HP (Hewlett-Packard) 4100GL manual

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228

Ir para a página of

Bom manual de uso

As regras impõem ao revendedor a obrigação de fornecer ao comprador o manual com o produto HP (Hewlett-Packard) 4100GL. A falta de manual ou informações incorretas fornecidas ao consumidor são a base de uma queixa por não conformidade do produto com o contrato. De acordo com a lei, pode anexar o manual em uma outra forma de que em papel, o que é frequentemente utilizado, anexando uma forma gráfica ou manual electrónicoHP (Hewlett-Packard) 4100GL vídeos instrutivos para os usuários. A condição é uma forma legível e compreensível.

O que é a instrução?

A palavra vem do latim "Instructio" ou instruir. Portanto, no manual HP (Hewlett-Packard) 4100GL você pode encontrar uma descrição das fases do processo. O objetivo do manual é instruir, facilitar o arranque, a utilização do equipamento ou a execução de determinadas tarefas. O manual é uma coleção de informações sobre o objeto / serviço, um guia.

Infelizmente, pequenos usuários tomam o tempo para ler o manual HP (Hewlett-Packard) 4100GL, e um bom manual não só permite conhecer uma série de funcionalidades adicionais do dispositivo, mas evita a formação da maioria das falhas.

Então, o que deve conter o manual perfeito?

Primeiro, o manual HP (Hewlett-Packard) 4100GL deve conte:
- dados técnicos do dispositivo HP (Hewlett-Packard) 4100GL
- nome do fabricante e ano de fabricação do dispositivo HP (Hewlett-Packard) 4100GL
- instruções de utilização, regulação e manutenção do dispositivo HP (Hewlett-Packard) 4100GL
- sinais de segurança e certificados que comprovam a conformidade com as normas pertinentes

Por que você não ler manuais?

Normalmente, isso é devido à falta de tempo e à certeza quanto à funcionalidade específica do dispositivo adquirido. Infelizmente, a mesma ligação e o arranque HP (Hewlett-Packard) 4100GL não são suficientes. O manual contém uma série de orientações sobre funcionalidades específicas, a segurança, os métodos de manutenção (mesmo sobre produtos que devem ser usados), possíveis defeitos HP (Hewlett-Packard) 4100GL e formas de resolver problemas comuns durante o uso. No final, no manual podemos encontrar as coordenadas do serviço HP (Hewlett-Packard) na ausência da eficácia das soluções propostas. Atualmente, muito apreciados são manuais na forma de animações interessantes e vídeos de instrução que de uma forma melhor do que o o folheto falam ao usuário. Este tipo de manual é a chance que o usuário percorrer todo o vídeo instrutivo, sem ignorar especificações e descrições técnicas complicadas HP (Hewlett-Packard) 4100GL, como para a versão papel.

Por que ler manuais?

Primeiro de tudo, contem a resposta sobre a construção, as possibilidades do dispositivo HP (Hewlett-Packard) 4100GL, uso dos acessórios individuais e uma gama de informações para desfrutar plenamente todos os recursos e facilidades.

Após a compra bem sucedida de um equipamento / dispositivo, é bom ter um momento para se familiarizar com cada parte do manual HP (Hewlett-Packard) 4100GL. Atualmente, são cuidadosamente preparados e traduzidos para sejam não só compreensíveis para os usuários, mas para cumprir a sua função básica de informação

Índice do manual

  • Página 1

    access sec ur ity guide www .hp .com/go/hpp r oc ur v e hp pr ocurv e ser ies 4100gl s witc hes[...]

  • Página 2

    [...]

  • Página 3

    HP Procurve Series 4100GL Switches Access Security Guide Software Release G.07.XX or Greater[...]

  • Página 4

    © Copyright 2001-2002 He wlett-Packard Company All Rights Reserved. This document contains inform ation whi c h is protected by copyright. Reproduction, adapta tion, or translation without prior pe rmissio n is prohibited, except as allowed under th e copyr igh t law s. Publication Number 5 990-303 2 Dec e mber 2 002 Edition 2 Applicable Product H[...]

  • Página 5

    Contents Getting Started Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii Ov erv iew of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Página 6

    2 T ACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Termi n ology Used in TACACS Applicati o ns: . . . . . . . . . . . . . . . . . . .[...]

  • Página 7

    Out line of th e Steps f or Conf igurin g RADI U S Authenticat i on . . . . . . 3-6 1. C o nfi g ure Authen ti cation for the Access Methods You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 2. Config ur e the Sw itch To Access a RAD I US Server . . . . . . . . . . . . 3-10 3. Configu r e the[...]

  • Página 8

    1. As signing a Local Logi n (Operator ) and Enable (Manager ) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9 2. Generat ing the Swi t ch’s Public an d Pr ivate Key Pair . . . . . . . . . . 4-10 3. Providing the Switch ’s Public Key to Clients . . . . . . . . . . . . . . . . . . 4-12 4. Enabl ing SSH on the Swi t ch [...]

  • Página 9

    6 C onfiguring Port-Based Access Control (802.1x) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Why Use P o rt-Based Access Control? . . . . . . . . . . .[...]

  • Página 10

    Ho w R A DIU S/ 802.1x Authent ica tion Affects VL AN Operati on . . 6-43 Static VLAN Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-43 Messages R e lated to 802.1x Operati on . . . . . . . . . . . . . . . . . . . . . . . . 6-47 7 C onfiguring a n d Mon i toring Port Security Contents . . . . . . . . . . . . .[...]

  • Página 11

    Defining Authorized Managem e nt Sta t ions . . . . . . . . . . . . . . . . . . . . . 8-4 Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 Menu: Viewing and Co nfiguring IP Author ized Manager s . . . . . . . . . . 8-5 CLI : Viewing and Configu r in g Authorized IP Manager s . . . . . . . . . . . . 8-6[...]

  • Página 12

    [...]

  • Página 13

    Getting Started Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii Ov erv iew of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . xii Comman d Syntax Conve n tio ns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Simulating D[...]

  • Página 14

    Getting Starte d Introduction Introduction This Access Security Guide is int ended for use w i th the follo wing switches: ■ HP Procurv e Switch 4 104G L ■ HP Procurv e Switch 4 108G L T o gether , these two dev i ce s are terme d the HP Procurve Series 4100GL Switches . Overview of Access Security Features ■ Local Manager and Operat or passw[...]

  • Página 15

    Getting Started Overview of Access Sec u rity Features All ows a ccess to the swi tch by a networked devic e having an IP add r ess previousl y con fig ured in the switch as "authorized". HP recommend s th at you use local pa sswor ds together w i th the switch’ s other security feature s to provide a more comp rehensi v e security fabr[...]

  • Página 16

    Getting Starte d Command Synta x Conventions Command Syntax Conventions Thi s guide use s the fol l owing conventi ons for com m and syntax and displ ays. Syntax: aaa port-access authenticator < port-list > [ contro l < authorized | auto | unau tho r ized > ] ■ V e rtical bars ( | ) separate altern ative, mutuall y excl usive elements[...]

  • Página 17

    Getting Started Related Publications Screen Simulations Figures contain ing simulat ed scr e en t e xt and command output look like t his: Figure 1. Exampl e of a Figure Showin g a Sim u lated Screen In some cases, brief comman d- outpu t se quences appear wi thout fig u re iden- tific a tion. F o r ex am pl e: HPswitch(config)# clear public-key HP[...]

  • Página 18

    Getting Starte d Related Publications HP provides a PDF versi o n of thi s gui d e on t he Product Documentati on CD- ROM shi p ped with the swi t ch. Y o u can also download the late st copy fr om th e HP P r ocurve w ebsit e. ( S ee “Get ting Documentat i on Fro m th e W e b” on page xvii.) Comman d Line Interfa ce Refere nce Guide. This guid[...]

  • Página 19

    Getting Started Getting Documentation From the Web Getting Documentation From the W eb 1. Go to the HP Procurve w e bsi te at htt p :// www .hp.com/go / hpprocurve 2. Click on technical support . 3. Click on manual s . 4. Click on the product for whi ch you w a nt to view or downl o ad a manual . 2 3 4 xvi i[...]

