Ir para a página of
Manuais similares
-
Switch
HP (Hewlett-Packard) M208
224 páginas 0.93 mb -
Switch
HP (Hewlett-Packard) HN220E
8 páginas 0.1 mb -
Switch
HP (Hewlett-Packard) 2000fc
26 páginas 0.69 mb -
Switch
HP (Hewlett-Packard) HP 34970A
429 páginas 9.55 mb -
Switch
HP (Hewlett-Packard) 377707-002
92 páginas 0.82 mb -
Switch
HP (Hewlett-Packard) AA-RW20A-TE
226 páginas 3.16 mb -
Switch
HP (Hewlett-Packard) U.11. (2510-48)
294 páginas 1.87 mb -
Switch
HP (Hewlett-Packard) 5372XL
632 páginas 11.33 mb
Bom manual de uso
As regras impõem ao revendedor a obrigação de fornecer ao comprador o manual com o produto HP (Hewlett-Packard) 4100GL. A falta de manual ou informações incorretas fornecidas ao consumidor são a base de uma queixa por não conformidade do produto com o contrato. De acordo com a lei, pode anexar o manual em uma outra forma de que em papel, o que é frequentemente utilizado, anexando uma forma gráfica ou manual electrónicoHP (Hewlett-Packard) 4100GL vídeos instrutivos para os usuários. A condição é uma forma legível e compreensível.
O que é a instrução?
A palavra vem do latim "Instructio" ou instruir. Portanto, no manual HP (Hewlett-Packard) 4100GL você pode encontrar uma descrição das fases do processo. O objetivo do manual é instruir, facilitar o arranque, a utilização do equipamento ou a execução de determinadas tarefas. O manual é uma coleção de informações sobre o objeto / serviço, um guia.
Infelizmente, pequenos usuários tomam o tempo para ler o manual HP (Hewlett-Packard) 4100GL, e um bom manual não só permite conhecer uma série de funcionalidades adicionais do dispositivo, mas evita a formação da maioria das falhas.
Então, o que deve conter o manual perfeito?
Primeiro, o manual HP (Hewlett-Packard) 4100GL deve conte:
- dados técnicos do dispositivo HP (Hewlett-Packard) 4100GL
- nome do fabricante e ano de fabricação do dispositivo HP (Hewlett-Packard) 4100GL
- instruções de utilização, regulação e manutenção do dispositivo HP (Hewlett-Packard) 4100GL
- sinais de segurança e certificados que comprovam a conformidade com as normas pertinentes
Por que você não ler manuais?
Normalmente, isso é devido à falta de tempo e à certeza quanto à funcionalidade específica do dispositivo adquirido. Infelizmente, a mesma ligação e o arranque HP (Hewlett-Packard) 4100GL não são suficientes. O manual contém uma série de orientações sobre funcionalidades específicas, a segurança, os métodos de manutenção (mesmo sobre produtos que devem ser usados), possíveis defeitos HP (Hewlett-Packard) 4100GL e formas de resolver problemas comuns durante o uso. No final, no manual podemos encontrar as coordenadas do serviço HP (Hewlett-Packard) na ausência da eficácia das soluções propostas. Atualmente, muito apreciados são manuais na forma de animações interessantes e vídeos de instrução que de uma forma melhor do que o o folheto falam ao usuário. Este tipo de manual é a chance que o usuário percorrer todo o vídeo instrutivo, sem ignorar especificações e descrições técnicas complicadas HP (Hewlett-Packard) 4100GL, como para a versão papel.
Por que ler manuais?
Primeiro de tudo, contem a resposta sobre a construção, as possibilidades do dispositivo HP (Hewlett-Packard) 4100GL, uso dos acessórios individuais e uma gama de informações para desfrutar plenamente todos os recursos e facilidades.
Após a compra bem sucedida de um equipamento / dispositivo, é bom ter um momento para se familiarizar com cada parte do manual HP (Hewlett-Packard) 4100GL. Atualmente, são cuidadosamente preparados e traduzidos para sejam não só compreensíveis para os usuários, mas para cumprir a sua função básica de informação
Índice do manual
-
Página 1
access sec ur ity guide www .hp .com/go/hpp r oc ur v e hp pr ocurv e ser ies 4100gl s witc hes[...]
-
Página 2
[...]
-
Página 3
HP Procurve Series 4100GL Switches Access Security Guide Software Release G.07.XX or Greater[...]
-
Página 4
© Copyright 2001-2002 He wlett-Packard Company All Rights Reserved. This document contains inform ation whi c h is protected by copyright. Reproduction, adapta tion, or translation without prior pe rmissio n is prohibited, except as allowed under th e copyr igh t law s. Publication Number 5 990-303 2 Dec e mber 2 002 Edition 2 Applicable Product H[...]
-
Página 5
Contents Getting Started Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii Ov erv iew of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Página 6
2 T ACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Termi n ology Used in TACACS Applicati o ns: . . . . . . . . . . . . . . . . . . .[...]
-
Página 7
Out line of th e Steps f or Conf igurin g RADI U S Authenticat i on . . . . . . 3-6 1. C o nfi g ure Authen ti cation for the Access Methods You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 2. Config ur e the Sw itch To Access a RAD I US Server . . . . . . . . . . . . 3-10 3. Configu r e the[...]
-
Página 8
1. As signing a Local Logi n (Operator ) and Enable (Manager ) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9 2. Generat ing the Swi t ch’s Public an d Pr ivate Key Pair . . . . . . . . . . 4-10 3. Providing the Switch ’s Public Key to Clients . . . . . . . . . . . . . . . . . . 4-12 4. Enabl ing SSH on the Swi t ch [...]
-
Página 9
6 C onfiguring Port-Based Access Control (802.1x) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Why Use P o rt-Based Access Control? . . . . . . . . . . .[...]
-
Página 10
Ho w R A DIU S/ 802.1x Authent ica tion Affects VL AN Operati on . . 6-43 Static VLAN Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-43 Messages R e lated to 802.1x Operati on . . . . . . . . . . . . . . . . . . . . . . . . 6-47 7 C onfiguring a n d Mon i toring Port Security Contents . . . . . . . . . . . . .[...]
-
Página 11
Defining Authorized Managem e nt Sta t ions . . . . . . . . . . . . . . . . . . . . . 8-4 Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 Menu: Viewing and Co nfiguring IP Author ized Manager s . . . . . . . . . . 8-5 CLI : Viewing and Configu r in g Authorized IP Manager s . . . . . . . . . . . . 8-6[...]
-
Página 12
[...]
-
Página 13
Getting Started Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii Ov erv iew of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . xii Comman d Syntax Conve n tio ns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Simulating D[...]
-
Página 14
Getting Starte d Introduction Introduction This Access Security Guide is int ended for use w i th the follo wing switches: ■ HP Procurv e Switch 4 104G L ■ HP Procurv e Switch 4 108G L T o gether , these two dev i ce s are terme d the HP Procurve Series 4100GL Switches . Overview of Access Security Features ■ Local Manager and Operat or passw[...]
-
Página 15
Getting Started Overview of Access Sec u rity Features All ows a ccess to the swi tch by a networked devic e having an IP add r ess previousl y con fig ured in the switch as "authorized". HP recommend s th at you use local pa sswor ds together w i th the switch’ s other security feature s to provide a more comp rehensi v e security fabr[...]
-
Página 16
Getting Starte d Command Synta x Conventions Command Syntax Conventions Thi s guide use s the fol l owing conventi ons for com m and syntax and displ ays. Syntax: aaa port-access authenticator < port-list > [ contro l < authorized | auto | unau tho r ized > ] ■ V e rtical bars ( | ) separate altern ative, mutuall y excl usive elements[...]
-
Página 17
Getting Started Related Publications Screen Simulations Figures contain ing simulat ed scr e en t e xt and command output look like t his: Figure 1. Exampl e of a Figure Showin g a Sim u lated Screen In some cases, brief comman d- outpu t se quences appear wi thout fig u re iden- tific a tion. F o r ex am pl e: HPswitch(config)# clear public-key HP[...]
-
Página 18
Getting Starte d Related Publications HP provides a PDF versi o n of thi s gui d e on t he Product Documentati on CD- ROM shi p ped with the swi t ch. Y o u can also download the late st copy fr om th e HP P r ocurve w ebsit e. ( S ee “Get ting Documentat i on Fro m th e W e b” on page xvii.) Comman d Line Interfa ce Refere nce Guide. This guid[...]
-
Página 19
Getting Started Getting Documentation From the Web Getting Documentation From the W eb 1. Go to the HP Procurve w e bsi te at htt p :// www .hp.com/go / hpprocurve 2. Click on technical support . 3. Click on manual s . 4. Click on the product for whi ch you w a nt to view or downl o ad a manual . 2 3 4 xvi i[...]
-
Página 20
Getting Starte d Sources for More Information Sources for More Information ■ If you need inform ati on on spec ifi c paramete rs in the menu inte rfa ce, refe r to the online hel p provided in the in terface. Online Help for Menu ■ If yo u need informati o n on a specif ic command in th e CLI, type the comma nd name followed by “help”. For [...]
-
Página 21
Getting Started Need Only a Quick Start? Need Only a Quick Start? IP Addre s sing. If yo u just want to gi ve the sw it ch an IP address so that it can communicate on your network, or if yo u are not usi ng VLANs, HP recomme n ds that you use the Switch Se tup screen to quickly configure IP add r essin g. T o do so , do one of the follow in g: ■ [...]
-
Página 22
[...]
-
Página 23
1 Configuring Username and Password Security Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Configuring Local Pas s word Sec uri ty . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 Menu: Setting Passwo r ds . . . . . . . . . . . . . . . . . . . . . . . . . .[...]
