HP (Hewlett-Packard) W.14.03 manual


A good user manual

The rules should oblige the seller to give the purchaser an operating instruction for the HP (Hewlett-Packard) W.14.03 along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint on the basis of nonconformity of the goods with the contract. In accordance with the law, a customer can receive the instruction in non-paper form; lately graphic and electronic forms of manuals, as well as instructional videos, have become widely used. A necessary precondition for this is that the instruction is unambiguous and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction for the HP (Hewlett-Packard) W.14.03 one can find a description of a process. An instruction's purpose is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a guide.

Unfortunately, only a few customers devote their time to reading the instruction for the HP (Hewlett-Packard) W.14.03. A good user manual introduces us to a number of additional functions of the purchased item, and also helps us avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the HP (Hewlett-Packard) W.14.03 should contain:
- information concerning the technical data of the HP (Hewlett-Packard) W.14.03
- the name of the manufacturer and the year of construction of the HP (Hewlett-Packard) W.14.03
- rules of operation, control and maintenance of the HP (Hewlett-Packard) W.14.03
- safety signs and certification marks confirming conformity with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from uncertainty about the functions of purchased items. Unfortunately, networking and start-up of the HP (Hewlett-Packard) W.14.03 alone are not enough. An instruction contains a number of hints concerning the respective functions, safety rules, maintenance methods (what means should be used), possible defects of the HP (Hewlett-Packard) W.14.03, and methods of problem resolution. If one still can't find the answer to a problem, one will be directed to the HP (Hewlett-Packard) service. Lately animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer familiarizes himself with the whole material and won't skip the complicated, technical information about the HP (Hewlett-Packard) W.14.03.

Why one should read the manuals?

It is mostly in the manuals that we find the details concerning the design and capabilities of the HP (Hewlett-Packard) W.14.03, the use of its accessories, and information on all of its functions and facilities.

After a successful purchase, one should find a moment to read every part of the instruction. Currently the manuals are carefully prepared and translated, so that they can be fully understood by their users. The manuals serve as an informational aid.

Table of contents for the manual

  • Page 1

    Access Security Guide ProCurve Switches W.14.03 2910al www.procurve.com[...]

  • Page 2

    [...]

  • Page 3

    HP ProCurve 2910al Switch February 2009 W.14.03 Access Security Guide[...]

  • Page 4

    © Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the pr[...]

  • Page 5

    Contents Product Documentation About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Printed Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Electronic Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Software Feature[...]

  • Page 6

    2 Configuring Username and Password Security Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Configuring Local Password Security . . . . . . . . . . . . . . .[...]

  • Page 7

    Disabling or Re-Enabling the Password Recovery Process . . . . 2-32 Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34 3 Web and MAC Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 Overview . . . . . . . . . . . . . [...]

  • Page 8

    4 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 Viewing the Switch’s Current TACACS+ Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Applications: . .[...]

  • Page 9

    RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . . 5-4 SNMP Access to the Switch’s Authentication Configuration MIB . . . 5-4 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . [...]

  • Page 10

    General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-43 RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45 RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-46 Changing RADIUS-Server Access Order . . . . . . . . . .[...]

  • Page 11

    Configuring the Switch To Support RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24 Displaying the Current RADIUS-Assigned ACL Activity Causes of Client Deauthentication Immediately on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 12

    8 Configuring Secure Socket Layer (SSL) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 Overview Steps for Configuring and Using SSL for Switch and Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Terminology [...]

  • Page 13

    ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14 What Is the Difference Between Network (or Subnet) Rules for Defining a Match Between a Packet and an A Configured ACL Has No Effect Until You Apply It You Can Assign an ACL Name or Number to an Interface Static Port ACL and Dynamic Port AC[...]

  • Page 14

    Configuring Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-44 Configuring Named, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-46 Creating Numbered, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-49 Configuring Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 15

    10 Configuring Advanced Threat Protection Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 16

    11 12 Traffic/Security Filters and Monitors Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 17

    802.1X Port-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 12-5 Alternative To Using a RADIUS Server . . . . . . . . . . . . . . . . . . . . . 12-6 Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 18

    13 802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . 12-46 Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices . . . . . . . . . . . . . . . . . 12-47 Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-48 Confi[...]

  • Page 19

    MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-22 Differences Between MAC Lockdown and Port Security . . . . . . . . 13-24 MAC Lockdown Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 13-25 Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 20

    Using a Web Proxy Server to Access the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9 Web-Based Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9 Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Page 21

    Product Documentation About Your Switch Manual Set Note For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features, please visit the ProCurve Networking Web site at www.procurve.com, click on Customer Care, and then click on Manuals. Printed Publications The publications listed b[...]

  • Page 22

    Software Feature Index For the software manual set supporting your 2910al switch model, this feature index indicates which manual to consult for information on a given software feature. Note This Index does not cover IPv6 capable software features. For information on IPv6 protocol operations and features (such as DHCPv6, DNS for IPv6, Ping6,[...]

  • Page 23

    Intelligent Edge Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide DHCP/Bootp Operation Diagnostic Tools Downloading Software X X X Dynamic ARP Protection Dynamic Configuration Arbiter Eavesdrop Protection Event Log X X X X Factory Default Settings Flow Control (802.3x) F[...]

  • Page 24

    Intelligent Edge Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide MAC Lockdown X MAC Lockout MAC-based Authentication Management VLAN Monitoring and Analysis Multicast Filtering Multiple Configuration Files Network Management Applications (SNMP) OpenView Device Managemen[...]

  • Page 25

    Intelligent Edge Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide RMON 1,2,3,9 Routing Routing - IP Static X X X Secure Copy sFlow SFTP SNMPv3 X X X X Software Downloads (SCP/SFTP, TFTP, Xmodem) Source-Port Filters Spanning Tree (STP, RSTP, MSTP) SSHv2 (Secure Shell)[...]

  • Page 26

    Intelligent Edge Software Features Manual Management and Configuration Advanced Traffic Management Multicast and Routing Access Security Guide Voice VLAN Web Authentication RADIUS Support Web-based Authentication Web UI Xmodem X X X X X xxiv[...]

  • Page 27

    1 Security Overview Contents Security Overview Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 For More Information . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 28

    Security Overview Introduction Introduction This chapter provides an overview of the security features included on your switch. Table 1-1 on page 1-3 outlines the access security and authentication features, while Table 1-2 on page 1-7 highlights the additional features designed to help secure and protect your network. For detailed informa[...]

  • Page 29

    Security Overview Access Security Features Access Security Features This section provides an overview of the switch’s access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter and pag[...]

  • Page 30

    Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details Telnet and Web-browser access: enabled. The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chan[...]

  • Page 31

    Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details SSL: disabled. Secure Socket Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser access to the switch via authenticated transactions and encrypted pat[...] More Information: “Quick Start: Using the Management Interface [...]”

  • Page 32

    Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details RADIUS: disabled. For each authorized client, RADIUS can be used to authenticate operator or manager access privileges on the switch via the serial port (CLI and Menu[...] More Information: Chapter 6, “RADIUS Authentication ... and [...]”

  • Page 33

    Security Overview Network Security Features Network Security Features This section outlines features and defence mechanisms for protecting access through the switch to the network. For more detailed information, see the indicated chapters. Table 1-2. Network Security—Default Settings and Security Guidelines Feature Default Setting Security Gu[...]

  • Page 34

    Security Overview Network Security Features Feature Default Setting Security Guidelines More Information and Configuration Details Access Control Lists (ACLs): none. ACLs can filter traffic to or from a host, a group of hosts, or entire subnets. Layer 3 IP filtering with Access Control Lists (ACLs)[...] More Information: Chapter 10, “IPv4 Access Control Lists (ACLs)”

  • Page 35

    Security Overview Network Security Features Feature Default Setting Security Guidelines More Information and Configuration Details Key Management System (KMS): none. KMS is available in several ProCurve switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols[...] More Information: Chapter 16, “Key Management System”

  • Page 36

    Security Overview Getting Started with Access Security Getting Started with Access Security ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operati[...]

  • Page 37

    Security Overview Getting Started with Access Security Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following: ■ Disable or re-enable the password-clearing function of the Clear button. ■ Configure the Clear button to reboot the[...]

  • Page 38

    Security Overview Getting Started with Access Security CLI: Management Interface Wizard To configure security settings using the CLI wizard, follow the steps below: 1. At the command prompt, type setup mgmt-interfaces. The welcome banner appears and the first setup option is displayed (Operator password). As you advance through the wiz[...]

  • Page 39

    Security Overview Getting Started with Access Security 2. When you enter the wizard, you have the following options: • To update a setting, type in a new value, or press [Enter] to keep the current value. • To quit the wizard without saving any changes, press [CTRL-C] at any time. • To access online Help for any option, press [?[...]

  • Page 40

    Security Overview Getting Started with Access Security The Welcome window appears. Figure 1-2. Management Interface Wizard: Welcome Window This page allows you to choose between two setup types: • Typical—provides a multiple page, step-by-step method to configure security settings, with on-screen instructions for each option. • Advan[...]

  • Page 41

    Security Overview Getting Started with Access Security 4. The summary setup screen displays the current configuration settings for all setup options (see Figure 1-3). Figure 1-3. Management Interface Wizard: Summary Setup From this screen, you have the following options: • To change any setting that is shown, type in a new value or make a d[...]

  • Page 42

    Security Overview Getting Started with Access Security SNMP Security Guidelines In the default configuration, the switch is open to access by management stations running SNMP (Simple Network Management Protocol) management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Informat[...]

  • Page 43

    Security Overview Getting Started with Access Security If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions: ■ If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is not desirable for your network, use the followi[...]

  • Page 44

    Security Overview Precedence of Security Options Precedence of Security Options This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch. Precedence of Port-Based Security Options Where the switch is running multiple security options, it implements network traf[...]

  • Page 45

    Security Overview Precedence of Security Options DCA allows client-specific parameters configured in any of the following ways to be applied and removed as needed in a specified hierarchy of precedence. When multiple values for an individual configuration parameter exist, the value applied to a client session is determined in the following o[...]

  • Page 46

    Security Overview Precedence of Security Options NIM also allows you to configure and apply client-specific profiles on ports that are not configured to authenticate clients (unauthorized clients), provided that a client’s MAC address is known in the switch’s forwarding database. The profile of attributes applied for each client (MAC add[...]

  • Page 47

    Security Overview Precedence of Security Options Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether[...]

  • Page 48

    Security Overview ProCurve Identity-Driven Manager (IDM) ProCurve Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a cen[...]

  • Page 49

    2 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 50

    Configuring Username and Password Security Contents Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29 Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation . . . . . 2-30 Changing [...]

  • Page 51

    Configuring Username and Password Security Overview Overview Feature Default Menu CLI Web Set Usernames none — — page 2-9 Set a Password none page 2-6 page 2-8 page 2-9 Delete Password Protection n/a page 2-7 page 2-8 page 2-9 show front-panel-security n/a — page 1-13 — front-panel-security — page 1-13 — password-clear enabled — pa[...]

  • Page 52

    Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface. Operator: Acce[...]

  • Page 53

    Configuring Username and Password Security Overview Notes The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a [...]

  • Page 54

    Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Console Passwords Figure 2-1. The Set P[...]

  • Page 55

    Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the swi[...]

  • Page 56

    Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below. Configuring Manager and Operator Passwords. Note The password command has changed. You can now configure manager and operator passwords in one step. See “Saving Security Cre[...]

  • Page 57

    Configuring Username and Password Security Configuring Local Password Security If you want to remove both operator and manager password protection, use the no password all command. Web: Setting Passwords and Usernames In the web browser interface you can enter passwords and (optional) usernames. To Configure (or Remove) Usernames and Pas[...]

  • Page 58

    Configuring Username and Password Security Saving Security Credentials in a Config File Saving Security Credentials in a Config File You can store and view the following security settings in the running-config file associated with the current software image by entering the include-credentials command (formerly this information was stored only[...]

  • Page 59

    Configuring Username and Password Security Saving Security Credentials in a Config File ■ By storing different security settings in different files, you can test different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot t[...]

  • Page 60

    Configuring Username and Password Security Saving Security Credentials in a Config File ■ SNMP security credentials, including SNMPv1 community names and SNMPv3 usernames, authentication, and privacy settings ■ 802.1X port-access passwords and usernames ■ TACACS+ encryption keys ■ RADIUS shared secret (encryption) keys ■ Public key[...]

  • Page 61

    Configuring Username and Password Security Saving Security Credentials in a Config File Password Command Options The password command has the following options: Syntax: [no] password <manager | operator | port-access | all [user-name <name>] <hash-type> <password>> Set or clear a local username/password for a giv[...]

  • Page 62

    Configuring Username and Password Security Saving Security Credentials in a Config File SNMP Security Credentials SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-credentials command. In addition, the following SNMPv3 security parameters [...]

  • Page 63

    Configuring Username and Password Security Saving Security Credentials in a Config File 802.1X Port-Access Credentials 802.1X authenticator (port-access) credentials can be stored in a configuration file. 802.1X authenticator credentials are used by a port to authenticate supplicants requesting a point-to-point connection to the switch. 802.1X [...]

  • Page 64

    Configuring Username and Password Security Saving Security Credentials in a Config File TACACS+ server application. (The encryption key is sometimes referred to as “shared secret” or “secret” key.) For more information, see “TACACS+ Authentication” on page 4-1 in this guide. TACACS+ shared secret (encryption) keys can be saved i[...]

  • Page 65

    Configuring Username and Password Security Saving Security Credentials in a Config File The SSH security credential that is stored in the running configuration file is configured with the ip ssh public-key command used to authenticate SSH clients for manager or operator access, along with the hashed content of each SSH client public-key. S[...]

  • Page 66

    Configuring Username and Password Security Saving Security Credentials in a Config File To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command. The following example shows the SSH public keys configured for manager access, along with the hashe[...]

  • Page 67

    Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes Caution ■ When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file. You are pro[...]

  • Page 68

    Configuring Username and Password Security Saving Security Credentials in a Config File • copy config <source-filename> config <target-filename>: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory[...]

  • Page 69

    Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command: ■ The private keys of an SSH host cannot be stored in the running configuration. Only the pu[...]

  • Page 70

    Configuring Username and Password Security Saving Security Credentials in a Config File the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command. Note that the password port-access values[...]

  • Page 71

    Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default confi[...]

  • Page 72

    Configuring Username and Password Security Front-Panel Security As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions The System Support Module (SSM) of the switch includes the Syst[...]

  • Page 73

    Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Figure 2-8. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clea[...]

  • Page 74

    Configuring Username and Password Security Front-Panel Security 4. When the Test LED to the right of the Clear button begins flashing, release the Clear button. It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings. Co[...]

  • Page 75

• Modify the operation of the Reset+Clear combination (page 2-25) so that the switch still reboots, but does not restore the switch's factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.) • Disable or re-enab[...]

  • Page 76

Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to "Password Recovery Process" on page 2-34.) (Default: Enabled.) CAUTION: Disabling this option removes the ability to recover a password on the switch. Disabling this o[...]

  • Page 77

Disabling the Clear Password Function of the Clear Button on the Switch's Front Panel. Syntax: no front-panel-security password-clear. In the factory-default configuration, pressing the Clear button on the switch's front panel erases any local usernames and passwords configured [...]

  • Page 78

Re-Enabling the Clear Button on the Switch's Front Panel and Setting or Changing the "Reset-On-Clear" Operation. Syntax: [no] front-panel-security password-clear reset-on-clear. This command does both of the following: • Re-enables the password-clearing function of the Clear[...]

  • Page 79

(Figure callouts:) Shows password-clear disabled. Enables password-clear, with reset-on-clear disabled by the "no" statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-11. Example of Re-Enabling the Clear Button's Default Operation [...]

  • Page 80

(Figure callouts:) The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. Displays the current front-panel-security configuration, with Factory Reset disabled. Completes the command to disable the factory r[...]

  • Page 81

Caution: Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and password on the switch. In this event, there is no way to recover from a lost manager username/password situation without[...]

  • Page 82

• If you want to abort the command, press [N] (for "No"). Figure 2-13 shows an example of disabling the password-recovery parameter. Figure 2-13. Example of the Steps for Disabling Password-Recovery. Password Recovery Process. If you have lost the switch's manager username/pass[...]
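The front-panel settings above (password-clear, reset-on-clear, factory-reset, password-recovery) are the ones an auditor checks first on a switch that sits in a shared rack, because each one trades recoverability against what a person with physical access can do. The following Python is an added example, not code from the manual or from HP: it parses the output of show front-panel-security and reports the findings this chapter warns about, including the rule that password-recovery may only be disabled while factory-reset stays enabled. The output layout in SAMPLE_OUTPUT is constructed for the example and is an assumption; the parser only keys on the four option names.

```python
import re

# Constructed sample of `show front-panel-security` output; the exact column
# layout is an assumption of this example (the page does not show it).
SAMPLE_OUTPUT = """\
ProCurve(config)# show front-panel-security
 Clear Password       - Enabled
   Reset-on-clear     - Disabled
 Factory Reset        - Enabled
 Password Recovery    - Disabled
"""

OPTIONS = {
    "clear password": "password_clear",
    "reset-on-clear": "reset_on_clear",
    "factory reset": "factory_reset",
    "password recovery": "password_recovery",
}


def parse_front_panel_security(text: str) -> dict:
    """Return {option: True/False} for the four front-panel-security options."""
    state = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z -]+?)\s+-\s+(Enabled|Disabled)\s*$", line)
        if not m:
            continue
        name = m.group(1).strip().lower()
        if name in OPTIONS:
            state[OPTIONS[name]] = (m.group(2) == "Enabled")
    missing = set(OPTIONS.values()) - state.keys()
    if missing:
        raise ValueError(f"options not found in output: {sorted(missing)}")
    return state


def audit_front_panel(state: dict) -> list:
    """Findings a reviewer would raise, following the rules stated in this chapter."""
    findings = []
    if state["password_clear"]:
        findings.append("Clear button erases local usernames/passwords: anyone with "
                        "physical access can remove password protection "
                        "(disable with: no front-panel-security password-clear).")
        if not state["reset_on_clear"]:
            findings.append("reset-on-clear disabled: pressing Clear removes the "
                            "passwords without rebooting the switch.")
    if state["factory_reset"]:
        findings.append("Reset+Clear restores factory defaults: physical access can "
                        "wipe the whole configuration "
                        "(disable with: no front-panel-security factory-reset).")
    if not state["password_recovery"]:
        findings.append("password-recovery disabled: a lost manager password cannot "
                        "be recovered through Customer Care; only a factory reset "
                        "gets you back in.")
        if not state["factory_reset"]:
            # The chapter requires factory-reset to stay enabled when
            # password-recovery is disabled; both off leaves no recovery path.
            findings.append("password-recovery AND factory-reset both disabled: no "
                            "recovery path at all; this combination should not be "
                            "reachable.")
    return findings


if __name__ == "__main__":
    for f in audit_front_panel(parse_front_panel_security(SAMPLE_OUTPUT)):
        print("-", f)
```

Run it against a captured show front-panel-security and decide per finding whether the exposure is acceptable for where the switch is installed; a switch in a locked room can keep password-clear enabled as the recovery path, while one in a shared closet usually cannot.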

  • Page 83

Note: The alternate password provided by the ProCurve Customer Care Center is valid only for a single login attempt. You cannot use the same "one-time-use" password if you lose the password a second time. Because the password algorithm is randomized based upon your switch'[...]

  • Page 84


  • Page 85

3 Web and MAC Authentication. Contents: Overview 3-2; Web Authentication 3-2; MAC Authentication [...]

  • Page 86

Web and MAC Authentication: Overview.
Feature | Default | Menu | CLI | Web
Configure Web Authentication | n/a | — | 3-18 | —
Configure MAC Authentication | n/a | — | 3-32 | —
Display Web Authentication Status and Configuration | n/a | — | 3-26 | —
Display MAC Authentication Status and Configuration | n/a | — | 3-36 | —
Web and MAC authentication are design[...]

  • Page 87

Note: A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web authentication. ■ In the login page, a client enters a username and password, which the switch forwards to a RADIUS server for authentication. After authenticating a clie[...]

  • Page 88

■ Each new Web/MAC Auth client always initiates a MAC authentication attempt. This same client can also initiate Web authentication at any time before the MAC authentication succeeds. If either authentication succeeds then the other authentication (if in progress) is ended. No further Web/MAC aut[...]

  • Page 89

How Web and MAC Authentication Operate. You configure access to an optional, unauthorized VLAN when you configure Web and MAC authentication on a port. RADIUS-Based Authentication. In Web and MAC authentication, you use a RADIUS server to temporarily assign a port to a static VLAN to support an authenticated clie[...]

  • Page 90

Web-based Authentication. When a client connects to a Web-Auth enabled port, communication is redirected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username and password. The default User Logi[...]

  • Page 91

If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. After a successful login, a client may be redirected to a URL if you specify a URL value [...]

  • Page 92

A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The max-retries parameter specifies how many times a client may enter their credentials before authentication fails. The server-timeout parameter sets how long the switch waits to receiv[...]

  • Page 93

The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the clie[...]

  • Page 94

Terminology. Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the[...]

  • Page 95

Operating Rules and Notes. ■ The switch supports concurrent 802.1X, Web and MAC authentication operation on a port (with up to 2 clients allowed). However, concurrent operation of Web and MAC authentication with other types of authentication on the same port is not supported. That is, t[...]

  • Page 96

1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships. 2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the [...]

  • Page 97

Setup Procedure for Web/MAC Authentication. Web/MAC Authentication and LACP: Web or MAC authentication and LACP are not supported at the same time on a port. The switch automatically disables LACP on ports configured for Web or MAC authentication. ■ Use the show port-access web-based commands to display sessio[...]

  • Page 98

ProCurve(config)# show port-access config

 Port Access Status Summary

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes

        Supplicant  Authenticator  Web Auth  Mac Auth
  Port  Enabled     Enable[...]

  • Page 99

Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN's name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either "100" or "vlan100"[...]

  • Page 100

Configuring the Switch To Access a RADIUS Server. (Accepted MAC address spellings, continued:) aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, AABBCCDDEEFF, AABBCC-DDEEFF, AA-BB-CC-DD-EE-FF, AA:BB:CC:DD:EE:FF. ■ If the device is a switch or other VLAN-capable device, use the base MAC address assigned to the device, and not the MAC address assigned to the VLAN through which the de[...]
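The list of MAC address spellings above matters because the RADIUS user entry has to be written in exactly the form the switch emits under its configured addr-format; a correct MAC in the wrong delimiter or case simply fails authentication with nothing in the logs to explain why. The following Python is an added example, not code from the manual or from HP. It assumes the addr-format keywords of the aaa port-access mac-based addr-format command are no-delimiter, single-dash, multi-dash and multi-colon with -uppercase variants (they are not listed on this page), and that MAC authentication presents the MAC as both username and password, which is how the chapter's RADIUS setup step describes it; both are assumptions of the example.

```python
import re

# Assumed addr-format keyword names (not listed on this page); each also has
# an "-uppercase" variant.
FORMATS = ("no-delimiter", "single-dash", "multi-dash", "multi-colon")


def parse_mac(text: str) -> str:
    """Accept aabbccddeeff, aabbcc-ddeeff, aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff
    in either case and return 12 lowercase hex digits; reject anything else."""
    digits = re.sub(r"[-:]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def format_mac(digits: str, addr_format: str) -> str:
    """Render canonical digits exactly as the switch will send them to RADIUS."""
    upper = addr_format.endswith("-uppercase")
    base = addr_format[:-len("-uppercase")] if upper else addr_format
    if base not in FORMATS:
        raise ValueError(f"unknown addr-format {addr_format!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    layout = {
        "no-delimiter": digits,
        "single-dash": digits[:6] + "-" + digits[6:],
        "multi-dash": "-".join(pairs),
        "multi-colon": ":".join(pairs),
    }[base]
    return layout.upper() if upper else layout


def radius_user_entries(macs, addr_format: str):
    """(username, password) pairs to load on the RADIUS server. MAC auth sends
    the MAC as both values (assumption stated in the lead-in), so both must be
    spelled the way the switch formats them."""
    return [(format_mac(parse_mac(m), addr_format),) * 2 for m in macs]


def entry_matches_switch_format(entry: str, addr_format: str) -> bool:
    """True if an existing RADIUS username will match what the switch sends.
    A same-MAC entry in another spelling (e.g. uppercase vs lowercase)
    silently fails authentication."""
    try:
        return format_mac(parse_mac(entry), addr_format) == entry
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a mixed-spelling inventory export and one stale entry.
    inventory = ["AA:BB:CC:DD:EE:FF", "0010b5-891a9e"]
    print(radius_user_entries(inventory, "multi-dash"))
    print(entry_matches_switch_format("AABBCC-DDEEFF", "single-dash"))  # False
```

The check is worth running on the server's existing user file whenever the switch-side addr-format is changed: every entry that returns False is a device that will stop authenticating after the change.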

  • Page 101

Syntax: [no] radius-server [host <ip-address>]. Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (Re[...]

  • Page 102

Configuring Web Authentication. Overview. 1. If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authenticat[...]

  • Page 103

Configuration Commands for Web Authentication (Command / Page). Configuration Level: aaa port-access <port-list> controlled-directions <both | in> 3-20; [no] aaa port-access web-based <port-list> 3-22; [auth-vid] 3-22; [clear-statistics] 3-22; [client-limit] 3-22; [client-moves[...]

  • Page 104

Syntax: aaa port-access <port-list> controlled-directions <both | in>. After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-directions command to configure how a port transmits traffic before it successfully authenticate[...]

  • Page 105

Syntax: aaa port-access <port-list> controlled-directions <both | in> — Continued — Notes: ■ For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, "Multiple Instance Spanning-Tree Op[...]

  • Page 106

Syntax: [no] aaa port-access web-based <port-list>. Enables web-based authentication on the specified ports. Use the no form of the command to disable web-based authentication on the specified ports. Syntax: aaa port-access web-based <port-list> [auth-vid <[...]

  • Page 107

Syntax: aaa port-access web-based <port-list> [client-moves]. Configures whether the client can move between ports. Default: Disabled. Syntax: aaa port-access web-based [dhcp-addr <ip-address/mask>]. Specifies the base address/mask for the temporary IP pool used by DHCP. The[...]

  • Page 108

Syntax: aaa port-access web-based <port-list> [max-retries <1-10>]. Specifies the number of times a client can enter their user name and password before authentication fails. This allows the reentry of the user name and password if necessary. (Default: 3) Synt[...]

  • Page 109

Syntax: aaa port-access web-based <port-list> [redirect-url <url>]; no aaa port-access web-based <port-list> [redirect-url]. Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome[...]

  • Page 110

Show Commands for Web Authentication (Command / Page): show port-access web-based [port-list] 3-26; show port-access web-based clients [port-list] 3-27; show port-access web-based clients <port-list> detailed 3-28; show port-access web-based config [port-list] 3-29; show port-access w[...]

  • Page 111

ProCurve(config)# show port-access web-based

 Port Access Web-Based Status

        Auth     Unauth   Untagged  Tagged                    Port   % In   RADIUS
  Port  Clients  Clients  VLAN      VLANs   COS       Limit  ACL
  ----- -------- -------- --------  ------  --------  ------ ------
  1     1        1        4006      Yes     70000000  100    Yes
  2     2        0        MACbased  No      Yes       Yes    Yes
  3 [...]

  • Page 112

ProCurve(config)# show port-access web-based clients 1 detailed

 Port Access Web-Based Client Status Detailed

  Client Base Details :
   Port              : 1
   Session Status    : authenticated
   Session Time(sec) : 6
   Username          : webuser1
   MAC Address       : 0010b5-891a9e
   IP                : n/a

  Access Policy Details :
   COS Map           : 12345678[...]

  • Page 113

Syntax: show port-access web-based config [port-list]. Displays the currently configured Web Authentication settings for all switch ports or specified ports, including: • Temporary DHCP base address and mask • Support for RADIUS-assigned dynamic VLANs (Yes or No) • Controlled[...]

  • Page 114

Syntax: show port-access web-based config <port-list> detailed. Displays more detailed information on the currently configured Web Authentication settings for specified ports. ProCurve(config)# show port-access web-based config 1 detailed. Port Access Web-Based Detailed Configur[...]

  • Page 115

Syntax: show port-access web-based config [port-list] auth-server. Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period • Number of timeouts supporte[...]

  • Page 116

Configuring MAC Authentication on the Switch. Overview. 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that[...]

  • Page 117

Configuration Commands for MAC Authentication (Command / Page). Configuration Level: aaa port-access mac-based addr-format 3-33; [no] aaa port-access mac-based [e] <port-list> 3-34; [addr-limit] 3-34; [addr-moves] 3-34; [auth-vid] 3-34; [logoff-period] 3-35; [max-requests] [...]

  • Page 118

Syntax: [no] aaa port-access mac-based <port-list>. Enables MAC-based authentication on the specified ports. Use the no form of the command to disable MAC-based authentication on the specified ports. Syntax: aaa port-access mac-based [e] <port-list> [addr-l[...]

  • Page 119

Syntax: aaa port-access mac-based [e] <port-list> [logoff-period <60-9999999>]. Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switc[...]

  • Page 120

Syntax: aaa port-access mac-based [e] <port-list> [unauth-vid <vid>]; no aaa port-access mac-based [e] <port-list> [unauth-vid]. Specifies the VLAN to use for a client that fails authentication. If unauth-vid is 0, no VLAN changes occur. Use the no[...]

  • Page 121

ProCurve(config)# show port-access mac-based

 Port Access MAC-Based Status

        Auth     Unauth   Untagged  Tagged                    Port   % In   RADIUS
  Port  Clients  Clients  VLAN      VLANs   COS       Limit  ACL
  ----  -------  -------  --------  ------  ---[...]

  • Page 122

Syntax: show port-access mac-based clients <port-list> detailed. Displays detailed information on the status of MAC-authenticated client sessions on specified ports. ProCurve(config)# show port-access mac-based clients 1 detailed. Port Access MAC-Based Client Status [...]

  • Page 123

Syntax: show port-access mac-based config [port-list]. Displays the currently configured MAC Authentication settings for all switch ports or specified ports, including: • MAC address format • Support for RADIUS-assigned dynamic VLANs (Yes or No) • Controlled dire[...]

  • Page 124

Syntax: show port-access mac-based config <port-list> detailed. Displays more detailed information on the currently configured MAC Authentication settings for specified ports. ProCurve(config)# show port-access mac-based config 1 detailed. Port Access MAC-Based Detai[...]

  • Page 125

Syntax: show port-access mac-based config [port-list] auth-server. Displays the currently configured MAC Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period • Number of ti[...]

  • Page 126

Client Status. The table below shows the possible client status information that may be reported by a Web-based or MAC-based 'show ... clients' command.
Reported Status | Available Network Connection | Possible Explanations
authenticated | Authorized VLAN | Client authenticated. Remains connected until logoff[...]

  • Page 127

4 TACACS+ Authentication. Contents: Overview 4-2; Terminology Used in TACACS Applications 4-3; General System Requirements 4-5; General Auth[...]

  • Page 128

TACACS+ Authentication: Overview.
Feature | Default | Menu | CLI | Web
view the switch's authentication configuration | n/a | — | page 4-9 | —
view the switch's TACACS+ server contact configuration | n/a | — | page 4-10 | —
configure the switch's authentication methods | disabled | — | page 4-11 | —
configure the switch to contact TACACS+ server([...]

  • Page 129

Terminology Used in TACACS Applications. (continued) TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (rea[...]

  • Page 130

everyone who needs to access the switch, and you must configure and manage password protection on a per-switch basis. (For more on local authentication, refer to chapter 2, "Configuring Username and Password Security".) • TACACS+ Authentication: This method enables you to[...]

  • Page 131

General System Requirements. To use TACACS+ authentication, you need the following: ■ A TACACS+ server application installed and configured on one or more servers or management stations in your network. (There are several TACACS+ software packages available.) ■ A switch configured for [...]

  • Page 132

General Authentication Setup Procedure. Note: If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see "Troubleshooting TACACS+ Operation" in the Troubleshooting chapter of the Management and Configuration Guide for your switch. 1. Familiarize yourself with the requirements fo[...]

  • Page 133

If you are a first-time user of the TACACS+ service, ProCurve recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment. After you have success with the minimum feature set, you may then want to[...]

  • Page 134

Configuring TACACS+ on the Switch. Before You Begin. If you are new to TACACS+ authentication, ProCurve recommends that you read the "General Authentication Setup Procedure" on page 4-5 and configure your TACACS+ server(s) before configuring authentication on the switch. The switch[...]

  • Page 135

CLI Commands Described in this Section (Command / Page): show authentication 4-9; show tacacs 4-10; aaa authentication 4-11 through 4-17 (console, Telnet, num-attempts <1-10>); tacacs-server 4-18 (host <ip-addr> 4-18; key 4-22; timeout <1-255> 4-23). Viewing the Switch's Curren[...]

  • Page 136

Viewing the Switch's Current TACACS+ Server Contact Configuration. This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. Syntax: show tacacs. For example, if the switch was configured for a [...]

  • Page 137

Configuring the Switch's Authentication Methods. The aaa authentication command configures access control for the following access methods: ■ Console ■ Telnet ■ SSH ■ Web ■ Port-access (802.1X). However, TACACS+ authentication is only used with the console, Telnet, or SS[...]

  • Page 138

Syntax: aaa authentication <console | telnet | ssh | web | port-access>. Selects the access method for configuration. <enable>: The server grants privileges at the Manager privilege level. <login [privilege-mode]>: The server grants privileges at the Operator privilege l[...]

  • Page 139

Authentication Parameters. Table 4-1. AAA Authentication Parameters.
Name | Default | Range | Function
console, Telnet, SSH, web or port-access | n/a | n/a | Specifies the access method used when authenticating. TACACS+ authentication only uses the console, Telnet or SSH access methods.[...]

  • Page 140

numbers 0 through 15, with zero allowing only Operator privileges (and requiring two logins) and 15 representing root privileges. The root privilege level is the only level that will allow Manager level access on the switch. Figure 4-4. Advanced TACACS+ Settings Section of the TACACS[...]

  • Page 141

Figure 4-5. The Shell Section of the TACACS+ Server User Setup. As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch's console port. However, for Telnet access, you can configure TACACS+ to deny access if a[...]

  • Page 142

Table 4-2. Primary/Secondary Authentication Table.
Access Method and Privilege Level | Primary | Secondary | Effect on Access Attempts
Console, Login | local | none* | Local username/password access only.
Console, Login | tacacs | local | If TACACS+ server unavailable, uses local username/passw[...]

  • Page 143

For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve(config)# aaa authentication console login tacacs local. Console Enable (Manager or R[...]
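The point of Table 4-2 that is easy to get wrong when writing aaa authentication ... tacacs local is that the secondary method is only consulted when no TACACS+ server can be reached; a server that answers and rejects the credentials ends the attempt, and the local password is never tried. The following Python is an added example that models that decision, not code from the manual or from HP: the server ordering (first-choice, then backups, first server that answers decides), the num-attempts limit described later in this chapter, and the sample servers, credentials and reachability flags are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class TacacsServer:
    """Constructed stand-in for one tacacs-server host entry."""
    ip: str
    reachable: bool
    users: dict  # username -> password held on the server (constructed)

    def authenticate(self, user: str, pw: str):
        """None means the server could not be contacted; True/False is its verdict."""
        if not self.reachable:
            return None
        return self.users.get(user) == pw


@dataclass
class Switch:
    servers: list          # first-choice server first, then up to two backups
    local_users: dict      # the switch's own username/password pairs
    num_attempts: int = 3  # aaa authentication num-attempts (default 3)

    def tacacs_verdict(self, user: str, pw: str):
        # Assumption: the first server that answers decides; later servers are
        # only tried when earlier ones are unreachable.
        for server in self.servers:
            verdict = server.authenticate(user, pw)
            if verdict is not None:
                return verdict
        return None  # every configured server unavailable

    def login(self, primary: str, secondary: str, user: str, pw: str):
        """Resolve one aaa authentication <method> login <primary> <secondary> try.
        Returns (granted, reason)."""
        if primary == "local":
            return self.local_users.get(user) == pw, "local"
        verdict = self.tacacs_verdict(user, pw)
        if verdict is True:
            return True, "tacacs accept"
        if verdict is False:
            # A reachable server's rejection is final: no fallback to local.
            return False, "tacacs reject"
        if secondary == "local":
            return self.local_users.get(user) == pw, "tacacs unavailable, local"
        return False, "tacacs unavailable, no secondary"

    def session(self, primary: str, secondary: str, attempts):
        """One login session: at most num-attempts tries, then the switch
        terminates the session and the operator must reconnect."""
        for i, (user, pw) in enumerate(attempts):
            if i >= self.num_attempts:
                break
            granted, reason = self.login(primary, secondary, user, pw)
            if granted:
                return True, reason
        return False, "no successful attempt; session terminated"


if __name__ == "__main__":
    down = TacacsServer("10.28.227.15", False, {"ops": "tacpw"})   # constructed
    up = TacacsServer("10.28.227.104", True, {"ops": "tacpw"})     # constructed
    sw = Switch([down, up], {"ops": "localpw"})
    print(sw.login("tacacs", "local", "ops", "localpw"))   # rejected by the backup
    print(Switch([down], {"ops": "localpw"}).login("tacacs", "none", "ops", "localpw"))
```

The last line is the lockout case the chapter's Note warns about: with tacacs none on Telnet and every server down, nobody gets in remotely, which is why the console (always reachable locally) or a local secondary should remain as the way back in.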

  • Page 144

Configuring the Switch's TACACS+ Server Access. The tacacs-server command configures these parameters: ■ The host IP address(es) for up to three TACACS+ servers; one first-choice and up to two backups. Designating backup servers provides for a continuation of authentication service[...]

  • Page 145

tacacs-server key <key-string>: Enters the optional global encryption key. [no] tacacs-server key: Removes the optional global encryption key. (Does not affect any server-specific encryption key assignments.) tacacs-server timeout <1-255>: Changes the wait period for a TACACS s[...]

  • Page 146

Name | Default | Range
host <ip-addr> [key <key-string>] | none | n/a: Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key. For more o[...]

  • Page 147

key <key-string> | none (null) | n/a: Specifies the optional, global "encryption key" that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any "per-server" encryption keys you assign, [...]

  • Page 148

The "10" server is now the "first-choice" TACACS+ authentication device. Figure 4-7. Example of the Switch After Assigning a Different "First-Choice" Server. To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-serv[...]

  • Page 149

To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would u[...]
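Two things in the key configuration above are worth seeing in working code: which key the switch ends up using for a given server (a per-server key overrides the global one, and re-entering tacacs-server host without key drops the per-server key back to the global), and what the "encryption" actually is. TACACS+ does not encrypt the packet body with a cipher; it XORs the body with a pseudo-random pad derived by chaining MD5 over the session ID, the key, the version and the sequence number (RFC 8907 section 4.5). The Python below is an added example, not code from the manual or from HP, and the session ID, version byte and body bytes are constructed values.

```python
import hashlib


def select_tacacs_key(host: str, per_server_keys: dict, global_key):
    """Key the switch uses for one server: a per-server key given on
    'tacacs-server host <ip> key <k>' wins, otherwise the global
    'tacacs-server key <k>'. No key at all means the body goes unobfuscated,
    which this example refuses."""
    key = per_server_keys.get(host) or global_key
    if not key:
        raise ValueError(f"no encryption key configured for {host}")
    return key


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id||key||version||seq_no),
    MD5_n = MD5(session_id||key||version||seq_no||MD5_{n-1}); the digests are
    concatenated and truncated to the body length."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(body: bytes, session_id: int, key: bytes,
                   version: int = 0xC0, seq_no: int = 1) -> bytes:
    """body XOR pad. XOR is its own inverse, so the same call with the same
    key, session ID and sequence number recovers the body; a wrong key on
    either side yields garbage that the peer fails to parse."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


if __name__ == "__main__":
    # Constructed switch configuration: one per-server key, one global key.
    per_server = {"10.28.227.104": "north01"}
    key = select_tacacs_key("10.28.227.104", per_server, "globalkey")
    body = b"\x01\x00\x01\x01\x00\x00\x00\x00\x04ops"   # constructed START body
    wire = obfuscate_body(body, 0x12345678, key.encode())
    print(wire.hex())
    print(obfuscate_body(wire, 0x12345678, key.encode()) == body)
```

Because the pad depends only on the key and per-packet header fields, anyone who captures the traffic and guesses the key can strip the obfuscation offline; treat the key as a password of real strength and keep TACACS+ traffic on a management network rather than relying on the obfuscation alone.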

  • Page 150

How Authentication Operates. General Authentication Process Using a TACACS+ Server. Authentication through a TACACS+ server operates generally as described below. For specific operating details, refer to the documentation you received with your TACACS+ server application. ProCurve Switch Configu[...]

  • Page 151

4. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs: • If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the serv[...]

  • Page 152

attempt limit without a successful authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again. Note: The switch's menu allows you to configure only the local Operator and Manager passwords, and not any user[...]

  • Page 153

Controlling Web Browser Interface Access When Using TACACS+ Authentication. (continued) in the switch must be identical to the encryption key configured in the corresponding TACACS+ server. If the key is the same for all TACACS+ servers the switch will use for authentication, then configure a global key in the switch. If the key i[...]

  • Page 154

■ Configure the switch's Authorized IP Manager feature to allow web browser access only from authorized management stations. (The Authorized IP Manager feature does not interfere with TACACS+ operation.) ■ Disable web browser access to the switch by going to the System Infor[...]

  • Page 155

Operating Notes. ■ If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized manager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP Manager controls configu[...]

  • Page 156


  • Page 157

5 RADIUS Authentication and Accounting. Contents: Overview 5-3; Authentication Services 5-3; Accounting Services [...]

  • Page 158

Additional RADIUS Attributes 5-34; Configuring RADIUS Accounting 5-35; Operating Rules for RADIUS Accounting 5-37; Steps for Configuring[...]

  • Page 159

RADIUS Authentication and Accounting: Overview.
Feature | Default | Menu | CLI | Web
Configuring RADIUS Authentication | None | n/a | 5-8 | n/a
Configuring RADIUS Accounting | None | n/a | 5-35 | n/a
Configuring RADIUS Authorization | None | n/a | 5-26 | n/a
Viewing RADIUS Statistics | n/a | n/a | 5-43 | n/a
RADIUS (Remote Authentication Dial-In User Service) enables you to[...]

  • Page 160

Note: The switch does not support RADIUS security for SNMP (network management) access. For information on blocking access through the web browser interface, refer to "Controlling Web Browser Interface Access" on page 5-25. Accounting Services. RADIUS accounting on the switch collects resourc[...]

  • Page 161

Terminology. AAA: Authentication, Authorization, and Accounting groups of services provided by the carrying protocol. CHAP (Challenge-Handshake Authentication Protocol): A challenge-response authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to compute (hash, not encrypt) a response to a [...]

  • Page 162

Shared Secret Key: A text value used to hide the User-Password attribute and to authenticate RADIUS packets (RADIUS does not encrypt the packet as a whole). Both the RADIUS client and the RADIUS server have a copy of the key, and the key is never transmitted across the network. Vendor-Specific Attribute: A vendor-defined value configured in a RADIUS s[...]
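The two Terminology entries above (CHAP and the shared secret) describe the only cryptography in classic RADIUS, and both are MD5 constructions rather than encryption, which is why the shared secret's strength and the network path between switch and server matter so much. The Python below is an added example, not code from the manual or from HP: it implements RFC 2865 User-Password hiding with the shared secret and Request Authenticator, the CHAP-Password response, and the Response Authenticator the switch checks on an Access-Accept. The secret, authenticator and password bytes are constructed for the example.

```python
import hashlib


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks, then
    c_i = p_i XOR MD5(secret || c_{i-1}), with the 16-byte Request
    Authenticator standing in for c_0. Keyed obfuscation, not authenticated
    encryption: a captured packet plus a guessed secret reveals the password."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side of the same operation; the NUL padding is stripped, so a
    password that itself ends in NUL bytes is not representable here."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += bytes(x ^ b for x, b in zip(c, _md5(secret, prev)))
        prev = c
    return bytes(out).rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: MD5(id || password || challenge). The server
    recomputes it, so it must hold the cleartext password for the user."""
    return _md5(bytes([chap_id]), password, challenge)


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes
    || Secret). The switch recomputes this before trusting an Access-Accept,
    which is what stops a forged reply from a host that lacks the secret."""
    length = 20 + len(attributes)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return _md5(header, request_authenticator, attributes, secret)


if __name__ == "__main__":
    ra = bytes(range(16))                       # constructed Request Authenticator
    hidden = hide_user_password(b"webuser1pass", b"north01", ra)
    print(hidden.hex())
    print(reveal_user_password(hidden, b"north01", ra))
    print(chap_response(1, b"webuser1pass", b"challenge").hex())
```

The Request Authenticator must be fresh and unpredictable per request: reusing it with the same secret produces the same keystream, so two hidden passwords XOR to the XOR of the plaintexts.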

  • Page 163

General RADIUS Setup Procedure. Preparation: 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring the switch, collect th[...]

  • Page 164

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.) • Determine whether you want to bypass a R[...]

  • Page 165

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following • Serial port • Telnet • S [...]

  • Page 166

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Timeout Period: The timeout period the switch waits for a RADIUS server to reply. (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS authentication request. (Defau[...]

  • Page 167

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication ure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail. Syntax: aaa authentication < console | telnet | ssh | web | < enable | login <local | rad[...]

  • Page 168

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-2 shows an example of the show authentication command displaying authorized as the secondary authentication method for port-access, Web-auth access, and MAC-auth access. Since the configuration of authorized means no authentication will be perfo[...]

  • Page 169

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-3. Example Configuration for RADIUS Authentication The switch now allows Telnet and SSH authentication only through RADIUS. Note: The Webui access task shown in this figure is available only on the switches covered in this guide. Note If you config[...]

  • Page 170

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication this default behavior for clients with Enable (manager) access. That is, with privilege-mode enabled, the switch immediately allows Enable (Manager) access to a client for whom the RADIUS server specifies this access level. Syntax: [no] aaa authentication [...]

  • Page 171

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 5-[...]

  • Page 172

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication [key < key-string > ] Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified serv[...]

  • Page 173

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-4. Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 5-4, you would do the following: Changes the key for the existing server to “source0127” (step 1, above). Adds t[...]

  • Page 174

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication ■ Global server key: The server key the switch will use for contacts with all RADIUS servers for which there is not a server-specific key configured by radius-server host < ip-address > key < key-string >. This key is optional if you configure a [...]

  • Page 175

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server timeout < 1 - 15 > Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure. (Default: 3 seconds; Range: 1 - 15 seconds) radius-server retransmit < 1 - 5 > If a RA[...]

  • Page 176

RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication After two attempts failing due to username or password entry errors, the switch will terminate the session. Global RADIUS parameters from figure 5-6. These two servers will use the global encryption key. Server-specific encryption key for the RADIUS serve[...]

  • Page 177

Security Notes RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features Using SNMP To View and Configure Switch Authentication Features SNMP MIB object access is available for switch authentication configuration (hpSwitchAuth) features. This means that the switches covered by this Guide allow, [...]

  • Page 178

RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features Changing and Viewing the SNMP Access Configuration Syntax: snmp-server mib hpswitchauthmib < excluded | included > included: Enables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MI[...]

  • Page 179

RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features An alternate method of determining the current Authentication MIB access state is to use the show run command. ProCurve(config)# show run Running configuration: ; J8715A Configuration Editor; Created on release #W.14.XX hostname "ProCurve"[...]

  • Page 180

RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: ■ Local is the authentication option for the access method being used. ■ The switch has been configured to query one or m[...]

  • Page 181

RADIUS Authentication and Accounting Controlling Web Browser Interface Access Controlling Web Browser Interface Access To help prevent unauthorized access through the web browser interface, do one or more of the following: ■ Configure the switch to support RADIUS authentication for web browser interface access (See chapter 3, “Web and MAC [...]

  • Page 182

RADIUS Authentication and Accounting Commands Authorization Commands Authorization The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information (from the user’s profile) to the Network Access Server (NAS). A[...]

  • Page 183

RADIUS Authentication and Accounting Commands Authorization Enabling Authorization To configure authorization for controlling access to the CLI commands, enter this command at the CLI. Syntax: [no] aaa authorization <commands> <radius | none> Configures authorization for controlling access to CLI commands. When enabled, the switch [...]

  • Page 184

RADIUS Authentication and Accounting Commands Authorization Displaying Authorization Information You can show the authorization information by entering this command: Syntax: show authorization Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server duri[...]

  • Page 185

RADIUS Authentication and Accounting Commands Authorization The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below. HP-Command-String HP-Command-Exception Description Not present Not present If command authorization is enabled and the RADIUS server does not provide any authorization[...]

  • Page 186

RADIUS Authentication and Accounting Commands Authorization Example Configuration on Cisco Secure ACS for MS Windows It is necessary to create a dictionary file that defines the VSAs so that the RADIUS server application can determine which VSAs to add to its user interface. The VSAs will appear below the standard attributes that can be con[...]

  • Page 187

RADIUS Authentication and Accounting Commands Authorization Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList 2. Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the utils directory wherever acs is installed). 3. From the command prompt execute the following comma [...]

  • Page 188

RADIUS Authentication and Accounting Commands Authorization 6. Right click and then select New > key. Add the vendor Id number that you determined in step 4 (100 in the example). 7. Restart all Cisco services. 8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select[...]

  • Page 189

RADIUS Authentication and Accounting Commands Authorization # # dictionary.hp # # As posted to the list by User <user_email> # # Version: $Id: dictionary.hp, v 1.0 2006/02/23 17:07:07 # VENDOR Hp 11 # HP Extensions ATTRIBUTE Hp-Command-String 2 string Hp ATTRIBUTE Hp-Command-Exception 3 integer Hp # Hp-Command-Exception Attribute Values VAL[...]

  • Page 190

RADIUS Authentication and Accounting Commands Authorization Additional RADIUS Attributes The following attributes are included in Access-Request and Access-Accounting packets sent from the switch to the RADIUS server to advertise switch capabilities, report information on authentication sessions, and dynamically reconfigure authenticatio[...]

  • Page 191

RADIUS Authentication and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Commands Page [no] radius-server host < ip-address > 5-38 [acct-port < port-number >] 5-38 [key < key-string >] 5-38 [no] aaa accounting < exec | network | system | commands > 5-41 < start-stop | stop-only[...]

  • Page 192

RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Exec accounting: Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch: • Acct-Authentic • Acct-Status-Type • NAS-Identifier • Acct-Delay-Time • Acct-Terminate-Cause • NAS-IP-Address • Acct-Sess[...]

  • Page 193

RADIUS Authentication and Accounting Configuring RADIUS Accounting Operating Rules for RADIUS Accounting ■ You can configure up to four types of accounting to run simultaneously: exec, system, network, and commands. ■ RADIUS servers used for accounting are also used for authentication. ■ The switch must be configured to access at least[...]

  • Page 194

RADIUS Authentication and Accounting Configuring RADIUS Accounting must match the encryption key used on the specified RADIUS server. For more information, refer to the “[key < key-string >]” parameter on page 5-15. (Default: null) 2. Configure accounting types and the controls for sending reports to the RADIUS server. • Accoun[...]

  • Page 195

RADIUS Authentication and Accounting Configuring RADIUS Accounting [key < key-string >] Optional. Specifies an encryption key for use during accounting or authentication sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different [...]

  • Page 196

RADIUS Authentication and Accounting Configuring RADIUS Accounting The radius-server command as shown in figure 5-11, above, configures the switch to use a RADIUS server at IP address 10.33.18.151, with a (non-default) UDP accounting port of 1750, and a server-specific key of “source0151”. 2. Configure Accounting Types and the Controls [...]

  • Page 197

RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Stop-Only: • Send a stop record accounting notice at the end of the accounting session. The notice includes the latest data the switch has collected for the requested accounting type (Network, Exec, Commands, or System). • Do not wait for an acknowledgment. The system opt[...]

  • Page 198

RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additional control over accounting data. ■ Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic acc[...]

  • Page 199

RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configure[...]

  • Page 200

RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-15. RADIUS Server Information From the Show Radius Host Command Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server. PendingRequests The number of RAD[...]

  • Page 201

RADIUS Authentication and Accounting Viewing RADIUS Statistics Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions. Term Definition AccessChallenges The number of RADIUS Access-Challenge packets (valid or invalid) received from this server. AccessAccepts The number of RADIUS Access-Accept packe[...]

  • Page 202

RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-17. Example of RADIUS Authentication Information from a Specific Server RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppression status, accounting types, methods, and modes. show radius accounting Lists accou[...]

  • Page 203

RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-19. Example of RADIUS Accounting Information for a Specific Server Figure 5-20. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their [...]

  • Page 204

RADIUS Authentication and Accounting Changing RADIUS-Server Access Order RADIUS server IP addresses listed in the order in which the switch will try to access them. In this case, the server at IP address 1.1.1.1 is first. Note: If the switch successfully accesses the first server, it does not try to access any other servers in the list, even [...]

  • Page 205

RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Removes the “003” and “001” addresses from the RADIUS server list. Inserts the “003” address in the first position in the RADIUS server list, and inserts the “001” address in the last position in the list. Shows the new order in which the switch searches for[...]

  • Page 206

RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is acces[...]

  • Page 207

6 Configuring RADIUS Server Support for Switch Services Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 RADIUS Server Configuration for Viewing the Currently Active Per-Port CoS and Rate-Limiting Contrasting Dynamic (RADIUS-Assigned) and How a RADIUS Server Applie[...]

  • Page 208

Configuring RADIUS Server Support for Switch Services Contents Configuring the Switch To Support RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23 Displaying the Current RADIUS-Assigned ACL Activity Causes of Client Deauthentication Immediately on the Switch . . [...]

  • Page 209

Configuring RADIUS Server Support for Switch Services Overview Overview This chapter provides information that applies to setting up a RADIUS server to configure the following switch features on ports supporting RADIUS-authenticated clients: ■ CoS ■ Rate-Limiting ■ ACLs Optional Network Management Applications. Per-port CoS and rate-li[...]

  • Page 210

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting This section provides general guidelines for configuring a RADIUS server to dynamically apply CoS (Class of Service) and Rate-Li[...]

  • Page 211

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Service Control Method and Operating Notes: Rate-Limiting on Vendor-Specific Attribute configured in the RADIUS server. inbound traffic ProCurve (HP) vendor-specific ID:11 This feature assigns a VSA: 46 (integer[...]

  • Page 212

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Table 6-2. Examples of Assigned and Applied Rate Limits RADIUS-Assigned Bandwidth (Kbps) Applied Increments Applied Rate Limit (Kbps) Difference/Kbps 5,250 100 Kbps 5,200 50 50,250 1 Mbps 50,000 250 Kbps 51,000 [...]

  • Page 213

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Syntax: show port-access authenticator [port-list] show rate-limit all show qos port-priority These commands display the CoS and Rate-Limiting settings specified by the RADIUS server used to grant authentication[...]

  • Page 214

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting ProCurve(config)# show qos port-priority Port priorities Port Apply rule | DSCP Priority Radius Override ---- ----------- + ------ ----------- --------------- B1 Priority | 3 No-override B2 No-override | No-overri[...]

  • Page 215

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuring and Using RADIUS-Assigned Access Control Lists Introduction A RADIUS-assigned ACL is configured on a RADIUS server and dynamically assigned by the server to filter traffic entering the switch through a specific port af[...]

  • Page 216

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists • RADIUS-assigned ACL: dynamic ACL assigned to a port by a RADIUS server to filter inbound traffic from an authenticated client on that port An ACL can be configured on an interface as a static port ACL. (RADIUS-assigned ACLs a[...]

  • Page 217

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Permit: An ACE configured with this action allows the switch to forward an inbound packet for which there is a match within an applicable ACL. Permit Any Any: An abbreviated form of permit in ip from any to any, which permits any i[...]

  • Page 218

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Overview of RADIUS-Assigned, Dynamic ACLs RADIUS-assigned ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources and to the sw[...]

  • Page 219

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note A RADIUS-assigned ACL assignment filters all inbound IP traffic from an authenticated client on a port, regardless of whether the client’s IP traffic is to be switched or routed. RADIUS-assigned ACLs can be used either with or[...]

  • Page 220

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists RADIUS-assigned ACLs Static Port ACLs Allows one RADIUS-assigned ACL per authenticated client on a port. (Each such ACL filters traffic from a different, authenticated client.) Note: The switch provides ample resources for supporting[...]

  • Page 221

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists the same username/password pair. Where the client MAC address is the selection criteria, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL[...]

  • Page 222

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 3. Configure the ACLs on a RADIUS server accessible to the intended clients. 4. Configure the switch to use the desired RADIUS server and to support the desired client authentication scheme. Options include 802.1X, Web authenticat[...]

  • Page 223

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Operating Rules for RADIUS-Assigned ACLs ■ Relating a Client to a RADIUS-Assigned ACL: A RADIUS-assigned ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should ex[...]

  • Page 224

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Elements in a RADIUS-assigned ACL Configuration. A RADIUS-assigned ACL configuration in a RADIUS server has the following elements: ■ vendor and ACL identifiers: • ProCurve (HP) Vendor-Specific ID: 11 • Vendor-Specific At[...]

  • Page 225

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuring ACE Syntax in RADIUS Servers The following syntax and operating information applies to ACLs configured in a RADIUS server. ACE Syntax Nas-filter-Rule=”< permit | deny > in <ip | ip-protocol-value > from[...]

  • Page 226

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists any: • Specifies any IPv4 destination address if one of the following is true: – the ACE uses the standard attribute (Nas-filter-Rule). For example: Nas-filter-Rule=”permit in tcp from any to any 23” Nas-filter-Rule+=”p[...]

  • Page 227

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 1. Enter the ACL standard attribute in the FreeRADIUS dictionary.rfc4849 file. ATTRIBUTE Nas-FILTER-Rule 92 2. Enter the switch IP address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file.[...]

  • Page 228

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 1. Enter the ProCurve vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file: VENDOR HP 11 ProCurve (HP) Vendor-Specific ID BEGIN-VENDOR HP ATTRIBUTE HP-IP-FILTER-RAW 61 STRING END-VENDOR HP ProCurve (HP) Vendor-Spec[...]

  • Page 229

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note For syntax details on RADIUS-assigned ACLs, refer to the next section, “Format Details for ACEs Configured in a RADIUS-Assigned ACL”. Client’s Username (802.1X or Web Authentication) Client’s Password (802.1X or Web [...]

  • Page 230

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuration Notes Explicitly Permitting Any IP Traffic. Entering a permit in ip from any to any (permit any any) ACE in an ACL permits all IP traffic not previously permitted or denied by that ACL. Any ACEs listed after that point [...]

  • Page 231

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note Refer to the documentation provided with your RADIUS server for information on how the server receives and manages network accounting information, and how to perform any configuration steps necessary to enable the server [...]

  • Page 232

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Displaying the Current RADIUS-Assigned ACL Activity on the Switch These commands output data indicating the current ACL activity imposed per-port by RADIUS server responses to client authentication. Syntax: show access-list radiu[...]

  • Page 233

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Syntax: show port-access authenticator < port-list > For ports, in < port-list > that are configured for authentication, this command indicates whether there are any RADIUS-assigned features active on the port(s). (Any [...]

  • Page 234

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists ProCurve(config)# show port-access authenticator 2-3 Port Access Authenticator Status Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Auth Unauth Untagged Tagged Kbps In RADIUS Cntrl [...]

  • Page 235

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Event Log Messages Message Meaning ACE parsing error, permit/deny keyword < ace-# > client < mac-address > port < port-# >. Could not add ACL entry. Could not create ACL entry. Could not add ACL, client mac < mac-[...]

  • Page 236

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Message Meaning Invalid Access-list entry length, Notifies that the string configured for an ACE entry on the client < mac-address > port < port-# >. Radius server exceeds 80 characters. Memory allocation failure for IDM[...]

  • Page 237

    7 Configuring Secure Shell (SSH) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Page 238

Configuring Secure Shell (SSH) Overview Overview Feature Default Menu CLI Web Generating a public/private key pair on the switch No n/a page 7-9 n/a Using the switch’s public key n/a n/a page 7-12 n/a Enabling SSH Disabled n/a page 7-15 n/a Enabling client public-key authentication Disabled n/a pages 7-20, n/a 7-23 Enabling user authentication [...]

  • Page 239

Configuring Secure Shell (SSH) Terminology Switch SSH and User Password Authentication. This option is a subset of the client public-key authentication shown in figure 7-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key. As in figure 7-1, the switch aut[...]

  • Page 240

Configuring Secure Shell (SSH) Prerequisite for Using SSH ■ Local password or username: A Manager-level or Operator-level password configured in the switch. ■ SSH Enabled: (1) A public/private key pair has been generated on the switch (generate ssh [dsa | rsa]) and (2) SSH is enabled (ip ssh). (You can generate a key pair without e[...]

  • Page 241

Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 7-1. SSH Options Switch Access Level Primary SSH Authenti[...]

  • Page 242

Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 7-8). 2. Generate a public/private key pair on the switch (page 7-9). You need to do this only once. The key remains in the switch even if [...]

  • Page 243

Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 client key pairs. ■ The switch’s own public/private key pair and the (optional) client public key file are stored in the switch’s f[...]

  • Page 244

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 7-18 [keylist-str] [< babble | fingerprint >] cert [rsa] <keysize> | ssh [dsa | rsa [bits <keysize>]] aaa authentication ssh < public key file > [<append |[...]

  • Page 245

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation To Configure Local Passwords. You can configure both the Operator and Manager password with one command. Syntax: password < manager | operator | all > Figure 7-4. Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair You[...]

  • Page 246

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be “permanent”[...]

  • Page 247

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation show crypto host-public-key Displays switch’s public key. Displays the version 1 and version 2 views of the key. See “SSH Client Public-Key Authentication” on page 2-16 in this guide for information about public keys saved in a configuration file. [babble] Displays [...]

  • Page 248

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation hosts file, note that the formatting and comments need not match. For version 1 keys, the three numeric values bit size, exponent <e>, and modulus <n> must match; for PEM keys, only the PEM-encoded string itself must match. Notes "Zeroizing" the switc[...]

  • Page 249

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation The public key generated by the switch consists of three parts, separated by one blank space each: Bit Size Exponent <e> Modulus <n> 896 35 427199470766077426366625060579924214851527933248752021855126493 293407540704782860432930458032140273304999167004670769854352[...]

  • Page 250

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Bit Size Exponent <e> Modulus <n> Inserted IP Address Figure 7-8. Exam[...]

  • Page 251

    Hexadecimal "Fingerprints" of the Same Switch; Phonetic "Hash" of Switch's Public Key. Figure 7-9. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch's Public Key. The two commands shown in figure 7-9 convert the displayed format of[...]

  • Page 252

    SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if the switch's public key has not been copied into the client, then the client's first connection to the switch will question the connection and, for security reasons, provide[...]

  • Page 253

    Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher <cipher-type>] Specify a cipher type to use for connection. Valid types are: • aes128-cbc • 3des-cbc • aes192-cbc • aes256-cbc • rijndael-cbc@lysator.liu.se • aes128-ctr • aes192-ctr • ae[...]

  • Page 254

    [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See "Note on Port Number" on page 7-18. [public-key <manager | operator>] Configures a client public key. manager: Select manager public keys (ASCII formatted). oper[...]

  • Page 255

    Caution Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you. SSH does not protect the switch from unauthorized access via the web int[...]

  • Page 256

    Option A: Configuring SSH Access for Password-Only SSH Authentication. When configured with this option, the switch uses its public key to authenticate itself to a client, but uses only passwords for client authentication. Syntax: aaa authentication ssh login < local | [...]

  • Page 257

    Syntax: copy tftp pub-key-file < ipv4-address | ipv6-address > < filename > Copies a public key file into the switch. aaa authentication ssh login public-key Configures the switch to authenticate a client public-key at the login level with an optional secondary p[...]

  • Page 258

    ProCurve(config)# password manager user-name leader Configures Manager user-name and password. Configures the switch to allow SSH access only for a client whose public key matches one of the keys in the public key file. Configures the primary and secondary password methods [...]

  • Page 259

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems" in the Trouble[...]

  • Page 260

    If you enable client public-key authentication, the following events occur when a client tries to access the switch using SSH: 1. The client sends its public key to the switch with a request for authentication. 2. The switch compares the client's pu[...]

  • Page 261

    To Create a Client-Public-Key Text File. These steps describe how to copy client public keys into the switch for challenge-response authentication, and require an understanding of how to use your SSH client application. Figure 7-13. Example of a Cl[...]

  • Page 262

    2. Copy the client's public key into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft® Windows® software. If you want several clients to use client public-key authentication, copy a public k[...]

  • Page 263

    The babble option converts the key data to phonetic hashes that are easier for visual comparisons. The fingerprint option converts the key data to hexadecimal hashes that are for the same purpose. The keylist-str selects keys to display (comma-delimited [...]

  • Page 264

    Syntax: clear crypto public-key Deletes the client-public-key file from the switch. Syntax: clear crypto public-key 3 Deletes the entry with an index of 3 from the client-public-key file on the switch. Enabling Client Public-Key Authentication. After yo[...]

  • Page 265

    Configuring Secure Shell (SSH) Messages Related to SSH Operation
    Messages Related to SSH Operation
    Message: 00000K Peer unreachable. File transfer did not occur. Meaning: Indicates an error in communicating with the tftp server or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • In[...]

  • Page 266

    Message: Generating new RSA host key. If the cache is depleted, this could take up to two minutes. Meaning: After you execute the generate ssh [dsa | rsa] command, the switch displays this message while it is generating the key.
    Message: Host RSA key file corrupt or not found. Meaning: The switch?[...]

  • Page 267

    8 Configuring Secure Socket Layer (SSL) Contents Overview ..... 8-2 Terminology ..... 8-3 Prerequisite for Using SSL .....[...]

  • Page 268

    Configuring Secure Socket Layer (SSL) Overview
    Overview
    Feature | Default | Menu | CLI | Web
    Generating a Self Signed Certificate on the switch | No | n/a | page 8-8 | page 8-12
    Generating a Certificate Request on the switch | No | n/a | n/a | page 8-15
    Enabling SSL | Disabled | n/a | page 8-17 | page 8-19
    The switches covered in this guide use Secure Socket Layer Version 3 (SS[...]

  • Page 269

    Configuring Secure Socket Layer (SSL) Terminology Figure 8-1. Switch/User Authentication: ProCurve Switch (SSL Server) and SSL Client Browser; 1. Switch-to-Client SSL Cert.; 2. User-to-Switch (login password and enable password authentication) options: Local, TACACS+, RADIUS. SSL on the switches covered in this guide supports these data [...]

  • Page 270

    ■ Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-Signed Certificates) and used later on to verify the authenticity of those signed certificates. Trusted certificates are distributed as an integral part of most popular web clients. (see brow[...]

  • Page 271

    Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL-enabled web browser application on the computer(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Clie[...]

  • Page 272

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes 4. Use your SSL-enabled browser to access the switch using the switch's IP address or DNS name (if allowed by your browser). Refer to the documentation provided with the browser application. General Operating Rules and Notes ■ Once you generate a certificate on the sw[...]

  • Page 273

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation
    Configuring the Switch for SSL Operation
    SSL-Related CLI Commands in This Section | Page
    web-management ssl | page 8-19
    show config | page 8-19
    show crypto host-cert | 8-12
    crypto key generate cert [rsa] <512 | 768 | 1024> | 8-10
    zeroize cert | 8-10
    crypto host-cert generate s[...]

  • Page 274

    Figure 8-2. Example of Configuring Local Passwords (Security Tab, Password Button) 1. Proceed to the security tab and select the device passwords button. 2. Click in the appropriate box in the Device Passwords window and enter user names and passwords. You will be require[...]

  • Page 275

    The server certificate is stored in the switch's flash memory. The server certificate should be added to your certificate folder on the SSL clients that you want to have access to the switch. Most browser applications automatically add the switch's host certif[...]

  • Page 276

    CLI commands used to generate a Server Host Certificate. Syntax: crypto key generate cert [rsa] < 512 | 768 | 1024 > Generates a key pair for use in the certificate. crypto key zeroize cert Erases the switch's certificate key and disables SSL operation. crypt[...]

  • Page 277

    Table 8-1. Certificate Field Descriptions
    Field Name | Description
    Valid Start Date | This should be the date you desire to begin using the SSL functionality.
    Valid End Date | This can be any future date; however, good security practices would suggest a valid duration of ab[...]

  • Page 278

    CLI Command to view host certificates. Syntax: show crypto host-cert Displays switch's host certificate. To view the current host certificate from the CLI you use the show crypto host-cert command. For example, to display the new server host certificate: Show host[...]

  • Page 279

    To generate a self-signed host certificate from the web browser interface: i. Proceed to the Security tab, then the SSL button. The SSL configuration screen is split up into two halves. The left half is used in creating a new certificate key pair and (self-signe[...]

  • Page 280

    For example, to generate a new host certificate via the web browser interface: Certificate Type Box, Key Size Selection, Certificate Arguments. Figure 8-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen. To view the current host certificat[...]

  • Page 281

    Current SSL Host Certificate. Figure 8-6. Web browser Interface showing current SSL Host Certificate. Generate a CA-Signed server host certificate with the Web browser interface. To install a CA-Signed server host certificate from the web browser interface. For more inf[...]

  • Page 282

    that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate). The third phase is the download phase consisting of pasting to the switch web[...]

  • Page 283

    -----BEGIN CERTIFICATE----- [PEM-encoded certificate body omitted][...]

  • Page 284

    Note Before enabling SSL on the switch you must generate the switch's host certificate and key. If you have not already done so, refer to "2. Generating the Switch's Server Host Certificate" on page 8-8. When configured for SSL, the switch uses its host cer[...]

  • Page 285

    Using the CLI Interface to Enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443). Important: See "Note on Port Number" on page 8-20. show config [...]

  • Page 286

    Enable SSL and port number selection. Figure 8-8. Using the web browser interface to enable SSL and select TCP port number. Note on Port Number ProCurve recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to specify any T[...]

  • Page 287

    Configuring Secure Socket Layer (SSL) Common Errors in SSL setup
    Common Errors in SSL setup
    Error During | Possible Cause
    Generating host certificate on CLI | You have not generated a certificate key. (Refer to "CLI commands used to generate a Server Host Certificate" on page 8-10.)
    Enabling SSL on the CLI or Web browser interface | You have not[...]

  • Page 288


  • Page 289

    9 IPv4 Access Control Lists (ACLs) Contents Introduction ..... 9-4 What Is the Difference Between Network (or Subnet) Rules for Defining a Match Between a Packet and an Overview of Options for Applying IPv4 ACLs on the Switch ..... 9-6 Static ACLS [...]

  • Page 290

    Configuring and Assigning an IPv4 ACL ..... 9-34 A Configured ACL Has No Effect Until You Apply It You Can Assign an ACL Name or Number to an Interface Overview ..... 9-34 [...]

  • Page 291

    Displaying ACL Configuration Data ..... 9-85 Display an ACL Summary ..... 9-86 Display the Content of All ACLs on the Switch ..... 9-87 Display Static Port ACL As[...]

  • Page 292

    IPv4 Access Control Lists (ACLs) Introduction
    Introduction
    An Access Control List (ACL) is a list of one or more Access Control Entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch's interfaces. This chapter describes how to configure, apply, and edit IPv4 ACLs in [...]

  • Page 293

    Notes IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as part of your network security program. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IPv4 packet transmissions, they should[...]

  • Page 294

    IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch
    Overview of Options for Applying IPv4 ACLs on the Switch
    To apply IPv4 ACL filtering, assign a configured IPv4 ACL to the interface on which you want traffic filtering to occur. Port traffic ACLs can be applied either statically or dynamically (using a RA[...]

  • Page 295

    (Page references on this page: 9-49, 9-76.) Create a Standard, Numbered ACL | ProCurve(config)# access-list < 1-99 > < deny | permit > < any | host < SA > | SA/< mask-length > | SA < mask >> [ log ] (2) or Add an ACE to the End of an Existing Standard, Numbere[...]

  • Page 296

    Table 9-2. Command Summary for IPv4 Extended ACLs
    Action | Command(s) | Page
    Create an Extended, Named ACL or Add an ACE to the End of an Existing, Extended ACL | ProCurve(config)# ip access-list extended < name-str | 100-199 > | 9-55
    ProCurve(config-std-nacl[...]

  • Page 297

    Action | Command(s) | Page
    Enter or Remove a Remark | ProCurve(config)# ip access-list extended < name-str | 100-199 > | 9-81
    ProCurve(config-ext-nacl)# [ remark < remark-str > | no remark ] | 9-83
    For numbered, extended ACLs only, the following remark co[...]

  • Page 298

    IPv4 Access Control Lists (ACLs) Terminology
    Terminology
    Access Control Entry (ACE): A policy consisting of criteria and an action (permit or deny) to execute on a packet if it meets the criteria. The elements composing the criteria include: • source IPv4 address and mask (standard and extended ACLs) • destination IPv4 address and mask ([...]

  • Page 299

    ACL Mask: Follows any IPv4 address (source or destination) listed in an ACE. Defines which bits in a packet's corresponding IPv4 addressing must exactly match the addressing in the ACE, and which bits need not match (wildcards). See also "How an ACE Uses a Mask To Screen Packets for Matches" [...]

  • Page 300

    Inbound Traffic: For the purpose of defining where the switch applies IPv4 ACLs to filter traffic, inbound traffic is a packet that meets one of the following criteria: • Static Port ACL: Inbound traffic is a packet entering the switch on the port. • Dynamic Port ACL: Where a RADIUS server has au[...]

  • Page 301

    whether there is a match between a packet and the ACE. In an extended ACE, this is the first of two IPv4 addresses used by the ACE to determine whether there is a match between a packet and the ACE. See also "DA". seq-#: The term used in ACL syntax statements to represent the sequence number va[...]

  • Page 302

    IPv4 Access Control Lists (ACLs) Overview
    Overview
    Types of IPv4 ACLs A permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other factors. Standard ACL: Use a standard ACL when you need to permit or deny IPv4 traffic based on source address only. Standard ACLs are also us[...]

  • Page 303

    Static Port ACL and Dynamic Port ACL Applications An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port, regardless of whether the traffic is switched or routed. Dynamic (RADIUS-assigned) Port ACL Applications Dynamic (RADIUS-assigned) port ACLs are configured on RADIUS server[...]

  • Page 304

    802.1X User-Based and Port-Based Applications. User-Based 802.1X access control allows up to 8 individually authenticated clients on a given port. However, port-based access control does not set a client limit, and requires only one authenticated client to open a given port (and is recommended f[...]

  • Page 305

    • The CLI remark command option allows you to enter a separate comment for each ACE. ■ A source or destination IPv4 address and a mask, together, can define a single host, a range of hosts, or all hosts. ■ Every ACL populated with one or more explicit ACEs includes an Implicit Deny as the l[...]

  • Page 306

    General Steps for Planning and Configuring ACLs 1. Identify the ACL application to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv4 traffic at the edge of the network instead of in[...]

  • Page 307

    For more details on ACL planning considerations, refer to "Planning an ACL Application" on page 9-24. Caution Regarding the Use of Source Routing Source routing is enabled by default on the switch and can be used to override ACLs. For this reason, if you are using ACLs to enhance network security, t[...]

  • Page 308

    IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation
    IPv4 Static ACL Operation
    Introduction An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of matching criteria and an action (permit or deny). A static ACL applies only to the switch in which it is configured. ACLs operate on assigned interfaces, and [...]

  • Page 309

    ACL. This directs the ACL to permit (forward) packets that do not have a match with any earlier ACE listed in the ACL, and prevents these packets from being filtered by the implicit "deny any". Example. Suppose the ACL in figure 9-2 is assigned to filter the IPv4 traffic from an auth[...]

  • Page 310

    Figure (ACL packet-filtering flowchart): Test a packet against criteria in first ACE. Is there a match? Yes: perform action (permit or deny); End. No: test the packet against criteria in second ACE. Is there a match? Yes: perform action (permit or deny); End. No: test packet again[...] When no ACE matches: deny the packet (invoke an Implicit Deny); End.

  • Page 311

    1. Permit inbound IPv4 traffic from IP address 10.11.11.42. 2. Deny only the inbound Telnet traffic from address 10.11.11.101. 3. Permit only inbound Telnet traffic from IP address 10.11.11.33. 4. Deny all other inbound IPv4 traffic. The following ACL model, when assigned to inbound [...]

  • Page 312

    IPv4 Access Control Lists (ACLs) Planning an ACL Application
    Planning an ACL Application
    Before creating and implementing ACLs, you need to define the policies you want your ACLs to enforce, and understand how the ACL assignments will impact your network users. Note All IPv4 traffic entering the switch on a given interface is filtered by all [...]

  • Page 313

    ■ What are the logical points for minimizing unwanted traffic, and what ACL application(s) should be used? In many cases it makes sense to prevent unwanted traffic from reaching the core of your network by configuring ACLs to drop the unwanted traffic at or close to the edge of t[...]

  • Page 314

    Caution IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet tran[...]

  • Page 315

    ■ Generally, you should list ACEs from the most specific (individual hosts) to the most general (subnets or groups of subnets) unless doing so permits traffic that you want dropped. For example, an ACE allowing a small group of workstations to use a specialized printer should oc[...]

  • Page 316

    ■ Explicitly Permitting Any IPv4 Traffic: Entering a permit any or a permit ip any any ACE in an ACL permits all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect. ■ Explicitly Denying Any IPv4 Traffic: Enterin[...]

  • Page 317

    Thus, the bits set to 1 in a network mask define the part of an IPv4 address to use for the network number, and the bits set to 0 in the mask define the part of the address to use for the host number. In an ACL, IPv4 addresses and masks provide criteria for determining whether [...]

  • Page 318

    ACL mask to overlap one bit, which allows matches with hosts in two subnets: 31.30.224.0 and 31.30.240.0. Bit Position in the Third Octet of Subnet Mask 255.255.240.0: Bit Values 128 64 32 16 8 4 2 1; Subnet Mask Bits; Mask Bit Settings Affecting Subnet Addresses: 1 0 1 0 1 0 1 n/a n/a n/a [...]

  • Page 319

    • A group of IPv4 addresses fits the matching criteria. In this case you provide both the address and the mask. For example: access-list 1 permit 10.28.32.1 0.0.0.31 (Address: 10.28.32.1; Mask: 0.0.0.31). This policy states that: – In the first three octets of a packet's SA, [...]

  • Page 320

    dictates that a match occurs only when the source address on such packets is identical to the address configured in the ACE. ip access-list standard Fileserver permit 10.28.252.117 0.0.0.0 exit Inbound Packet "A" On VLAN 20 – Destination Address: 10.35.248.184 – Source Address: [...]

  • Page 321

    Table 9-3. Mask Effect on Selected Octets of the IPv4 Addresses in Table 9-2
    Addr | Octet | Mask Octet | Range | 128 64 32 16 8 4 2 1
    A | 3 | 0 (all bits) | 252 | 1 1 1 1 1 1 0 0
    B | 3 | 7 (last 3 bits) | 248-255 | 1 1 1 1 1 (0 or 1) (0 or 1) (0 or 1)
    C | 4 | 0 (all bits) | 195 | 1 1 0 0 0 0 1 1
    D | 2 | 15 (last 4 bits) | 32-47 | 0 0 1 0[...]
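    The mask semantics explained above (a 0 bit in the ACL mask means that bit of the packet's address must equal the ACE's; a 1 bit is a wildcard), together with first-match evaluation and the Implicit Deny, can be checked with the following added example. It is not the manual's or the switch's own code: the parser handles only the standard form and the extended "ip" form (no tcp/udp port criteria), sequence numbers 30 and 50 of the sample list are constructed entries, and octet_range reproduces the ranges in Table 9-3.

```python
"""Added example: ACL mask matching and first-match evaluation as the
ProCurve ACL chapter describes it. Not the manual's or the switch's code."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def mask_matches(packet_addr: str, ace_addr: str, ace_mask: str) -> bool:
    """True if every bit that is 0 in the ACL mask is identical in the
    packet address and the ACE address; 1 bits in the mask are wildcards."""
    must_match = ~to_int(ace_mask) & 0xFFFFFFFF
    return (to_int(packet_addr) & must_match) == (to_int(ace_addr) & must_match)


def octet_range(addr_octet: int, mask_octet: int) -> range:
    """Values one octet may take and still match (Table 9-3 'Range' column)."""
    low = addr_octet & ~mask_octet & 0xFF   # wildcard bits cleared
    high = low | mask_octet                 # wildcard bits set
    return range(low, high + 1)


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    src: str
    src_mask: str
    dst: Optional[str] = None    # None for a standard (source-only) ACE
    dst_mask: Optional[str] = None
    log: bool = False


def _parse_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one < any | host SA | SA mask | SA/mask-length > term."""
    head, rest = tokens[0], tokens[1:]
    if head == "any":
        return "0.0.0.0", "255.255.255.255", rest
    if head == "host":
        return rest[0], "0.0.0.0", rest[1:]
    if "/" in head:
        addr, length = head.split("/")
        wildcard = (1 << (32 - int(length))) - 1
        return addr, str(IPv4Address(wildcard)), rest
    return head, rest[0], rest[1:]


def parse_ace(line: str, seq: int = 0) -> Ace:
    """Parse '[seq] <permit|deny> [ip] <src> [<dst>] [log]' (subset of the CLI syntax)."""
    tokens = line.split()
    if tokens[0].isdigit():
        seq, tokens = int(tokens[0]), tokens[1:]
    action, tokens = tokens[0], tokens[1:]
    extended = bool(tokens) and tokens[0] == "ip"   # only the 'ip' protocol form handled
    if extended:
        tokens = tokens[1:]
    src, src_mask, tokens = _parse_addr(tokens)
    dst = dst_mask = None
    if extended:
        dst, dst_mask, tokens = _parse_addr(tokens)
    return Ace(seq, action, src, src_mask, dst, dst_mask, log="log" in tokens)


def evaluate(acl: List[Ace], src: str, dst: Optional[str] = None) -> Tuple[str, Optional[int]]:
    """Walk the ACEs in sequence order; the first match decides. If nothing
    matches, the Implicit Deny applies (returned with seq None)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if not mask_matches(src, ace.src, ace.src_mask):
            continue
        if ace.dst is not None and (dst is None or not mask_matches(dst, ace.dst, ace.dst_mask)):
            continue
        return ace.action, ace.seq
    return "deny", None


# Constructed sample modelled on "Sample-List-2" from the chapter: entries 10 and 20
# appear on the page; 30 and 50 are hypothetical additions for illustration.
SAMPLE_LIST_2 = [parse_ace(line) for line in [
    "10 deny ip 10.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255",
    "20 deny ip 10.28.245.89 0.0.0.0 0.0.0.0 255.255.255.255",
    "30 permit ip 10.28.32.0/27 any",
    "50 permit ip any any",
]]

# The standard "Fileserver" ACL from the chapter: exact-match mask 0.0.0.0.
FILESERVER = [parse_ace("permit 10.28.252.117 0.0.0.0", seq=10)]

if __name__ == "__main__":
    print(evaluate(SAMPLE_LIST_2, "10.28.235.10", "10.1.1.1"))   # ('deny', 10)
    print(evaluate(FILESERVER, "10.28.252.118"))                  # ('deny', None): Implicit Deny
    print(list(octet_range(250, 7)))                              # 248..255, as in Table 9-3 row B
```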

  • Page 322

    IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL
    Configuring and Assigning an IPv4 ACL
    ACL Feature | Page
    Caution Regarding the Use of IPv4 Source Routing
    Configuring and Assigning a Standard ACL | 9-44
    Configuring and Assigning an Extended ACL | 9-53
    Enabling or Disabling ACL Filtering | 9-73
    Overview General Steps for Implementing [...]

  • Page 323

    Options for Permit/Deny Policies The permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other IPv4 factors. ■ Standard ACL: Uses only a packet's source IPv4 address as a criterion for permitting or[...]

  • Page 324

    3. One or more deny/permit list entries (ACEs): One entry per line.
    Element | Notes
    Type | Standard or Extended
    Identifier | • Alphanumeric: Up to 64 Characters, Including Spaces • Numeric: 1 - 99 (Standard) or 100 - 199 (Extended)
    Remark | Allows up to 100 alphanumeric characte[...]

  • Page 325

    For example, figure 9-7 shows how to interpret the entries in a standard ACL. ProCurve(Config)# show running . . . ACL List Heading with List Type and Identifier (Name or Number): ip access-list standard "Sample-List" 10 deny 10.28.150.77 0.0.0.0 log 20 permit 10.28.150.[...]

  • Page 326

    ip access-list extended < identifier > [ [ seq-# ] remark < remark-str > ] < permit | deny > < ipv4-protocol-type > < SA > < src-acl-mask > < DA > < dest-acl-mask > [ log ] < permit | deny > tcp < SA > < src-acl-ma[...]

  • Page 327

    For example, figure 9-9 shows how to interpret the entries in an extended ACL. Figure 9-9. Example of a Displayed Extended ACL Configuration ProCurve(config)# show running Running configuration: ; J9146A Configuration Editor; Created on release #W.14.XX hostname "ProCu[...]

  • Page 328

    For example, suppose that you have applied the ACL shown in figure 9-10 to inbound IPv4 traffic on VLAN 1 (the default VLAN): ip access-list extended "Sample-List-2" 10 deny ip 10.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255 20 deny ip 10.28.245.89 0.0.0.0 0.0.0.0 255.[...]

  • Page 329

    Line # | Action
    50 | Any packet from any IPv4 SA to any IPv4 DA will be permitted (forwarded). The only traffic to reach this ACE will be IPv4 packets not specifically permitted or denied by the earlier ACEs.
    n/a | The Implicit Deny is a function the switch automatically adds as th[...]

  • Page 330

    Using the CLI To Create an ACL Command | Page: access-list (standard ACLs) | 9-44; access-list (extended ACLs) | 9-53. You can use either the switch CLI or an offline text editor to create an ACL. This section describes the CLI method, which is recommended for creating short ACLs. (T[...]

  • Page 331

    To insert an ACE anywhere in a numbered ACL, use the same process as described above for inserting an ACE anywhere in a named ACL. For example, to insert an ACE denying IPv4 traffic from the host at 10.10.10.77 as line 52 in an existing ACL identified (named) with the number[...]

  • Page 332

    IPv4 Access Control Lists (ACLs) Configuring Standard ACLs
    Configuring Standard ACLs
    Table 9-6. Command Summary for Standard ACLs
    Action | Command(s) | Page
    Create a Standard, Named ACL or Add an ACE to the End of an Existing Standard, Named ACL | ProCurve(config)# ip access-list standard < name-str > ProCurve(config-std-nacl)# < deny | perm[...]

  • Page 333

    A standard ACL uses only source IPv4 addresses in its ACEs. This type of ACE is useful when you need to: ■ Permit or deny any IPv4 traffic based on source address only. ■ Quickly control the IPv4 traffic from a specific address. This allows you to isolate IPv4 traffic problems gene[...]

  • Page 334

    Configuring Named, Standard ACLs This section describes the commands for performing the following: ■ creating and/or entering the context of a named, standard ACL ■ appending an ACE to the end of an existing list or entering the first ACE in a new list For other IPv4 ACL topics, re[...]

  • Page 335

    Configuring ACEs in a Named, Standard ACL. Configuring ACEs is done after using the ip access-list standard < name-str > command described above to enter the "Named ACL" (nacl) context of an access list. For a standard ACL syntax summary, refer to table 9-6 on page 9-44. Syn[...]

  • Page 336

    [ log ] This option generates an ACL log message if: • The action is deny. • There is a match. • ACL logging is enabled on the switch. (Refer to "" on page 9-96.) (Use the debug command to direct ACL logging output to the current console session and/or to a Syslog server. Note t[...]

  • Page 337

    ProCurve(config)# show access-list Sample-List
    Access Control Lists
    Name: Sample-List
    Type: Standard
    Applied: No
    SEQ | Entry
    10 | Action: permit; IP: 10.10.10.104
    20 | Action: deny (log); IP: 10.10.10.1; Mask: 0.0.0.[...]

  • Page 338

    Creating or Adding to a Standard, Numbered ACL. This command is an alternative to using ip access-list standard < name-str > and does not use the "Named ACL" (nacl) context. For a standard ACL syntax summary, refer to table 9-6 on page 9-44. Syntax: access-list < 1-99 >[...]

  • Page 339

    IPv4 Access Control Lists (ACLs) Configuring Standard ACLs < any | host < SA > | SA < mask | SA / mask-length >> Defines the source IPv4 address (SA) a packet must carry for a match with the ACE. • any — Allows IPv4 packets from any SA. • host < SA > — Specifies only packets having < SA > as the source. Use th[...]

  • Page 340

    IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Example of Creating and Viewing a Standard ACL. This example creates a standard, numbered ACL with the same ACE content as shown in figure 9-11 on page 9-48. ProCurve(config)# access-list 17 permit host 10.[...]

  • Page 341

    9-55 IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configuring Extended ACLs Table 9-7. Command Summary for Extended ACLs Action Command(s) Page Create an Extended, Named ACL or Add an ACE to the End of an Existing, Extended ACL ProCurve(config)# ip access-list extended < name-str | 100-199 > ProCurve(config-std-nacl)# < den[...]

  • Page 342

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Action Command(s) Page Enter or Remove a ProCurve(config)# ip access-list extended < name-str | 100-199 > 9-81 Remark ProCurve(config-ext-nacl)# [ remark < remark-str > | no < 1 - 2147483647 > remark ] 9-83 For numbered, extended ACLs only, the following remark command[...]

  • Page 343

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configuring Named, Extended ACLs For a match to occur with an ACE in an extended ACL, a packet must have the source and destination address criteria specified by the ACE, as well as any IPv4 protocol-specific criteria included in the command. Use the following general steps to create or[...]

  • Page 344

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Creating a Named, Extended ACL and/or Entering the “Named ACL” ( nacl ) Context. This command is a prerequisite to entering or editing ACEs in a named, extended ACL. (For a summary of the extended ACL syntax options, refer to table 9-7 on page 9-53.) Syntax: ip access-list extended [...]

  • Page 345

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configure ACEs in a Named, Extended ACL and/or Enter the “Named ACL” ( nacl ) Context. Configuring ACEs is done after using the ip access-list standard < name-str > command described on page 9-56 to enter the “Named ACL” ( nacl ) context of an ACL. For an extended ACL synt[...]

  • Page 346

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following: • ip — any IPv4 packet. • ip-protocol — any one of the following IPv4 protocol names: ip-in-ip ipv6-[...]

  • Page 347

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < any | host < DA > | DA/mask-length | DA/ < mask >> This is the second instance of IPv4 addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match wit[...]

  • Page 348

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ tos < tos-setting > ] This option can be used after the DA to cause the ACE to match packets with the specified Type-of-Service (ToS) setting. ToS values can be entered as the following numeric settings or, in the case of 0, 2, 4, and 8, as alphanumeric names: 0 or normal 2 [...]

  • Page 349

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for TCP and UDP Traffic in Extended ACLs. An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traff[...]

  • Page 350

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Port Number or Well-Known Port Name: Use the TCP or UDP port number required by your application. The switch also accepts these well-known TCP or UDP port names as an alternative to their port numbers: • TCP: bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet • U[...]

  • Page 351

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for ICMP Traffic in Extended ACLs. This option is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic. That is, an ACE designed to permit or deny ICMP traffic can optionally i[...]

  • Page 352

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ icmp-type-name ] These name options are an alternative to the [ icmp-type [ icmp-code ] ] methodology described above. For more information, visit the IANA website cited above. administratively-prohibited net-tos-unreachable alternate-address net-unreachable conversion-error network-unk[...]

  • Page 353

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Option for IGMP in Extended ACLs. This option is useful where it is necessary to permit some types of IGMP traffic and deny other types instead of simply permitting or denying all types of IGMP traffic. That is, an ACE designed to permit or deny IGMP traffic can optionally include an [...]

  • Page 354

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs For other IPv4 ACL topics, refer to the following: Topic Page configuring named, standard ACLs 9-46 configuring numbered, standard ACLs 9-49 configuring named, extended ACLs 9-55 applying or removing an ACL on an interface 9-73 deleting an ACL 9-74 editing an ACL 9-75 sequence numberin[...]

  • Page 355

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs If the ACL does not already exist, this command creates the specified ACL and its first ACE. If the ACL already exists, the new ACE is appended to the end of the configured list of explicit ACEs. In the default configuration, the ACEs in an ACL will automatically be assigned consecuti[...]

  • Page 356

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Specifies the packet protocol type required for a match. An extended ACL must include one of the following: • ip — any IPv4 packet. • ip-protocol — any one of the following IPv4 protocol names: ip-in-ip ipv6-in-ip gre esp ah ospf pim [...]

  • Page 357

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs SA Mask Application: The mask is applied to the SA in the ACL to define which bits in a packet’s source SA must exactly match the address configured in the ACL and which bits need not match. Example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any IP address in the range of 10.10[...]
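    The mask semantics above (a 0 bit in the mask means the packet bit must match the configured address, a 1 bit means it need not) are easy to get backwards, because the ACL mask is the inverse of a subnet mask. The following Python is an added example, not code from the manual or from the ProCurve switch, that implements the source-address forms of the ACE syntax on this page ( any, host < SA >, SA/mask-length, SA < mask > ) and then goes beyond mask matching to show top-down, first-match evaluation of a standard ACL with the implicit deny that ends every list, per-ACE match counters, and a deny-plus-log entry. The ACL contents, the addresses, and the log message format are constructed for the example.

    ```python
    import ipaddress
    from dataclasses import dataclass, field


    def prefix_to_mask(prefix_len: int) -> str:
        """Convert a /mask-length into the ACL mask form (host bits set to 1),
        so that 10.10.10.1/24 and 10.10.10.1 0.0.0.255 describe the same range."""
        host_bits = 32 - prefix_len
        return str(ipaddress.IPv4Address((1 << host_bits) - 1))


    def parse_source(spec: str) -> tuple:
        """Parse the ACE source forms: 'any' | 'host SA' | 'SA/len' | 'SA mask'.
        Returns (address, acl_mask) as dotted strings."""
        tokens = spec.split()
        if tokens == ["any"]:
            return "0.0.0.0", "255.255.255.255"      # every bit is "don't care"
        if tokens[0] == "host" and len(tokens) == 2:
            return tokens[1], "0.0.0.0"              # every bit must match
        if len(tokens) == 1 and "/" in tokens[0]:
            addr, plen = tokens[0].split("/")
            return addr, prefix_to_mask(int(plen))
        if len(tokens) == 2:
            return tokens[0], tokens[1]
        raise ValueError(f"unrecognised source spec: {spec!r}")


    def wildcard_match(packet_sa: str, acl_addr: str, acl_mask: str) -> bool:
        """Mask bit 0: packet bit must equal the configured bit. Mask bit 1: ignored."""
        p = int(ipaddress.IPv4Address(packet_sa))
        a = int(ipaddress.IPv4Address(acl_addr))
        care = ~int(ipaddress.IPv4Address(acl_mask))  # bits that must match
        return (p & care) == (a & care)


    @dataclass
    class ACE:
        seq: int
        action: str          # "permit" or "deny"
        source: str          # one of the four source forms above
        log: bool = False
        matches: int = 0     # ACE statistics counter (running total of matches)


    @dataclass
    class StandardACL:
        name: str
        aces: list = field(default_factory=list)
        log_messages: list = field(default_factory=list)

        def evaluate(self, packet_sa: str) -> str:
            """First ACE (lowest sequence number) whose source matches decides."""
            for ace in sorted(self.aces, key=lambda a: a.seq):
                addr, mask = parse_source(ace.source)
                if wildcard_match(packet_sa, addr, mask):
                    ace.matches += 1
                    if ace.action == "deny" and ace.log:
                        # Constructed message format; the switch sends its own text
                        # to the configured debug/Syslog destination.
                        self.log_messages.append(
                            f"ACL {self.name} seq {ace.seq} denied source {packet_sa}")
                    return ace.action
            return "deny"   # implicit deny any at the end of every ACL


    def run_sample() -> dict:
        """Constructed ACL and packets: returns decisions, counters and log lines."""
        acl = StandardACL("Sample-Edit", [
            ACE(10, "permit", "host 10.10.10.104"),
            ACE(20, "deny", "10.10.10.1 0.0.0.255", log=True),
            ACE(30, "permit", "any"),
        ])
        packets = ["10.10.10.104", "10.10.10.7", "192.168.1.1", "10.10.11.7"]
        decisions = [acl.evaluate(sa) for sa in packets]
        return {
            "decisions": decisions,
            "counters": {ace.seq: ace.matches for ace in acl.aces},
            "logs": acl.log_messages,
        }


    if __name__ == "__main__":
        print(run_sample())
    ```

    Note that 10.10.10.104 is permitted by sequence 10 even though sequence 20 would deny the whole 10.10.10.0/24 range: order, not specificity, decides, which is why the sequence-number editing commands later in this chapter matter.
    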

  • Page 358

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ precedence < 0 - 7 | precedence-name > ] This option causes the ACE to match packets with the specified IP precedence value. Values can be entered as the following IP precedence numbers or alphanumeric names: 0 or routine 1 “ priority 2 “ immediate 3 “ flash 4 “ flash-over[...]

  • Page 359

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Additional Options for TCP and UDP Traffic. An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic. ([...]

  • Page 360

    IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Syntax: access-list < 100 - 199 > < deny | permit > igmp < src-ip > < dest-ip > [ igmp-type ] The IGMP “type” criteria are identical to the criteria described for IGMP in named, extended ACLs, beginning on page 9-65. 9-72[...]

  • Page 361

    IPv4 Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface Adding or Removing an ACL Assignment On an Interface Filtering Inbound IPv4 Traffic Per Port For a given port, port list, or static port trunk, you can assign an ACL as a static port ACL to filter any IPv4 traffic entering the switch on that interface. You can[...]

  • Page 362

    IPv4 Access Control Lists (ACLs) Deleting an ACL ProCurve(config)# interface b10 ip access-group My-List in ProCurve(config)# interface b10 ProCurve(eth-b10)# ip access-group 155 in Enables a static port ACL ProCurve(eth-b10)# exit from a port context. ProCurve(config)# no interface b10 ip access-group My-List in Disables a static port ACL from t[...]

  • Page 363

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL Editing an Existing ACL The CLI provides the capability for editing in the switch by using sequence numbers to insert or delete individual ACEs. An offline method is also available. This section describes using the CLI for editing ACLs. To use the offline method for editing ACLs, refe[...]

  • Page 364

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL ■ You can delete any ACE from any ACL (named or numbered) by using the ip access-list command to enter the ACL’s context, and then using the no < seq-# > command (page 9-79). ■ Deleting the last ACE from an ACL leaves the ACL in memory. In this case, the ACL is “empty”[...]

  • Page 365

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL For example, to append a fourth ACE to the end of the ACL in figure 9-16: ProCurve(config)# ip access-list standard My-List ProCurve(config-std-nacl)# permit any ProCurve(config-std-nacl)# show run . . . ip access-list standard "My-List" 10 permit 10.10.10.25 0.0.0.0 20 permit 10.[...]

  • Page 366

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL 2. Begin the ACE command with a sequence number that identifies the position you want the ACE to occupy. (The sequence number range is 1-2147483647.) 3. Complete the ACE with the command syntax appropriate for the type of ACL you are editing. For example, inserting a new ACE between the A[...]

  • Page 367

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL Deleting an ACE from an Existing ACL This action uses ACL sequence numbers to delete ACEs from an ACL. Syntax: ip access-list < standard | extended > < name-str | 1 - 99 | 100 - 199 > no < seq-# > The first command enters the “Named-ACL” context for the specified ACL. [...]

  • Page 368

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL Resequencing the ACEs in an ACL This action reconfigures the starting sequence number for ACEs in an ACL, and resets the numeric interval between sequence numbers for ACEs configured in the ACL. Syntax: ip access-list resequence < name-str | 1 - 99 | 100 - 199 > < starting-seq-#[...]

  • Page 369

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL Attaching a Remark to an ACE A remark is numbered in the same way as an ACE, and uses the same sequence number as the ACE to which it refers. This operation requires that the remark for a given ACE be entered prior to entering the ACE itself. Syntax: access-list < 1 - 99 | 100 - 199 >[...]

  • Page 370

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL Note After a numbered ACL has been created (using access-list < 1 - 99 | 100 - 199 > ), it can be managed as either a named or numbered ACL. For example, in an existing ACL with a numeric identifier of “115”, either of the following command sets adds an ACE denying IP traffic [...]

  • Page 371

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL Inserting Remarks and Related ACEs Within an Existing List. To insert an ACE with a remark within an ACL by specifying a sequence number, insert the numbered remark first, then, using the same sequence number, insert the ACE. (This operation applies only to ACLs accessed using the “Nam[...]

  • Page 372

    IPv4 Access Control Lists (ACLs) Editing an Existing ACL Operating Notes for Remarks ■ The resequence command ignores “orphan” remarks that do not have an ACE counterpart with the same sequence number. For example, if: • a remark numbered “55” exists in an ACE • there is no ACE numbered “55” in the same ACL • resequence is e[...]

  • Page 373

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying ACL Configuration Data ACL Commands Function Page show access-list show access-list config show access-list ports < all | port-list > show access-list < acl-name-str > show access-list resources show access-list radius < all | port-list > show config sh[...]

  • Page 374

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display an ACL Summary This command lists the configured IPv4 ACLs. Syntax: show access-list List a summary table of the name, type, and application status of IPv4 ACLs configured on the switch. For example: ProCurve(config)# show access-list Access Control Lists Type Appl Name --[...]

  • Page 375

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display the Content of All ACLs on the Switch This command lists the configuration details for the IPv4 ACLs in the running-config file. Syntax: show access-list config List the configured syntax for all IPv4 ACLs currently configured on the switch. Note Notice that you can us[...]

  • Page 376

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display Static Port ACL Assignments This command briefly lists the identification and type(s) of current static port ACL assignments to individual switch ports and trunks, as configured in the running-config file. (The switch allows one static port ACL assignment per port.) Sy[...]

  • Page 377

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying the Content of a Specific ACL This command displays a specific ACL configured in the running config file in an easy-to-read tabular format. Note This information also appears in the show ru[...]

  • Page 378

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data ProCurve(config)# show access-list List-120 Access Control Lists Name: List-120 Type: Extended Indicates whether the ACL is applied to an interface. Applied: No SEQ Entry Indicates source and destination en[...]

  • Page 379

    IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data IP Used for Standard ACLs: The source IP address to which the configured mask is applied to determine whether there is a match with a packet. Field Description Src IP Used for Extended ACLs: Same as above. Dst IP Used for Extended ACLs: The source and destination IP addresses to w[...]

  • Page 380

    IPv4 Access Control Lists (ACLs) Monitoring Static ACL Performance Monitoring Static ACL Performance ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help, for example, to determ[...]

  • Page 381

    IPv4 Access Control Lists (ACLs) Monitoring Static ACL Performance ACE Counter Operation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset. For example, in ACL line 10 below, ther[...]

  • Page 382

    IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline Creating or Editing ACLs Offline The section titled “Editing an Existing ACL” on page 9-75 describes how to use the CLI to edit an ACL, and is most applicable in cases where the ACL is short or there is only a minor editing task to perform. The offline method provides a use[...]

  • Page 383

    10 permit tcp 10.30.133.27 0.0.0.0 eq 23 0.0.0.0 255.255.255.255 IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax, begin the command file with a no ip access-list command to remove the earlier version of the ACL from the switch[...]

  • Page 384

    IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enable ACL “Deny” Logging ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” action. You can use ACL logging to help: ■ Test your network to ensure that your ACL configuratio[...]

  • Page 385

    IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging ACL Logging Operation When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination. The first time a packet matches an ACE with deny and log configured, t[...]

  • Page 386

    IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enabling ACL Logging on the Switch 1. If you are using a Syslog server, use the logging < ip-addr > command to configure the Syslog server IP address(es). Ensure that the switch can access any Syslog server(s) you specify. 2. Use logging facility syslog to enable the logging [...]

  • Page 387

    IPv4 Access Control Lists (ACLs) General ACL Operating Notes General ACL Operating Notes ACLs do not provide DNS hostname support. ACLs cannot be configured to screen hostname IP traffic between the switch and a DNS. ACLs Do Not Affect Serial Port Access. ACLs do not apply to the switch’s serial port. ACL Screening of IPv4 Traffic Generated[...]

  • Page 388

    IPv4 Access Control Lists (ACLs) General ACL Operating Notes Monitoring Shared Resources. Applied ACLs share internal switch resources with several other features. The switch provides ample resources for all features. However, if the internal resources become fully subscribed, additional ACLs cannot be applied until the necessary resources a[...]

  • Page 389

    10 Configuring Advanced Threat Protection Contents Introduction . . . 10-2 DHCP Snooping . . . 10-3 Overview . . .[...]

  • Page 390

    Configuring Advanced Threat Protection Introduction Introduction As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (such as partners, temporary employees, and visitors), additional protection from attacks launched from both inside and outside your internal network is o[...]

  • Page 391

    Configuring Advanced Threat Protection DHCP Snooping • Attempts to exhaust system resources so that sufficient resources are not available to transmit legitimate traffic, indicated by an unusually high use of specific system resources • Attempts to attack the switch’s CPU and introduce delay in system response time to new network events [...]

  • Page 392

    Configuring Advanced Threat Protection DHCP Snooping DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspe[...]

  • Page 393

    Configuring Advanced Threat Protection DHCP Snooping option : Add relay information option (Option 82) to DHCP client packets that are being forwarded out trusted ports. The default is yes, add relay information. trust : Configure trusted ports. Only server packets received on trusted ports are forwarded. Default: untrusted. verify[...]

  • Page 394

    Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# show dhcp-snooping stats Packet type Action Reason Count ----------- ------- ---------------------------- -------- server forward from trusted port 8 client forward to trusted port 8 server drop received on untrusted port 2 server drop unauthorized server 0 client drop dest[...]

  • Page 395

    Configuring Advanced Threat Protection DHCP Snooping Configuring DHCP Snooping Trusted Ports By default, all ports are untrusted. To configure a port or range of ports as trusted, enter this command: ProCurve(config)# dhcp-snooping trust <port-list> You can also use this command in the interface context, in which case you are not abl[...]

  • Page 396

    Configuring Advanced Threat Protection DHCP Snooping Configuring Authorized Server Addresses If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the authorized server list in order to be considered valid. If no authorized servers ar[...]

  • Page 397

    Configuring Advanced Threat Protection DHCP Snooping Note DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, not on VLANs without snooping enabled. If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bind[...]

  • Page 398

    Configuring Advanced Threat Protection DHCP Snooping Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address of the switch as the remote-id in Option 82 additions. The IP address of the VLAN the packet was received on or the IP address of the management VLAN can be used instead by entering this command [...]

  • Page 399

    Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# dhcp-snooping verify mac ProCurve(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping : Yes Enabled Vlans : 4 Verify MAC : yes Option 82 untrusted policy : drop Option 82 Insertion : Yes Option 82 remote-id : subnet-ip Figure 10-7. Example Showing the DHCP Snoo[...]

  • Page 400

    Configuring Advanced Threat Protection DHCP Snooping A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command. Syntax: show dhcp-snooping binding ProCurve(config)# show dhcp-snooping binding MacAddress IP VLAN Interface Time le[...]

  • Page 401

    Configuring Advanced Threat Protection DHCP Snooping ■ ProCurve recommends running a time synchronization protocol such as SNTP in order to track lease times accurately. ■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot. Log Messages Server <ip-address> packet recei[...]

  • Page 402

    Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay information logs for <duration>. More than one DHCP client packet received on an untrusted port with a relay information field was dropped. To avoid filling the log file with repeated attempts, untrusted relay information packets will not be logged for the sp[...]

  • Page 403

    Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the source [...]

  • Page 404

    Configuring Advanced Threat Protection Dynamic ARP Protection ■ Verifies IP-to-MAC address bindings on untrusted ports with the information stored in the lease database maintained by DHCP snooping and user-configured static bindings (in non-DHCP environments): • If a binding is valid, the switch updates its local ARP cache and forwa[...]
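    The DHCP snooping and dynamic ARP protection pages above describe one decision pipeline: DHCP server packets are accepted only on trusted ports (and, when an authorized-server list is configured, only from a listed source address), the leases they grant populate a binding database, and ARP packets arriving on untrusted ports are checked against that database before the ARP cache is updated. The Python below is an added example that models that pipeline; it is not ProCurve code. Port names, addresses and MACs are constructed; the statistics labels are modelled loosely on the Reason strings of show dhcp-snooping stats on this page but are not the switch's exact text; and the src-mac validation check is implemented on the assumption that it compares the Ethernet source MAC with the ARP sender MAC.

    ```python
    from collections import Counter
    from dataclasses import dataclass, field


    @dataclass
    class Binding:
        """One IP-to-MAC lease as the binding database stores it."""
        mac: str
        ip: str
        vlan: int
        port: str


    @dataclass
    class SnoopingSwitch:
        trusted_ports: set
        authorized_servers: set = field(default_factory=set)  # empty: no list configured
        validate: set = field(default_factory=set)            # e.g. {"src-mac"} (assumed semantics)
        bindings: dict = field(default_factory=dict)          # (vlan, ip) -> Binding
        arp_cache: dict = field(default_factory=dict)         # (vlan, ip) -> mac
        stats: Counter = field(default_factory=Counter)

        def server_packet(self, port: str, src_ip: str) -> str:
            """DHCP server packet: trusted port AND (if configured) authorized source."""
            if port not in self.trusted_ports:
                self.stats["server drop received on untrusted port"] += 1
                return "drop"
            if self.authorized_servers and src_ip not in self.authorized_servers:
                self.stats["server drop unauthorized server"] += 1
                return "drop"
            self.stats["server forward from trusted port"] += 1
            return "forward"

        def learn_lease(self, binding: Binding) -> None:
            """Record a lease granted through a valid server packet."""
            self.bindings[(binding.vlan, binding.ip)] = binding

        def arp_packet(self, port: str, vlan: int, eth_src_mac: str,
                       sender_mac: str, sender_ip: str) -> str:
            """ARP on a trusted port passes; on an untrusted port the sender
            binding must exist in the database with the same MAC."""
            if port in self.trusted_ports:
                self.stats["arp forward trusted port"] += 1
                return "forward"
            if "src-mac" in self.validate and eth_src_mac != sender_mac:
                self.stats["arp drop src-mac mismatch"] += 1
                return "drop"
            known = self.bindings.get((vlan, sender_ip))
            if known is None or known.mac != sender_mac:
                self.stats["arp drop invalid binding"] += 1
                return "drop"
            self.arp_cache[(vlan, sender_ip)] = sender_mac   # valid: update cache, forward
            self.stats["arp forward valid binding"] += 1
            return "forward"


    def run_sample():
        """Constructed scenario: one trusted uplink (B1), one authorized server,
        one client on untrusted port B3, and a spoofed reply for the client's IP."""
        sw = SnoopingSwitch(trusted_ports={"B1"}, authorized_servers={"10.0.4.2"},
                            validate={"src-mac"})
        client_mac, rogue_mac = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
        results = [
            sw.server_packet("B3", "10.0.4.2"),   # server seen on untrusted port: drop
            sw.server_packet("B1", "10.0.4.9"),   # trusted port but unlisted server: drop
            sw.server_packet("B1", "10.0.4.2"),   # trusted and authorized: forward
        ]
        sw.learn_lease(Binding(client_mac, "10.0.4.50", 4, "B3"))
        results += [
            sw.arp_packet("B3", 4, client_mac, client_mac, "10.0.4.50"),  # matches lease
            sw.arp_packet("B3", 4, rogue_mac, rogue_mac, "10.0.4.50"),    # wrong MAC for IP
            sw.arp_packet("B3", 4, client_mac, rogue_mac, "10.0.4.50"),   # src-mac mismatch
            sw.arp_packet("B1", 4, rogue_mac, rogue_mac, "10.0.4.1"),     # trusted port
        ]
        return sw, results


    if __name__ == "__main__":
        switch, decisions = run_sample()
        print(decisions)
        print(dict(switch.stats))
    ```

    The last case is the one the configuration guidelines that follow warn about: a port marked trusted is exempt from the binding check entirely, so only ports facing other switches or the DHCP server should be trusted.
    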

  • Page 405

    Configuring Advanced Threat Protection Dynamic ARP Protection Enabling Dynamic ARP Protection To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp protect vlan command at the global configuration level. Syntax: [no] arp protect vlan [ vlan-range ] vlan-range Specifies a VLAN ID or a range of VLAN IDs from one t[...]

  • Page 406

    Configuring Advanced Threat Protection Dynamic ARP Protection Figure 10-9. Configuring Trusted Ports for Dynamic ARP Protection Take into account the following configuration guidelines when you use dynamic ARP protection in your network: ■ You should configure ports connected to other switches in the network as trusted ports. In th[...]

  • Page 407

    Configuring Advanced Threat Protection Dynamic ARP Protection Adding an IP-to-MAC Binding to the DHCP Database A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet validation. Both the DHCP snooping and DHCP Option 82 insertion features maintain the lease database by learning the IP-to-MAC bindings on untrus[...]

  • Page 408

    Configuring Advanced Threat Protection Dynamic ARP Protection Configuring Additional Validation Checks on ARP Packets Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp protect validate command[...]

  • Page 409

    Configuring Advanced Threat Protection Dynamic ARP Protection ProCurve(config)# show arp protect ARP Protection Information Enabled Vlans : 1-4094 Validate : dst-mac, src-mac Port Trust B1 Yes B2 Yes B3 No B4 No B5 No Figure 10-10. The show arp protect Command Displaying ARP Packet Statistics To display statistics about forwarded ARP [...]

  • Page 410

    Configuring Advanced Threat Protection Dynamic ARP Protection Monitoring Dynamic ARP Protection When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp protect command. Use this command when you want to debug the following conditions: ■ The switch is dropping valid ARP packet[...]

  • Page 411

    Configuring Advanced Threat Protection Using the Instrumentation Monitor Using the Instrumentation Monitor The instrumentation monitor can be used to detect anomalies caused by security attacks or other irregular operations on the switch. The following table shows the operating parameters that can be monitored at pre-determined intervals, a[...]

  • Page 412

    Configuring Advanced Threat Protection Using the Instrumentation Monitor Operating Notes ■ To generate alerts for monitored events, you must enable the instrumentation monitoring log and/or SNMP trap. The threshold for each monitored parameter can be adjusted to minimize false alarms (see “Configuring Instrumentation Monitor” on page 1[...]

  • Page 413

    Configuring Advanced Threat Protection Using the Instrumentation Monitor Configuring Instrumentation Monitor The following commands and parameters are used to configure the operational thresholds that are monitored on the switch. By default, the instrumentation monitor is disabled. Syntax: [no] instrumentation monitor [parameterName|all[...]

  • Page 414

    Configuring Advanced Threat Protection Using the Instrumentation Monitor To enable instrumentation monitor using the default parameters and thresholds, enter the general instrumentation monitor command. To adjust specific settings, enter the name of the parameter that you wish to modify, and revise the threshold limits as needed. Example[...]

  • Page 415

    Configuring Advanced Threat Protection Using the Instrumentation Monitor Viewing the Current Instrumentation Monitor Configuration The show instrumentation monitor configuration command displays the configured thresholds for monitored parameters. ProCurve# show instrumentation monitor configuration PARAMETER LIMIT ------------------------- [...]

  • Page 416

    Configuring Advanced Threat Protection Using the Instrumentation Monitor 10-28[...]

  • Page 417

    11 Traffic/Security Filters and Monitors Contents Overview . . . 11-2 Introduction . . . 11-2 Filter Limits . . .[...]

  • Page 418

    Traffic/Security Filters and Monitors Overview Overview Applicable Switch Models. As of June 2007, Traffic/Security filters are available on these current ProCurve switch models: Switch Models Source-Port Filters Protocol Filters Multicast Filters Switch 8212zl Yes Yes Yes Series 6400cl Yes No No Series 5400zl Yes Yes Yes Series 4200vl Y[...]

  • Page 419

    Traffic/Security Filters and Monitors Filter Types and Operation You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic. That is, you can configure a traffic filter to either forward or drop all network traffic moving to out[...]

  • Page 420

    Traffic/Security Filters and Monitors Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports. End Node “A” Server Switch 8212zl Configured for Source-Port Filtering Hub End Node “B” End Node “C” Port 1 [...]

  • Page 421

    Traffic/Security Filters and Monitors Filter Types and Operation ■ When you create a source port filter, all ports and port trunks (if any) on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or trunk[...]

  • Page 422

    Traffic/Security Filters and Monitors Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to destination port 7 (server "A"). Notice that the filter allows traffic to move from source port 5 to all other destination ports. Figure 11-3. The Filter for the A[...]

  • Page 423

    Traffic/Security Filters and Monitors Filter Types and Operation ■ To change the named source-port filter used on a port or port trunk, the current filter must first be removed, using the no filter source-port named-filter <filter-name> command. ■ A named source-port filter can only be deleted when it is not applied to any por[...]

  • Page 424

    Traffic/Security Filters and Monitors Filter Types and Operation Syntax: filter source-port named-filter < filter-name > forward < destination-port-list > Configures the named source-port filter to forward traffic having a destination on the ports and/or port trunks in the < destination-port-list >. Since “forward” is the[...]

  • Page 425

    Traffic/Security Filters and Monitors Filter Types and Operation Viewing a Named Source-Port Filter You can list all source-port filters configured in the switch, both named and unnamed, and their action using the show command below. Syntax: show filter source-port Displays a listing of configured source-port filters, where each filter entry[...]

  • Page 426

    Traffic/Security Filters and Monitors Filter Types and Operation Defining and Configuring Example Named Source-Port Filters. While named source-port filters may be defined and configured in two steps, this is not necessary. Here we define and configure each of the named source-port filters for our example network in a single step. ProCurve(c[...]

  • Page 427

    Traffic/Security Filters and Monitors Filter Types and Operation Figure 11-7. Example of the show filter Command Using the IDX value in the show filter command, we can see how traffic is filtered on a specific port (Value). The two outputs below show a non-accounting and an accounting switch port. ProCurve(config)# show filter Traf[...]

  • Page 428

    Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 24 ProCurve(config)# show filter 4 Traffic/Security Filters Traffic/Security Filters Filter Type : Source Port Filter Type : Source Port Source Port : 10 Source Port : 5 Dest Port Type | Action Dest Port Type | Action --------- --------- + ----------- ---[...]

  • Page 429

    Traffic/Security Fi lters and Monitors Filter Types and Operation ProCurve(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port Type | Action --------- --------- + ------------- ----------- 1 10/100TX | Forward 2 10/100TX | Forward 3 10/100TX | Forward 4 10/100TX | Forward 5 10/100TX | Forward 6 10/10[...]

  • Page 430

    Traffic/Security Filters and Monitors Filter Types and Operation The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command. ProCurve(config)# filter source-port named-filter accounting forward 8,12,13 ProCurve(config)# filter source-port[...]

  • Page 431

    Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter source-port Traffic/Security Filters Filter Name | Port List | Action -------------------- + -------------------- + -------------------------- web-only | 2-6,9,14-26 | drop 2-26 accounting | 7-8,10-13 | drop 1-6,9,14-26 no-incoming-web | 1 | drop 7-8,1[...]

  • Page 432

    Traffic/Security Filters and Monitors Filter Types and Operation Table 11-2. Multicast Filter Limits Max-VLANs Setting Maximum # of Multicast Filters (Static and IGMP Combined) 1 (the minimum) 420 8 (the default) 413 32 or higher 389 Notes Per-Port IP Multicast Filters. The static multicast filters described in this section filter traffic having[...]

  • Page 433

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Only one filter for a particular protocol type can be configured at any one time. For example, a separate protocol filter can be configured for each of the protocol types listed above, but only one of those can be an IP filter. Also, the destination ports for a proto[...]

  • Page 434

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port <port-number | trunk-name>] Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the sourc[...]

  • Page 435

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a source-port filter that drops all traffic received on port 5 with a destination of port trunk 1 (Trk1) and any port in the range of port 10 to port 15. To create this filter you[...]

  • Page 436

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following: The *5* shows that port 5 is configured for filtering, but the filtering action has been suspended while the port is a member of a trunk. If you want the trunk[...]

  • Page 437

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Figure 11-15. Assigning Additional Destination Ports to an Existing Filter Configuring a Multicast or Protocol Traffic Filter Syntax: [no] filter [multicast <mac-address>] Specifies a multicast address. Inbound traffic received (on any port) with this multicas[...]

  • Page 438

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters For example, suppose you wanted to configure the filters in table 11-3 on a switch. (For more on source-port filters, refer to “Configuring a Source-Port Traffic Filter” on page 11-18.) Table 11-3. Filter Example Filter Type Filter Value Action Destination Por[...]

  • Page 439

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Displaying Traffic/Security Filters This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters. Syntax: show filter Lists the filters configured in the switch, with correspo[...]

  • Page 440

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Filter Index Numbers (Automatically Assigned) Lists all filters configured in the switch. Uses the index number (IDX) for a specific filter to list the details for that filter only. Criteria for Individual Filters Figure 11-17. Example of Displaying Filter Data[...]

  • Page 441

    12 Configuring Port-Based and User-Based Access Control (802.1X) Contents Overview . . . 12-3 Why Use Port-Based or User-Based Access Control? . . . 12-3 General Features . . .[...]

  • Page 442

    Configuring Port-Based and User-Based Access Control (802.1X) Contents 3. Configure the 802.1X Authentication Method . . . 12-26 4. Enter the RADIUS Host IP Address(es) . . . 12-27 5. Enable 802.1X Authentication on the Switch . . . 12-27 6. Optional: Reset[...]

  • Page 443

    Configuring Port-Based and User-Based Access Control (802.1X) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1X Authenticators Disabled n/a page 12-19 n/a Configuring 802.1X Open VLAN Mode Disabled n/a page 12-31 n/a Configuring Switch Ports to Operate as 802.1X Supplicants Disabled n/a page 12-49 n/a Displayin[...]

  • Page 444

    Configuring Port-Based and User-Based Access Control (802.1X) Overview • Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication. • Sup[...]

  • Page 445

    Configuring Port-Based and User-Based Access Control (802.1X) Overview credentials. This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated. All sessions must use the same untagged VLAN. Also, an authent[...]

  • Page 446

    Configuring Port-Based and User-Based Access Control (802.1X) Terminology This operation unblocks the port while an authenticated client session is in progress. In topologies where simultaneous, multiple client access is possible this can allow unauthorized and unauthenticated access by another client while an authenticated client is using[...]

  • Page 447

    Configuring Port-Based and User-Based Access Control (802.1X) Terminology a port loses its authenticated client connection, it drops its membership in this VLAN. Note that with multiple clients on a port, all such clients use the same untagged, port-based VLAN membership. Authentication Server: The entity providing an authentication service to[...]

  • Page 448

    Configuring Port-Based and User-Based Access Control (802.1X) Terminology Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan <vid> command or the Menu interface. Supplicant: The entity that must provide the proper credentials to the switch before receiving access to the network. This is u[...]

  • Page 449

    Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X suppli[...]

  • Page 450

    Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation Note The switches covered in this guide can use either 802.1X port-based authentication or 802.1X user-based authentication. For more information, refer to “User Authentication Methods” on page 12-4. VLAN Membership Priority Following cl[...]

  • Page 451

    Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation [Flowchart: VLAN assignment for a newly authenticated client, with the decision nodes "Untagged VLAN Configured On Port?", "RADIUS-Assigned VLAN?", "Authorized VLAN Configured?", "Another (Old) Client Already Using Port?", "Are All Old Clients On Unauthorized VLAN?" and the outcome "Assign New Client to RADI[...]"]

  • Page 452

    Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed: • Multicast and broadcast traffic is allowed on the port. • Unicast traffic to authenticat[...]

  • Page 453

    Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes ■ If a port on switch “A” is configured as an 802.1X supplicant and is connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection. ■ On a port configure[...]

  • Page 454

    Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes not enabled. That is, any non-authenticating client attempting to access the port after another client authenticates with port-based 802.1X would still have to authenticate through Web-Auth or MAC-Auth.[...]

  • Page 455

    Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Access Control Do These Steps Before You Configure 802.1X Operation 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While[...]

  • Page 456

    Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control ProCurve(config)# password port-access user-name Jim secret3 Figure 12-2. Example of the Password Port-Access Command You can save the port-access password for 802.1X authentication i[...]

  • Page 457

    Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control 3. Determine whether to use user-based access control (page 12-4) or port-based access control (page 12-5). 4. Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for client[...]

  • Page 458

    Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to the following: ■ “802.1X User-Based Access Control?[...]

  • Page 459

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Note If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. 7. If you are using Port Security o[...]

  • Page 460

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps: A. En[...]

  • Page 461

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User-Based Authentication or Return to Port-Based Authentication User-Based 802.1X Authentication. Syntax: aaa port-access authenticator client-limit <port-list> <1-8> Used after executing aaa port-access[...]

  • Page 462

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Example: Configuring User-Based 802.1X Authentication This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication. ProCurve(config)# aaa port-access authenticator a10[...]

  • Page 463

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period <0-65535>] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page). (Default: 60 seconds)[...]

  • Page 464

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period <0-65535>] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page). (Default: 60 seconds) [t[...]

  • Page 465

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period <0-9999999>] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid <vlan-id>] Co[...]

  • Page 466

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator. You can configure local, chap-ra[...]

  • Page 467

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication. The following syntax shows the basic co[...]

  • Page 468

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentication is operating, you can use the following aaa port-access authenticator commands to reset 802.1X authentication and statistics on specified ports. Syntax: aaa port-[...]

  • Page 469

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators ■ The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network. For information on h[...]

  • Page 470

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-directions command is applied to all authen[...]

  • Page 471

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 12-19 802.1X Supplicant Commands page 12-51 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator <port-list> page 12-45 [auth-vid <vlan-id>] [unauth-vid <vlan-id>] 802.[...]

  • Page 472

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports configured to allow multiple sessions using 802.1X user-based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, authenticated clients, the first authenticated client determines the[...]

  • Page 473

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port is a tagged member of a VLAN used for 1 or 2 listed above, then it also operates as an untagged member of that VLAN while the client is[...]

  • Page 474

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 12-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-C[...]

  • Page 475

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Authorized-Client VLAN • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN. Notes: If the client is running an 802.1X supplicant ap[...]

  • Page 476

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and acces[...]

  • Page 477

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Open VLAN Mode with Only an Authorized-Client VLAN Configured: 802.1X Per-Port Configuration Port Response • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully completes an authentication sessi[...]

  • Page 478

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Table 12-2. Operating Rules for Client VLANs Condition Rule Static VLANs used as Authorized-Client or Unauthorized-Client VLANs VLAN Assignment Received from a RADIUS Server These must be conf[...]

  • Page 479

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN session on untagged port VLAN membership • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized[...]

  • Page 480

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of RADIUS-assigned VLAN The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN. IP Addressing for a Client Connected to a Port Configure[...]

  • Page 481

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Note: Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to Allow Multiple-Client Access You can optionally enable switches to allow up to eight clients per-port. The Unauthorized-Client VLAN feature can operate on a[...]

  • Page 482

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 12-1 on page 12-34 for other options. Before you configure the 802.1X Open VLAN mode on a port:[...]

  • Page 483

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges. Al[...]

  • Page 484

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host <ip-address> Adds a server to the RADIUS configuration. [key <server[...]

  • Page 485

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 12-42. Syntax: aaa port-access authenticator <p[...]

  • Page 486

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 12-62. 802.1X Open VLAN Operating Notes ■ Although you can configure Open VLAN m[...]

  • Page 487

    Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices reauthenticate itself. If there are multiple clients authenticated on the port, if one client loses access and attempts to re-authenticate, that client will be handled as a new c[...]

  • Page 488

    Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices Port-Security Note If 802.1X port-access is configured on a given port, then port-security learn-mode for that port must be set to either continuous (the default) or port-access. In[...]

  • Page 489

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands page 12-19 802.1X Supplicant Commands [no] aaa port-access <supp[...]

  • Page 490

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches • If, after the supplicant port sends the configured number of start packets, it does not receive a response, it assumes that switch “B” is not 802.1X-aware, and transitions to the au[...]

  • Page 491

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. You can configure a switch port as a supplicant for a point-to-point link to an 802.1X-aware port on another switch. Con[...]

  • Page 492

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] <port-list> (Syntax Continued) [secret] Enter secret: <password> Repeat secret: <password> Sets the secret password to be used b[...]

  • Page 493

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 12-19 802.1X Supplicant Commands page 12-49 802.1X Open VLAN Mode Commands page 12-31 802.1X-Related Show Commands show port-access[...]

  • Page 494

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator [port-list] [config | statistics | session-counters | vlan | clients]| detailed] —Continued— • Untagged VLAN: VLAN ID number of the untagged VLAN used in client sessions. If the[...]

  • Page 495

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters ProCurve(config)# show port-access authenticator 2-3 Port Access Authenticator Status Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Auth Unauth Untagged Tagged Kbps In RADI[...]

  • Page 496

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator config [port-list] Displays 802.1X port-access authenticator configuration settings, including: • Whether port-access authentication is enabled • Whether RADIUS-assigned dynamic VL[...]

  • Page 497

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Access Control Port’s authentication mode: Auto: Network access is allowed to any connected device that supports 802.1X authentication and provides valid 802.1X credentials. Authorized: Network access is allowed to any devi[...]

  • Page 498

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters ProCurve(config)# show port-access authenticator statistics Port Access Authenticator Statistics Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Source TX TX RX RX RX RX RX P[...]

  • Page 499

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator vlan [port-list] Displays the following information on the VLANs configured for use in 802.1X port-access authentication on all switch ports, or specified ports, that are enabled as[...]

  • Page 500

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator clients [port-list] Displays the session status, name, and address for each 802.1X port-access-authenticated client on t[...]

  • Page 501

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator clients <port-list> detailed Displays detailed information on the status of 802.1X-authenticated client sessions on specified ports. ProCurve(config)# show port-access authen[...]

  • Page 502

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show port-access authenticator vlan and show port-access authenticator <port-list> commands as illustrated in[...]

  • Page 503

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Thus, in the output shown in figure 12-17: ■ When the Auth VLAN ID is configured and matches the Current VLAN ID, an authenticated client is connected to the port. (This assumes the port is not a statically configured mem[...]

  • Page 504

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 12-5. Output for Determining Open VLAN Mode Status (Figure 12-18, Lower) Status Indicator Meaning Status Closed: Either no client is connected or the connected client has not received authorization through 802.1X authent[...]

  • Page 505

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Note that ports B1 and B3 are not in the upper listing, but are included under “Overridden Port VLAN configuration”. This shows that static, untagged VLAN memberships on ports B1 and B3 have been overridden by tempo[...]

  • Page 506

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [<port-list>] [statistics] show port-access supplicant [<port-list>] Shows the port-access supplicant configuration (excluding the[...]

  • Page 507

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Op[...]

  • Page 508

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Note You can use 802.1X (port-based or client-based) authentication and either Web or MAC authentication at the same time on a port, with a maximum of eight clients allowed on the port. (The default is one client.) Web au[...]

  • Page 509

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation • If the port is assigned as a member of an untagged dynamic VLAN that was learned through GVRP, the dynamic VLAN configuration must exist on the switch at the time of authentication and GVRP-learned dynamic VLANs for[...]

  • Page 510

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation If this temporary VLAN assignment causes the switch to disable a different untagged static or dynamic VLAN configured on the port (as described in the preceding bullet and in “Example of Untagged VLAN Assignment in a RADIUS-[...]

  • Page 511

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An[...]

  • Page 512

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1X session. This is to accommodate an 802.1X client’s access, authenticated by a RADIUS server, where the server included an instruction to put[...]

  • Page 513

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the port becomes available again. Ther[...]

  • Page 514

Syntax: aaa port-access gvrp-vlans (Continued). 2. After you enable dynamic VLAN assignment in an authentication session, it is recommended that you use the interface unknown-vlans command on a per-port basis to prevent d[...]

  • Page 515

Messages Related to 802.1X Operation. Table 12-6. 802.1X Operating Messages (Message / Meaning): Port <port-list> is not an authenticator. / The ports in the port list have not been enabled as 802.1X authenticators. Use this command to enable th[...]


  • Page 517

13 Configuring and Monitoring Port Security. Contents: Overview 13-3; Port Security 13-4; Basic Operation [...]

  • Page 518

Contents (continued): Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags 13-40; Operating Notes for Port Security 13-41[...]

  • Page 519

Overview. Feature (Default; Menu; CLI; Web):
Displaying Current Port Security (n/a; —; page 13-8; page 13-33)
Configuring Port Security (disabled; —; page 13-12; page 13-33)
Retention of Static Addresses (n/a; —; page 13-17; n/a)
MAC Lockdown (disabled; —; page 13-22)
MAC Lockout (disabled; —; page 13-30)
Intrusion [...]

  • Page 520

Port Security: Basic Operation. Default Port Security Operation. The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction. Intruder Protection. A port that detects an “intruder” blocks the intrud[...]

  • Page 521

• Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives [...]

  • Page 522

...configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users. For example: Figure 13-1. Example of How Port Security Controls Access. [Figure: Switch A, Port Security Configured; Switch B, MAC Addres[...]

  • Page 523

Planning Port Security. 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? c. For each port, what security actions do you want? (The switch automatic[...]

  • Page 524

Port Security Command Options and Operation. Port Security Commands Used in This Section: show port-security 13-9; show mac-address port-security 13-12; <port-list> 13-12; learn-mode 13-12; address-limit 13-15; mac-address 13-16; action 13-16; clear-intrusion-flag 13-17; no port-security 13-17[...]

  • Page 525

Displaying Port Security Settings. Syntax: show port-security / show port-security <port number> / show port-security [<port number>-<port number>] . . . [,<port number>]. The CLI uses the same command to provide two types of port security listings: • All ports on[...]

  • Page 526

Figure 13-3. Example of the Port Security Configuration Display for a Single Port. The next example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string: ProCurve(config[...]

  • Page 527

Figure 13-4. Examples of Show Mac-Address Outputs[...]

  • Page 528

Configuring Port Security. Using the CLI, you can: ■ Configure port security and edit security settings. ■ Add or delete devices from the list of authorized addresses for one or more ports. ■ Clear the Intrusion flag on specific ports. Syntax: port-security [e] <port-list> <lear[...]

  • Page 529

Syntax: port-security (Continued). learn-mode <continuous | static | port-access | configured | limited-continuous> (Continued). static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (exp[...]

  • Page 530

Syntax: port-security (Continued). learn-mode <continuous | static | port-access | configured | limited-continuous> (Continued). Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device to [...]

  • Page 531

Syntax: port-security (Continued). Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time[...]

  • Page 532

Syntax: port-security (Continued). mac-address [<mac-addr>] [<mac-addr>] . . . [<mac-addr>]: Available for learn-mode with the static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value s[...]

  • Page 533

Syntax: port-security (Continued). clear-intrusion-flag: Clears the intrusion flag for a specific port. (See “Reading Intrusion Alerts and Resetting Alert Flags” on page 13-33.) no port-security <port-list> mac-address <mac-addr> [<mac-addr> <mac-addr>]: Removes t[...]

  • Page 534

■ Delete it by using no port-security <port-number> mac-address <mac-addr>. ■ Download a configuration file that does not include the unwanted MAC address assignment. ■ Reset the switch to its factory-default configuration. Specifying Authorized Devices and Intrusio[...]

  • Page 535

Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existing Authorized Addresses list, enter the port number with the mac-address parameter and the device’s MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses lis[...]

  • Page 536

(The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list.) Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in sta[...]

  • Page 537

Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to “Static”. Refer to the command syn[...]

  • Page 538

The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1:
ProCurve(config)# port-security a1 address-limit 1
ProCurve(config)# no port-security a1 mac-address 0c0090-123456
The above command sequence results in the following configuration for po[...]

  • Page 539

MAC Lockdown. You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID of “1”. How It Works. When a device’s MAC address is locked down to a port (typically in a pair with a VLAN) all information sent t[...]

  • Page 540

Other Useful Information. Once you lock down a MAC address/VLAN pair on one port, that pair cannot be locked down on a different port. You cannot perform MAC Lockdown and 802.1X authentication on the same port or on the same MAC address. MAC Lockdown and 802.1X authentication are mutually ex[...]

  • Page 541

MAC Lockdown Operating Notes. Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch. In reality few network administrators wi[...]

  • Page 542

Deploying MAC Lockdown. When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as “meshing” or Spanning Tree Protocol (STP) to speed up network performance by providing multip[...]

  • Page 543

[Figure: several ProCurve switches; Internal Core Network; Switch 1; Mixed Users and Edge Devices at the Network Edge; Server “A”. Callouts: “Lock Server ‘A’ to these ports.” “There is no need to lock MAC addresses on switches in the internal core network.”] Figure 13-10. MAC Lo[...]

  • Page 544

The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and[...]

  • Page 545

Figure 13-11. Connectivity Problems Using MAC Lockdown with Multiple Paths. [Figure: Mixed Users; Internal Network; External Network; Switch 1, Switch 2, Switch 3; Server A. Callouts: “Server A is locked down to Switch 1, Uplink 2.” “PROBLEM: If this link fails, traffic to Server A will not use the backup path via Switch 3.”][...]

  • Page 546

MAC Lockout. MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any traffic to or from the “locked-out” MAC address will be dropped. This means that all data packets addressed to or from the given address are stopped by the switch. MAC Lockout is im[...]

  • Page 547

MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication. You cannot use MAC Lockout to lock: • Broadcast or Multicast Addresses (Switches do not learn these) • Switch Agents (The switch’s own MAC Address). There are limits for the number of VLANs, Multicast F[...]

  • Page 548

Port Security and MAC Lockout. MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in [...]
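To see how MAC Lockdown, MAC Lockout and ordinary address learning interact on one switch, including the multiple-path problem of Figure 13-11, here is an added Python model. It is not switch code, and the CLI forms quoted in its docstrings are only reminders of the commands described above. The decision order (Lockout first, then the lockdown checks) and the rule that a locked-down source address arriving on any other port is dropped are this model's reading of the text; the port names and MAC addresses are constructed.

```python
"""Forwarding model for MAC Lockdown and MAC Lockout on a single switch.
Added illustration, not ProCurve code. Decision order and the source-side drop
are this model's reading of the manual; ports and MACs below are constructed."""

MAX_LOCKDOWNS = 500  # manual: 500 MAC Lockdowns can safely be coded per switch


class LockedSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.link_up = {p: True for p in ports}
        self.dot1x_ports = set()   # ports running 802.1X authentication
        self.lockdowns = {}        # (mac, vid) -> port the pair is locked to
        self.lockouts = set()      # MACs dropped on every port and VLAN
        self.mac_table = {}        # (mac, vid) -> port, learned from traffic

    def static_mac(self, mac, port, vid=1):
        """static-mac <mac> vlan <vid> interface <port>; omitting the VID locks VID 1."""
        if port not in self.ports:
            raise ValueError(f"unknown port {port}")
        if port in self.dot1x_ports:
            raise ValueError("MAC Lockdown and 802.1X are mutually exclusive on a port")
        if self.lockdowns.get((mac, vid), port) != port:
            raise ValueError(f"{mac}/VLAN {vid} is already locked to another port")
        if (mac, vid) not in self.lockdowns and len(self.lockdowns) >= MAX_LOCKDOWNS:
            raise ValueError("lockdown limit reached")
        self.lockdowns[(mac, vid)] = port

    def lockout_mac(self, mac):
        """lockout-mac <mac>: drop all traffic to or from this address on all ports/VLANs."""
        self.lockouts.add(mac)

    def forward(self, src, dst, vid, in_port):
        """Return ('drop', reason) or ('forward', out_port) for one frame."""
        # 1. Lockout overrides lockdown, port security and 802.1X.
        if src in self.lockouts or dst in self.lockouts:
            return ("drop", "MAC Lockout")
        # 2. Assumption: a locked-down source seen on any other port is dropped,
        #    which is how this model enforces "must go through the locked-down port".
        locked_src = self.lockdowns.get((src, vid))
        if locked_src is not None and locked_src != in_port:
            return ("drop", f"{src} is locked to {locked_src}")
        if locked_src is None:
            self.mac_table[(src, vid)] = in_port   # ordinary address learning
        # 3. Traffic to a locked-down destination goes only out the locked port,
        #    whether or not the device is still reachable there (Figure 13-11).
        locked_dst = self.lockdowns.get((dst, vid))
        if locked_dst is not None:
            if not self.link_up[locked_dst]:
                return ("drop", f"locked port {locked_dst} is down; no failover")
            return ("forward", locked_dst)
        return ("forward", self.mac_table.get((dst, vid), "flood"))


def demo():
    """Edge switch with two uplinks; Server A is locked to uplink2 (constructed MACs)."""
    sw = LockedSwitch(["a1", "uplink1", "uplink2"])
    server_a, client, rogue = "0060b0-000001", "0060b0-0000c1", "0060b0-00bad1"
    sw.static_mac(server_a, "uplink2")                  # VID defaults to 1
    out = {}
    out["client_to_server"] = sw.forward(client, server_a, 1, "a1")
    out["server_via_backup"] = sw.forward(server_a, client, 1, "uplink1")
    sw.link_up["uplink2"] = False                        # the locked link fails
    out["after_link_failure"] = sw.forward(client, server_a, 1, "a1")
    sw.lockout_mac(rogue)
    out["rogue_any_port"] = sw.forward(rogue, client, 1, "uplink1")
    try:
        sw.static_mac(server_a, "uplink1")               # same MAC/VLAN pair, other port
        out["relock_other_port"] = "accepted"
    except ValueError as e:
        out["relock_other_port"] = str(e)
    sw.dot1x_ports.add("a1")
    try:
        sw.static_mac(client, "a1")
        out["lockdown_on_dot1x_port"] = "accepted"
    except ValueError as e:
        out["lockdown_on_dot1x_port"] = str(e)
    return out
```

Run demo() to see the failover caveat directly: once uplink2 is down, frames for Server A are dropped rather than taking the backup path, and Server A's own frames arriving over the backup link are dropped as well.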

  • Page 549

Web: Displaying and Configuring Port Security Features. 1. Click on the Security tab. 2. Click on [Port Security]. 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field. 4. Implement [...]

  • Page 550

Reading Intrusion Alerts and Resetting Alert Flags. ■ The switch enables notification of the intrusion through the following means: • In the CLI: – The show port-security intrusion-log command displays the Intrusion Log – The log command displays the Event Log • In the menu interface: [...]

  • Page 551

Figure 13-12. Example of Multiple Intrusion Log Entries for the Same Port. The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Ins[...]

  • Page 552

Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags. The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen. 1. From the Main Menu [...]

  • Page 553

• Because the Port Status screen (figure 13-13 on page 13-36) does not indicate an intrusion for port A1, the alert flag for the intrusion on port A1 has already been reset. • Since the switch can show only one uncleared intrusion per port, the aler[...]

  • Page 554

clear intrusion-flags: Clear intrusion flags on all ports. port-security [e] <port-number> clear-intrusion-flag: Clear the intrusion flag on one or more specific ports. In the following example, executing show interfaces brief lists the switch’[...]

  • Page 555

To clear the intrusion from port A1 and enable the switch to enter any subsequent intrusion for port A1 in the Intrusion Log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, you will see that th[...]
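The rules in the port-security syntax description (learn-mode, address-limit, mac-address, action, and the Caution about a static limit larger than the configured address list) and in this section (a port shows one uncleared intrusion at a time, and clear-intrusion-flag re-arms it) can be exercised in a small model. The following Python is an added example for this page, not ProCurve switch code: it covers only learn-mode continuous and static, reads "one uncleared intrusion per port" as "no new Intrusion Log entry for that port until the flag is cleared" (a reading of the text, not a quoted rule), does not model address ageing, and uses constructed MAC addresses apart from 0c0090-123456 from the manual's own example.

```python
"""Model of per-port port security: learn-mode, address-limit, mac-address, action
and the intrusion flag. Added illustration, not ProCurve code; only learn-mode
continuous and static are modelled, and MACs other than 0c0090-123456 are constructed."""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    learn_mode: str = "continuous"   # default: any device may use the port
    address_limit: int = 1           # default 1; at most 8 authorized devices per port
    authorized: list = field(default_factory=list)  # set with the mac-address parameter
    action: str = "none"             # none | send-alarm | send-disable
    intrusion_flag: bool = False
    port_disabled: bool = False
    intrusion_log: list = field(default_factory=list)  # most recent intrusion first

    def __post_init__(self):
        if self.learn_mode not in ("continuous", "static"):
            raise ValueError("this model covers learn-mode continuous and static only")
        if not 1 <= self.address_limit <= 8:
            raise ValueError("address-limit must be 1..8")
        if len(self.authorized) > self.address_limit:
            raise ValueError("Inconsistent value")

    def add_mac(self, mac):
        """port-security <port> mac-address <mac>: the switch answers 'Inconsistent
        value' if the list is already at address-limit or the MAC is already listed."""
        if mac in self.authorized or len(self.authorized) >= self.address_limit:
            raise ValueError("Inconsistent value")
        self.authorized.append(mac)

    def remove_mac(self, mac):
        """no port-security <port> mac-address <mac>"""
        self.authorized.remove(mac)

    def frame_from(self, src_mac, when):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.port_disabled:
            return "drop"
        if self.learn_mode == "continuous":
            return "forward"
        if src_mac in self.authorized:
            return "forward"
        if len(self.authorized) < self.address_limit:
            # Static mode with address-limit above the number of configured MACs:
            # the port learns the remaining addresses from traffic (the Caution case).
            self.authorized.append(src_mac)
            return "forward"
        self._intrusion(src_mac, when)
        return "drop"   # the intruder is blocked whatever the configured action

    def _intrusion(self, mac, when):
        # Reading of the text: one uncleared intrusion per port, so later intruders
        # are still blocked but not logged until the flag is cleared.
        if not self.intrusion_flag:
            self.intrusion_flag = True
            self.intrusion_log.insert(0, (when, mac))
        if self.action == "send-disable":
            self.port_disabled = True

    def clear_intrusion_flag(self):
        """port-security <port> clear-intrusion-flag"""
        self.intrusion_flag = False


def demo():
    """Walk through the Caution on static mode and the fix the manual gives for port a1."""
    out = {}
    port = PortSecurity("static", 2, ["0060b0-889e00"], "send-alarm")  # one slot free
    out["unwanted_learned"] = port.frame_from("0c0090-123456", 1)      # learned, forwarded
    out["authorized_after_learning"] = list(port.authorized)
    # Fix from the manual: address-limit 1 and remove the unwanted address
    port.remove_mac("0c0090-123456")
    port.address_limit = 1
    out["unwanted_after_fix"] = port.frame_from("0c0090-123456", 2)    # intrusion, logged
    out["second_intruder"] = port.frame_from("0c0090-abcdef", 3)       # blocked, not logged
    out["log_before_clear"] = len(port.intrusion_log)
    port.clear_intrusion_flag()
    port.frame_from("0c0090-abcdef", 4)                                # logged again
    out["log_after_clear"] = len(port.intrusion_log)
    out["wanted_still_ok"] = port.frame_from("0060b0-889e00", 5)
    # send-disable: the first intruder takes the port down, authorized device included
    strict = PortSecurity("static", 1, ["0060b0-889e00"], "send-disable")
    strict.frame_from("0c0090-123456", 6)
    out["strict_port_disabled"] = strict.port_disabled
    out["strict_wanted_blocked"] = strict.frame_from("0060b0-889e00", 7)
    try:
        strict.add_mac("0c0090-123456")
        out["add_over_limit"] = "accepted"
    except ValueError as e:
        out["add_over_limit"] = str(e)
    return out
```

The first two results are the Caution in action: with address-limit 2 and one configured address, the first unknown device is simply learned. The rest show the effect of the manual's fix and of send-disable, which blocks the authorized device too until the port is re-enabled.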

  • Page 556

Figure 13-18. Example of Log Listing With and Without Detected Security Violations. [Figure: Log Listing with Security Violation Detected; Log Listing with No Security Violation Detected; Log Command with “security” for Search.] From the Menu Interface: In the Mai[...]

  • Page 557

Operating Notes for Port Security. Identifying the IP Address of an Intruder. The Intrusion Log lists detected intruders by MAC address. If you are using ProCurve Manager to manage your network, you can use the device properties page to link MAC addresses to their corresp[...]

  • Page 558

ProCurve(config)# port-security e a17 learn-mode static address-limit 2
LACP has been disabled on secured port(s).
ProCurve(config)#
The switch will not allow you to configure LACP on a port on which port security is enabled. For example:
ProCurve(config)# int e a17 lacp p[...]

  • Page 559

14 Using Authorized IP Managers. Contents: Overview 14-2; Options 14-3; Access Levels [...]

  • Page 560

Overview. Authorized IP Manager Features. Feature (Default; Menu; CLI; Web):
Listing (Showing) Authorized Managers (n/a; page 14-5; page 14-6; page 14-8)
Configuring Authorized IP Managers (None; page 14-5; page 14-6; page 14-8)
Building IP Masks (n/a; page 14-10; page 14-10; page 14-10)
Operating and Troubleshooting Notes (n/a; page[...]

  • Page 561

Options. You can configure: ■ Up to 100 authorized manager addresses, where each address applies to either a single management station or a group of stations ■ Manager or Operator access privileges. Caution: Configuring Authorized IP Managers does not protect access to the switch through a modem or direc[...]

  • Page 562

Defining Authorized Management Stations. …rized Manager IP column, and leave the IP Mask set to 255.255.255.255. This is the easiest way to use the Authorized Managers feature. (For more on this topic, see “Configuring One Station Per Authorized Manager IP Entry” on page 14-10.) ■ Authorizing Multiple Station[...]

  • Page 563

Menu: Viewing and Configuring IP Authorized Managers. Only IPv4 is supported when using the menu to set the management access method. From the console Main Menu, select: 2. Switch Configuration … 6. IP Authorized Managers. ProCurve 22-Apr-2008 20:17:53 ======================[...]

  • Page 564

Editing or Deleting an Authorized Manager Entry. Go to the IP Managers List screen (figure 14-1), highlight the desired entry, and press [E] (for Edit) or [D] (for Delete). CLI: Viewing and Configuring Authorized IP Managers. Authorized IP[...]

  • Page 565

ProCurve(config)# ip authorized-managers 10.10.10.2 255.255.255.255 manager
Figure 14-4. Example of Configuring IP Authorized Manager. To Authorize Manager Access. This command authorizes manager-level access for any station with an IP address of 10.28.227.0 through 10.28.2[...]

  • Page 566

Web: Configuring IP Authorized Managers. In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: 1. Click on the Security tab. 2. Click on the Authorized Addresses button. 3. Ente[...]

  • Page 567

...access through a web proxy server requires that you first add the web proxy server to the Authorized Manager IP list. This reduces security by opening switch access to anyone who uses the web proxy server. How to Eliminate the Web Proxy Server. There are two ways to eliminate [...]

  • Page 568

Building IP Masks. The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network. Configuring One Station Per Authorized Manager IP Entry. This is the easiest way to apply a mask. If you have ten or few[...]

  • Page 569

...IP list. Thus, in the example shown above, a “255” in an IP Mask octet (all bits in the octet are “on”) means only one value is allowed for that octet—the value you specify in the corresponding octet of the Authorized Manager IP list. A “0” (all bits in the octet are “off”) mea[...]

  • Page 570

Table 14-3. Example of How the Bitmap in the IP Mask Defines Authorized Manager Addresses
4th Octet of IP Mask: 249
4th Octet of Authorized IP Address: 5
Bit Numbers:   7    6    5    4    3    2    1    0
Bit Values:  128   64   32   16    8    4    2    1
4th Octet of IP Mask (249) / 4th Octet of IP Authorized[...]
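The mask arithmetic behind Table 14-3 and the matching rule for Authorized Manager entries, as an added Python example (not switch code): an entry matches a station when the station address ANDed with the IP Mask equals the Authorized Manager IP ANDed with the same mask, so a “255” octet pins one value and a “0” octet accepts any. The 10.10.10.2 and 10.28.227.0 entries come from the examples earlier in this chapter; the 10.28.230.5 entry, the 100-entry cap check and the first-match rule for overlapping entries are assumptions of the example.

```python
"""Authorized IP Managers match logic: (station AND mask) == (authorized IP AND mask).
Added illustration in Python, not switch code. Entries other than the manual's
10.10.10.2 and 10.28.227.0 examples, and the first-match rule, are constructed."""
import ipaddress

MAX_ENTRIES = 100  # manual: up to 100 authorized manager addresses


def _addr(text):
    return int(ipaddress.IPv4Address(text))


class AuthorizedManagers:
    def __init__(self):
        self.entries = []  # (authorized_ip, ip_mask, access_level), configuration order

    def add(self, ip, mask="255.255.255.255", level="manager"):
        """ip authorized-managers <ip> [<mask>] [manager | operator]
        The default mask 255.255.255.255 authorizes exactly one station."""
        if level not in ("manager", "operator"):
            raise ValueError("access level must be manager or operator")
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError("authorized manager list is full")
        self.entries.append((_addr(ip), _addr(mask), level))

    def access_level(self, station):
        """Return 'manager', 'operator' or None for a connecting station.
        A '1' bit in the mask must match the authorized IP; a '0' bit is a wildcard.
        Assumption: the first matching entry decides; the manual's handling of
        overlapping entries is not reproduced here."""
        s = _addr(station)
        for ip, mask, level in self.entries:
            if (s & mask) == (ip & mask):
                return level
        return None


def allowed_octet_values(mask_octet, auth_octet):
    """Table 14-3 worked out: every value of one octet that a mask/IP octet pair accepts.
    Mask 249 (11111001) with authorized 5 (00000101) leaves bits 1 and 2 free."""
    return [v for v in range(256) if (v & mask_octet) == (auth_octet & mask_octet)]


def demo():
    am = AuthorizedManagers()
    am.add("10.10.10.2")                                   # Figure 14-4: one station
    am.add("10.28.227.0", "255.255.255.0", "manager")      # whole 10.28.227.x range
    am.add("10.28.230.5", "255.255.255.249", "operator")   # constructed: bitmap pattern
    return {
        "single_station": am.access_level("10.10.10.2"),
        "single_station_neighbour": am.access_level("10.10.10.3"),
        "in_range": am.access_level("10.28.227.200"),
        "out_of_range": am.access_level("10.28.228.1"),
        "bitmap_hit": am.access_level("10.28.230.7"),      # 7 & 249 == 5 & 249 == 1
        "bitmap_miss": am.access_level("10.28.230.2"),     # 2 & 249 == 0
        "table_14_3": allowed_octet_values(249, 5),
    }
```

The bitmap entry is the point worth checking before deploying a non-trivial mask: a mask like 255.255.255.249 does not authorize "5 and its neighbours" but exactly the octet values whose fixed bits agree with 5, here 1, 3, 5 and 7.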

  • Page 571

Operating Notes. ■ Network Security Precautions: You can enhance your network’s security by keeping physical access to the switch restricted to authorized personnel, using the password features built into the switch, using the additional security features described in this manual, and prev[...]


  • Page 573

15 Key Management System. Contents: Overview 15-2; Terminology 15-2; Configuring Key Chain Management [...]

  • Page 574

Overview. The switches covered in this guide provide support for advanced routing capabilities. Security turns out to be extremely important as complex networks and the internet grow and become a part of our daily life and business. This fact forces protocol developers to improve security mechanisms employed b[...]

  • Page 575

Configuring Key Chain Management. KMS-Related CLI Commands in This Section (Page): show key-chain <chain_name> page 15-3; [no] key-chain chain_name page 15-3; [no] key-chain chain_name key Key_ID page 15-4. The Key Management System (KMS) has three configuration steps: 1. Create a key [...]

  • Page 576

show key-chain: Displays the current key chains on the switch and their overall status. For example, to generate a new key chain entry: [Figure callouts: “Add new key chain entry ‘Procurve1’.” “Display key chain entries.”] Figure 15-1. Adding a New Key Chain Entry. After you add an entry, you can assign key(s)[...]

  • Page 577

[accept-lifetime infinite] [send-lifetime infinite]. accept-lifetime infinite: Allows packets with this key to be accepted at any time from boot-up until the key is removed. send-lifetime infinite: Allows the switch to send this key as authorization, from boot-up until the key is remove[...]

  • Page 578

Note. [key-string <key_str>]: This option specifies the key value referenced by the protocol using the key. The <key_str> can be any string up to 14 characters in length. accept-lifetime <mm/dd/yy[yy] hh:mm:ss | now>: Specifies the start date and time of the valid[...]

  • Page 579

[Figure callouts: “Adds a key with full time and date.” “Adds a key with duration expressed in seconds.”] Figure 15-3. Adding Time-Dependent Keys to a Key Chain Entry. Note: Given transmission delays and the variations in the time value from switch to switch, it is advisable to include some flexibility in the Acce[...]

  • Page 580

You can use show key-chain to display the key status at the time the command is issued. Using the information from the example configuration in figures 15-3 and 15-4, if you execute show key-chain at 8:05 on 01/19/03, the display would appear as follows: Figure 15-5. Status of Keys in Key[...]
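The following Python is an added example (not switch code) that models key-chain lifetimes and the Note above on clock differences between switches. It parses the CLI's mm/dd/yy[yy] hh:mm:ss, duration-in-seconds and infinite forms, computes which key a switch sends and which keys it accepts at a given time, reports a per-key status in the spirit of show key-chain, and shows a key rollover failing when the two accept-lifetimes meet exactly and succeeding when they overlap. The key names, key strings, the 08:00:00 rollover and the 10-second clock skew are constructed; treating a lifetime's end time as exclusive is an assumption of the example.

```python
"""Key Management System lifetimes: which key a switch sends and which keys it accepts
at a given time, and why accept-lifetime should overlap. Added illustration, not
switch code. Key names, strings, times and the clock skew are constructed;
lifetime end times are treated as exclusive (assumption)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def parse_time(text, now=None):
    """Parse the CLI's mm/dd/yy[yy] hh:mm:ss form, or the keyword 'now'."""
    if text == "now":
        return now or datetime.now()
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"bad time: {text!r}")


@dataclass
class Lifetime:
    start: Optional[datetime] = None   # None: valid from boot-up
    end: Optional[datetime] = None     # None: valid until the key is removed

    @classmethod
    def from_cli(cls, start, end_or_duration, now=None):
        """<start> followed by an end time, a duration in seconds, or 'infinite'."""
        s = parse_time(start, now)
        if end_or_duration == "infinite":
            return cls(s, None)
        if end_or_duration.isdigit():
            return cls(s, s + timedelta(seconds=int(end_or_duration)))
        return cls(s, parse_time(end_or_duration, now))

    def state_at(self, t):
        if self.start is not None and t < self.start:
            return "inactive"   # not yet valid
        if self.end is not None and t >= self.end:
            return "expired"
        return "active"


@dataclass
class Key:
    key_id: int
    key_string: str          # manual: any string up to 14 characters
    accept: Lifetime
    send: Lifetime

    def __post_init__(self):
        if not 1 <= len(self.key_string) <= 14:
            raise ValueError("key-string must be 1..14 characters")


class KeyChain:
    def __init__(self, name):
        self.name, self.keys = name, {}

    def add(self, key):
        self.keys[key.key_id] = key

    def send_key(self, t):
        """The key whose send-lifetime covers t (at most one in a sane chain)."""
        return next((k for k in self.keys.values() if k.send.state_at(t) == "active"), None)

    def accepted(self, t):
        return [k for k in self.keys.values() if k.accept.state_at(t) == "active"]

    def status(self, t):
        """Per-key (accept, send) state at time t, as show key-chain would report it."""
        return {k.key_id: (k.accept.state_at(t), k.send.state_at(t)) for k in self.keys.values()}


def build_chain(name, accept_overlap_seconds):
    """Key 1 is sent until 01/19/03 08:00:00 and key 2 from then on; each accept
    window is widened by accept_overlap_seconds across the rollover."""
    rollover = parse_time("01/19/03 08:00:00")
    pad = timedelta(seconds=accept_overlap_seconds)
    chain = KeyChain(name)
    chain.add(Key(1, "Procurve1key", Lifetime(None, rollover + pad), Lifetime(None, rollover)))
    chain.add(Key(2, "Procurve2key", Lifetime(rollover - pad, None), Lifetime(rollover, None)))
    return chain


def rollover_accepted(skew_seconds, accept_overlap_seconds):
    """Sender's clock runs skew_seconds ahead of the receiver's; both hold the same chain."""
    sender = build_chain("sender", accept_overlap_seconds)
    receiver = build_chain("receiver", accept_overlap_seconds)
    sender_time = parse_time("01/19/03 08:00:05")            # just past the rollover
    receiver_time = sender_time - timedelta(seconds=skew_seconds)
    k = sender.send_key(sender_time)                         # key 2
    return any(r.key_id == k.key_id and r.key_string == k.key_string
               for r in receiver.accepted(receiver_time))
```

With no overlap, a receiver whose clock lags by 10 seconds still considers key 2 inactive when the sender has already switched to it, so the packet is rejected; a 60-second overlap in accept-lifetime absorbs the skew without widening the send window at all.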

  • Page 581

Index. Numerics: 3DES … 8-3. 802.1X: ACL, effect on … 9-16. 802.1X access control: authenticate users … 12-5, 12-4, 12-6, 12-4, 12-20; backend state … 12-62; operation … 12-9; show commands … 12-53, 12-62; unblock port … 12-6 … 12-6, 12-25, 12-22; blocked port, trunked … 12-13; caution, unauthorized-client VLAN … 12-39; CHAP … 12-3; chap[...]

  • Page 582

terminology … 12-6, 12-29, 12-67, 12-68, 12-69, 12-13, 12-23, 12-24; unauthenticated port … 12-28, 12-22, 12-25, 12-8, 12-41, 12-25, 12-35, 12-25, 12-33, 12-47; access … 12-4, 12-10; client authentication … 12-5, 12-4, 12-48, 12-21, 12-32, 12-21; enable … 12-20, 12-48; limit … 12-4, 12-21; tagged VLAN … 12-5; VLAN … 12-40, 12-41; Web/MAC [...]

  • Page 583

configure … 9-65; option … 9-71; traffic … 9-18, 9-72; implicit deny: See deny any, implicit. … 9-12, 9-20; See ACL, wildcard. IPX … 9-26; log function, with mirroring … 9-17; See ACL, logging. … 9-17, 9-18, 9-48; described … 9-96; session … 9-17 … 9-99; mask … 9-11, 9-17, 9-29, 9-47; CIDR … 9-43; defined … 9-11; multiple IP addres[...]

  • Page 584

state … 12-62; authorized addresses for IP management security … 14-3, 13-5; authorized IP managers: access levels … 14-3; building IP masks … 14-10; configuring … 14-6, 14-8, 14-5; definitions of single and multiple … 14-3; effect of duplicate IP addresses … 14-13; IP mask for multiple stations … 14-10, 14-4; operating notes … 14-13, 14[...]

  • Page 585

verify … 10-5; documentation: feature matrix … xx; latest versions … xix; printed in-box publications … xix; release notes … xix; duplicate IP address, effect on authorized IP managers … 14-13; dynamic ARP protection: additional validation checks on ARP packets … 10-20; ARP packet debugging … 10-22; displaying ARP statistics … 10-21; enab[...]

  • Page 586

address count … 10-23, 14-1; reserved port numbers … 7-18; IP attribute … 5-36; IP masks: building … 14-10; for multiple authorized manager stations … 14-10; operation … 14-4; IP routing: dynamic ARP protection, enabling … 10-15; validation checks on ARP packets, configuring … 10-20; IP-to-MAC binding … 10-19; IPv4, ACL vendor-specific att[...]

  • Page 587

O: open VLAN mode, See 802.1X access control. OpenSSH … 7-2; OpenSSL … 8-2; operating notes: authorized IP managers … 14-13; port security … 13-41; operator password … 2-4, 2-6, 2-7; saving to configuration file … 2-12; Option 82, snooping … 10-5. P: packet validation … 10-5; password: 802.1X port-access … 2-12, 2-21; browser/console access [...]

  • Page 588

multiple ACL application types in use … 6-15; NAS-Prompt-User service-type value … 5-14; network accounting … 5-35; operating rules, switch … 5-6, 6-7, 6-8, 6-7, 6-8; rate-limiting … 6-4, 6-6, 6-4; security … 5-13, 5-4, 5-37, 5-47, 5-19, 5-8, 5-14, 2-12, 2-16, 5-46, 5-45; SNMP access security not supported … 5-4; statistics, viewing … 5[...]

  • Page 589

saving security credentials to configuration file … 2-12, 2-14, 2-21; snooping: authorized server … 10-4, 10-8; binding database … 10-11; changing remote-id … 10-10; DHCP … 10-3; disable MAC check … 10-10; Option 82 … 10-5, 10-8; statistics … 10-5; untrusted-policy … 10-9; verify … 10-5; source port filters: configuring … 11-4; named … [...]

  • Page 590

configuration, authentication … 4-11, 4-22, 4-18, 4-23, 4-10; encryption key … 4-6, 4-18, 4-19, 4-22, 4-29, 4-26, 4-23, 2-12; general operation … 4-2; IP address, server … 4-18; local manager password requirement … 4-29; messages … 4-28; NAS … 4-3; precautions … 4-5, 4-8, 4-18, 4-6; server access … 4-18, 4-21, 4-5, 2-15, 4-8, 4-13, 4-5[...]

  • Page 591

SSL … 8-18; unsecured access, SSL … 8-18; web server, proxy … 13-41; wildcard: See ACL, wildcard. See ACL. wildcard, ACL, defined … 6-11[...]



  • Page 594

© Copyright 2009 Hewlett-Packard Development Company, L.P. February 2009. Manual Part Number 5992-5439[...]