  • Página 20

    Getting Starte d Sources for More Information Sources for More Information ■ If you need inform ati on on spec ifi c paramete rs in the menu inte rfa ce, refe r to the online hel p provided in the in terface. Online Help for Menu ■ If yo u need informati o n on a specif ic command in th e CLI, type the comma nd name followed by “help”. For [...]

  • Página 21

    Getting Started Need Only a Quick Start? Need Only a Quick Start? IP Addre s sing. If yo u just want to gi ve the sw it ch an IP address so that it can communicate on your network, or if yo u are not usi ng VLANs, HP recomme n ds that you use the Switch Se tup screen to quickly configure IP add r essin g. T o do so , do one of the follow in g: ■ [...]

  • Página 22

    [...]

  • Página 23

    1 Configuring Username and Password Security Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Configuring Local Pas s word Sec uri ty . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 Menu: Setting Passwo r ds . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Página 24

    Configuring Use r name and Password Security Overview Overview Feature Default Menu CL I We b Set Usernames no user names set — — page 1- 6 Set a Password no passwords set pa ge 1-4 page 1- 5 page 1- 6 De lete Pass word n/a pa ge 1-4 page 1- 6 page 1- 6 Prote c tion Console access includes both the menu interface and the CLI. There are tw o lev[...]

  • Página 25

    Configuring Username and Password Security Overview If you do ste p s 1 and 2, above, the n th e next time a console session is start ed for either the menu interf ace or the CLI, a p r omp t appears f or a passwo r d. Assuming you have prote c te d both the Manag e r and Operator lev e ls, the level of access to the consol e in terface will be det[...]

  • Página 26

    Configuring Use r name and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As n o t e d earl i er in t h is sec t i on, user n a m e s a r e op t i ona l . C o n f ig u r i n g a user - name requi r es ei ther the CLI or the web browser in terface. 1. From the Main Menu select: 3. Co[...]

  • Página 27

    Configuring Username and Password Security Configuring Local Password Security If you have physical access to the switch, press and ho ld the Clear bu tton ( on th e f r ont o f th e swi t ch) fo r a min i mum of on e second to clear al l passwo rd pr otect ion , then ent er new passwo r ds as described earlier in this chapte r . If you do not have[...]

  • Página 28

    Configuring Use r name and Password Security Configuring Local Password Security T o Remove Password Pro t ection . Removing passwo r d p r otect ion means to eliminate password securit y . Thi s com m and pro m pts you to ver ify that you want to remove on e or both passwo r ds, th en clears the indicat ed pa ssword ( s). (This command also cle a [...]

  • Página 29

    2 T ACACS+ Authentication Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Termi n ology Used in TACACS Applicati o ns: . . . . . . . . . . . . . . . . . . . . 2-4 Ge neral S y stem Re qui r ements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 G[...]

  • Página 30

    TACACS+ Authentication Overview Overview Feature Default Men u CL I We b view the switch’ s authentication configuration n/a — page 2-1 0 — view the switc h’ s T A CACS+ ser v er contact configuration n/a — page 2-1 0 — configur e the switch’ s authentica t ion methods disabled — page 2-1 1 — configure the switch to contact T ACA [...]

  • Página 31

    TACACS+ Authentication Overview server and (2) local passwords confi g ured on the switch. That is, with T A CACS+ configured, the switch fir s t tries to contact a designated T ACA CS+ serv er fo r authenti cation ser vic es. If the switch fail s to conne c t to any T A CACS+ serve r , it defaults to its own locally assigned p a sswords for authen[...]

  • Página 32

    TACACS+ Authentication Terminology Used in TA CACS Applications: T e rminology Used in T ACACS Applications : ■ N A S ( N etwork A c cess Ser v e r ): T h is is a n i nd u s t ry t e rm f o r a T A CACS-aware device that communi cates with a T ACACS server for authentication services. Some other terms you may see in literature de scribing T ACACS[...]

  • Página 33

    TACACS+ Authentication General System Requirements • T A CACS + Authentication: This method ena bles you to use a T ACACS+ s e rver in your network to ass i gn a unique password, user name, a n d privilege le vel to e ach in dividua l or group w ho needs access to one or mor e sw it ches or other T A CACS-aware devices. This all o ws you t o a[...]

  • Página 34

    TACACS+ Authentication General Authentication Setup Procedure Notes The eff e ct i veness of TA C ACS+ se c u r i ty d e p e nds on c o rrectly using your TACACS+ ser v er application. For this reason, HP recommends that you thoroughly tes t all TACACS+ configur ations used in your network. TACACS-aware HP switches include the capability of configu[...]

  • Página 35

    TACACS+ Authentication General Authentication Setu p Procedure 2. Determine th e f o llowing: • The IP address(es) of the T A CACS+ server(s) you want the switch to use for authentication. If you will use more than one server , de termine which ser v er is yo ur first-choice for authentication ser v ices. • The encryption key , if any , for all[...]

  • Página 36

    TACACS+ Authentication General Authentication Setup Procedure Caution Y o u s ho u ld ens u re t h at t h e s w i t ch h a s a l o cal M a n a ger passwo r d. O t her - wise, if authentication through a T ACACS+ server fails for any reason, then unauthorize d access will be a vai la ble throu gh th e con s ol e port or Telnet. 5. Using a termi nal [...]

  • Página 37

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring T ACACS+ on the Switch Before Y ou Begi n If you are new to T AC ACS+ authentication, HP recomm en ds that you read the “General Authenticat ion Setup Pro c edu r e” o n pa ge 2- 6 an d configure your T A CACS+ server( s ) before configur ing authenticati on on the switch. The[...]

  • Página 38

    TACACS+ Authentication Configuring TACACS+ on the Switch V i ewing the Switch’ s Current Authentication Configuration This command lists the n u mber of logi n attemp ts t he swi t ch al lows in a sin gle lo gin session, and the prim ary/secondary access method s confi g ured fo r each type of access. Syntax: show authentica t ion This example sh[...]

  • Página 39

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’ s Authentication Methods Th e aaa authe n ticati on command configures the access control for conso le port and T e lnet a ccess to the swi t ch . That is, for both access methods, aaa authenticatio n specifies whether to use a T ACACS + server or the switch’ s loc[...]

  • Página 40

    TACACS+ Authentication Configuring TACACS+ on the Switch T able 2-1. AAA Authentication Pa rameters Name Default Range Function console n/a n /a Specifies whether the command is conf igu r in g au thentic ation for the conso l e por t - or - or T e lne t access method for the switch. tel n et enable n/a n /a Specifies the privilege level for the ac[...]

  • Página 41

    TACACS+ Authentication Configuring TACACS+ on the Switch T able 2-2. Prima r y/Secondary Authen tication T abl e Access M e thod and Privilege Level Au thentic ation Op tions Effect on Access Attempts Primary Second ary Console — Log in local none* Local userna me/password access only . tacac s l ocal If T acacs+ server unava i lable, uses local [...]

  • Página 42

    TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of acc e ss options and the corre s ponding comma n ds to configure the m: Console Login (Operat o r o r Read-Only) Access: Pri m ary using T A CACS+ server . Secondary using Local. HPswitch (config)# aaa authentication console login tacacs local Console Login (Oper[...]

  • Página 43

    TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’ s T A CACS+ Server Access The tacacs-serve r command configures these parameters: ■ The host IP address(es) for up to three T ACACS+ servers; one fir s t cho i ce and up to tw o ba cku p s. Desi gnating backup se rvers provides fo r a continuation of authenticat io[...]

  • Página 44

    TACACS+ Authentication Configuring TACACS+ on the Switch Note on Encryption Key s Synta x: tacacs-server host < ip-addr > [key < key - string >] Adds a TACACS+ server an d opt i onally assigns a s erv er-s pecifi c encryption key . [no] tacacs-server host < ip-addr > Remov e s a TACACS+ server assign ment (including its server- sp[...]

  • Página 45

    TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host < ip-addr > [key < key-string > none n/a Specifies the IP address of a device running a T A CACS+ serv er applica t ion. Optionally , can also specify the unique, per - serve r encryptio n key to us e when each assigned server has its own, un iqu e key . Fo[...]