-
Página 24
Configuring Use r name and Password Security Overview Overview Feature Default Menu CL I We b Set Usernames no user names set — — page 1- 6 Set a Password no passwords set pa ge 1-4 page 1- 5 page 1- 6 De lete Pass word n/a pa ge 1-4 page 1- 6 page 1- 6 Prote c tion Console access includes both the menu interface and the CLI. There are tw o lev[...]
-
Página 25
Configuring Username and Password Security Overview If you do ste p s 1 and 2, above, the n th e next time a console session is start ed for either the menu interf ace or the CLI, a p r omp t appears f or a passwo r d. Assuming you have prote c te d both the Manag e r and Operator lev e ls, the level of access to the consol e in terface will be det[...]
-
Página 26
Configuring Use r name and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As n o t e d earl i er in t h is sec t i on, user n a m e s a r e op t i ona l . C o n f ig u r i n g a user - name requi r es ei ther the CLI or the web browser in terface. 1. From the Main Menu select: 3. Co[...]
-
Página 27
Configuring Username and Password Security Configuring Local Password Security If you have physical access to the switch, press and ho ld the Clear bu tton ( on th e f r ont o f th e swi t ch) fo r a min i mum of on e second to clear al l passwo rd pr otect ion , then ent er new passwo r ds as described earlier in this chapte r . If you do not have[...]
-
Página 28
Configuring Use r name and Password Security Configuring Local Password Security T o Remove Password Pro t ection . Removing passwo r d p r otect ion means to eliminate password securit y . Thi s com m and pro m pts you to ver ify that you want to remove on e or both passwo r ds, th en clears the indicat ed pa ssword ( s). (This command also cle a [...]
-
Página 29
2 T ACACS+ Authentication Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Termi n ology Used in TACACS Applicati o ns: . . . . . . . . . . . . . . . . . . . . 2-4 Ge neral S y stem Re qui r ements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 G[...]
-
Página 30
TACACS+ Authentication Overview Overview Feature Default Men u CL I We b view the switch’ s authentication configuration n/a — page 2-1 0 — view the switc h’ s T A CACS+ ser v er contact configuration n/a — page 2-1 0 — configur e the switch’ s authentica t ion methods disabled — page 2-1 1 — configure the switch to contact T ACA [...]
-
Página 31
TACACS+ Authentication Overview server and (2) local passwords confi g ured on the switch. That is, with T A CACS+ configured, the switch fir s t tries to contact a designated T ACA CS+ serv er fo r authenti cation ser vic es. If the switch fail s to conne c t to any T A CACS+ serve r , it defaults to its own locally assigned p a sswords for authen[...]
-
Página 32
TACACS+ Authentication Terminology Used in TA CACS Applications: T e rminology Used in T ACACS Applications : ■ N A S ( N etwork A c cess Ser v e r ): T h is is a n i nd u s t ry t e rm f o r a T A CACS-aware device that communi cates with a T ACACS server for authentication services. Some other terms you may see in literature de scribing T ACACS[...]
-
Página 33
TACACS+ Authentication General System Requirements • T A CACS + Authentication: This method ena bles you to use a T ACACS+ s e rver in your network to ass i gn a unique password, user name, a n d privilege le vel to e ach in dividua l or group w ho needs access to one or mor e sw it ches or other T A CACS-aware devices. This all o ws you t o a[...]
-
Página 34
TACACS+ Authentication General Authentication Setup Procedure Notes The eff e ct i veness of TA C ACS+ se c u r i ty d e p e nds on c o rrectly using your TACACS+ ser v er application. For this reason, HP recommends that you thoroughly tes t all TACACS+ configur ations used in your network. TACACS-aware HP switches include the capability of configu[...]
-
Página 35
TACACS+ Authentication General Authentication Setu p Procedure 2. Determine th e f o llowing: • The IP address(es) of the T A CACS+ server(s) you want the switch to use for authentication. If you will use more than one server , de termine which ser v er is yo ur first-choice for authentication ser v ices. • The encryption key , if any , for all[...]
-
Página 36
TACACS+ Authentication General Authentication Setup Procedure Caution Y o u s ho u ld ens u re t h at t h e s w i t ch h a s a l o cal M a n a ger passwo r d. O t her - wise, if authentication through a T ACACS+ server fails for any reason, then unauthorize d access will be a vai la ble throu gh th e con s ol e port or Telnet. 5. Using a termi nal [...]
-
Página 37
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring T ACACS+ on the Switch Before Y ou Begi n If you are new to T AC ACS+ authentication, HP recomm en ds that you read the “General Authenticat ion Setup Pro c edu r e” o n pa ge 2- 6 an d configure your T A CACS+ server( s ) before configur ing authenticati on on the switch. The[...]
-
Página 38
TACACS+ Authentication Configuring TACACS+ on the Switch V i ewing the Switch’ s Current Authentication Configuration This command lists the n u mber of logi n attemp ts t he swi t ch al lows in a sin gle lo gin session, and the prim ary/secondary access method s confi g ured fo r each type of access. Syntax: show authentica t ion This example sh[...]
-
Página 39
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’ s Authentication Methods Th e aaa authe n ticati on command configures the access control for conso le port and T e lnet a ccess to the swi t ch . That is, for both access methods, aaa authenticatio n specifies whether to use a T ACACS + server or the switch’ s loc[...]
-
Página 40
TACACS+ Authentication Configuring TACACS+ on the Switch T able 2-1. AAA Authentication Pa rameters Name Default Range Function console n/a n /a Specifies whether the command is conf igu r in g au thentic ation for the conso l e por t - or - or T e lne t access method for the switch. tel n et enable n/a n /a Specifies the privilege level for the ac[...]
-
Página 41
TACACS+ Authentication Configuring TACACS+ on the Switch T able 2-2. Prima r y/Secondary Authen tication T abl e Access M e thod and Privilege Level Au thentic ation Op tions Effect on Access Attempts Primary Second ary Console — Log in local none* Local userna me/password access only . tacac s l ocal If T acacs+ server unava i lable, uses local [...]
-
Página 42
TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of acc e ss options and the corre s ponding comma n ds to configure the m: Console Login (Operat o r o r Read-Only) Access: Pri m ary using T A CACS+ server . Secondary using Local. HPswitch (config)# aaa authentication console login tacacs local Console Login (Oper[...]
-
Página 43
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’ s T A CACS+ Server Access The tacacs-serve r command configures these parameters: ■ The host IP address(es) for up to three T ACACS+ servers; one fir s t cho i ce and up to tw o ba cku p s. Desi gnating backup se rvers provides fo r a continuation of authenticat io[...]
-
Página 44
TACACS+ Authentication Configuring TACACS+ on the Switch Note on Encryption Key s Synta x: tacacs-server host < ip-addr > [key < key - string >] Adds a TACACS+ server an d opt i onally assigns a s erv er-s pecifi c encryption key . [no] tacacs-server host < ip-addr > Remov e s a TACACS+ server assign ment (including its server- sp[...]
-
Página 45
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host < ip-addr > [key < key-string > none n/a Specifies the IP address of a device running a T A CACS+ serv er applica t ion. Optionally , can also specify the unique, per - serve r encryptio n key to us e when each assigned server has its own, un iqu e key . Fo[...]
-
Página 46
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range Name Default Range key < key- s tring > none (nu l l) n/a Specifies the optiona l, global "encryption key" that i s also assigned in the T A CA CS+ server(s) that the switc h will access for authentication. This o p tion is subordinat e to any "pe r -se[...]
-
Página 47
TACACS+ Authentication Configuring TACACS+ on the Switch T he "10" ser v er is now the " first-choice " T A CACS+ au the n tic a tion devi ce. Figure 2-5. Example of the Switch After Assigning a Different "Fir st-Choice" Server T o re move the 10.28.227.1 5 device as a T ACACS+ ser v er , you would use this comma n d: [...]
-
Página 48
TACACS+ Authentication How Authe n tication Operates To del e te a per-server e n cry p tion key in the switch, re-enter the tacacs-se rver host co mm and wi thout t h e key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you wa nt to elimi n ate the key , you[...]
-
Página 49
TACACS+ Authentication How Authentication Operates Using figure 2-6, a b ove, after e i ther sw it ch detec t s an opera t or’ s logon request fr om a remot e or directl y conn ect e d termin al, the foll ow ing events occ u r: 1. The sw itch queries the f irs t- choi ce T ACACS+ ser v er for authentication of the request. • If the swi tc[...]
-
Página 50
TACACS+ Authentication How Authe n tication Operates Local Authentication Process When the switch is configured to use T ACACS+, it reverts to local authentica - tion only if one of thes e two co nditions exist s : ■ "Local" i s the authenti cation op ti on fo r the access method bei n g used. ■ T A CACS+ is the primary authenticat[...]
-
Página 51
TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encr yption key (someti me s termed "key", "secre t key", or "s ecret " ) hel p s to preven t unau thori z ed intruders on th e network fr om re adi ng username and password information in T ACACS+ packets movin[...]
-
Página 52
TACACS+ Authentication Controlling Web Browser Interface Acces s When Using TACACS+ Authentication F o r examp l e, you w ou l d u s e t h e next co mmand to c o nf i g ure a g l obal encryp - tion key in the switc h to match a ke y ente red as north40camp us in tw o target TACACS+ ser v ers. (That is, both servers use the same key for your switch.[...]
-
Página 53
TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to T ACACS+ Operation The sw it ch gen e rat e s the CL I message s listed below . However , y o u may se e other messages generated in your T ACACS+ server a pplication. For informa - tion on such messages, re fer to the documentation you rec e ive d wi th the applica t [...]
