manual

The rules oblige the seller to supply the purchaser with operating instructions for the HP (Hewlett-Packard) Q.11. (2510-24) along with the item. A missing instruction manual, or false information given to the customer, constitutes grounds for a complaint about non-conformity of the goods with the contract. In accordance with the law, a customer can receive the instructions in non-paper form; lately, graphic and electronic manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instructions be unambiguous and legible.

What is an instruction?

The term originates from the Latin word "instructio", which means organizing. Therefore, in the instructions for the HP (Hewlett-Packard) Q.11. (2510-24) one can find a process description. An instruction's purpose is to teach, to ease start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers devote their time to reading the instructions for the HP (Hewlett-Packard) Q.11. (2510-24). A good user manual introduces us to a number of additional functions of the purchased item and also helps us avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the HP (Hewlett-Packard) Q.11. (2510-24) should contain:
- information concerning the technical data of the HP (Hewlett-Packard) Q.11. (2510-24)
- the name of the manufacturer and the year of manufacture of the HP (Hewlett-Packard) Q.11. (2510-24) item
- rules for operation, control and maintenance of the HP (Hewlett-Packard) Q.11. (2510-24) item
- safety signs and certification marks which confirm compliance with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from uncertainty about the functions of purchased items. Unfortunately, networking and start-up of the HP (Hewlett-Packard) Q.11. (2510-24) alone are not enough. The instructions contain a number of hints concerning the respective functions, safety rules, maintenance methods (which products should be used), possible defects of the HP (Hewlett-Packard) Q.11. (2510-24), and methods of problem resolution. Eventually, when one still cannot find the answer to a problem, one will be directed to HP (Hewlett-Packard) service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will go through the whole material and will not skip the complicated, technical information about the HP (Hewlett-Packard) Q.11. (2510-24).

Why should one read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the HP (Hewlett-Packard) Q.11. (2510-24) item, its use with the respective accessories, and information concerning all of its functions and facilities.

After a successful purchase of an item, one should find a moment to get to know every part of its instructions. Currently the manuals are carefully prepared and translated so that they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    Access Security Guide 2510 www.procurve.com ProCurve Switches Q.11. (2510-24) U.11. (2510-48) XXXX[...]

  • Page 2

    [...]

  • Page 3

    ProCurve Series 2510 Switches Access Security Guide January 2008[...]

  • Page 4

    Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 http://www.procurve.com © Copyright 2008 Hewlett-Packard Company, L.P. The information contained herein is subject to change without notice. Publication Number 5991-4763 January 2008 Applicable Products ProCurve Switch 2510-24 (J90[...]

  • Page 5

    iii Contents Product Documentation About Your Switch Manual Set . . . xi Feature Index . . . xii 1 Getting Started Contents . . . [...]

  • Page 6

    iv Front-Panel Security . . . 2-7 When Security Is Important . . . 2-7 Front-Panel Button Functions . . . 2-8 Configuring Front-Panel Secur[...]

  • Page 7

    v 4 TACACS+ Authentication Contents . . . 4-1 Overview . . . 4-2 Terminology Used in TACACS Applications: . . . [...]

  • Page 8

    vi Configuring the Switch for RADIUS Authentication . . . 5-6 Outline of the Steps for Configuring RADIUS Authentication . . . 5-7 1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . 5-8 2. Configure the S[...]

  • Page 9

    vii 4. Enable SSH on the Switch and Anticipate SSH Client Contact Behavior . . . 6-15 5. Configure the Switch for SSH Authentication . . . 6-18 6. Use an SSH Client To Access the Switch . . . 6-22 Further Info[...]

  • Page 10

    viii General Setup Procedure for 802.1X Access Control . . . 8-14 Do These Steps Before You Configure 802.1X Operation . . . 8-14 Overview: Configuring 802.1X Authentication on the Switch . . . 8-15 Configuring Switch Ports as 802.1X Authenticators . . . 8-[...]

  • Page 11

    ix 9 Configuring and Monitoring Port Security Contents . . . 9-1 Overview . . . 9-2 Basic Operation . . . [...]

  • Page 12

    x Building IP Masks . . . 10-9 Configuring One Station Per Authorized Manager IP Entry . . . 10-9 Configuring Multiple Stations Per Authorized Manager IP Entry . . . 10-10 Additional Examples for Authorizing Multiple Stations . . . 10-12 [...]

  • Page 13

    xi Product Documentation About Your Switch Manual Set The switch manual set includes the following: ■ Read Me First - a printed guide shipped with your switch. Provides software update information, product notes, and other information. ■ Installation and Getting Started Guide - a printed guide shipped with your switch. This g[...]

  • Page 14

    xii Product Documentation Feature Index For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. Feature Management and Configuration Advanced Traffic Management Access Security Guide 802.1Q VLAN Tagging - X - 802.1p Priority[...]

  • Page 15

    xiii Product Documentation LLDP X - - MAC Address Management X - - Monitoring and Analysis X - - Multicast Filtering - X - Network Management Applications (LLDP, SNMP) X - - Passwords - - X Ping X - - Port Configuration X - - Port Security - - X Port Status X - - Port Trunking (LACP) X - - Port-Based Access Control - - X P[...]

  • Page 16

    xiv Product Documentation Telnet Access X - - TFTP X - - Time Protocols (TimeP, SNTP) X - - Troubleshooting X - - VLANs - X - Xmodem X - - Feature Management and Configuration Advanced Traffic Management Access Security Guide[...]

  • Page 17

    1-1 1 Getting Started Contents Introduction . . . 1-2 Overview of Access Security Features . . . 1-2 Management Access Security Protection . . . 1-3 Genera[...]

  • Page 18

    1-2 Getting Started Introduction Introduction This Access Security Guide describes how to use ProCurve's switch security features to protect access to your switch. This guide is intended to support the following switches: ■ ProCurve Switch 2510-24 ■ ProCurve Switch 2510-48 For an overview of other product documentation fo[...]

  • Page 19

    1-3 Getting Started Overview of Access Security Features ■ Port-Based Access Control (802.1X) (page 8-1): On point-to-point connections, enables the switch to allow or deny traffic between a port and an 802.1X-aware device (supplicant) attempting to access the switch. Also enables the switch to operate as a supplicant for c[...]

  • Page 20

    1-4 Getting Started Overview of Access Security Features Table 1-1. Management Access Security Protection General Switch Traffic Security Guidelines Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual opti[...]

  • Page 21

    1-5 Getting Started Conventions Conventions This guide uses the following conventions for command syntax and displayed information. Command Syntax Statements Syntax: aaa port-access authenticator < port-list > [ control < authorized | auto | unauthorized >] ■ Vertical bars ( | ) separate alternative, mutually ex[...]

  • Page 22

    1-6 Getting Started Conventions Command Prompts In the default configuration, your switch displays the following CLI prompt: ProCurve Switch 2510-24# To simplify recognition, this guide uses ProCurve to represent command prompts for all models. For example: ProCurve# (You can use the hostname command to change the text in the [...]

  • Page 23

    1-7 Getting Started Sources for More Information Sources for More Information For additional information about switch operation and features not covered in this guide, consult the following sources: ■ For information on which product manual to consult on a given software feature, refer to "Product Documentation" on page [...]

  • Page 24

    1-8 Getting Started Need Only a Quick Start? ■ For information on a specific command in the CLI, type the command name followed by "help". For example: Figure 1-3. Getting Help in the CLI ■ For information on specific features in the Web browser interface, use the online help. For more information, refer to the Manage[...]

  • Page 25

    1-9 Getting Started Need Only a Quick Start? To Set Up and Install the Switch in Your Network Important! Use the Installation and Getting Started Guide shipped with your switch for the following: ■ Notes, cautions, and warnings related to installing and using the switch ■ Instructions for physically installing the switch in your net[...]

  • Page 26

    1-10 Getting Started Need Only a Quick Start?[...]

  • Page 27

    2-1 2 Configuring Username and Password Security Contents Overview . . . 2-2 Configuring Local Password Security . . . 2-4 Menu: Setting Passwords . . . [...]

  • Page 28

    2-2 Configuring Username and Password Security Overview Overview Console access includes both the menu interface and the CLI. There are two levels of console access: Manager and Operator. For security, you can set a password pair (username and password) on each of these levels. Note Usernames are optional. Also, in the me[...]

  • Page 29

    2-3 Configuring Username and Password Security Overview To configure password security: 1. Set a Manager password pair (and an Operator password pair, if applicable for your system). 2. Exit from the current console session. A Manager password pair will now be needed for full access to the console. If you do steps 1 and 2, ab[...]

  • Page 30

    2-4 Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Console Pa[...]

  • Page 31

    2-5 Configuring Username and Password Security Configuring Local Password Security If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter. If you do not ha[...]

  • Page 32

    2-6 Configuring Username and Password Security Configuring Local Password Security To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command al[...]

  • Page 33

    2-7 Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its fac[...]

  • Page 34

    2-8 Configuring Username and Password Security Front-Panel Security As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions The front panel of the switch includes t[...]

  • Page 35

    2-9 Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together wit[...]

  • Page 36

    2-10 Configuring Username and Password Security Front-Panel Security 3. Release the Reset button and wait for about one second for the Self-Test LED to start flashing. 4. When the Self-Test LED begins flashing, release the Clear button. This process restores the switch configuration to the factory default settings. Conf[...]

  • Page 37

    2-11 Configuring Username and Password Security Front-Panel Security • Modify the operation of the Reset+Clear combination (page 2-9) so that the switch still reboots, but does not restore the switch's factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.) • Disabl[...]

  • Page 38

    2-12 Configuring Username and Password Security Front-Panel Security For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings. Figure 2-7. The Default Front-Panel Security Settings Disabling the Clear Password Function of the Clear Button on[...]

  • Page 39

    2-13 Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch's Front Panel and Setting or Changing the "Reset-On-Clear" Operation For example, suppose that password-clear is disabled and you want to restore it to its default configuration (enabled, with reset-on-clear disabl[...]

  • Page 40

    2-14 Configuring Username and Password Security Front-Panel Security Figure 2-9. Example of Re-Enabling the Clear Button's Default Operation Changing the Operation of the Reset+Clear Combination In their default configuration, using the Reset+Clear buttons in the combination described under "Restoring the Factory Default [...]

  • Page 41

    2-15 Configuring Username and Password Security Front-Panel Security Figure 2-10. Example of Disabling the Factory Reset Option Password Recovery The password recovery feature is enabled by default and provides a method for regaining management access to the switch (without resetting the switch to its factory default configurat[...]

  • Page 42

    2-16 Configuring Username and Password Security Front-Panel Security Steps for Disabling Password-Recovery. 1. Set the CLI to the global interface context. 2. Use show front-panel-security to determine whether the factory-reset parameter is enabled. If it is disabled, use the front-panel-security factory-reset command to [...]

  • Page 43

    2-17 Configuring Username and Password Security Front-Panel Security Figure 2-11. Example of the Steps for Disabling Password-Recovery Password Recovery Process If you have lost the switch's manager username/password, but password-recovery is enabled, then you can use the Password Recovery Process to gain management access [...]

  • Page 44

    2-18 Configuring Username and Password Security Front-Panel Security Note The alternate password provided by the ProCurve Customer Care Center is valid only for a single login attempt. You cannot use the same "one-time-use" password if you lose the password a second time. Because the password algorithm is randomized based u[...]

  • Page 45

    3-1 3 Web and MAC Authentication Contents Overview . . . 3-2 Client Options . . . 3-3 General Features . . . [...]

  • Page 46

    3-2 Web and MAC Authentication Overview Overview Web and MAC Authentication are designed for employment on the "edge" of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access. Because neither method requires clients to run any special supplicant so[...]

  • Page 47

    3-3 Web and MAC Authentication Overview password, and grants or denies network access in the same way that it does for clients capable of interactive logons. (The process does not use either a client device configuration or a logon session.) MAC authentication is well-suited for clients that are not capable of providing interac[...]

  • Page 48

    3-4 Web and MAC Authentication Overview General Features Web and MAC Authentication includes the following: ■ On a port configured for Web or MAC Authentication, the switch operates as a port-access authenticator using a RADIUS server and the CHAP protocol. Inbound traffic is processed by the switch alone, until authent[...]

  • Page 49

    3-5 Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Authenticator Operation Before gaining access to the network clients first present their authentication credentials to the switch. The switch then verifies the supplied credentials with a RADIUS authentication server[...]

  • Page 50

    3-6 Web and MAC Authentication How Web and MAC Authentication Operate Figure 3-2. Progress Message During Authentication If the client is authenticated and the maximum number of clients allowed on the port ( client-limit ) has not been reached, the port is assigned to a static, untagged VLAN for network access. If specified[...]

  • Page 51

    3-7 Web and MAC Authentication How Web and MAC Authentication Operate moves have not been enabled ( client-moves ) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port's VLAN memberships[...]

  • Page 52

    3-8 Web and MAC Authentication How Web and MAC Authentication Operate 4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthen[...]

  • Page 53

    3-9 Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and s[...]

  • Page 54

    3-10 Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ You can configure one type of authentication on a port. That is, the following authentication types are mutually exclusive on a given port: • Web Authentication • MAC Authentication • 802.1X ■ Order of Precedence for Port Access[...]

  • Page 55

    3-11 Web and MAC Authentication Operating Rules and Notes 2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships. 3. If neither 1 or 2, above, apply, but the port is an untagged member of[...]

  • Page 56

    3-12 Web and MAC Authentication General Setup Procedure for Web/MAC Authentication Note on Web/MAC Authentication and LACP The switch does not allow Web or MAC Authentication and LACP to both be enabled at the same time on the same port. The switch automatically disables LACP on ports configured for Web or MAC Authenticat[...]

  • Page 57

    3-13 Web and MAC Authentication General Setup Procedure for Web/MAC Authentication c. If there is neither a RADIUS-assigned VLAN or an "Authorized VLAN" for an authenticated client session on a port, then the port's VLAN membership remains unchanged during authenticated client sessions. In this case, configure the port f[...]

  • Page 58

    3-14 Web and MAC Authentication General Setup Procedure for Web/MAC Authentication Additional Information for Configuring the RADIUS Server To Support MAC Authentication On the RADIUS server, configure the client device authentication in the same way that you would any other client, except: ■ Configure the client devi[...]

  • Page 59

    3-15 Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Configuring the Switch To Access a RADIUS Server This section describes the minimal commands for configuring a RADIUS server to support Web-Auth and MAC Auth. For information on other RADIUS command options, refer to chapter 5, "RADIUS Authenticati[...]

  • Page 60

    3-16 Web and MAC Authentication Configuring the Switch To Access a RADIUS Server For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server-specific shared secret key of '2Pzo22' Figure 3-4. Example of Configuring a Switch To Access a RADIUS Server Syntax: radius-server ho[...]

  • Page 61

    3-17 Web and MAC Authentication Configuring Web Authentication Configuring Web Authentication Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect [...]

  • Page 62

    3-18 Web and MAC Authentication Configuring Web Authentication Configure the Switch for Web-Based Authentication Command Page Configuration Level aaa port-access web-based dhcp-addr 3-18 aaa port-access web-based dhcp-lease 3-18 [no] aaa port-access web-based [e] < port-list > 3-19 [auth-vid] 3-19 [client-limit] 3-19 [...]

  • Page 63

    3-19 Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based [e] < port-list > Enables web-based authentication on the specified ports. Use the no form of the command to disable web-based authentication on the specified ports. Syntax: aaa port-access web-based [e] < port-list > [...]

  • Page 64

    3-20 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based [e] < port-list > [logoff-period] <60-9999999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switc[...]

  • Page 65

    3-21 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based [e] < port-list > [ redirect-url < url >] no aaa port-access web-based [e] < port-list > [redirect-url] Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used[...]

  • Page 66

    3-22 Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configur[...]

  • Page 67

    3-23 Web and MAC Authentication Configuring MAC Authentication on the Switch Configure the Switch for MAC-Based Authentication Command Page Configuration Level aaa port-access mac-based addr-format 3-23 [no] aaa port-access mac-based [e] < port-list > 3-23 [addr-limit] 3-24 [addr-moves] 3-24 [auth-vid] 3-24 [logoff-[...]

  • Page 68

    3-24 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-2> ] Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1) Syntax: [no] aaa port-access mac-based [e] < port-list > [addr-moves] Allows[...]

  • Page 69

    3-25 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1 - 65535>] Specifies the time period, in seconds, the switch should wait before attempting an authentication request for a MAC address that failed authentication. (Default: 60[...]

  • Page 70

    3-26 Web and MAC Authentication Show Status and Configuration of Web-Based Authentication Show Status and Configuration of Web-Based Authentication Command Page show port-access [ port-list ] web-based 3-26 [clients] 3-26 [config] 3-26 [config [auth-server]] 3-27 [config [web-server]] 3-27 show port-access port-list web-bas[...]

  • Page 71

    3-27 Web and MAC Authentication Show Status and Configuration of Web-Based Authentication Syntax: show port-access [ port-list ] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures [...]

  • Page 72

    3-28 Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Show Status and Configuration of MAC-Based Authentication Command Page show port-access [ port-list ] mac-based 3-28 [clients] 3-28 [config] 3-28 [config [auth-server]] 3-29 show port-access port-list mac-based config detail 3-29 Syntax: [...]

  • Page 73

    3-29 Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [ port-list ] mac-based [config [auth-server]] Shows MAC Authentication settings for all ports or the specified ports, along with the Radius server specific settings for the timeout wait, the number of timeout failures[...]

  • Page 74

    3-30 Web and MAC Authentication Show Client Status Show Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based 'show ... clients' command. Reported Status Available Network Connection Possible Explanations authenticated Authorized VLAN Client authentic[...]

  • Page 75

    4-1 4 TACACS+ Authentication Contents Overview . . . 4-2 Terminology Used in TACACS Applications: . . . 4-3 General System Requirements . . . [...]

  • Page 76

    4-2 TACACS+ Authentication Configuring TACACS+ on the Switch Overview TACACS+ authentication enables you to use a central server to allow or deny access to the switch (and other TACACS-aware devices) in your network. This means that you can use a central database to create multiple unique username/password sets with ass[...]

  • Page 77

    4-3 TACACS+ Authentication Configuring TACACS+ on the Switch tion services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an e[...]

  • Page 78

    4-4 TACACS+ Authentication Configuring TACACS+ on the Switch • Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for manager-level and operator-level access to the switch. You can assign local usernames and passwords through the CLI or web browser interfac[...]

  • Page 79

    4-5 TACACS+ Authentication Configuring TACACS+ on the Switch General System Requirements To use TACACS+ authentication, you need the following: ■ A TACACS+ server application installed and configured on one or more servers or management stations in your network. (There are several TACACS+ software packages available.[...]

  • Page 80

    4-6 TACACS+ Authentication Configuring TACACS+ on the Switch other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration[...]

  • Page 81

    4-7 TACACS+ Authentication Configuring TACACS+ on the Switch Note on Privilege Levels When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privileg[...]

  • Page 82

    4-8 TACACS+ Authentication Configuring TACACS+ on the Switch configuration in your TACACS+ server application for mis-configurations or missing data that could affect the server’s interoperation with the switch. 8. After your testing shows that Telnet access using the TACACS+ server is working properly, configure your TACACS+ [...]

  • Page 83

    4-9 TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Viewing the Switch’s Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of acce[...]

  • Page 84

    4-10 TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. Syntax: show tacacs For example, if the switch w[...]

  • Page 85

    4-11 TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the [...]

  • Page 86

    4-12 TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-1. AAA Authentication Parameters As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch’s console port. However, for Telnet access, you can configure TACACS+ to deny access i[...]

  • Page 87

    4-13 TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Caution Regarding the Use of Local for Login Primary Access During local authentication (which uses passwords configured in the switch instead of in a TACACS+ server), the switch grants read-only access if [...]

  • Page 88

    4-14 TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Con[...]

  • Page 89

    4-15 TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these parameters: ■ The host IP address(es) for up to three TACACS+ servers; one first-choice and up to two backups. Designating backup servers provides for a continuation of au[...]

  • Page 90

    4-16 TACACS+ Authentication Configuring TACACS+ on the Switch Note on Encryption Keys Encryption keys configured in the switch must exactly match the encryption keys configured in TACACS+ servers the switch will attempt to use for authentication. If you configure a global encryption key, the switch uses it only with ser[...]

  • Page 91

    4-17 TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-3. Details on Configuring TACACS Servers and Keys Name Default Range tacacs-server host <ip-addr> none n/a This command specifies the IP address of a device running a TACACS+ server application. Optionally, it can also specify the unique, per-[...]

  • Page 92

    4-18 TACACS+ Authentication Configuring TACACS+ on the Switch Adding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was already configured to use TACACS+ servers at 10.28.227.10 and 10.28.227.15. In this case, 10.28.227.15 was entered first, and so is listed as the first-choice s[...]

  • Page 93

    4-19 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-5. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key. Use an enc[...]

  • Page 94

    4-20 TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to e[...]

  • Page 95

    4-21 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-6. Using a TACACS+ Server for Authentication Using figure 4-6, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: 1. The switch queries the first-choice TACACS+ ser[...]

  • Page 96

    4-22 TACACS+ Authentication Configuring TACACS+ on the Switch Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists: ■ “Local” is the authentication option for the access method being used. ■ TACACS+ is the prima[...]

  • Page 97

    4-23 TACACS+ Authentication Configuring TACACS+ on the Switch Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”) helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets movin[...]

  • Page 98

    4-24 TACACS+ Authentication Configuring TACACS+ on the Switch For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP a[...]

  • Page 99

    4-25 TACACS+ Authentication Configuring TACACS+ on the Switch Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the applica[...]

  • Page 100

    4-26 TACACS+ Authentication Configuring TACACS+ on the Switch ■ When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not accessible—setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access[...]

  • Page 101

    5-1 5 RADIUS Authentication and Accounting Contents Overview . . . 5-2 Terminology . . . 5-3 Switch Operating Rules for RADIUS . . .[...]

  • Page 102

    5-2 RADIUS Authentication and Accounting Overview Overview RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server employed. For authentication, this allows a different pa[...]

  • Page 103

    5-3 RADIUS Authentication and Accounting Terminology Terminology CHAP (Challenge-Handshake Authentication Protocol): A challenge-response authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a challenge from a RADIUS server. EAP (Extensible Authentication Protocol): [...]

  • Page 104

    5-4 RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Switch Operating Rules for RADIUS ■ You must have at least one RADIUS server accessible to the switch. ■ The switch supports authentication and accounting using up to three RADIUS servers. The switch accesses the servers in the order in which they[...]

  • Page 105

    5-5 RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring t[...]

  • Page 106

    5-6 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Configuring the Switch for RADIUS Authentication • Determine whether you can use one, global encryption key for all RADIUS servers or if unique keys will be required for specific servers. With multiple RADIUS servers, if one key app[...]

  • Page 107

    5-7 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following • Seria[...]

  • Page 108

    5-8 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication out on a server that is unavailable. If you want to use this feature, select a dead-time period of 1 to 1440 minutes. (Default: 0—disabled; range: 1 - 1440 minutes.) If your first-choice server was initially unavailable, but then becomes [...]

  • Page 109

    5-9 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s lo[...]

  • Page 110

    5-10 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the sw[...]

  • Page 111

    5-11 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in figure 5-3 and you now need to make the following changes: 1. Change the encryption key for the server at 10.33.18.127 to “source0127”. 2. Add a RADIUS server with an[...]

  • Page 112

    5-12 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch’s Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: ■ Number of login attempts: In a given session, specifies how many tries at entering the correct username and[...]

  • Page 113

    5-13 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note Where the switch has multiple RADIUS servers configured to support authentication requests, if the first server fails to respond, then the switch tries the next server in the list, and so on. If none of the servers respond, [...]

  • Page 114

    5-14 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key. In this case your plan is to configure the swi[...]

  • Page 115

    5-15 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-6. Listings of Global RADIUS Parameters Configured In Figure 5-5 ProCurve# show authentication Status and Counters - Authentication Information Login Attempts : 2 Respect Privilege : Disabled | Login Login Enable Enable Access Task [...]

  • Page 116

    5-16 RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: ■ “Local” is the authentication option for the access method being used. ■ The switch has been co[...]

  • Page 117

    5-17 RADIUS Authentication and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication Controlling Web Browser Interface Access When Using RADIUS Authentication To prevent unauthorized access through the web browser interface, do one or more of the following: ■ Configure local authentication ([...]

  • Page 118

    5-18 RADIUS Authentication and Accounting Configuring RADIUS Accounting Note This section assumes you have already: ■ Configured RADIUS authentication on the switch for one or more access methods ■ Configured one or more RADIUS servers to support the switch If you have not already done so, refer to “General RADIUS [...]

  • Page 119

    5-19 RADIUS Authentication and Accounting Configuring RADIUS Accounting The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server. For more information on this aspect of RADIUS accounting, refer to the documentatio[...]

  • Page 120

    5-20 RADIUS Authentication and Accounting Configuring RADIUS Accounting – Optional—if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are designating, configure a server-specific key. This key overr[...]

  • Page 121

    5-21 RADIUS Authentication and Accounting Configuring RADIUS Accounting (For a more complete description of the radius-server command and its options, turn to page 5-10.) For example, suppose you want the switch to use the RADIUS server described below for both authentication and accounting purposes. ■ IP address: [...]

  • Page 122

    5-22 RADIUS Authentication and Accounting Configuring RADIUS Accounting Figure 5-7. Example of Configuring for a RADIUS Server with a Non-Default Accounting UDP Port Number The radius-server command as shown in figure 5-7, above, configures the switch to use a RADIUS server at IP address 10.33.18.151, with a (non-[...]

  • Page 123

    5-23 RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Start-Stop: • Send a start record accounting notice at the beginning of the accounting session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (N[...]

  • Page 124

    5-24 RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additional control over accounting data. ■ Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the swit[...]

  • Page 125

    5-25 RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Figure 5-10. Example of General RADIUS Information from Show Radius Command Syntax: show radius [host <ip-addr>] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data [...]

  • Page 126

    5-26 RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-11. RADIUS Server Information From the Show Radius Host Command[...]

  • Page 127

    5-27 RADIUS Authentication and Accounting Viewing RADIUS Statistics Table 5-2. Values for Show Radius Host Output (Figure 5-11) Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server. Pending Reques[...]

  • Page 128

    5-28 RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Figure 5-12. Example of Login Attempt and Primary/Secondary Authentication Information from the Show Authentication Command Figure 5-13. Example of RADIUS Authentication Information from a Specific Server Syntax: show a[...]

  • Page 129

    5-29 RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Figure 5-14. Listing the Accounting Configuration in the Switch Figure 5-15. Example of RADIUS Accounting Information for a Specific Server Syntax: show accounting Lists configured accounting interval, “Empty User” suppression status, a[...]

  • Page 130

    5-30 RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, [...]

  • Page 131

    5-31 RADIUS Authentication and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: 1. Delete 10.10.10.003 from the list. This opens the third (lowest) p[...]

  • Page 132

    5-32 RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server <x.x.x.x>. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the [...]

  • Page 133

    6-1 6 Configuring Secure Shell (SSH) Contents Overview . . . 6-2 Terminology . . . 6-4 Prerequisite for Using SSH . . .[...]

  • Page 134

    6-2 Configuring Secure Shell (SSH) Overview Overview The ProCurve switches covered in this guide use Secure Shell version 1 or 2 (SSHv1 or SSHv2) to provide remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSH operation. SSH provides Tel[...]

  • Page 135

    6-3 Configuring Secure Shell (SSH) Overview Note SSH in the ProCurve is based on the OpenSSH software toolkit. For more information on OpenSSH, visit www.openssh.com. Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication shown in figure 6-1. It occurs if the switch has SSH ena[...]

  • Page 136

    6-4 Configuring Secure Shell (SSH) Terminology Terminology ■ SSH Server: A ProCurve switch with SSH enabled. ■ Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key, that can be read by anyone and a private key, that is held internally in the switch or by a client. [...]

  • Page 137

    6-5 Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), the[...]

  • Page 138

    6-6 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 6-1. SSH Options The general step[...]

  • Page 139

    6-7 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 6-9). 2. Generate a public/private key pair on the switch (page 6-10). You need to do this only once. The key[...]

  • Page 140

    6-8 Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store ten client key pairs. ■ The switch’s own public/private key pair and the (optional) client public key file are stored in [...]

  • Page 141

    6-9 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation 1. Assign Local Login (Operator) and Enable (Manager) Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Tel[...]

  • Page 142

    6-10 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-5. Example of Configuring Local Passwords 2. Generate the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session [...]

  • Page 143

    6-11 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pai[...]

  • Page 144

    6-12 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Figure 6-6. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key' displays data in two different formats because your client may store it in either [...]

  • Page 145

    6-13 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one blank spac[...]

  • Page 146

    6-14 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add any data required by your SSH client application. For example, before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Figure 6-9. Example of a Switch Public Key Edited To In[...]

  • Page 147

    6-15 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-10. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 6-10 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch[...]

  • Page 148

    6-16 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client, your client’s first connection to the switch will question the connection and, for security rea[...]

  • Page 149

    6-17 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note on Port Number ProCurve recommends using the default TCP port number (22). However, you can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) an[...]

  • Page 150

    6-18 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you. SSH does not protect the switch from unauthori[...]

  • Page 151

    6-19 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option B: Configuring the Switch for Client Public-Key SSH Authentication. If configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public-key for the switch to au[...]

  • Page 152

    6-20 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation With steps 1 - 3, above, completed and SSH properly configured on the switch, if an SSH client contacts the switch, login authentication automatically occurs first, using the switch and client public-keys. After the client gains login access, the [...]

  • Page 153

    6-21 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-12. Configuring for SSH Access Requiring a Client Public-Key Match and Manager Passwords Figure 6-13 shows how to check the results of the above commands. Figure 6-13. SSH Configuration and Client-Public-Key Listing From Figure 6-12 Configu[...]

  • Page 154

    6-22 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems" in the Trou[...]

  • Page 155

    6-23 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Configure the Switch for SSH Authentication” on page 6-18 lists the steps for configuring SSH authentication on the switch. However, if yo[...]

  • Page 156

    6-24 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 3. If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. 4. If there is a match, the switch: a. Generates a rand[...]

  • Page 157

    6-25 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Notes Comments in public key files, such as smith@support.cairns.com in figure 6-14, may appear in an SSH client application’s generated public key. While such comments may help to distinguish one key from another, they do[...]

  • Page 158

    6-26 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Copying a client-public-key into the switch requires the following: ■ One or more client-generated public keys. Refer to the documentation provided with your SSH client application. ■ A copy of each client public key (up to ten) [...]

  • Page 159

    6-27 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication For example, if you wanted to copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents: Figure 6-15. Example of Copying and Displaying a Client Public-Key Fi[...]

  • Page 160

    6-28 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Caution To enable client public-key authentication to block SSH clients whose public keys are not in the client-public-key file copied into the switch, you must configure the Login Secondary as none. Otherwise, the switch allows s[...]

  • Page 161

    6-29 Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicates an error in communicating with the tftp server or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • Incorrec[...]

  • Page 162

    6-30 Configuring Secure Shell (SSH) Messages Related to SSH Operation Generating new RSA host key. If the cache is depleted, this could take up to two minutes. After you execute the crypto key generate ssh [rsa] command, the switch displays this message while it is generating the key. Host RSA key file corrupt or not found. Use 'c[...]

  • Page 163

    7-1 7 Configuring Secure Socket Layer (SSL) Contents Overview . . . 7-2 Terminology . . . 7-3 Prerequisite for Using SSL . . .[...]

  • Page 164

    7-2 Configuring Secure Socket Layer (SSL) Overview Overview The ProCurve switches covered by this manual use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security (TLSv1) to provide remote web access to the switches via encrypted paths between the switch and management station clients capable of SSL/[...]

  • Page 165

    7-3 Configuring Secure Socket Layer (SSL) Terminology Figure 7-1. Switch/User Authentication SSL on the ProCurve switches supports these data encryption methods: ■ 3DES (168-bit, 112 Effective) ■ DES (56-bit) ■ RC4 (40-bit, 128-bit) Note: ProCurve switches use RSA public key algorithms and Diffie-Hellman. All references t[...]

  • Page 166

    7-4 Configuring Secure Socket Layer (SSL) Terminology ■ Self-Signed Certificate: A certificate not verified by a third-party certificate authority (CA). Self-signed certificates provide a reduced level of security compared to a CA-signed certificate. ■ CA-Signed Certificate: A certificate verified by a third party[...]

  • Page 167

    7-5 Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the computer(s) you use for management access to the switch. Steps for Configuring and Using[...]

  • Page 168

    7-6 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re-generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch's certificate on all management[...]

  • Page 169

    7-7 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Configuring the Switch for SSL Operation 1. Assign Local Login (Operator) and Enable (Manager) Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with T[...]

  • Page 170

    7-8 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface refer to the chapter titled "Using the Web Browser Interface" in the Manag[...]

  • Page 171

    7-9 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.) The server certificate is stored [...]

  • Page 172

    7-10 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes CLI commands used to generate a Server Host Certificate. To generate a host certificate from the CLI: i. Generate a certificate key pair. This is done with the crypto key generate cert command. The default key size is 512. Note: If a certificate [...]

  • Page 173

    7-11 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Table 7-1. Certificate Field Descriptions For example, to generate a key and a new host certificate: Figure 7-3. Example of Generating a Self-Signed Server Host certificate on the CLI for the Switch. Notes "Zeroizing" the switch's server host cer[...]

  • Page 174

    7-12 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes CLI Command to view host certificates. To view the current host certificate from the CLI you use the show crypto host-cert command. For example, to display the new server host certificate: Figure 7-4. Example of show crypto host-cert comman[...]

  • Page 175

    7-13 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes i. Select the Security tab then the [SSL] button. The SSL configuration screen is divided into two halves. The left half is used for creating a new certificate key pair and (self-signed / CA-signed) certificate. The right half displays informa[...]

  • Page 176

    7-14 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes For example, to generate a new host certificate via the web browser's interface: Figure 7-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface: 1. Proceed to t[...]

  • Page 177

    7-15 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Figure 7-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web Browser Interface This section describes how to install a CA-Signed server host certificate from the web browser interface. ([...]

  • Page 178

    7-16 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pas[...]

  • Page 179

    7-17 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Figure 7-7. Example of a Certificate Request and Reply 3. Enable SSL on the Switch and Anticipate SSL Browser Contact Behavior The web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with client[...]

  • Page 180

    7-18 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Note Before enabling SSL on the switch you must generate the switch's host certificate and key. If you have not already done so, refer to "2. Generate the Switch's Server Host Certificate" on page 7-8. When configured for SSL, the switc[...]

  • Page 181

    7-19 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Using the CLI interface to enable SSL To enable SSL on the switch 1. Generate a Host certificate if you have not already done so. (Refer to "2. Generate the Switch's Server Host Certificate" on page 7-8.) 2. Execute the web-management [...]

  • Page 182

    7-20 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes Figure 7-8. Using the web browser interface to enable SSL and select TCP port number Note on Port Number ProCurve recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to specify any TCP port for SSL con[...]

  • Page 183

    7-21 Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup Common Errors in SSL Setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to "CLI commands used to generate a Server Host Certificate" on page 7-10.) Enabling SSL on the CLI or Web brow[...]

  • Page 184

    7-22 Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup[...]

  • Page 185

    8-1 8 Configuring Port-Based and Client-Based Access Control (802.1X) Contents Overview ..... 8-2 Why Use Port-Based or Client-Based Access Control? ..... 8-2 General Features ..... [...]

  • Page 186

    8-2 Configuring Port-Based and Client-Based Access Control (802.1X) Contents Setting Up and Configuring 802.1X Open VLAN Mode ..... 8-33 802.1X Open VLAN Operating Notes ..... 8-37 Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices . [...]

  • Page 187

    8-3 Configuring Port-Based and Client-Based Access Control (802.1X) Overview Overview Why Use Port-Based or Client-Based Access Control? Local Area Networks are often deployed in a way that allows unauthorized clients to attach to network devices, or allows unauthorized users to get access to unattended clients on a network.[...]

  • Page 188

    8-4 Configuring Port-Based and Client-Based Access Control (802.1X) Overview Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further[...]

  • Page 189

    8-5 Configuring Port-Based and Client-Based Access Control (802.1X) Overview 802.1X Port-Based Access Control 802.1X port-based access control provides port-level security that allows LAN access only on ports where a single 802.1X-capable client (supplicant) has entered authorized RADIUS user credentials. For reasons[...]

  • Page 190

    8-6 Configuring Port-Based and Client-Based Access Control (802.1X) Overview access from a master database in a single server (although you can use up to three RADIUS servers to provide backups in case access to the primary server fails). It also means a user can enter the same username and password pair for authentication, r[...]

  • Page 191

    8-7 Configuring Port-Based and Client-Based Access Control (802.1X) Terminology Terminology 802.1X-Aware: Refers to a device that is running either 802.1X authenticator software or 802.1X client software and is capable of interacting with other devices on the basis of the IEEE 802.1X standard. Authorized-Client VLAN: Li[...]

  • Page 192

    8-8 Configuring Port-Based and Client-Based Access Control (802.1X) Terminology EAPOL: Extensible Authentication Protocol Over LAN, as defined in the 802.1X standard. Friendly Client: A client that does not pose a security risk if given access to the switch and your network. MD5: An algorithm for calculating a unique digital [...]

  • Page 193

    8-9 Configuring Port-Based and Client-Based Access Control (802.1X) Terminology designate as the Unauthorized-Client VLAN.) A port configured to use a given Unauthorized-Client VLAN does not have to be statically configured as a member of that VLAN as long as at least one other port on the switch is statically configure[...]

  • Page 194

    8-10 Configuring Port-Based and Client-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do no[...]

  • Page 195

    8-11 Configuring Port-Based and Client-Based Access Control (802.1X) General 802.1X Authenticator Operation ii. If the client is successfully authenticated and authorized to connect to the network, then the switch allows access to the client. Otherwise, access is denied and the port remains blocked. Switch-Port Supplicant[...]

  • Page 196

    8-12 Configuring Port-Based and Client-Based Access Control (802.1X) General Operating Rules and Notes 3. Port A1 replies with an MD5 hash response based on its username and password or other unique credentials. Switch "B" forwards this response to the RADIUS server. 4. The RADIUS server then analyzes the response and send[...]

  • Page 197

    8-13 Configuring Port-Based and Client-Based Access Control (802.1X) General Operating Rules and Notes port. If another client uses an 802.1X supplicant application to access the opened port, then a re-authentication occurs using the RADIUS configuration response for the latest client to authenticate. To control ac[...]

  • Page 198

    8-14 Configuring Port-Based and Client-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Access Control Do These Steps Before You Configure 802.1X Operation 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) [...]

  • Page 199

    8-15 Configuring Port-Based and Client-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to "RADIUS Authenticatio[...]

  • Page 200

    8-16 Configuring Port-Based and Client-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control 7. If you are using Port Security on the switch, configure the switch to allow only 802.1X access on ports configured for 802.1X operation, and (if desired) the action to take if an unauthorized device atte[...]

  • Page 201

    8-17 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point link[...]

  • Page 202

    8-18 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication B. Specify Client-Based or Return to Port-Based 802.1X Authentication Client-Based 802.1X Authentication. Syntax[...]

  • Page 203

    8-19 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Port-Based 802.1X Authentication. Example: Configuring Client-Based 802.1X Authentication This example enables ports A10-A12 to operate as authenticators, and then configures the ports for client-based [...]

  • Page 204

    8-20 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 2. Reconfigure Settings for Port-Access The commands in this section are initially set by default and can be reconfigured as needed. Syntax: aaa port-access authenticator < port-list > [control < [...]

  • Page 205

    8-21 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page). (De[...]

  • Page 206

    8-22 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid < [...]

  • Page 207

    8-23 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1X authentica[...]

  • Page 208

    8-24 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following s[...]

  • Page 209

    8-25 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optionally Resetting Authenticator Operation After authentication has begun operating, these commands can be used to reset authentication and related statistics on specific ports. Syntax: aaa port-acc[...]

  • Page 210

    8-26 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode Introduction This section describes how to use the 802.1X Open VLAN mode to configure unauthorized-client and authorized-client VLANs on ports configured as 802.1X authenticators. Configuring the 802.1X Open VLA[...]

  • Page 211

    8-27 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports configured to allow multiple sessions using 802.1X client-based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, authenticated clients, the first authenti[...]

  • Page 212

    8-28 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Note After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port belongs to a tagged VLAN used for 1 or 2 above, then it operates as an untagged member of that VLAN while the client [...]

  • Page 213

    8-29 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 8-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following con[...]

  • Page 214

    8-30 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this V[...]

  • Page 215

    8-31 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client suc[...]

  • Page 216

    8-32 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Temporary VLAN Membership During a Client Session • Port membership in a VLAN assigned to operate as the Unauthorized-Client VLAN is temporary, and ends when the client receives authentication or the client disconnects from the por[...]

  • Page 217

    8-33 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode IP Addressing for a Client Connected to a Port Configured for 802.x Open VLAN Mode A client can either acquire an IP address from a DHCP server or have a preconfigured, manual IP address before connecting to the switch. 802.1X Supplican[...]

  • Page 218

    8-34 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Note If you use the same VLAN as the Unauthorized-Client VLAN for all authenticator ports, unauthenticated clients on different ports can communicate with each other. Setting Up and Configuring 802.1X Open VLAN Mode Preparation. [...]

  • Page 219

    8-35 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode ■ A client must either have a valid IP address configured before connecting to the switch, or download one through the Unauthorized-Client VLAN from a DHCP server. In the latter case, you will need to provide DHCP services on the[...]

  • Page 220

    8-36 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode 2. Configure the 802.1X authentication type. Options include: 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. 4. Activate authentic[...]

  • Page 221

    8-37 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Note If you want to implement the optional port security feature on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. Then refer to "Option For Authenticator Ports: Co[...]

  • Page 222

    8-38 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to "Viewing 802.1X Open VLAN Mode Status" on page 8-50. 802.1X Open VLAN Operating Notes ■ Although you [...]

  • Page 223

    8-39 Configuring Port-Based and Client-Based Access Control (802.1X) 802.1X Open VLAN Mode RADIUS-assigned VLAN, then an authenticated client without tagged VLAN capability can access only a statically configured, untagged VLAN on that port.) ■ When a client's authentication attempt on an Unauthorized-Client VLA[...]

  • Page 224

    8-40 Configuring Port-Based and Client-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices If you use port-security on authenticator ports, you can configure it to learn only the MAC [...]

  • Page 225

    8-41 Configuring Port-Based and Client-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices Note on Blocking a Non-802.1X Device If the port's 802.1X authenticator control mode is configured to authorized (as shown below, instead of auto), then the first sou[...]

  • Page 226

    8-42 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configure the port access type. Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches You can configure a switch port to [...]

  • Page 227

    8-43 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches ■ Switch "A" has port A1 configured for 802.1X supplicant operation ■ You want to connect port A1 on switch "A" to port B5 on switch "B". Figure 8[...]

  • Page 228

    8-44 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches • A "failure" response continues the block on port B5 and causes port A1 to wait for the "held-time" period before trying again to achieve authen[...]

  • Page 229

    8-45 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches [identity < username >] Sets the username and password to pass to the authenticator port when a challenge-request packet is received from the authenticator por[...]

  • Page 230

    8-46 Configuring Port-Based and Client-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches [start-period < 1 - 300 >] Sets the time period between Start packet retransmissions. That is, after a supplicant sends a start packet, it waits during the [...]

  • Page 231

    8-47 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Authenticator 802.1X Authentication Commands page 8-17 802.1X Supplicant Commands page 8-42 802.1X Open VLAN Mod[...]

  • Page 232

    8-48 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [[e] < port-list >] Shows: • Whether port-access authenticator is active • The 802.1X configuration of the ports configured as 802.1X aut[...]

  • Page 233

    8-49 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Figure 8-7. Example of show port-access authenticator config Command Table 8-2. Field Descriptions of show port-access authenticator config Command Output (Figure 8-7) Field Description Port-acces[...]

  • Page 234

    8-50 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can examine the switch's current VLAN status by using the show port-access authenticator and show vlan < vlan-id > commands as illustrated in this s[...]

  • Page 235

    8-51 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters ■ When the Unauth VLAN ID is configured and matches the Current VLAN ID in the above command output, an unauthenticated client is connected to the port. (This assumes the port is not a statical[...]

  • Page 236

    8-52 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Figure 8-9. Example of Showing a VLAN with Ports Configured for Open VLAN Mode Unauthorized VLAN ID < vlan-id >: Lists the VID of the static VLAN configured as the unauthorized VLAN for the in[...]

  • Page 237

    8-53 Configuring Port-Based and Client-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Note on Supplicant Statistics. For each port configured as a supplicant, show port-access supplicant statistics [e] < port-list >] displays the source[...]

  • Page 238

    8-54 Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator's MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authe[...]

  • Page 239

    8-55 Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagge[...]

  • Page 240

    8-56 Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Figure 8-11. The Active Configuration for VLAN 22 Temporarily Changes for the 802.1X Session ■ With the preceding in mind, since (static) VLAN 33 is configured as untagged on port A2 (see figure 8-[...]

  • Page 241

    8-57 Configuring Port-Based and Client-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client's session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes[...]

  • Page 242

    8-58 Configuring Port-Based and Client-Based Access Control (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation Table 8-4. 802.1X Operating Messages Message Meaning Port < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.1X authenticators. Use this[...]

  • Page 243

    9-1 9 Configuring and Monitoring Port Security Contents Overview ..... 9-2 Basic Operation ..... 9-2 Blocking Unauthorized Traffic ..... [...]

  • Page 244

    9-2 Configuring and Monitoring Port Security Overview Overview Note Port security is not available on ports running at 10 Mbps or the 1000 Mbps uplinks. It is only available on ports running at 100 Mbps. Using Port Security, you can configure each switch port with a unique list of the MAC addresses of devices that are author[...]

  • Page 245

    9-3 Configuring and Monitoring Port Security Overview General Operation for Port Security. On a per-port basis, you can configure security measures to block unauthorized devices, and to send notice of security violations. Once you have configured port security, you can then monitor the network for security violations through[...]

  • Page 246

    9-4 Configuring and Monitoring Port Security Overview Figure 9-1. Example of How Port Security Controls Access Note Broadcast and Multicast traffic is not "unauthorized" traffic, and can be read by intruders connected to a port on which you have configured port security. Trunk Group Exclusion Port security does [...]

  • Page 247

    9-5 Configuring and Monitoring Port Security Planning Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port and how many devices do you want to allow per port (up to 8[...]

  • Page 248

    9-6 Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Commands Used in This Section This section describes the CLI port security command and how the switch acquires and maintains authorized addresses. Note Use the global configuratio[...]

  • Page 249

    9-7 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > learn-mode < continuous | static | configured | port-access > Continuous (Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addre[...]

  • Page 250

    9-8 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) learn-mode < continuous | static | configured | port-access > Configured: The static-configured option operates the same as the static-learn option on the preceding page, excep[...]

  • Page 251

    9-9 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) action < none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a network management station. Operates when: • Learn mode is set to learn-mode stati[...]

  • Page 252

    9-10 Configuring and Monitoring Port Security Port Security Command Options and Operation Retention of Static MAC Addresses Learned MAC Addresses In the following two cases, a port in Static learn mode (learn-mode static) retains a learned MAC address even if you later reboot the switch or disable port security for that port [...]

  • Page 253

    9-11 Configuring and Monitoring Port Security Port Security Command Options and Operation Using the CLI To Display Port Security Settings. Syntax: show port-security show port-security [e] <port number> show port-security [e] [<port number>-<port number]. . .[,<port number>] Without port paramet[...]

  • Page 254

    9-12 Configuring and Monitoring Port Security Port Security Command Options and Operation The following command example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string: ProCurve(config)# show port-securi[...]

  • Page 255

    9-13 Configuring and Monitoring Port Security Port Security Command Options and Operation ProCurve(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable This example configures port A5 to: ■ Allow two MAC addresses, 00c100-7fec00 and 0060b0-889e00, as the authorized devices. ■ Send an alarm t[...]

  • Page 256

    9-14 Configuring and Monitoring Port Security Port Security Command Options and Operation mined by the current address-limit value). For example, suppose port A1 allows two authorized devices, but has only one device in its Authorized Address list: Figure 9-4. Example of Adding an Authorized Device to a Port With the above con[...]

  • Page 257

    9-15 Configuring and Monitoring Port Security Port Security Command Options and Operation Note The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. If you change a port from static to continuous learn mode, the port retains in me[...]

  • Page 258

    9-16 Configuring and Monitoring Port Security Port Security Command Options and Operation Caution The address-limit setting controls how many MAC addresses are allowed in the Authorized Addresses list for a given port. If you remove a MAC address without also reducing the address limit by 1, the port may later detect and acce[...]

  • Page 259

    9-17 Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090-123456 The above c[...]

  • Page 260

    9-18 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags When a security violation occurs on a port configured for Port Security, the switch responds in the following ways to notify you: ■ The switch sets an alert flag for that port. This flag remains set until: • You use either the[...]

  • Page 261

    9-19 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags (by resetting the alert flag). The other entries give you a history of past intrusions detected on port A1. Figure 9-8. Example of Multiple Intrusion Log Entries for the Same Port The log shows the most recent intrusion at the t[...]

  • Page 262

    9-20 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen[...]

  • Page 263

    9-21 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The above example shows two intrusions for port A3 and one intrusion for port A1. In this case, only the most recent intrusion at port A3 has not been acknowledged (reset). This is indicated by the following: • Because the Por[...]

  • Page 264

    9-22 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The following commands display port status, including whether there are intrusion alerts for any port(s), list the last 20 intrusions, and either[...]

  • Page 265

    9-23 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Figure 9-12. Example of the Intrusion Log with Multiple Entries for the Same Port The above example shows three intrusions for port A1. Since the switch can show only one uncleared intrusion per port, the older two intrusions in[...]

  • Page 266

    9-24 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Using the Event Log To Find Intrusion Alerts The Event Log lists port security intrusions as: W MM/DD/YY HH:MM:SS FFI: port A3 - Security Violation where “W” is the severity level of the log entry and FFI is the system module tha[...]
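    Added example (not from the manual): a small parser for the Event Log line format quoted above, used to pull port security intrusions out of an exported log and count them per port. The regex, function names and the sample log lines are my own constructions; only the line format comes from the manual.

```python
import re
from dataclasses import dataclass

# Event Log format the manual gives for a port security intrusion:
#   W MM/DD/YY HH:MM:SS FFI: port A3 - Security Violation
# The regex is an assumption of this added example, not the switch's own parser.
EVENT_RE = re.compile(
    r"^(?P<sev>[A-Z]) (?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<module>\w+): port (?P<port>[A-Za-z]?\d+) - (?P<msg>.+)$"
)


@dataclass(frozen=True)
class Intrusion:
    severity: str   # the single-letter severity, "W" for a security violation
    timestamp: str  # "MM/DD/YY HH:MM:SS" as logged by the switch
    port: str       # port name normalised to upper case, e.g. "A3"


def parse_intrusions(lines):
    """Return the FFI 'Security Violation' entries from an Event Log, in log order."""
    found = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or m["module"] != "FFI" or m["msg"] != "Security Violation":
            continue  # other modules and messages are not port security intrusions
        found.append(Intrusion(m["sev"], f"{m['date']} {m['time']}", m["port"].upper()))
    return found


def violations_per_port(lines):
    """Count intrusions per port; a port that keeps reappearing still has an unreset alert flag."""
    counts = {}
    for ev in parse_intrusions(lines):
        counts[ev.port] = counts.get(ev.port, 0) + 1
    return counts


# Constructed sample log (not taken from the manual); only the FFI lines use the documented format.
SAMPLE_LOG = [
    "I 01/14/08 09:12:01 ports: port A1 is now on-line",
    "W 01/14/08 09:15:33 FFI: port A3 - Security Violation",
    "W 01/14/08 09:16:02 FFI: port A1 - Security Violation",
    "W 01/14/08 10:40:17 FFI: port A3 - Security Violation",
    "I 01/14/08 10:41:00 mgr: console session established",
]

if __name__ == "__main__":
    for port, n in sorted(violations_per_port(SAMPLE_LOG).items()):
        print(f"{port}: {n} security violation(s)")
```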

  • Page 267

    9-25 Configuring and Monitoring Port Security Operating Notes for Port Security Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags 1. Check the Alert Log by clicking on the Status tab and the [Overview] button. If there is a “Security Violation” entry, do the following: a. Click on the Security tab. b.[...]

  • Page 268

    9-26 Configuring and Monitoring Port Security Operating Notes for Port Security the alert flag status for the port referenced in the dropped entry. This means that, even if an entry is forced off of the Intrusion Log, no new intrusions can be logged on the port referenced in that entry until you reset the alert flags. LACP N[...]

  • Page 269

    9-27 Configuring and Monitoring Port Security Configuring Protected Ports Configuring Protected Ports There are situations where you want to provide internet access to users but prevent them from accessing each other. To achieve this control, you can use the protected-ports command. The command applies per-port, and filters[...]

  • Page 270

    9-28 Configuring and Monitoring Port Security Configuring Protected Ports Figure 9-16. Example Showing Protected Ports and Unprotected Ports If you display the running config file (show running-config) you will see the ports that have been selected as protected ports. Figure 9-17. Example of Running Config File Showing Protec[...]

  • Page 271

    10-1 10 Using Authorized IP Managers Contents Overview . . . 10-2 Configuration Options . . . 10-3 Access Levels . . .[...]

  • Page 272

    10-2 Using Authorized IP Managers Overview Overview Authorized IP Manager Features The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network. This covers access through the following means: – Telnet and other terminal emulati[...]

  • Page 273

    10-3 Using Authorized IP Managers Access Levels Configuration Options You can configure: ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations ■ Manager or Operator access privileges (for Telnet, SNMPv1, and SNMPv2c access only) Caution Configuring[...]

  • Page 274

    10-4 Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations ■ Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the[...]

  • Page 275

    10-5 Using Authorized IP Managers Defining Authorized Management Stations 255.255.255.252 uses the 4th octet of a given Authorized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 10-9. Note The IP Mask is a me[...]

  • Page 276

    10-6 Using Authorized IP Managers Defining Authorized Management Stations Figure 10-2. Example of How To Add an Authorized Manager Entry (Continued) Editing or Deleting an Authorized Manager Entry. Go to the IP Managers List screen (figure 10-1), highlight the desired entry, and press [E] (for Edit) or [D] (for Delete[...]

  • Page 277

    10-7 Using Authorized IP Managers Defining Authorized Management Stations Figure 10-3. Example of the Show IP Authorized-Manager Display The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: Configuring IP Authorized Managers for the Switch To Authorize Manager Access.[...]

  • Page 278

    10-8 Using Authorized IP Managers Defining Authorized Management Stations Similarly, the next command authorizes manager-level access for any station having an IP address of 10.28.227.101 through 103: ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager If you omit the <mask bits> when[...]

  • Page 279

    10-9 Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: 1. Click on the Security tab. 2. Click on [Authorized Addresse[...]

  • Page 280

    10-10 Using Authorized IP Managers Building IP Masks Table 10-1. Analysis of IP Mask for Single-Station Entries Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry,[...]

  • Page 281

    10-11 Using Authorized IP Managers Building IP Masks Table 10-2. Analysis of IP Mask for Multiple-Station Entries Figure 10-5. Example of How the Bitmap in the IP Mask Defines Authorized Manager Addresses 1st Octet 2nd Octet 3rd Octet 4th Octet Manager-Level or Operator-Level Device Access IP Mask 255 255 255 0 The “255” in th[...]
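    Added example (not from the manual) covering both the ip authorized-managers command on page 10-8 and the mask bitmap described under Building IP Masks: a 1 bit in the mask means the station's address bit must equal the entry's bit, a 0 bit means that bit is ignored. The function names are my own; the 10.28.227.101 / 255.255.255.252 entry is the one the manual shows.

```python
from itertools import product


def parse_octets(addr):
    """Split a dotted-quad string into four ints, validating each octet."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a dotted quad: {addr}")
    return parts


def station_matches(manager_ip, mask, station_ip):
    """True if the station passes the Authorized Manager entry.

    For every octet, only the bits under a '1' mask bit are compared; bits under
    a '0' mask bit are don't-care, which is how one entry admits a group of stations.
    """
    m, k, s = (parse_octets(x) for x in (manager_ip, mask, station_ip))
    return all((mo & ko) == (so & ko) for mo, ko, so in zip(m, k, s))


def authorized_addresses(manager_ip, mask, limit=1024):
    """Enumerate every address an entry admits (refuses masks that admit more than `limit`).

    Useful when reviewing a config: it makes the real scope of a loose mask visible.
    """
    m, k = parse_octets(manager_ip), parse_octets(mask)
    free_bits = sum(8 - bin(ko).count("1") for ko in k)
    if 2 ** free_bits > limit:
        raise ValueError(f"mask {mask} admits {2 ** free_bits} addresses, above limit {limit}")
    # Per octet, keep the values that agree with the entry on all masked bits.
    per_octet = [[v for v in range(256) if (v & ko) == (mo & ko)] for mo, ko in zip(m, k)]
    return [".".join(map(str, combo)) for combo in product(*per_octet)]


if __name__ == "__main__":
    # The manual's example entry: ip authorized-managers 10.28.227.101 255.255.255.252
    print(authorized_addresses("10.28.227.101", "255.255.255.252"))
    print(station_matches("10.28.227.101", "255.255.255.252", "10.28.227.104"))
```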

  • Page 282

    10-12 Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Operating Notes ■ Network Security Precautions: You can enhance your network’s security by keeping physical access to the switch restricted to authorized personnel, using the password features built into the switch, usi[...]

  • Page 283

    10-13 Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions” list in the web browser interf[...]

  • Page 284

    10-14 Using Authorized IP Managers Operating Notes[...]

  • Page 285

    Index – 1 Index Numerics 3DES … 6-3, 7-3 802.1X See port-based access control. … 8-1 802.1X access control authentication methods … 8-4 authentication, client-based … 8-4 authenticator … 8-17 client-based access … 8-4 See also port based client authentication … 8-4 client limit … 8-3, 8-4, 8-41 client-limit, enab[...]

  • Page 286

    2 – Index VLAN use, multiple clients … 8-7 A aaa authentication … 4-8 aaa port-access See Web or MAC Authentication. access levels, authorized IP managers … 10-3 accounting See RADIUS. address authorized for port security … 9-3 authentication See TACACS. authorized addresses for IP management security … 10-4 for port[...]

  • Page 287

    Index – 3 M MAC Authentication authenticator operation … 3-5 blocked traffic … 3-4 CHAP defined … 3-9 usage … 3-4 client status … 3-30 configuration commands … 3-23 configuring on the switch … 3-22 switch for RADIUS access … 3-15 the RADIUS server … 3-14 features … 3-4 general setup … 3-12 LACP not[...]

  • Page 288

    4 – Index LACP not allowed … 8-58 local … 8-23 local username and password … 8-4 messages … 8-58 open VLAN authorized client … 8-28 configuration … 8-35, 8-37 general operation … 8-26 mode … 8-26 operating notes … 8-38 operating rules … 8-31 PVID, no … 8-50 security breach … 8-38 set up … 8-34 status[...]

  • Page 289

    Index – 5 SNMP access security not supported … 5-2 statistics, viewing … 5-25 terminology … 5-3 TLS … 5-4 Web browser authentication … 5-7 web-browser access controls … 5-17 web-browser security not supported … 5-2, 5-17 RADIUS accounting See RADIUS. reserved port numbers … 6-17, 7-20 S security authorized IP[...]

  • Page 290

    6 – Index prerequisites … 7-5 remove self-signed certificate … 7-9 remove server host certificate … 7-9 reserved TCP port numbers … 7-20 root … 7-4 root certificate … 7-4 self-signed … 7-4, 7-12 self-signed certificate … 7-4, 7-9, 7-12 server host certificate … 7-9 SSL server … 7-3 SSLv3 … 7-2 stacking, secur[...]

  • Page 291

    Index – 7 client status … 3-30 configuration commands … 3-18 configuring on the switch … 3-17 switch for RADIUS access … 3-15 features … 3-4 general setup … 3-12 LACP not allowed … 3-11 redirect URL … 3-9 rules of operation … 3-10 show status and configuration … 3-26 terminology … 3-9 web browser interface[...]

  • Page 292

    8 – Index[...]

  • Page 293

    [...]

  • Page 294

    Technical information in this document is subject to change without notice. © Copyright 2008 Hewlett-Packard Development Company, L.P. All rights reserved. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws. January 2008 Manual Part Number 5991-4763[...]