  • Página 46

    TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range Name Default Range key < key- s tring > none (nu l l) n/a Specifies the optiona l, global "encryption key" that i s also assigned in the T A CA CS+ server(s) that the switc h will access for authentication. This o p tion is subordinat e to any "pe r -se[...]

  • Página 47

    TACACS+ Authentication Configuring TACACS+ on the Switch T he "10" ser v er is now the " first-choice " T A CACS+ au the n tic a tion devi ce. Figure 2-5. Example of the Switch After Assigning a Different "Fir st-Choice" Server T o re move the 10.28.227.1 5 device as a T ACACS+ ser v er , you would use this comma n d: [...]

  • Página 48

    TACACS+ Authentication How Authe n tication Operates To del e te a per-server e n cry p tion key in the switch, re-enter the tacacs-se rver host co mm and wi thout t h e key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you wa nt to elimi n ate the key , you[...]

  • Página 49

    TACACS+ Authentication How Authentication Operates Using figure 2-6, a b ove, after e i ther sw it ch detec t s an opera t or’ s logon request fr om a remot e or directl y conn ect e d termin al, the foll ow ing events occ u r: 1. The sw itch queries the f irs t- choi ce T ACACS+ ser v er for authentication of the request. • If the swi tc[...]

  • Página 50

    TACACS+ Authentication How Authe n tication Operates Local Authentication Process When the switch is configured to use T ACACS+, it reverts to local authentica - tion only if one of thes e two co nditions exist s : ■ "Local" i s the authenti cation op ti on fo r the access method bei n g used. ■ T A CACS+ is the primary authenticat[...]

  • Página 51

    TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encr yption key (someti me s termed "key", "secre t key", or "s ecret " ) hel p s to preven t unau thori z ed intruders on th e network fr om re adi ng username and password information in T ACACS+ packets movin[...]

  • Página 52

    TACACS+ Authentication Controlling Web Browser Interface Acces s When Using TACACS+ Authentication F o r examp l e, you w ou l d u s e t h e next co mmand to c o nf i g ure a g l obal encryp - tion key in the switc h to match a ke y ente red as north40camp us in tw o target TACACS+ ser v ers. (That is, both servers use the same key for your switch.[...]

  • Página 53

    TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to T ACACS+ Operation The sw it ch gen e rat e s the CL I message s listed below . However , y o u may se e other messages generated in your T ACACS+ server a pplication. For informa - tion on such messages, re fer to the documentation you rec e ive d wi th the applica t [...]

  • Página 54

    TACACS+ Authentication Operating Notes ■ When T ACA C S+ is not enabled on t h e switch—or when the switch ’ s only designated T ACACS+ servers ar e not accessible— setting a local Operator passwo r d with ou t also setting a local Manag er password does not protect the switch from man a ge r - l evel a cc e ss by unautho - rized persons.) [...]

  • Página 55

    3 RADIUS Authentication and Accounting Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Termi n ology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Switch Operating Rules for RAD I US . . . . . . . . . . . . . .[...]

  • Página 56

    RADIUS Authenti cation and Accounting Overview Overview Feature Default Menu CL I We b Configuring RADIUS Auth en tication None n /a 3-6 n /a Configuring RADIUS A ccounting None n /a 3-16 n/a Vi ewing RADIUS Statistics n/a n /a 3-23 n/a RADIUS ( Remote Authentication Dial-In User Service ) enables yo u to use up to three servers (one primary server[...]

  • Página 57

    RADIUS Authentication and Accounting Terminology T e rminology CHAP (Ch a l l enge - H a n dsh a ke Auth e n t i c a tion Protoco l ): A chal l e nge - response authentic a tion protocol that uses the Message Digest 5 (MD5) hashi ng scheme to encrypt a response to a ch alle nge from a RAD I US server . EAP(Extensible A u then ticatio n Protocol): A[...]

  • Página 58

    RADIUS Authenti cation and Accounting Switch Ope r ating Rules for RADIUS Switch Operating Rules for RADIUS ■ Y ou must have at least one RA DIU S server accessible to the switc h. ■ The switch supports authentic a tion and ac counting us ing up to three RADIUS ser v ers. The switch accesse s the ser v ers in the order in which they are listed [...]

  • Página 59

    RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to thre e RADIUS server s to support the switch. (That is, one pri m ary server and one or tw o ba ck ups.) Re fer to the documentation provi d ed with the RADIU S server applica t ion. 2. Before configuring the sw itc[...]

  • Página 60

    RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS A u the n tication Configuring the Switch for RADIUS Authentication RADIUS Authentication Commands Page aaa authentication 3-8 < c onsole | telnet | ssh > < enable | log i n > radius 3-8 < local | none > 3 -8 [no] radius-server host < IP-address > 3-10 [...]

  • Página 61

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note Th i s st e p assum e s you have a l ready c o n f igu r ed t h e RADIUS serve r (s) t o support the swi t ch. Refer to th e documentation pro vid ed with the RADIUS ser v er documentati on .) • Se r ver IP address • ( Opt i onal ) UDP desti n atio n p[...]

  • Página 62

    RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS A u the n tication 1. Configure Authentication for the Access Methods Y ou W a nt RADIUS T o Protect This sect i on descr ibes ho w to configure the swi t ch fo r RADIUS authenticati on throu gh the follo wing a ccess m ethod s: ■ Console: Eithe r direct serial-port connecti[...]

  • Página 63

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have alread y configured lo cal passwo r ds on th e switch, but want to use RADIUS to pr ote c t primary T elnet and SSH access withou t a llowi ng a sec onda ry T elnet or SSH acc ess option (w h i ch wo uld be th e switch ’ s lo cal pa[...]

  • Página 64

    RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS A u the n tication 2. Confi g ure the Switch T o Access a RADIUS Server This section desc ribes how to confi gure the switch to i n teract w i th a RADIUS server fo r both authenticat ion an d accounting servi c es. Note I f y o u w a n t to con f i g u r e RADIUS accou n t i [...]

  • Página 65

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose yo u h ave c o nfi g ure d the swi t ch as shown in fig u re 3 -3 and you now need to make the following chan ges: 1. Change the encrypti on key for the serve r at 10.33.18 .127 to "source0127". 2. Add a RADIUS serv er wi th an IP[...]

  • Página 66

    RADIUS Authenti cation and Accounting Configuring the Switch fo r RADIUS A u the n tication 3. Confi g ure the Switch’ s Global RADIUS Parameters Y ou can configure the switc h for the fo llowing g lob al RADIU S param e ters: ■ Number of lo gin attem p ts: In a given session, specifi e s how many tries at entering the corre c t use r name and [...]

  • Página 67

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server timeout < 1 .. 15 > Specifie s the maximum time th e switc h waits for a response to an authenticati on request before counting the attempt as a failure. (Default: 3 seco nds; Range: 1 - 15 seconds ) radius-server retransmit < 1 .. 5 > If[...]

  • Página 68

    RADIUS Authenti cation and Accounting Local Authentication Process Aft er two attempts failing due to username or passwor d entry errors, the switch wil l ter m inate the session . Glo bal RADIU S para meter s from figur e 3-5. These two ser v ers wil l us e th e global encryp t ion key . Serve r -s pecifi c encrypti on key for the RADIUS serv er t[...]

  • Página 69

    RADIUS Authentication and Accounting Controlling Web Browser Interface Acces s When Using RADIUS Authentication For local authenticat ion, the swi t ch uses the Op erator -level an d Manag er -level use r nam e/pa sswo r d set(s) p r eviously co nfigured loca lly on th e switch . (Th e se are the usernames a n d passwords you can configure using th[...]

  • Página 70

    RADIUS Authenti cation and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Command s Page [no] radius- s erver host < ip-ad d ress > 3-19 [ acct-port < port-number >] 3-19 [key < key - string >] 3-19 [no] aaa accounting < exec | network | sy stem > 3-21 < start-stop | stop-only>[...]