-
Página 54
TACACS+ Authentication Operating Notes ■ When T ACA C S+ is not enabled on t h e switch—or when the switch ’ s only designated T ACACS+ servers ar e not accessible— setting a local Operator passwo r d with ou t also setting a local Manag er password does not protect the switch from man a ge r - l evel a cc e ss by unautho - rized persons.) [...]
-
Página 55
3 RADIUS Authentication and Accounting Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Termi n ology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Switch Operating Rules for RAD I US . . . . . . . . . . . . . .[...]
-
Página 56
RADIUS Authenti cation and Accounting Overview Overview Feature Default Menu CL I We b Configuring RADIUS Auth en tication None n /a 3-6 n /a Configuring RADIUS A ccounting None n /a 3-16 n/a Vi ewing RADIUS Statistics n/a n /a 3-23 n/a RADIUS ( Remote Authentication Dial-In User Service ) enables yo u to use up to three servers (one primary server[...]
-
Página 57
RADIUS Authentication and Accounting Terminology T e rminology CHAP (Ch a l l enge - H a n dsh a ke Auth e n t i c a tion Protoco l ): A chal l e nge - response authentic a tion protocol that uses the Message Digest 5 (MD5) hashi ng scheme to encrypt a response to a ch alle nge from a RAD I US server . EAP(Extensible A u then ticatio n Protocol): A[...]
-
Página 58
RADIUS Authenti cation and Accounting Switch Ope r ating Rules for RADIUS Switch Operating Rules for RADIUS ■ Y ou must have at least one RA DIU S server accessible to the switc h. ■ The switch supports authentic a tion and ac counting us ing up to three RADIUS ser v ers. The switch accesse s the ser v ers in the order in which they are listed [...]
-
Página 59
RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to thre e RADIUS server s to support the switch. (That is, one pri m ary server and one or tw o ba ck ups.) Re fer to the documentation provi d ed with the RADIU S server applica t ion. 2. Before configuring the sw itc[...]
-
Página 60
RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS A u the n tication Configuring the Switch for RADIUS Authentication RADIUS Authentication Commands Page aaa authentication 3-8 < c onsole | telnet | ssh > < enable | log i n > radius 3-8 < local | none > 3 -8 [no] radius-server host < IP-address > 3-10 [...]
-
Página 61
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note Th i s st e p assum e s you have a l ready c o n f igu r ed t h e RADIUS serve r (s) t o support the swi t ch. Refer to th e documentation pro vid ed with the RADIUS ser v er documentati on .) • Se r ver IP address • ( Opt i onal ) UDP desti n atio n p[...]
-
Página 62
RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS A u the n tication 1. Configure Authentication for the Access Methods Y ou W a nt RADIUS T o Protect This sect i on descr ibes ho w to configure the swi t ch fo r RADIUS authenticati on throu gh the follo wing a ccess m ethod s: ■ Console: Eithe r direct serial-port connecti[...]
-
Página 63
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have alread y configured lo cal passwo r ds on th e switch, but want to use RADIUS to pr ote c t primary T elnet and SSH access withou t a llowi ng a sec onda ry T elnet or SSH acc ess option (w h i ch wo uld be th e switch ’ s lo cal pa[...]
-
Página 64
RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS A u the n tication 2. Confi g ure the Switch T o Access a RADIUS Server This section desc ribes how to confi gure the switch to i n teract w i th a RADIUS server fo r both authenticat ion an d accounting servi c es. Note I f y o u w a n t to con f i g u r e RADIUS accou n t i [...]
-
Página 65
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose yo u h ave c o nfi g ure d the swi t ch as shown in fig u re 3 -3 and you now need to make the following chan ges: 1. Change the encrypti on key for the serve r at 10.33.18 .127 to "source0127". 2. Add a RADIUS serv er wi th an IP[...]
-
Página 66
RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS A u the n tication 3. Confi g ure the Switch’ s Global RADIUS Parameters Y ou can configure the switc h for the fo llowing g lob al RADIU S param e ters: ■ Number of lo gin attem p ts: In a given session, specifi e s how many tries at entering the corre c t use r name and [...]
-
Página 67
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server timeout < 1 .. 15 > Specifie s the maximum time th e switc h waits for a response to an authenticati on request before counting the attempt as a failure. (Default: 3 seco nds; Range: 1 - 15 seconds ) radius-server retransmit < 1 .. 5 > If[...]
-
Página 68
RADIUS Authenti cation and Accounting Local Authentication Process Aft er two attempts failing due to username or passwor d entry errors, the switch wil l ter m inate the session . Glo bal RADIU S para meter s from figur e 3-5. These two ser v ers wil l us e th e global encryp t ion key . Serve r -s pecifi c encrypti on key for the RADIUS serv er t[...]
-
Página 69
RADIUS Authentication and Accounting Controlling Web Browser Interface Acces s When Using RADIUS Authentication For local authenticat ion, the swi t ch uses the Op erator -level an d Manag er -level use r nam e/pa sswo r d set(s) p r eviously co nfigured loca lly on th e switch . (Th e se are the usernames a n d passwords you can configure using th[...]
-
Página 70
RADIUS Authenti cation and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Command s Page [no] radius- s erver host < ip-ad d ress > 3-19 [ acct-port < port-number >] 3-19 [key < key - string >] 3-19 [no] aaa accounting < exec | network | sy stem > 3-21 < start-stop | stop-only>[...]
-
Página 71
RADIUS Authentication and Accounting Con f iguring RADIUS Accounting (For 802.1x information fo r the swi t ch, refer to “C onfiguring Port- B ased Acc e ss Co ntrol (802.1x)” on page 6-1.) ■ Ex ec accounti ng : Provides records cont aining t h e i nfo rmat i on lis ted below about lo gin session s (consol e , T eln et , and S S H) o n the sw[...]
-
Página 72
RADIUS Authenti cation and Accounting Configuring RADIUS Accounting ■ If access to a RADIUS server fails du ring a session, bu t after the cli e nt has been a u the n ticated, the switch continues to assume the server i s available to rec e ive accounting data. Thus, if server access fails during a session, it w ill not receive acco unti n g data[...]
-
Página 73
RADIUS Authentication and Accounting Con f iguring RADIUS Accounting 1. Configure the Switch T o Access a RADIUS Server Before y ou config ur e the ac tual acco unting pa ram et e rs, yo u should first configure the swi tch to use a RAD IUS serve r . This is the same a s the process de scribed o n pa ge 3-10. Y ou need to repeat t his step here on [...]
-
Página 74
RADIUS Authenti cation and Accounting Configuring RADIUS Accounting Because the r adius-s erver command inc lu des an acct-p ort elemen t with a non default 1750, the switch assigns this value t o the accounting p ort UDP port n u mbe r s. Because a u th- port was not i ncluded in the comman d , the authenti cat ion UDP port is set to the defa u lt[...]
-
Página 75
RADIUS Authentication and Accounting Con f iguring RADIUS Accounting ■ Start - Stop : • S e n d a start record ac c ounting not i ce at the b e ginn i n g of the account - ing session and a stop r e cor d noti ce at the end of the se ssio n . Bot h notices include the latest data the switch has co llected for the requested accounting type (N[...]
-
Página 76
RADIUS Authenti cation and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These opt i onal paramet e rs give you addi ti onal cont ro l ov er accoun ti ng d ata. ■ Updates: I n additi on to us ing a St art - St op or St op -Onl y trigger , yo u can optionally configur e the swi t ch [...]
-
Página 77
RADIUS Authentication and Accounting Viewing RADIUS Statistics V i ewing RADIUS Statistics General RADIUS Statistics Syntax: show rad i us [ host < ip-add r >] Shows general RADIUS configuration , in cluding the server I P addresses. Optional form shows data for a specific RADIUS host. To use sho w radius , the server’s IP address must be c[...]
-
Página 78
RADIUS Authenti cation and Accounting Viewi n g RADIUS Statistics Te rm De finition Round T r ip T ime Th e time interval between the mo st recent Accounting-Respo n se and th e Accounting- Request that matched it from th is RADIUS accounting server . PendingRequests The number of RADIUS Accounting-Request packets sent to this se rver that have not[...]
-
Página 79
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Stati s tics Syntax: show a u thenticatio n Di splays the pri m ary and secondary authentication methods configured for the Console, T e lnet, Port-Access (80 2. 1x), and SSH methods of acce ssing the switch. Also displays the number of access attempts currently al[...]
-
Página 80
RADIUS Authenti cation and Accounting Viewi n g RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, "Empty User " supression status, accountin g types, methods, and modes. show rad i us accounting Lists accounting statis tics for the RADIUS server(s) configured in the switch (using [...]
-
Página 81
RADIUS Authentication and Accounting Changing RADIUS-Ser ver Access Order Figure 3-16. Exampl e Listing of Active RADIUS Accounting Sessions on t he Swi t ch Changing RADIUS-Server Access Order The switch tri e s to a ccess RADIUS ser vers according to the order in wh ich their IP addresses are listed by the show radius comma n d. Also, when you ad[...]
-
Página 82
RADIUS Authenti cation and Accounting Changing RADIUS-Server Access Order T o excha nge the positions of the addre sse s so that the server a t 10.10.10.003 will be the first choice and the server at 10 .10.10.001 will be the la st, you w o uld do the follo win g: 1. Del e te 10.10.10.003 from the list. This op ens t he thir d (lowest) posit i o[...]
-
Página 83
RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS serve r is n ot responding to an authentication request. T r y pinging the server to determine wheth er it is accessib le to t he switch. If the server is a[...]