  • Página 71

    RADIUS Authentication and Accounting Con f iguring RADIUS Accounting (For 802.1x information fo r the swi t ch, refer to “C onfiguring Port- B ased Acc e ss Co ntrol (802.1x)” on page 6-1.) ■ Ex ec accounti ng : Provides records cont aining t h e i nfo rmat i on lis ted below about lo gin session s (consol e , T eln et , and S S H) o n the sw[...]

  • Página 72

    RADIUS Authenti cation and Accounting Configuring RADIUS Accounting ■ If access to a RADIUS server fails du ring a session, bu t after the cli e nt has been a u the n ticated, the switch continues to assume the server i s available to rec e ive accounting data. Thus, if server access fails during a session, it w ill not receive acco unti n g data[...]

  • Página 73

    RADIUS Authentication and Accounting Con f iguring RADIUS Accounting 1. Configure the Switch T o Access a RADIUS Server Before y ou config ur e the ac tual acco unting pa ram et e rs, yo u should first configure the swi tch to use a RAD IUS serve r . This is the same a s the process de scribed o n pa ge 3-10. Y ou need to repeat t his step here on [...]

  • Página 74

    RADIUS Authenti cation and Accounting Configuring RADIUS Accounting Because the r adius-s erver command inc lu des an acct-p ort elemen t with a non default 1750, the switch assigns this value t o the accounting p ort UDP port n u mbe r s. Because a u th- port was not i ncluded in the comman d , the authenti cat ion UDP port is set to the defa u lt[...]

  • Página 75

    RADIUS Authentication and Accounting Con f iguring RADIUS Accounting ■ Start - Stop : • S e n d a start record ac c ounting not i ce at the b e ginn i n g of the account - ing session and a stop r e cor d noti ce at the end of the se ssio n . Bot h notices include the latest data the switch has co llected for the requested accounting type (N[...]

  • Página 76

    RADIUS Authenti cation and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These opt i onal paramet e rs give you addi ti onal cont ro l ov er accoun ti ng d ata. ■ Updates: I n additi on to us ing a St art - St op or St op -Onl y trigger , yo u can optionally configur e the swi t ch [...]

  • Página 77

    RADIUS Authentication and Accounting Viewing RADIUS Statistics V i ewing RADIUS Statistics General RADIUS Statistics Syntax: show rad i us [ host < ip-add r >] Shows general RADIUS configuration , in cluding the server I P addresses. Optional form shows data for a specific RADIUS host. To use sho w radius , the server’s IP address must be c[...]

  • Página 78

    RADIUS Authenti cation and Accounting Viewi n g RADIUS Statistics Te rm De finition Round T r ip T ime Th e time interval between the mo st recent Accounting-Respo n se and th e Accounting- Request that matched it from th is RADIUS accounting server . PendingRequests The number of RADIUS Accounting-Request packets sent to this se rver that have not[...]

  • Página 79

    RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Stati s tics Syntax: show a u thenticatio n Di splays the pri m ary and secondary authentication methods configured for the Console, T e lnet, Port-Access (80 2. 1x), and SSH methods of acce ssing the switch. Also displays the number of access attempts currently al[...]

  • Página 80

    RADIUS Authenti cation and Accounting Viewi n g RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, "Empty User " supression status, accountin g types, methods, and modes. show rad i us accounting Lists accounting statis tics for the RADIUS server(s) configured in the switch (using [...]

  • Página 81

    RADIUS Authentication and Accounting Changing RADIUS-Ser ver Access Order Figure 3-16. Exampl e Listing of Active RADIUS Accounting Sessions on t he Swi t ch Changing RADIUS-Server Access Order The switch tri e s to a ccess RADIUS ser vers according to the order in wh ich their IP addresses are listed by the show radius comma n d. Also, when you ad[...]

  • Página 82

    RADIUS Authenti cation and Accounting Changing RADIUS-Server Access Order T o excha nge the positions of the addre sse s so that the server a t 10.10.10.003 will be the first choice and the server at 10 .10.10.001 will be the la st, you w o uld do the follo win g: 1. Del e te 10.10.10.003 from the list. This op ens t he thir d (lowest) posit i o[...]

  • Página 83

    RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS serve r is n ot responding to an authentication request. T r y pinging the server to determine wheth er it is accessib le to t he switch. If the server is a[...]

  • Página 84

    [...]

  • Página 85

    4 Configuring Secure Shell (SSH) Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Termi n ology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . [...]

  • Página 86

    Configuring Secure Shell (SSH) Overview Overview Feature Default Menu CL I We b Generating a public/pr i vate key pair on the switc h No n/a page 4-10 n/a Using the switch’ s public key n/a n/a page 4-12 n/a Enabling SSH Disabled n/a page 4-15 n/a Enabling client public-ke y authentication D isabled n/a pages 4-19, n/a 4-2 2 Enabling user authent[...]

  • Página 87

    Configu r ing Secure Shell (SSH) Terminology Note SSH in the HP Proc ur ve Series 41 00GL swi t ches is based o n the Open SSH software toolki t. Fo r m o re i nfo rmat i on on OpenSS H, visit htt p :// ww w .o penssh.com . Switch SSH and User Password Authentication . This opt i on is a subset of the cli e nt pu blic- key authe nti catio n sh ow i[...]

  • Página 88

    Configuring Secure Shell (SSH) Prerequisite for Using SSH ■ PEM (Privacy E n hanced Mode): Refers to an ASCII-formatted cli e nt p ubl ic-k ey th at has be en encoded fo r por tabi lity and efficiency . SSHv2 cli e nt pu blic- keys ar e typ ica lly store d in the PEM format. See figure s 4- 3 and 4-4 fo r examples of PEM-enc o ded ASCII and non e[...]

  • Página 89

    Configu r ing Secure Shell (SSH) Public Key Formats Public Key Formats Any client ap plication yo u use f or cli e nt public- k ey authenticatio n with th e swi t ch must have the c a pability export public key s . The switc h ca n accept keys in the PEM-Encoded AS CII Format or i n the No n- Encoded ASCII fo rmat . Co mment descr ib ing p ub lic B[...]

  • Página 90

    Configuring Secure Shell (SSH) Steps for Configuring and Using SSH fo r Switc h and Client Authentication Switch Access Lev el Pri m ary S SH Authentication Authenticate Switch Public Key to SSH Clients? Authenticate Client Public Key to th e Switch ? Primary Switch Pas s word Authenticatio n Secondary Switch Pas s word Authentication Manager (Enab[...]

  • Página 91

    Configu r ing Secure Shell (SSH) Ste p s for Configuring and Using SSH for Switch and Client Authentication B. Switch Prep arat ion 1. Assig n a login (Operator) and enable (Manager) passwo r d on th e swi tch (page 4-9 ). 2. Generate a public/pri vate key pa ir on the switc h (page 4-1 0 ). Y ou n e ed t o do t his only once. The k ey remains i[...]

  • Página 92

    Configuring Secure Shell (SSH) General Opera t ing Rules and Notes General Operating Rules and Notes ■ Public keys gen e rat ed on an SSH cl ient must be exportabl e to th e swi tch. The swi t ch can only store 10 keys cli e nt key pairs. ■ Th e swi t ch ’ s ow n public/pri v at e key pai r and th e (optional) cli e nt pu b lic k ey f ile are[...]

  • Página 93

    Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Sectio n P age show ip ssh 4 -17 show c r ypto c l ient-public-k ey [ke y list-str] [< babble | 4-2 5 fingerprint >] show c r ypto h o st-public -key [< babble | fingerp r int >] 4-14 show a u t[...]

  • Página 94

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: password < manage r | operator | all > Figure 4-6. Exampl e of Config uring Loc a l Password s 2. Generating the Swi t ch’ s Pu blic and Privat e Key Pai r Y ou must generate a public and priva t e ho st key pa ir on the swi t ch. The switc h us es this key pa i[...]

  • Página 95

    Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you gen e rat e a host ke y pair on the switc h , the switch places the ke y pair in f l ash memo ry (a nd no t in t he running-c o nfi g fil e ). Also, the switch mai ntains th e key pai r across reboots, in cluding p ower cycles. Y ou sho uld consi der this key p[...]

  • Página 96

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generat e and display a new key: Host Public Key for the Switch Ve rsion 1 and V e rsion 2 vie ws of same host publ ic key Figure 4-7. Example of Gen e rating a Public/ Pr i vat e Host K e y P a ir for the Sw itc h The 'sho w crypt o host - public-k e y&apo[...]

  • Página 97

    Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation di stribut i on t o cl ient s is t o use a di re ct, se rial connection betwee n the sw itch and a management dev i ce (laptop, PC, or UN IX w o rk station), as de scribe d belo w . The publ ic ke y gen e rat e d by the swit ch consi sts of t h ree parts, separated by one bla[...]

  • Página 98

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add a ny data required by your SSH c lient appl ica t io n. For example Before saving the key to an SSH cli e nt’ s "know n hosts" file you may have to inser t the switch’ s IP address: Bit Size Exp onent <e> Modu lus <n > Inserted IP Address Fig[...]

  • Página 99

    Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation He xadecima l "Fingerpri nt s" of the Same Switch Phoneti c "Has h" of Swi t ch ’ s Public Ke y Figure 4-11. Examples of V i sua l Phonetic and He xadecim a l Conve r sio n s of the Switch’ s Public Key The t w o commands sho w n i n figure 4-11 conver[...]

  • Página 100

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Refer to “5. Configuring the Swi t ch fo r SSH Authenticat i on” on page 4-18. SSH Client Conta ct Behavio r . At the first contact be tw ee n the switch and an SSH client, if you have not co pied th e swi t ch’ s publ i c ke y into the c lient, your cli e nt’ s first c[...]

  • Página 101

    Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SS H connections (default: 22) . Important: See “Note on Port N u mber” on page 4-17. [timeout < 5 - 120 >] The SSH login timeout va lue (default: 120 seconds). [v ersio n <1 | 2 | 1-or -2 > The versio[...]

  • Página 102

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SS H does not p r otect t h e switch f r om unauthorized a ccess via the we b interface, T e lnet, SNMP , or the seria l port. Wh ile web and T e lnet access can be restric t ed by the u s e of passwo r ds lo cal to the switc h , if you are unsure of th e security t his pr ovi [...]

  • Página 103

    Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation Configures a password method for the primary and secondary enable (Manager) acc ess. If you do not spec- ify an optional secondary method, it defaults to none . Option B: Co nf ig uring the Switc h for Cl ient Pu blic -Key SSH Authentication. If confi g ured with this op ti o[...]

  • Página 104

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: a aa authe n tic a tion ssh enable < local | tacacs | radius > < local | n one > Configures a password method for the primary and secondary enable (Manager) access. I f you do not spec- ify an optional secondary method, it defaults to none . For example, ass[...]

  • Página 105

    Configu r ing Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 4-14 shows how to chec k the results of the above co mmands. Li st s t h e c urr en t SSH authenticati on configuratio n. Shows the conte n ts o f the publi c key fil e downloaded with the copy tftp command in figur e 4-1 3 . In this example, the fil e contains two cli[...]

  • Página 106

    Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Config uring the Swi t ch for SSH Au thenticat i on” on p a ge 4-1 8 li sts the steps for co nfiguring SSH a u the n tication on the swi t ch. However , if you are new t o[...]

  • Página 107

    Configu r ing Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication 3. If there is not a match , an d yo u ha ve not configu r ed the switc h to a ccept a lo gin passwo r d as a secondary authenticat i on meth od, the switch denies SSH access to the client. 4. If there is a match, the switch: a. Generates a random seque[...]

  • Página 108

    Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication Notes Co mments in pu b lic k ey files, suc h as smith@support.cairns.co m in figure 4-15 , may appear in a SSH client applica tio n’ s gen erated p ubl ic key . Whi le such comments may hel p to disti n gui s h one key fro m anoth er , they do no t po se [...]

  • Página 109

    Configu r ing Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication Note on Public The actual c onte nt of a public key entry in a publi c key fil e is determined by Key s the SSH client application generating th e key . (Alt hough you can manu ally ad d or edit an y comments the c lient appli cat ion adds t o the end of t[...]

  • Página 110

    Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication Syntax: clear crypto pub lic - key Deletes the cli e nt-public-ke y file from the switch. Syntax: clear crypto pub lic - key 3 Deletes the entry with an index of 3 from the client- public-key file on the switch. Ena b l i ng C l i e nt Pu b l i c -Key Authen[...]

  • Página 111

    Configu r ing Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicates an error in communicating with the tftp serve r or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • In correct IP addre ss in the co[...]

  • Página 112

    Configuring Secure Shell (SSH) Messages Related to SSH Ope r ation Message Meaning Error: Requested keyfile does not ex ist. Th e cl ient key d oes not exist in the switc h. Use cop y tftp to download the key from a T F TP se rver . Generating new RSA host key. If the After you execute the crypt o key generate ssh [rsa ] cache is depleted, this cou[...]

  • Página 113

    5 Configuring Secure Socket Layer (SSL) Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Termi n ology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . .[...]

  • Página 114

    Configuring Secure Socke t Layer (SSL) Overview Overview Feature Default Menu CL I We b Generating a Self Signed Certificate on the switch No n/a page 5- 9 page 5-13 Generating a Certificate Request on the switch No n/a n /a page 5-15 Enabling SSL Disabled n/a page 5-17 page 5-19 The Serie s 4 100G L switc hes use Secure Socket Layer V e rsion 3 (S[...]

  • Página 115

    Configuring Secure Socket Layer (SSL) Terminology HP Switch (SSL Server) SSL Client Brow ser 1. Switc h-t o-Client SSL Ce rt. 2. Us er-to - Switc h (log in passwor d an d enable p a ssword a u the n tication) option s: – Lo cal – T A C ACS+ – R ADIU S Figure 5-1. Switch/Use r Authent ication S SL on the Series 4100GL switch es sup p or ts the[...]

  • Página 116

    Configuring Secure Socke t Layer (SSL) Prerequisite for Using SSL ■ C A -Signed Certificate: A c e rtific a t e v e rif i ed by a th i r d p a rty c e rtif - ic ate a u thori t y (CA). Authenti city of CA-Signed certificates can be veri f ied by an audit trail lea ding to a trusted root certificate. ■ R oo t C e rtifi c at e : A trust e d c e r[...]

  • Página 117

    Configuring Secure Socket Layer (SSL) Ste p s for Configuring and Using SSL for Switch and Client Authentication 1. Install an SSL capable browser ap plic at i on on a m ana gement st at i on you w a nt to use for access to the sw itch. ( Ref er to th e d ocumentatio n pr ovided with your bro w ser .) Note: The latest ve rsions of Mi croso ft In[...]

  • Página 118

    Configuring Secure Socke t Layer (SSL) General Opera t ing Rules and Notes General Operating Rules and Notes ■ Once you g e n e r a te a c e rtific a t e on the sw i t c h you should a v oid re - generating the certificat e without a compelli ng reason. Otherwise , you w ill have to re- i ntroduce the sw i t ch ’ s c e rt i f i c ate on a ll ma[...]

  • Página 119

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section P age web-management ssl show config show c r ypto h o st-cert crypt o key generate cert [rsa] <512 | 768 |1024> zeroize cert crypto host-cert generate self-signed [arg-list] zeroize [...]

  • Página 120

    Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface T o Confi g ure Local Passwo rds. Y ou can configure both the Op erator an d Manager passw o rd on one screen. T o access the w e b browser interface see the Serie s 4100GL swi t ches Manag e ment and Confi g ura tio n guide C h apter ti [...]

  • Página 121

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’ s Server Host Certificate Y ou must g e nerate a server certificate on the swi t ch before enablei ng SSL. The swit ch us es this serve r ce rt ific ate, along w ith a dynamical ly gen erate d session ke y pai r to negot i ate an encryption me[...]

  • Página 122

    Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation T o Generate or Erase the Switch’ s Server Certificate with the CLI Bec a use the host certificate is store d in fl ash in stead of th e running-conf ig file, it is n ot nece ssary to use writ e memo ry to save the ce rti f icate . Erasing the host certifica t e autom[...]