-
Página 84
[...]
-
Página 85
4 Configuring Secure Shell (SSH) Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Termi n ology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . [...]
-
Página 86
Configuring Secure Shell (SSH) Overview Overview Feature Default Menu CL I We b Generating a public/pr i vate key pair on the switc h No n/a page 4-10 n/a Using the switch’ s public key n/a n/a page 4-12 n/a Enabling SSH Disabled n/a page 4-15 n/a Enabling client public-ke y authentication D isabled n/a pages 4-19, n/a 4-2 2 Enabling user authent[...]
-
Página 87
Configu r ing Secure Shell (SSH) Terminology Note SSH in the HP Proc ur ve Series 41 00GL swi t ches is based o n the Open SSH software toolki t. Fo r m o re i nfo rmat i on on OpenSS H, visit htt p :// ww w .o penssh.com . Switch SSH and User Password Authentication . This opt i on is a subset of the cli e nt pu blic- key authe nti catio n sh ow i[...]
-
Página 88
Configuring Secure Shell (SSH) Prerequisite for Using SSH ■ PEM (Privacy E n hanced Mode): Refers to an ASCII-formatted cli e nt p ubl ic-k ey th at has be en encoded fo r por tabi lity and efficiency . SSHv2 cli e nt pu blic- keys ar e typ ica lly store d in the PEM format. See figure s 4- 3 and 4-4 fo r examples of PEM-enc o ded ASCII and non e[...]
-
Página 89
Configu r ing Secure Shell (SSH) Public Key Formats Public Key Formats Any client ap plication yo u use f or cli e nt public- k ey authenticatio n with th e swi t ch must have the c a pability export public key s . The switc h ca n accept keys in the PEM-Encoded AS CII Format or i n the No n- Encoded ASCII fo rmat . Co mment descr ib ing p ub lic B[...]
-
Página 90
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH fo r Switc h and Client Authentication Switch Access Lev el Pri m ary S SH Authentication Authenticate Switch Public Key to SSH Clients? Authenticate Client Public Key to th e Switch ? Primary Switch Pas s word Authenticatio n Secondary Switch Pas s word Authentication Manager (Enab[...]
-
Página 91
Configu r ing Secure Shell (SSH) Ste p s for Configuring and Using SSH for Switch and Client Authentication B. Switch Prep arat ion 1. Assig n a login (Operator) and enable (Manager) passwo r d on th e swi tch (page 4-9 ). 2. Generate a public/pri vate key pa ir on the switc h (page 4-1 0 ). Y ou n e ed t o do t his only once. The k ey remains i[...]
-
Página 92
Configuring Secure Shell (SSH) General Opera t ing Rules and Notes General Operating Rules and Notes ■ Public keys gen e rat ed on an SSH cl ient must be exportabl e to th e swi tch. The swi t ch can only store 10 keys cli e nt key pairs. ■ Th e swi t ch ’ s ow n public/pri v at e key pai r and th e (optional) cli e nt pu b lic k ey f ile are[...]
-
Página 93
Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Sectio n P age show ip ssh 4 -17 show c r ypto c l ient-public-k ey [ke y list-str] [< babble | 4-2 5 fingerprint >] show c r ypto h o st-public -key [< babble | fingerp r int >] 4-14 show a u t[...]
-
Página 94
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: password < manage r | operator | all > Figure 4-6. Exampl e of Config uring Loc a l Password s 2. Generating the Swi t ch’ s Pu blic and Privat e Key Pai r Y ou must generate a public and priva t e ho st key pa ir on the swi t ch. The switc h us es this key pa i[...]
-
Página 95
Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you gen e rat e a host ke y pair on the switc h , the switch places the ke y pair in f l ash memo ry (a nd no t in t he running-c o nfi g fil e ). Also, the switch mai ntains th e key pai r across reboots, in cluding p ower cycles. Y ou sho uld consi der this key p[...]
-
Página 96
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generat e and display a new key: Host Public Key for the Switch Ve rsion 1 and V e rsion 2 vie ws of same host publ ic key Figure 4-7. Example of Gen e rating a Public/ Pr i vat e Host K e y P a ir for the Sw itc h The 'sho w crypt o host - public-k e y&apo[...]
-
Página 97
Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation di stribut i on t o cl ient s is t o use a di re ct, se rial connection betwee n the sw itch and a management dev i ce (laptop, PC, or UN IX w o rk station), as de scribe d belo w . The publ ic ke y gen e rat e d by the swit ch consi sts of t h ree parts, separated by one bla[...]
-
Página 98
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add a ny data required by your SSH c lient appl ica t io n. For example Before saving the key to an SSH cli e nt’ s "know n hosts" file you may have to inser t the switch’ s IP address: Bit Size Exp onent <e> Modu lus <n > Inserted IP Address Fig[...]
-
Página 99
Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation He xadecima l "Fingerpri nt s" of the Same Switch Phoneti c "Has h" of Swi t ch ’ s Public Ke y Figure 4-11. Examples of V i sua l Phonetic and He xadecim a l Conve r sio n s of the Switch’ s Public Key The t w o commands sho w n i n figure 4-11 conver[...]
-
Página 100
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Refer to “5. Configuring the Swi t ch fo r SSH Authenticat i on” on page 4-18. SSH Client Conta ct Behavio r . At the first contact be tw ee n the switch and an SSH client, if you have not co pied th e swi t ch’ s publ i c ke y into the c lient, your cli e nt’ s first c[...]
-
Página 101
Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SS H connections (default: 22) . Important: See “Note on Port N u mber” on page 4-17. [timeout < 5 - 120 >] The SSH login timeout va lue (default: 120 seconds). [v ersio n <1 | 2 | 1-or -2 > The versio[...]
-
Página 102
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SS H does not p r otect t h e switch f r om unauthorized a ccess via the we b interface, T e lnet, SNMP , or the seria l port. Wh ile web and T e lnet access can be restric t ed by the u s e of passwo r ds lo cal to the switc h , if you are unsure of th e security t his pr ovi [...]
-
Página 103
Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation Configures a password method for the primary and secondary enable (Manager) acc ess. If you do not spec- ify an optional secondary method, it defaults to none . Option B: Co nf ig uring the Switc h for Cl ient Pu blic -Key SSH Authentication. If confi g ured with this op ti o[...]
-
Página 104
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: a aa authe n tic a tion ssh enable < local | tacacs | radius > < local | n one > Configures a password method for the primary and secondary enable (Manager) access. I f you do not spec- ify an optional secondary method, it defaults to none . For example, ass[...]
-
Página 105
Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 4-14 shows how to chec k the results of the above co mmands. Li st s t h e c urr en t SSH authenticati on configuratio n. Shows the conte n ts o f the publi c key fil e downloaded with the copy tftp command in figur e 4-1 3 . In this example, the fil e contains two cli[...]
-
Página 106
Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Config uring the Swi t ch for SSH Au thenticat i on” on p a ge 4-1 8 li sts the steps for co nfiguring SSH a u the n tication on the swi t ch. However , if you are new t o[...]
-
Página 107
Configu r ing Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication 3. If there is not a match , an d yo u ha ve not configu r ed the switc h to a ccept a lo gin passwo r d as a secondary authenticat i on meth od, the switch denies SSH access to the client. 4. If there is a match, the switch: a. Generates a random seque[...]
-
Página 108
Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication Notes Co mments in pu b lic k ey files, suc h as smith@support.cairns.co m in figure 4-15 , may appear in a SSH client applica tio n’ s gen erated p ubl ic key . Whi le such comments may hel p to disti n gui s h one key fro m anoth er , they do no t po se [...]
-
Página 109
Configu r ing Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication Note on Public The actual c onte nt of a public key entry in a publi c key fil e is determined by Key s the SSH client application generating th e key . (Alt hough you can manu ally ad d or edit an y comments the c lient appli cat ion adds t o the end of t[...]
-
Página 110
Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication Syntax: clear crypto pub lic - key Deletes the cli e nt-public-ke y file from the switch. Syntax: clear crypto pub lic - key 3 Deletes the entry with an index of 3 from the client- public-key file on the switch. Ena b l i ng C l i e nt Pu b l i c -Key Authen[...]
-
Página 111
Configu r ing Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicates an error in communicating with the tftp serve r or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • In correct IP addre ss in the co[...]
-
Página 112
Configuring Secure Shell (SSH) Messages Related to SSH Ope r ation Message Meaning Error: Requested keyfile does not ex ist. Th e cl ient key d oes not exist in the switc h. Use cop y tftp to download the key from a T F TP se rver . Generating new RSA host key. If the After you execute the crypt o key generate ssh [rsa ] cache is depleted, this cou[...]
-
Página 113
5 Configuring Secure Socket Layer (SSL) Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Termi n ology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . .[...]
-
Página 114
Configuring Secure Socke t Layer (SSL) Overview Overview Feature Default Menu CL I We b Generating a Self Signed Certificate on the switch No n/a page 5- 9 page 5-13 Generating a Certificate Request on the switch No n/a n /a page 5-15 Enabling SSL Disabled n/a page 5-17 page 5-19 The Serie s 4 100G L switc hes use Secure Socket Layer V e rsion 3 (S[...]
-
Página 115
Configuring Secure Socket Layer (SSL) Terminology HP Switch (SSL Server) SSL Client Brow ser 1. Switc h-t o-Client SSL Ce rt. 2. Us er-to - Switc h (log in passwor d an d enable p a ssword a u the n tication) option s: – Lo cal – T A C ACS+ – R ADIU S Figure 5-1. Switch/Use r Authent ication S SL on the Series 4100GL switch es sup p or ts the[...]