  • Página 123

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on certificate fields. The re are a numbe r arguments used in th e ge neration of a server certificate. table 9- 1, “Certi fica te Field D e scriptions” desc ribe s thes e arguments. Field Name Description V a lid Start Date Th is should be the date you desi[...]

  • Página 124

    Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation Notes "Zeroizing" the switch’ s server host ce rtifica t e or key automatically disables S SL (sets web- managemen t ssl to No ). Thus, if you zeroize the serve r host certificate or key and then generate a new key a n d server certificate, you must also re-[...]

  • Página 125

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a S e lf-Signed Host Ce rtificate with the W e b browser interface Y ou can confi g ure SSL f rom the web b r owser interface. For more in formati on on how to access the web browser interf ace see the Series 4100GL sw itches Management and Configuration guide C[...]

  • Página 126

    Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation For exam ple , to generate a new host certificate via the we b browsers interface : Security T ab SSL button Cer t ificate T y pe Box Key Size Selectio n Cer t ificate Argu ment Create Cer t ificate Bu tton Figure 5-5. Self-Signed Ce rtificate genera tion via SSL Web Br[...]

  • Página 127

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Ho st Certi f ica te Figure 5-6. Web b r owser Int e rface showing c u rrent SSL Host Certif ica te Generate a CA-Signed server host certificate with the W eb browser interface T o in stall a CA-Si g ned server host c e rt if icate from the web browser i n te[...]

  • Página 128

    Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation The in stallation of a CA-signed c e rti f icate i nvo lves interac t io n with other ent iti es and consi sts of three phases. The first pha s e i s the creation of the C A certificate req ues t, w h ic h is then copied off f r om t h e swi t ch f o r submission t o th[...]

  • Página 129

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Cer t ificate Request Cer t ificate Request Rep ly -----BEGI N CE RTIFICA TE---- - MIICZDCCAc2gA wIB A gIDMA0XMA0GCS q GSIb3DQEBBAUAMIGHMQswCQYD V QQGEwJa QTEiMCAGA1UEC B MZR k9S IFRFU1RJTkc gU FVS U E9TRVMgT0 5M WTEdMBsGA1UEC h MU VGhhd3R l IENlcnRpZmljYXRpb24xFzA V BgN[...]

  • Página 130

    Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch yo u must generate th e switc h’ s host certificate and key . If you h ave not a l ready done so, refer to “2. Generating the Switch’ s Server Host Certificate” on pag e 5- 9. When configured for SSL, the swi t ch uses its [...]

  • Página 131

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [ no] w eb-management ssl Enables or disables SSL on the swi t ch. [port < 1-65535 | default:443 >] The TCP port number for SS L connections (default: 443). Important: See “Note on Port Number” on page 5-20. show co[...]

  • Página 132

    Configuring Secure Socke t Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and por t nu mbe r Selectio n Figure 5-8. Using the web b r ow ser int e rface to enable SSL an d select T C P port n u mbe r Note on Port HP recommends using the default IP port number (443). How ever , you ca n Num b er use w eb-management ssl tcp-port to s[...]

  • Página 133

    Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Err o r During Possible Cause Generating host certificate on CLI Y ou have not g enerate d a certificate key (“CLI commands used to generate a Server Host Certificate” on page 5-10) Enabling SSL on the CLI or Web browser interfa ce Y ou hav e not generat[...]

  • Página 134

    [...]

  • Página 135

    6 Configuring Port-Based Access Control (802.1x) Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Ho w 802.1x O p era t es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 Termi n ology . . . . . . . . . . . . . . . . . . . [...]

  • Página 136

    Configuring Port-Based Ac ce ss Control (802.1x) Overview Overview Featu re Default Menu CL I We b Configu r in g Switch Ports as 802.1x Authenticators D isabled n/a page 6-14 n/a Configu r ing 802.1x Open VLAN M ode Disabled n/a page 6-20 n/a Configuring Switch Ports to Operate as 802.1x Supplicants Disabled n/a page 6-33 n/a Displaying 802.1x [...]

  • Página 137

    Configuring Port-Based Access Control (802.1x ) Overview ■ Loc a l authenti c a t i on of 8 02.1x c li e nts using the sw i t ch ’ s l o c a l user - name and password (as an altern ative to RADIUS au the n tication). ■ T em porary on-demand change of a p o rt ’ s VLAN membershi p statu s to support a current cli e nt ’ s session. (Th is [...]

  • Página 138

    Configuring Port-Based Ac ce ss Control (802.1x) Overview Authenticating One Sw itch to Another . 802.1x authentic a tion also enables the swi tch to op erate as a suppl i cant w hen connected to a port on another switch running 802.1x authentic a tion. RAD I US Server LAN Core 802. 1 x- A w ar e Client (Suppl icant) Switch Runni ng 802.1x and Conn[...]

  • Página 139

    Configuring Port-Based Access Control (802.1x ) How 802.1x Operates How 802.1x Operates Authenticator Operation This operation pro vid es securi ty on a direct, point-to -point li nk between a singl e cl ie nt and th e swi t ch, where bo th devices are 802.1 x-awa re. (If you exp e ct desirabl e cl ie nts that do not have the necessa ry 8 02.1x sup[...]

  • Página 140

    Configuring Port-Based Ac ce ss Control (802.1x) How 802.1x Operates Switch-Port Supplicant Operation Thi s operation provides security on l i nks between 802.1x-a ware switches. For example, suppose that you w a nt to connect two swi tch es, where: ■ Switch "A " h a s port A1 co nfigu r ed for 802.1 x supp licant operation. ■ Y ou wa[...]

  • Página 141

    Configuring Port-Based Access Control (802.1x ) Terminology • A "f ai lu re" response cont i nues t h e b loc k o n po rt B5 and cau s es po rt A1 to wait for the "held -time " p e rio d be fore tryi ng again to achi eve authentication th rough p o rt B5. Note Y ou can co nf igure a swi tc h port to op erate as both a suppl i [...]

  • Página 142

    Configuring Port-Based Ac ce ss Control (802.1x) Terminology EA P (Ex ten sible Auth entic a tion Prot oco l) : EAP enables network access tha t supports mul t iple authenti cat ion met hod s. EAPOL : Exten s ible Authenticat i on Prot ocol Over LA N, as defined in the 802.1x standard . Fri end ly Clie nt: A cli e nt that does not p o se a s ecurit[...]

  • Página 143

    Configuring Port-Based Access Control (802.1x ) General Ope r ating Rules and Notes membe r of that VLAN as long as at least one o ther port on the swi t ch is st a t i c al l y configured as a t a gg e d or untagg e d memb e r of the same Unau - thori z ed-Client VLAN. Untagged VLAN Membership: A port can be an untagged membe r of only one V LAN. [...]

  • Página 144

    Configuring Port-Based Ac ce ss Control (802.1x) General Opera t ing Rules and Notes ■ If a client a l ready has access to a swi t ch port when you c o nfi g ure the port for 802.1x authentic a tor operation, the port will block the client from further network access until it can be au thenticated. ■ On a port c o nfi g ured for 802.1x with RAD[...]

  • Página 145

    Configuring Port-Based Access Control (802.1x ) Gen e ral Setup Procedure for Port - B ased Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Do These Steps Before Y ou Configure 802.1x Operation 1. Configure a local username a n d pa ssword o n th e sw it ch for both the Operato r (l ogin) and Manager (en a bl [...]

  • Página 146

    Configuring Port-Based Ac ce ss Control (802.1x) General Setup Procedure fo r Port-B ased Acc e ss Control (802.1x) Overview: Configuri n g 802. 1x Authentication on the Switch This sect i on out line s th e steps for configuring 802 .1x on the switch. For detaile d i nfo rmat i on on each step, re fe r to “Co n figuring the Swi t ch fo r RADIUS [...]

  • Página 147

    Configuring Port-Based Access Control (802.1x ) Gen e ral Setup Procedure for Port - B ased Access Control (802.1x) 7. If you a re usi n g Port S ecurity on the switch, conf igure the swi t ch to allow only 8 02.1x access on ports config ured for 802.1x operati on, a n d (i f de sired) the ac tion to take if an unauthorize d devi ce attempts access[...]