-
Página 116
Configuring Secure Socke t Layer (SSL) Prerequisite for Using SSL ■ C A -Signed Certificate: A c e rtific a t e v e rif i ed by a th i r d p a rty c e rtif - ic ate a u thori t y (CA). Authenti city of CA-Signed certificates can be veri f ied by an audit trail lea ding to a trusted root certificate. ■ R oo t C e rtifi c at e : A trust e d c e r[...]
-
Página 117
Configuring Secure Socket Layer (SSL) Ste p s for Configuring and Using SSL for Switch and Client Authentication 1. Install an SSL capable browser ap plic at i on on a m ana gement st at i on you w a nt to use for access to the sw itch. ( Ref er to th e d ocumentatio n pr ovided with your bro w ser .) Note: The latest ve rsions of Mi croso ft In[...]
-
Página 118
Configuring Secure Socke t Layer (SSL) General Opera t ing Rules and Notes General Operating Rules and Notes ■ Once you g e n e r a te a c e rtific a t e on the sw i t c h you should a v oid re - generating the certificat e without a compelli ng reason. Otherwise , you w ill have to re- i ntroduce the sw i t ch ’ s c e rt i f i c ate on a ll ma[...]
-
Página 119
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section P age web-management ssl show config show c r ypto h o st-cert crypt o key generate cert [rsa] <512 | 768 |1024> zeroize cert crypto host-cert generate self-signed [arg-list] zeroize [...]
-
Página 120
Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface T o Confi g ure Local Passwo rds. Y ou can configure both the Op erator an d Manager passw o rd on one screen. T o access the w e b browser interface see the Serie s 4100GL swi t ches Manag e ment and Confi g ura tio n guide C h apter ti [...]
-
Página 121
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’ s Server Host Certificate Y ou must g e nerate a server certificate on the swi t ch before enablei ng SSL. The swit ch us es this serve r ce rt ific ate, along w ith a dynamical ly gen erate d session ke y pai r to negot i ate an encryption me[...]
-
Página 122
Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation T o Generate or Erase the Switch’ s Server Certificate with the CLI Bec a use the host certificate is store d in fl ash in stead of th e running-conf ig file, it is n ot nece ssary to use writ e memo ry to save the ce rti f icate . Erasing the host certifica t e autom[...]
-
Página 123
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on certificate fields. The re are a numbe r arguments used in th e ge neration of a server certificate. table 9- 1, “Certi fica te Field D e scriptions” desc ribe s thes e arguments. Field Name Description V a lid Start Date Th is should be the date you desi[...]
-
Página 124
Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation Notes "Zeroizing" the switch’ s server host ce rtifica t e or key automatically disables S SL (sets web- managemen t ssl to No ). Thus, if you zeroize the serve r host certificate or key and then generate a new key a n d server certificate, you must also re-[...]
-
Página 125
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a S e lf-Signed Host Ce rtificate with the W e b browser interface Y ou can confi g ure SSL f rom the web b r owser interface. For more in formati on on how to access the web browser interf ace see the Series 4100GL sw itches Management and Configuration guide C[...]
-
Página 126
Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation For exam ple , to generate a new host certificate via the we b browsers interface : Security T ab SSL button Cer t ificate T y pe Box Key Size Selectio n Cer t ificate Argu ment Create Cer t ificate Bu tton Figure 5-5. Self-Signed Ce rtificate genera tion via SSL Web Br[...]
-
Página 127
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Ho st Certi f ica te Figure 5-6. Web b r owser Int e rface showing c u rrent SSL Host Certif ica te Generate a CA-Signed server host certificate with the W eb browser interface T o in stall a CA-Si g ned server host c e rt if icate from the web browser i n te[...]
-
Página 128
Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation The in stallation of a CA-signed c e rti f icate i nvo lves interac t io n with other ent iti es and consi sts of three phases. The first pha s e i s the creation of the C A certificate req ues t, w h ic h is then copied off f r om t h e swi t ch f o r submission t o th[...]
-
Página 129
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Cer t ificate Request Cer t ificate Request Rep ly -----BEGI N CE RTIFICA TE---- - MIICZDCCAc2gA wIB A gIDMA0XMA0GCS q GSIb3DQEBBAUAMIGHMQswCQYD V QQGEwJa QTEiMCAGA1UEC B MZR k9S IFRFU1RJTkc gU FVS U E9TRVMgT0 5M WTEdMBsGA1UEC h MU VGhhd3R l IENlcnRpZmljYXRpb24xFzA V BgN[...]
-
Página 130
Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch yo u must generate th e switc h’ s host certificate and key . If you h ave not a l ready done so, refer to “2. Generating the Switch’ s Server Host Certificate” on pag e 5- 9. When configured for SSL, the swi t ch uses its [...]
-
Página 131
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [ no] w eb-management ssl Enables or disables SSL on the swi t ch. [port < 1-65535 | default:443 >] The TCP port number for SS L connections (default: 443). Important: See “Note on Port Number” on page 5-20. show co[...]
-
Página 132
Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and por t nu mbe r Selectio n Figure 5-8. Using the web b r ow ser int e rface to enable SSL an d select T C P port n u mbe r Note on Port HP recommends using the default IP port number (443). How ever , you ca n Num b er use w eb-management ssl tcp-port to s[...]
-
Página 133
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Err o r During Possible Cause Generating host certificate on CLI Y ou have not g enerate d a certificate key (“CLI commands used to generate a Server Host Certificate” on page 5-10) Enabling SSL on the CLI or Web browser interfa ce Y ou hav e not generat[...]
-
Página 134
[...]
-
Página 135
6 Configuring Port-Based Access Control (802.1x) Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Ho w 802.1x O p era t es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 Termi n ology . . . . . . . . . . . . . . . . . . . [...]
-
Página 136
Configuring Port-Based Ac ce ss Control (802.1x) Overview Overview Featu re Default Menu CL I We b Configu r in g Switch Ports as 802.1x Authenticators D isabled n/a page 6-14 n/a Configu r ing 802.1x Open VLAN M ode Disabled n/a page 6-20 n/a Configuring Switch Ports to Operate as 802.1x Supplicants Disabled n/a page 6-33 n/a Displaying 802.1x [...]
-
Página 137
Configuring Port-Based Access Control (802.1x ) Overview ■ Loc a l authenti c a t i on of 8 02.1x c li e nts using the sw i t ch ’ s l o c a l user - name and password (as an altern ative to RADIUS au the n tication). ■ T em porary on-demand change of a p o rt ’ s VLAN membershi p statu s to support a current cli e nt ’ s session. (Th is [...]
-
Página 138
Configuring Port-Based Ac ce ss Control (802.1x) Overview Authenticating One Sw itch to Another . 802.1x authentic a tion also enables the swi tch to op erate as a suppl i cant w hen connected to a port on another switch running 802.1x authentic a tion. RAD I US Server LAN Core 802. 1 x- A w ar e Client (Suppl icant) Switch Runni ng 802.1x and Conn[...]
-
Página 139
Configuring Port-Based Access Control (802.1x ) How 802.1x Operates How 802.1x Operates Authenticator Operation This operation pro vid es securi ty on a direct, point-to -point li nk between a singl e cl ie nt and th e swi t ch, where bo th devices are 802.1 x-awa re. (If you exp e ct desirabl e cl ie nts that do not have the necessa ry 8 02.1x sup[...]
-
Página 140
Configuring Port-Based Ac ce ss Control (802.1x) How 802.1x Operates Switch-Port Supplicant Operation Thi s operation provides security on l i nks between 802.1x-a ware switches. For example, suppose that you w a nt to connect two swi tch es, where: ■ Switch "A " h a s port A1 co nfigu r ed for 802.1 x supp licant operation. ■ Y ou wa[...]
-
Página 141
Configuring Port-Based Access Control (802.1x ) Terminology • A "f ai lu re" response cont i nues t h e b loc k o n po rt B5 and cau s es po rt A1 to wait for the "held -time " p e rio d be fore tryi ng again to achi eve authentication th rough p o rt B5. Note Y ou can co nf igure a swi tc h port to op erate as both a suppl i [...]
-
Página 142
Configuring Port-Based Ac ce ss Control (802.1x) Terminology EA P (Ex ten sible Auth entic a tion Prot oco l) : EAP enables network access tha t supports mul t iple authenti cat ion met hod s. EAPOL : Exten s ible Authenticat i on Prot ocol Over LA N, as defined in the 802.1x standard . Fri end ly Clie nt: A cli e nt that does not p o se a s ecurit[...]
-
Página 143
Configuring Port-Based Access Control (802.1x ) General Ope r ating Rules and Notes membe r of that VLAN as long as at least one o ther port on the swi t ch is st a t i c al l y configured as a t a gg e d or untagg e d memb e r of the same Unau - thori z ed-Client VLAN. Untagged VLAN Membership: A port can be an untagged membe r of only one V LAN. [...]
-
Página 144
Configuring Port-Based Ac ce ss Control (802.1x) General Opera t ing Rules and Notes ■ If a client a l ready has access to a swi t ch port when you c o nfi g ure the port for 802.1x authentic a tor operation, the port will block the client from further network access until it can be au thenticated. ■ On a port c o nfi g ured for 802.1x with RAD[...]
-
Página 145
Configuring Port-Based Access Control (802.1x ) Gen e ral Setup Procedure for Port - B ased Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Do These Steps Before Y ou Configure 802.1x Operation 1. Configure a local username a n d pa ssword o n th e sw it ch for both the Operato r (l ogin) and Manager (en a bl [...]
-
Página 146
Configuring Port-Based Ac ce ss Control (802.1x) General Setup Procedure fo r Port-B ased Acc e ss Control (802.1x) Overview: Configuri n g 802. 1x Authentication on the Switch This sect i on out line s th e steps for configuring 802 .1x on the switch. For detaile d i nfo rmat i on on each step, re fe r to “Co n figuring the Swi t ch fo r RADIUS [...]
-
Página 147
Configuring Port-Based Access Control (802.1x ) Gen e ral Setup Procedure for Port - B ased Access Control (802.1x) 7. If you a re usi n g Port S ecurity on the switch, conf igure the swi t ch to allow only 8 02.1x access on ports config ured for 802.1x operati on, a n d (i f de sired) the ac tion to take if an unauthorize d devi ce attempts access[...]
-
Página 148
Configuring Port-Based Ac ce ss Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Configuring Switch Ports as 802.1x Authenticators 802.1x Authentication Commands Page [no] aaa port-access authent icator < [ethernet] < port-list > 6-15 [ control | quiet-period | tx-period | supplicant- t imeout | 6-1 5 server -timeout | ma[...]
-
Página 149
Configuring Port-Based Access Control (802.1x ) Configuring Switch Ports as 802.1x Authenticators 1. Enabl e 802.1x Authenti cation on Selected Ports Thi s task configures the indivi dual ports you wa nt to operate as 802.1x aut h ent i cato r s f or poin t-to-point li nks to 802.1x- awa re cli e nts or swi t ches. (Actual 8 02.1x operation do es n[...]
-
Página 150
Configuring Port-Based Ac ce ss Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access auth enticator < po rt-list > (Syntax Conti nued ) [quiet-period < 0 .. 65535 > ] Sets the period during whi c h the por t does not try to acquire a supplicant. The period begins after the last attempt auth or iz ed by th e[...]
-
Página 151
Configuring Port-Based Access Control (802.1x ) Configuring Switch Ports as 802.1x Authenticators aaa port-access auth enticator < po rt-list > (Syntax Conti nued ) [ unauth-vid < vlan -id >] Co nf ig ur es an e xsi ti ng st atic VLA N to be th e U naut hori zed- Clien t VLAN. T h is enables you to p r ovide a p a th f o r client s with[...]
-
Página 152
Configuring Port-Based Ac ce ss Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 3. Configure the 802.1x Authentication Method This t a sk spe cif ies ho w the switch will authenticate the cr ed entials provided by a suppl i cant conn e c t e d to a s w itch port configured as an 80 2 .1x authenti - cator . Synta x: aaa authentica[...]
-
Página 153
Configuring Port-Based Access Control (802.1x ) Configuring Switch Ports as 802.1x Authenticators 4. Enter the RADIUS Host IP Address(es) If you selecte d ei ther e ap-rad i us or c hap-radiu s for th e authentication m ethod, configure the swi t ch to use 1 to 3 RADIUS serve rs for authentic a tion. The following syntax shows th e basic comma n ds[...]
-
Página 154
Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode 802.1x Open VLAN Mode 802.1x Authentication Commands page 6-14 802.1x Supplicant Commands page 6-34 802.1x Open VLAN Mode Commands [no] aaa port-access authenticator [ e ] < port-list > pag e 6-29 [ auth-vi d < vlan-id > ] [ u nauth-vid < vlan-id > ] 802.1x-[...]
-
Página 155
Configuring Port-Based Access Control (802.1x ) 802.1x Open VLAN Mode ■ 1st Priority: The port join s a VLAN to w hic h it has been assigned by a RADIU S server during authentication. ■ 2n d Priority: If RADIUS a u the n tication does not incl ude assigning a VLAN to the port, then the switch a ssigns the port to the VLAN entere d in the port?[...]
-
Página 156
Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode T able 6-1. 802.1x Open VLAN Mode Options 802.1x Per - Port Configuration Port Response No Ope n VLAN mode: T he port auto m atically blo c ks a client that cannot initiate an au th en ti ca ti on sessi on. Open VLAN mod e with both of the f o llow i ng configure d: Una u thoriz[...]
-
Página 157
Configuring Port-Based Access Control (802.1x ) 802.1x Open VLAN Mode 802.1x Per - Port Configuration Port Response Open VLAN Mode wi th Only a n Unau thorized-Clie nt VLAN Configu r ed : • • • Wh en the port de te cts a c lient, it automa t ically beco mes an un tagged member of this VLAN. T o limit security risks, the netwo rk service s and[...]
-
Página 158
Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode Operating Rules for Au thorized-Client and Unauthorized-Client VLANs Conditio n Rul e Static VLANs use d as Authorize d- Client or Unautho r ized-Client VLANs VLAN Assignment Received fro m a R ADIUS S erv er T e mp ora r y VLAN Membership During a Client Sessio n Effect of Una [...]
-
Página 159
Configuring Port-Based Access Control (802.1x ) 802.1x Open VLAN Mode Conditio n Rul e Multiple Authe n ticator Po rts Using Y ou can use the same sta t ic VLAN as the Unauthorized-Clie nt VLAN the Same Unautho r ized-Client a nd for all 802.1x authenticato r ports configured on the switch. Similarly , Autho r ized-Client VLANs you ca n use t he sa[...]
-
Página 160
Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode Setting Up and Configurin g 802.1x Open VLAN Mode Preparati o n. This section assumes use of bot h the Unau thorized-Cl i ent and Authorize d-C lient VLANs. Re fer to T a ble 6-1 on page 6- 22 for other options. Before y ou config ur e the 80 2.1x Open VLAN mod e on a port : ■[...]
-
Página 161
Configuring Port-Based Access Control (802.1x ) 802.1x Open VLAN Mode Note tha t as an alternative , you can configure the swi t ch to use loca l passwo r d authen tication inste a d o f RADIUS authenticat i on. How e ver , this is less d e sirab l e because it me ans that all clients use the same passwords and have the same access priv il eges. Al[...]
-
Página 162
Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode 3. If you selected either e ap-rad i us or c hap-ra diu s for step 2, use the radius host command to configure up to thr ee RADIUS server IP addre s s(es) on the swi t ch. Syntax : rad i us host < ip-address > Adds a server to the RADIUS configurati o n. [ key < server [...]
-
Página 163
Configuring Port-Based Access Control (802.1x ) 802.1x Open VLAN Mode Confi gur ing 802.1 x Op en VLAN Mode . Use these co mmands to actually configure Open VLAN mode. For a listi n g of the steps needed to pre pare the swi t ch for using Open VLAN mode, re fer to “Preparation” on page 6-26. Syntax: aaa p o rt-access a u th enticato r [e] < [...]
-
Página 164
Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode Inspe c ting 802.1 x Op en VLAN Mode Op erati o n. For informati on an d an example on viewing curre nt Open VLAN mode operation, refer to “Viewing 802.1x Open VLAN M ode Status” on page 6-38. 802.1x Open VLAN Operating Notes ■ Although you can configu r e Open VL AN mode [...]
-
Página 165
Configuring Port-Based Access Control (802.1x ) Option For Authenticator Ports: Configur e Port-Security To Allow Only 802.1x Devices ■ If a n authenticat ed c lient l o ses authenti cati on during a session in 802.1 x Open VLAN mode , the port VLAN membershi p reverts back to the Unauthori zed -Client VLAN. Option For Authenticator Ports: Config[...]
-
Página 166
Configuring Port-Based Ac ce ss Control (802.1x) Option For Authenticator Ports: Configure Po rt-Security To Allow Only 802.1x Devices Note on If the port’ s 802. 1x authentic a tor c ontrol mode i s co nfigured to auth o rized (as Blocking a Non- shown bel ow , instead o f au to ), then the first sour ce MAC address from any 8 02.1 x Device devi[...]
-
Página 167
Configuring Port-Based Access Control (802.1x ) Configuring Switch Por t s To Oper ate As Supplicants for 802.1x Connections to Othe r Switches Configuring Switch Ports T o Operate As Supplicants for 802.1x Connections to Other Switches 802.1x Authentication Commands page 6-14 802.1x Supplicant Commands [no] aaa port-access < supp licant < [e[...]
-
Página 168
Configuring Port-Based Ac ce ss Control (802.1x) Configuring Switch Ports To Operate As Suppli cants for 802.1x Connections to Other Switches 1. When port A1 on switch " A " is f i rst connected to a port on switch "B" , or if the ports a r e a l ready connec te d and ei ther swi t ch reboot s, port A1 begins sending sta rt pack[...]
-
Página 169
Configuring Port-Based Access Control (802.1x ) Configuring Switch Por t s To Oper ate As Supplicants for 802.1x Connections to Othe r Switches Confi g uring a Supplicant S w itch Port. N o te that you must e n a b le suppl i - cant operation on a port before y o u ca n change the supplic ant configuration. Thi s means you must e x ecute the supp l[...]
-
Página 170
Configuring Port-Based Ac ce ss Control (802.1x) Configuring Switch Ports To Operate As Suppli cants for 802.1x Connections to Other Switches aaa port-access supplicant [ eth e rnet ] < port-list > (Syntax Continu ed) [ auth-timeout < 1 - 300 > ] Sets the period of time the por t waits to receive a challenge from the authentica tor . If[...]
-
Página 171
Configuring Port-Based Access Control (802.1x ) Displaying 802.1x Con f igurat ion, Statistics, and Counters Displaying 802.1x Configuration, Statistics, and Counters 802.1x Authentication Commands 802.1x Supplicant Commands 802.1x Open VLAN Mode Commands 802.1x-Related Sho w Command s show port-access authenticator show port-access sup p licant De[...]