  • Página 148

    Configuring Port-Based Ac ce ss Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Configuring Switch Ports as 802.1x Authenticators 802.1x Authentication Commands Page [no] aaa port-access authent icator < [ethernet] < port-list > 6-15 [ control | quiet-period | tx-period | supplicant- t imeout | 6-1 5 server -timeout | ma[...]

  • Página 149

    Configuring Port-Based Access Control (802.1x ) Configuring Switch Ports as 802.1x Authenticators 1. Enabl e 802.1x Authenti cation on Selected Ports Thi s task configures the indivi dual ports you wa nt to operate as 802.1x aut h ent i cato r s f or poin t-to-point li nks to 802.1x- awa re cli e nts or swi t ches. (Actual 8 02.1x operation do es n[...]

  • Página 150

    Configuring Port-Based Ac ce ss Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access auth enticator < po rt-list > (Syntax Conti nued ) [quiet-period < 0 .. 65535 > ] Sets the period during whi c h the por t does not try to acquire a supplicant. The period begins after the last attempt auth or iz ed by th e[...]

  • Página 151

    Configuring Port-Based Access Control (802.1x ) Configuring Switch Ports as 802.1x Authenticators aaa port-access auth enticator < po rt-list > (Syntax Conti nued ) [ unauth-vid < vlan -id >] Co nf ig ur es an e xsi ti ng st atic VLA N to be th e U naut hori zed- Clien t VLAN. T h is enables you to p r ovide a p a th f o r client s with[...]

  • Página 152

    Configuring Port-Based Ac ce ss Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 3. Configure the 802.1x Authentication Method This t a sk spe cif ies ho w the switch will authenticate the cr ed entials provided by a suppl i cant conn e c t e d to a s w itch port configured as an 80 2 .1x authenti - cator . Synta x: aaa authentica[...]

  • Página 153

    Configuring Port-Based Access Control (802.1x ) Configuring Switch Ports as 802.1x Authenticators 4. Enter the RADIUS Host IP Address(es) If you selecte d ei ther e ap-rad i us or c hap-radiu s for th e authentication m ethod, configure the swi t ch to use 1 to 3 RADIUS serve rs for authentic a tion. The following syntax shows th e basic comma n ds[...]

  • Página 154

    Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode 802.1x Open VLAN Mode 802.1x Authentication Commands page 6-14 802.1x Supplicant Commands page 6-34 802.1x Open VLAN Mode Commands [no] aaa port-access authenticator [ e ] < port-list > pag e 6-29 [ auth-vi d < vlan-id > ] [ u nauth-vid < vlan-id > ] 802.1x-[...]

  • Página 155

    Configuring Port-Based Access Control (802.1x ) 802.1x Open VLAN Mode ■ 1st Priority: The port join s a VLAN to w hic h it has been assigned by a RADIU S server during authentication. ■ 2n d Priority: If RADIUS a u the n tication does not incl ude assigning a VLAN to the port, then the switch a ssigns the port to the VLAN entere d in the port?[...]

  • Página 156

    Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode T able 6-1. 802.1x Open VLAN Mode Options 802.1x Per - Port Configuration Port Response No Ope n VLAN mode: T he port auto m atically blo c ks a client that cannot initiate an au th en ti ca ti on sessi on. Open VLAN mod e with both of the f o llow i ng configure d: Una u thoriz[...]

  • Página 157

    Configuring Port-Based Access Control (802.1x ) 802.1x Open VLAN Mode 802.1x Per - Port Configuration Port Response Open VLAN Mode wi th Only a n Unau thorized-Clie nt VLAN Configu r ed : • • • Wh en the port de te cts a c lient, it automa t ically beco mes an un tagged member of this VLAN. T o limit security risks, the netwo rk service s and[...]

  • Página 158

    Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode Operating Rules for Au thorized-Client and Unauthorized-Client VLANs Conditio n Rul e Static VLANs use d as Authorize d- Client or Unautho r ized-Client VLANs VLAN Assignment Received fro m a R ADIUS S erv er T e mp ora r y VLAN Membership During a Client Sessio n Effect of Una [...]

  • Página 159

    Configuring Port-Based Access Control (802.1x ) 802.1x Open VLAN Mode Conditio n Rul e Multiple Authe n ticator Po rts Using Y ou can use the same sta t ic VLAN as the Unauthorized-Clie nt VLAN the Same Unautho r ized-Client a nd for all 802.1x authenticato r ports configured on the switch. Similarly , Autho r ized-Client VLANs you ca n use t he sa[...]

  • Página 160

    Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode Setting Up and Configurin g 802.1x Open VLAN Mode Preparati o n. This section assumes use of bot h the Unau thorized-Cl i ent and Authorize d-C lient VLANs. Re fer to T a ble 6-1 on page 6- 22 for other options. Before y ou config ur e the 80 2.1x Open VLAN mod e on a port : ■[...]

  • Página 161

    Configuring Port-Based Access Control (802.1x ) 802.1x Open VLAN Mode Note tha t as an alternative , you can configure the swi t ch to use loca l passwo r d authen tication inste a d o f RADIUS authenticat i on. How e ver , this is less d e sirab l e because it me ans that all clients use the same passwords and have the same access priv il eges. Al[...]

  • Página 162

    Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode 3. If you selected either e ap-rad i us or c hap-ra diu s for step 2, use the radius host command to configure up to thr ee RADIUS server IP addre s s(es) on the swi t ch. Syntax : rad i us host < ip-address > Adds a server to the RADIUS configurati o n. [ key < server [...]

  • Página 163

    Configuring Port-Based Access Control (802.1x ) 802.1x Open VLAN Mode Confi gur ing 802.1 x Op en VLAN Mode . Use these co mmands to actually configure Open VLAN mode. For a listi n g of the steps needed to pre pare the swi t ch for using Open VLAN mode, re fer to “Preparation” on page 6-26. Syntax: aaa p o rt-access a u th enticato r [e] < [...]

  • Página 164

    Configuring Port-Based Ac ce ss Control (802.1x) 802.1x Open VLAN Mode Inspe c ting 802.1 x Op en VLAN Mode Op erati o n. For informati on an d an example on viewing curre nt Open VLAN mode operation, refer to “Viewing 802.1x Open VLAN M ode Status” on page 6-38. 802.1x Open VLAN Operating Notes ■ Although you can configu r e Open VL AN mode [...]

  • Página 165

    Configuring Port-Based Access Control (802.1x ) Option For Authenticator Ports: Configur e Port-Security To Allow Only 802.1x Devices ■ If a n authenticat ed c lient l o ses authenti cati on during a session in 802.1 x Open VLAN mode , the port VLAN membershi p reverts back to the Unauthori zed -Client VLAN. Option For Authenticator Ports: Config[...]

  • Página 166

    Configuring Port-Based Ac ce ss Control (802.1x) Option For Authenticator Ports: Configure Po rt-Security To Allow Only 802.1x Devices Note on If the port’ s 802. 1x authentic a tor c ontrol mode i s co nfigured to auth o rized (as Blocking a Non- shown bel ow , instead o f au to ), then the first sour ce MAC address from any 8 02.1 x Device devi[...]

  • Página 167

    Configuring Port-Based Access Control (802.1x ) Configuring Switch Por t s To Oper ate As Supplicants for 802.1x Connections to Othe r Switches Configuring Switch Ports T o Operate As Supplicants for 802.1x Connections to Other Switches 802.1x Authentication Commands page 6-14 802.1x Supplicant Commands [no] aaa port-access < supp licant < [e[...]

  • Página 168

    Configuring Port-Based Ac ce ss Control (802.1x) Configuring Switch Ports To Operate As Suppli cants for 802.1x Connections to Other Switches 1. When port A1 on switch " A " is f i rst connected to a port on switch "B" , or if the ports a r e a l ready connec te d and ei ther swi t ch reboot s, port A1 begins sending sta rt pack[...]

  • Página 169

    Configuring Port-Based Access Control (802.1x ) Configuring Switch Por t s To Oper ate As Supplicants for 802.1x Connections to Othe r Switches Confi g uring a Supplicant S w itch Port. N o te that you must e n a b le suppl i - cant operation on a port before y o u ca n change the supplic ant configuration. Thi s means you must e x ecute the supp l[...]