-
Página 172
Configuring Port-Based Ac ce ss Control (802.1x) Displaying 802.1x C onfiguration, Stat istics, and Counters show port-access au the n ticator (Syntax Continue d) config [ [ e] < port-list >] S how s: • W hether port-access authenticator i s active • T he 802.1x configuration of the ports configured as 802 . 1x authen tic a tors If you do[...]
-
Página 173
Configuring Port-Based Access Control (802.1x ) Displaying 802.1x Con f igurat ion, Statistics, and Counters An Unau th VLAN ID appear i ng in the Cur r ent VLA N ID column for the same p ort i ndicate s an un authenticated clien t is connecte d to thi s port. (As s umes that the po rt i s not a stati c ally configured member of V L AN 100.) Items [...]
-
Página 174
Configuring Port-Based Ac ce ss Control (802.1x) Displaying 802.1x C onfiguration, Stat istics, and Counters 25 as an authorize d VLAN, then the po rt’ s me mbership in VLAN 1 w ill be tempora r ily suspe n ded wh enever an au th en ticated 802.1x cli e nt is attached to the port. T able 6-1. Open VLAN Mode Sta t us Status Indicator M eaning Port[...]
-
Página 175
Configuring Port-Based Access Control (802.1x ) Displaying 802.1x Con f igurat ion, Statistics, and Counters Syntax: show vla n < vlan-id > Displa y s the port sta t us for the se lected VLAN , includin g an in dication of which port m e mb erships have been temporarily overridden by Ope n VLAN mod e. Note that ports B1 a nd B3 are not i n th[...]
-
Página 176
Configuring Port-Based Ac ce ss Control (802.1x) Displaying 802.1x C onfiguration, Stat istics, and Counters Show Commands for Po rt-Access Supplicant Syntax: show port-access supplic ant [ [e] < port-list >] [ statistics ] sho w port-access supplican t [ [e] < po rt-list >] Shows the port-access suppl icant configuration (exclud i n g [...]
-
Página 177
Configuring Port-Based Access Control (802.1x ) How RADIUS/802.1x Authenticat ion Affects VLAN Operation supplicant port to another without cl eari n g the stati s tic s data from the first po rt, t he authenti cato r’ s MAC address w il l appea r in the suppl i cant sta tis tic s fo r both ports. How RADIUS/802.1x Authentication Affects VLAN Ope[...]
-
Página 178
Configuring Port-Based Ac ce ss Control (802.1x) How RADIUS/802.1x Authenticat ion Affects VLAN Operation For example, suppose that a RADIUS-au thenticated, 802.1x- awa re cli e nt on port A2 req uires a ccess to VLA N 22, but VLA N 22 is config ured for no access on po rt A2, and VLAN 33 is co nfigured as untagged o n port A2: Scenario: An authori[...]
-
Página 179
Configuring Port-Based Access Control (802.1x ) How RADIUS/802.1x Authenticat ion Affects VLAN Operation Th is entry show s that p or t A2 is temporaril y untagg ed on VLAN 22 for an 802.1x se ssion. This is to accomodate an 802.1x client’ s access , aut henticated by a RAD I US ser v er , whe re the ser v er i nclude d an instr uct ion to p ut t[...]
-
Página 180
Configuring Port-Based Ac ce ss Control (802.1x) How RADIUS/802.1x Authenticat ion Affects VLAN Operation When the 802.1x cl ie nt’ s session on port A2 ends, the port discard s the tempora ry untagged VLAN membe r ship. At this time the stati c VLAN actually co nfi g ure d as untagged on the port again bec o mes available. Thus, when th e RADIUS[...]
-
Página 181
Configuring Port-Based Access Control (802.1x ) Messages Related to 802.1x Operation Messages Related to 802.1x Operation T able 6-2. 802.1x Operating Messages Message Meaning Port < port-list > is not an The ports in the port list ha ve not bee n e nabled as 802.1x authenticator. authenticators. Use this comm and to enable the po rts as auth[...]
-
Página 182
[...]
-
Página 183
7 Configuring and Monitoring Port Security Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Basic Op er ati on Blocking Unautho riz ed Tr affi c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Trunk Group Excl us io n . . . . . . . . . . . . . . . .[...]
-
Página 184
Configuring a nd Monitoring Port Security Overview Overview Feature Default Menu CL I We b Displaying Current Port Security n /a — page 7- 9 page 7-15 Configuring Port Security d isabled — page 7-10 page 7-15 Intrusion Alerts and Alert Flags n/a page 7-21 page 7-19 page 7-22 Using Port Security , you can configure each swi t ch po rt w ith a un[...]
-
Página 185
Configuring and Monitoring Port Security Basic Operation Gener a l Operation for Port Security . On a per - por t basis, you can configure security measure s to block un authori z ed de vic e s, and to send notic e of security vi olations. O nce you have configured port secu rity , you can then monitor the network for security viol ations t h rough[...]
-
Página 186
Configuring a nd Monitoring Port Security Basic Ope r ation Switch A Port Securi ty Configured Switch B MAC Address Au tho riz ed by Switch A PC 1 MAC Address Au tho riz ed by Switc h A PC 2 MAC Address NO T Authorized by Switc h A PC 3 MAC Address NO T Autho riz ed by Swi t ch A Switch C MAC Address NO T Au tho riz ed by Switch A Switch A Port Sec[...]
-
Página 187
Configuring and Monitoring Port Security Planning Port Security Planning Port Security 1. Plan your port securi ty configuration and moni toring according to the follow i ng : a. On which po rts d o y ou want port secu rit y? b. Which dev i ces (MAC addresses) are authorize d on each port (up to 8 per port)? c. For each port, w h at security act io[...]
-
Página 188
Configuring a nd Monitoring Port Security Port Security Command Options and Operatio n Port Security Command Options and Operation Port Sec u rity Comm ands Used in T h is Section show port-security 7 -9 po rt-security 7-10 < [ethernet] port-list > 7-10 [learn-mod e] [address-limit] [mac-address] [action] [clear -i ntrusion-flag] no port-secu[...]
-
Página 189
Configuring and Monitoring Port Security Port Security Command Options and Operation T able 7-1. Port Security Parameters Parameter Des c rip tion Port L i st <[ethernet] port-lis t > Identifies the port or ports on which to apply a port security command. Lea rn learn-mode < static | continuous | port-access > Specifies how the port acq[...]
-
Página 190
Configuring a nd Monitoring Port Security Port Security Command Options and Operatio n Parameter Des c rip tion Act i on actio n <none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a netwo rk management station when Learn Mod e is set to stati c and the port detects an unauth o rized device, or when Lear n Mode is se[...]
-
Página 191
Configuring and Monitoring Port Security Port Security Command Options and Operation Assigned/Authori zed Addresses. : I f y ou manual ly a ssign a MAC address (using port-security < po rt-nu m ber > address-list < m ac-add r > ) and then exe c ute write mem o ry , the assigned MAC a d dress rema ins in memo ry u nt il you d o on e of t[...]
-
Página 192
Configuring a nd Monitoring Port Security Port Security Command Options and Operatio n W i th port numbers i n cluded i n th e command , sho w port-securit y displays Learn M o de, A d dress L i m i t , (a l a rm) Ac t i on, and Aut h or i z ed A d dresses f o r the s p ec - ified ports on a switch . The following example lists the full port sec u [...]
-
Página 193
Configuring and Monitoring Port Security Port Security Command Options and Operation For i nfo rmat i on on th e i ndivid u al control paramet e rs, see t h e P o rt Securi ty Parameter table on page 7-7. Sp eci f ying Au thoriz ed Devices and Intrusio n Responses. Thi s e x ample configures port A1 to au tomaticall y accept the first device (MAC a[...]
-
Página 194
Configuring a nd Monitoring Port Security Port Security Command Options and Operatio n T he Address Limit has no t b een r eached. Al though the Address Lim i t is set to 2, only one device has been au thorized fo r this port. In thi s ca se you can ad d anot her withou t ha ving to also in cr ease th e Address Limit. Figure 7-4. Example of Add i n[...]
-
Página 195
Configuring and Monitoring Port Security Port Security Command Options and Operation If yo u are adding a devic e (MAC address) to a port on which th e Authorized Addresse s list is already ful l (as control l ed by the port’ s current Address L imit setting), then you must increase the Address Limit in order to add the device, even if yo u want [...]
-
Página 196
Configuring a nd Monitoring Port Security Port Security Command Options and Operatio n Note Y ou can reduc e the address limi t below the numbe r of curr en tly authori z ed addresses on a port. Thi s enables you to subsequentl y remove a dev i ce from the “Authorized ” list wit hout openin g the possibility for an unw a nte d dev i ce to autom[...]
-
Página 197
Configuring and Monitoring Port Security Web: Displaying a nd Configur ing Port Security Features W e b: Displaying and Configuring Port Security Features 1. Cl ic k on the Security tab . 2. Cl ic k on [Port Security] . 3. Select the settings you wa nt and, if you are usi n g the Static Learn Mode, add or edit the Author ized Addresses field. 4. Im[...]
-
Página 198
Configuring a nd Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags – The show po rt-secur ity i ntr usi o n- log com m and displ a ys th e Intru s ion L og – The log command displays t h e Even t Log • I n the menu interface : – T he Port Status screen inc l ud es a per - port i n trusi on alert – T he E v ent Lo[...]
-
Página 199
Configuring and Monitoring Port Security Rea d ing Intrusion Alerts and Resetting Alert Flags The log shows the most recent i n trusion at the top of the listing. Y o u cannot dele te Intru s ion Log ent ries ( unless yo u reset the swi t ch to i t s factory - default configuration). Instead, i f the log is fil l ed wh en the switch detects a new i[...]
-
Página 200
Configuring a nd Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The In trusi on Aler t colum n show s “Y es ” for any port o n whic h a security vio l ation has been detecte d. Figure 7-10. Exampl e of Port Status Sc ree n w ith Intrusion Alert on Po rt A3 2. T y pe [I ] ( I ntrusion lo g ) to di splay the I n tru s[...]
-
Página 201
Configuring and Monitoring Port Security Rea d ing Intrusion Alerts and Resetting Alert Flags (Th e intru s ion log ho lds up to 20 intr usi on record s and delet e s an intru s ion reco rd only wh en the log becomes ful l and a new i n trusi on is subsequ e ntl y dete cted.) Note also that the “ p r ior to ” text in the record fo r t h e ear l[...]
-
Página 202
Configuring a nd Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Intrusio n Aler t on port A1. Figure 7-12. Example of a n Unac knowledged Int r usion Ale r t i n a Port Statu s Displa y If you w ant ed t o see th e deta ils of th e i n trusi on, you would then en ter th e show port-securit y intrusion-log command. For e[...]
-
Página 203
Configuring and Monitoring Port Security Rea d ing Intrusion Alerts and Resetting Alert Flags Intru s ion Al ert o n por t A 1 is no w cleared . Figure 7-14. Example of Port Status Sc ree n After Ale r t Flags Reset For more on clearing in tru s ions, see “Note on Send -D is able Oper ation” on page 7-17 Using the Event Log T o Find Intrusion A[...]
-
Página 204
Configuring a nd Monitoring Port Security Operating Notes fo r Port Security From the Menu Interface: In the M a in Menu , c lick on 4. Event Log and use N ext pag e and P rev page to revie w the Eve nt Log contents. For More Event Log Information. See “Using the E vent Log T o Identi fy Problem Sources” in th e " T roubleshooti n g" [...]
-
Página 205
Configuring and Monitoring Port Security Operating Notes for Port Security W i thout b oth of th e above conf igur ed , the switch detects onl y the proxy server’ s MA C address, and not you r PC or wor k stat i on MAC add r ess , and interp rets your connect ion as unauthori zed . “Prior T o” En tries in the Intrusion Log. If you reset the s[...]
-
Página 206
[...]
-
Página 207
8 Using Authorized IP Managers Contents Using Authorized IP Managers Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Options . . . . . . . . . . .[...]
-
Página 208
Using Authorized IP Managers Overview Overview Authori zed IP Manager Featu r es Feature D efault M enu CLI W eb Listing (Showing) Authorized Managers n/a page 8-5 page 8-6 page 8-8 Configuring Authorized IP Managers None page 8-5 page 8-6 page 8-8 Building IP Masks n /a page 8-9 page 8-9 page 8-9 Operating and T r oubleshooting n/a page 8-12 page [...]
-
Página 209
Using Authorized IP Managers Options Options Y ou can conf igur e: ■ Up to 10 a u thorized manager addresses , w her e eac h a d dress applies to either a singl e management stati on or a group o f stati ons ■ Manager or Operator access privi l eges Caution Configu r ing Aut hor ized IP Ma nag e rs does not prote ct access to the swi t ch th ro[...]
-
Página 210
Using Authorized IP Managers Defining Authorize d M anagement Stations Defining Authorized Management Stations ■ Auth or izing Sin g le Sta tions: The tabl e entry au thor izes a sin g le management stati on to hav e IP acce ss to the swi tch. T o use this method, just enter the IP addre ss o f an authori z ed management sta t ion in the Authori [...]
-
Página 211
Using Authorized IP Managers Definin g Autho r ized Management Stations rized Man a ger IP address to authori ze f our IP addresses for managem ent station access. The details on how to use IP masks are provided unde r “Bu ildin g IP Masks” on page 8-9. Note The IP Mask is a method fo r recogni z ing whethe r a given IP ad dress is authori z ed[...]
-
Página 212
Using Authorized IP Managers Defining Authorize d M anagement Stations 2. Enter an Au tho riz ed Man ager IP address h ere. 5. Pr ess [E nter] , then [S ] (for Sav e ) to configur e the IP A u tho riz ed Manage r en try . 3. Use the defa u lt mask to allow access by one man age ment devi ce, o r edit the mask to a llow a ccess by a bl ock of manage[...]
-
Página 213
Using Authorized IP Managers Definin g Autho r ized Management Stations The above example shows an Authorized IP Ma nager List that allows stations to access the switch a s show n below : IP Mask Authorize d Station IP Address: Access Mode: 255.255.255.252 1 0.28.2 27.100 through 103 M anager 255.255.255.254 1 0.28.2 27.104 through 105 M anager 255[...]
-
Página 214
Using Authorized IP Managers Web: Configuring IP Authorized Managers The resul t of ente ri ng the pre ceeding example is: • A uthorized Stati on IP Address: 10.28.227.105 • I P Mask: 2 55.255.255.255, w h ich aut hori z es only the specified station (10.28.227.105 in this case ) . (See “C onfiguring Mult iple Stat i ons Per Authorize d Manag[...]
-
Página 215
Using Authorized IP Managers Buildi n g IP Masks For web -ba sed help on how t o us e t h e w eb bro w ser i nte rface s c reen, cl ic k on th e [?] button pr ovi d ed on the web browser screen. Building IP Masks Th e IP M a sk parameter con t rols how th e switch use s an A u thorized Manager IP value to recogni z e the IP addre sses of authorize [...]
-
Página 216
Using Authorized IP Managers Building IP Masks Configuring Multiple Statio ns Per Authorized Manager IP Entry The ma sk de te rmines whethe r th e IP address of a station on the ne two r k meets the criteria you specify . Th at i s, for a gi ven Author ize d Manager entry , the switch applies the IP mask to the IP address y o u sp ecify to determin[...]
-
Página 217
Using Authorized IP Managers Buildi n g IP Masks Figure 8-5. Analy s is o f IP Ma sk fo r M u ltipl e -Sta tion Entries 1s t Oct et 2nd Oct et 3rd Oct et 4t h Oct et Manager -L evel or Ope r ator-Le v el Device Access IP Mask 255 255 255 0 The “255” in the first three octets of the mask spe c ify that only the exa ct Authorized 10 28 22 7 125 v[...]
-
Página 218
Using Authorized IP Managers Operating Notes Additional Examples for Au thorizing Mult iple Stations Entries for Authorized Manager List Results IP Mask 255 2 55 0 2 55 This combinati on specifies a n authoriz ed IP a ddress of 10.33. xx x .1. It could be Authorized 10 33 24 8 1 applied, for example, to a subnetted netwo rk where each subnet is def[...]
-
Página 219
Using Authorized IP Managers Ope r ating Notes • E ven i f you need p r oxy server access enabl ed in o r der to u se other application s, you can sti ll elimin ate proxy service fo r web access to the switch. T o do so, add th e IP address or DNS name of the swi t ch t o the non-p r oxy , o r “Exceptions” l i st in the web bro w ser i nte rf[...]
-
Página 220
[...]
-
Página 221
Index Numerics 3DES … 4 -3, 5-3 802.1x See port-ba s ed access con t rol . …6 -1 A aaa authentication … 2-9 access levels, authorized IP managers … 8 -3 accounting See RADIUS.- addres s authorized for port security … 7 -3 authentication See TACACS.- authorized addresses for IP m a nagement security … 8 -4 for port security … 7 -3 auth[...]
-
Página 222
inconsistent value … 7 -12 O ope n VLAN mode See por t ac cess co ntr ol OpenSSH … 4-3, 5-2 oper a ting notes authorized IP managers … 8-12 port security … 7 -22 ope rator pas sw o rd … 1-2, 1- 4 P password browser/c o nsole access … 1-3 case-sensitive … 1-4 caution … 1 -3 delet e … 1 -4 deleting with the Clear butto n … 1 -5 if[...]
-
Página 223
supplicant , en abling … 6 -34 switch username and password … 6-3 terminolog y…6 -7 troubleshooting, gvrp … 6-43 used with port-security … 6 -31 VLAN operation … 6- 43 prior to … 7 -19, 7-20, 7-23 Privacy Enhanced Mode (PEM) See SS H.- pro xy web ser v er … 7-22 Q quick start … 1-xix R RADIUS accounting … 3-2, 3-16 accounting, c[...]
-
Página 224
host k ey pair … 4 -11 key, babble … 4 -11 key, fingerprint … 4-11 keys, zeroizing … 4-11 key-size … 4 -17 know n -host file … 4 -13, 4- 15 man-in-the-middle s p oofing … 4 -16 messages, operating … 4 -27 OpenSSH … 4-3 oper a ting rules … 4-8 outbound SSH n o t secure … 4 -8 password security … 4 -18 password-only a u thenti[...]
-
Página 225
overview … 1 -xii precautions … 2 -6 prepa r ing to configure … 2-9 preventing switch lockout … 2 -1 5 privilege level code … 2 -7 server access … 2-15 server prior i ty … 2 -18 se tup, ge ner al … 2-6 show authentication … 2-9 supported features … 2 -3 syste m requirements … 2 -5 TACACS+ server … 2 -4 testing … 2-6 timeou[...]
-
Página 226
6 – Index[...]
-
Página 227
[...]
-
Página 228
T ec hnical inf o r mation in t his doc ume nt is su bj ec t to c hange w it hou t no tice . ©Cop yr ight He wlett-P ack ar d C om pan y 2000, 200 2 . All r ight r eserved . Re pr odu ction , ada pta tion , or transla tion wit hout pr ior w r it te n per mission is p r ohib ited ex ce pt as all o w ed unde r t he cop yr i gh t la[...]