  • Página 170

    Configuring Port-Based Ac ce ss Control (802.1x) Configuring Switch Ports To Operate As Suppli cants for 802.1x Connections to Other Switches aaa port-access supplicant [ eth e rnet ] < port-list > (Syntax Continu ed) [ auth-timeout < 1 - 300 > ] Sets the period of time the por t waits to receive a challenge from the authentica tor . If[...]

  • Página 171

    Configuring Port-Based Access Control (802.1x ) Displaying 802.1x Con f igurat ion, Statistics, and Counters Displaying 802.1x Configuration, Statistics, and Counters 802.1x Authentication Commands 802.1x Supplicant Commands 802.1x Open VLAN Mode Commands 802.1x-Related Sho w Command s show port-access authenticator show port-access sup p licant De[...]

  • Página 172

    Configuring Port-Based Ac ce ss Control (802.1x) Displaying 802.1x C onfiguration, Stat istics, and Counters show port-access au the n ticator (Syntax Continue d) config [ [ e] < port-list >] S how s: • W hether port-access authenticator i s active • T he 802.1x configuration of the ports configured as 802 . 1x authen tic a tors If you do[...]

  • Página 173

    Configuring Port-Based Access Control (802.1x ) Displaying 802.1x Con f igurat ion, Statistics, and Counters An Unau th VLAN ID appear i ng in the Cur r ent VLA N ID column for the same p ort i ndicate s an un authenticated clien t is connecte d to thi s port. (As s umes that the po rt i s not a stati c ally configured member of V L AN 100.) Items [...]

  • Página 174

    Configuring Port-Based Ac ce ss Control (802.1x) Displaying 802.1x C onfiguration, Stat istics, and Counters 25 as an authorize d VLAN, then the po rt’ s me mbership in VLAN 1 w ill be tempora r ily suspe n ded wh enever an au th en ticated 802.1x cli e nt is attached to the port. T able 6-1. Open VLAN Mode Sta t us Status Indicator M eaning Port[...]

  • Página 175

    Configuring Port-Based Access Control (802.1x ) Displaying 802.1x Con f igurat ion, Statistics, and Counters Syntax: show vla n < vlan-id > Displa y s the port sta t us for the se lected VLAN , includin g an in dication of which port m e mb erships have been temporarily overridden by Ope n VLAN mod e. Note that ports B1 a nd B3 are not i n th[...]

  • Página 176

    Configuring Port-Based Ac ce ss Control (802.1x) Displaying 802.1x C onfiguration, Stat istics, and Counters Show Commands for Po rt-Access Supplicant Syntax: show port-access supplic ant [ [e] < port-list >] [ statistics ] sho w port-access supplican t [ [e] < po rt-list >] Shows the port-access suppl icant configuration (exclud i n g [...]

  • Página 177

    Configuring Port-Based Access Control (802.1x ) How RADIUS/802.1x Authenticat ion Affects VLAN Operation supplicant port to another without cl eari n g the stati s tic s data from the first po rt, t he authenti cato r’ s MAC address w il l appea r in the suppl i cant sta tis tic s fo r both ports. How RADIUS/802.1x Authentication Affects VLAN Ope[...]

  • Página 178

    Configuring Port-Based Ac ce ss Control (802.1x) How RADIUS/802.1x Authenticat ion Affects VLAN Operation For example, suppose that a RADIUS-au thenticated, 802.1x- awa re cli e nt on port A2 req uires a ccess to VLA N 22, but VLA N 22 is config ured for no access on po rt A2, and VLAN 33 is co nfigured as untagged o n port A2: Scenario: An authori[...]

  • Página 179

    Configuring Port-Based Access Control (802.1x ) How RADIUS/802.1x Authenticat ion Affects VLAN Operation Th is entry show s that p or t A2 is temporaril y untagg ed on VLAN 22 for an 802.1x se ssion. This is to accomodate an 802.1x client’ s access , aut henticated by a RAD I US ser v er , whe re the ser v er i nclude d an instr uct ion to p ut t[...]

  • Página 180

    Configuring Port-Based Ac ce ss Control (802.1x) How RADIUS/802.1x Authenticat ion Affects VLAN Operation When the 802.1x cl ie nt’ s session on port A2 ends, the port discard s the tempora ry untagged VLAN membe r ship. At this time the stati c VLAN actually co nfi g ure d as untagged on the port again bec o mes available. Thus, when th e RADIUS[...]

  • Página 181

    Configuring Port-Based Access Control (802.1x ) Messages Related to 802.1x Operation Messages Related to 802.1x Operation T able 6-2. 802.1x Operating Messages Message Meaning Port < port-list > is not an The ports in the port list ha ve not bee n e nabled as 802.1x authenticator. authenticators. Use this comm and to enable the po rts as auth[...]

  • Página 182

    [...]

  • Página 183

    7 Configuring and Monitoring Port Security Contents Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Basic Op er ati on Blocking Unautho riz ed Tr affi c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Trunk Group Excl us io n . . . . . . . . . . . . . . . .[...]

  • Página 184

    Configuring a nd Monitoring Port Security Overview Overview Feature Default Menu CL I We b Displaying Current Port Security n /a — page 7- 9 page 7-15 Configuring Port Security d isabled — page 7-10 page 7-15 Intrusion Alerts and Alert Flags n/a page 7-21 page 7-19 page 7-22 Using Port Security , you can configure each swi t ch po rt w ith a un[...]

  • Página 185

    Configuring and Monitoring Port Security Basic Operation Gener a l Operation for Port Security . On a per - por t basis, you can configure security measure s to block un authori z ed de vic e s, and to send notic e of security vi olations. O nce you have configured port secu rity , you can then monitor the network for security viol ations t h rough[...]

  • Página 186

    Configuring a nd Monitoring Port Security Basic Ope r ation Switch A Port Securi ty Configured Switch B MAC Address Au tho riz ed by Switch A PC 1 MAC Address Au tho riz ed by Switc h A PC 2 MAC Address NO T Authorized by Switc h A PC 3 MAC Address NO T Autho riz ed by Swi t ch A Switch C MAC Address NO T Au tho riz ed by Switch A Switch A Port Sec[...]

  • Página 187

    Configuring and Monitoring Port Security Planning Port Security Planning Port Security 1. Plan your port securi ty configuration and moni toring according to the follow i ng : a. On which po rts d o y ou want port secu rit y? b. Which dev i ces (MAC addresses) are authorize d on each port (up to 8 per port)? c. For each port, w h at security act io[...]

  • Página 188

    Configuring a nd Monitoring Port Security Port Security Command Options and Operatio n Port Security Command Options and Operation Port Sec u rity Comm ands Used in T h is Section show port-security 7 -9 po rt-security 7-10 < [ethernet] port-list > 7-10 [learn-mod e] [address-limit] [mac-address] [action] [clear -i ntrusion-flag] no port-secu[...]

  • Página 189

    Configuring and Monitoring Port Security Port Security Command Options and Operation T able 7-1. Port Security Parameters Parameter Des c rip tion Port L i st <[ethernet] port-lis t > Identifies the port or ports on which to apply a port security command. Lea rn learn-mode < static | continuous | port-access > Specifies how the port acq[...]

  • Página 190

    Configuring a nd Monitoring Port Security Port Security Command Options and Operatio n Parameter Des c rip tion Act i on actio n <none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a netwo rk management station when Learn Mod e is set to stati c and the port detects an unauth o rized device, or when Lear n Mode is se[...]

  • Página 191

    Configuring and Monitoring Port Security Port Security Command Options and Operation Assigned/Authori zed Addresses. : I f y ou manual ly a ssign a MAC address (using port-security < po rt-nu m ber > address-list < m ac-add r > ) and then exe c ute write mem o ry , the assigned MAC a d dress rema ins in memo ry u nt il you d o on e of t[...]

  • Página 192

    Configuring a nd Monitoring Port Security Port Security Command Options and Operatio n W i th port numbers i n cluded i n th e command , sho w port-securit y displays Learn M o de, A d dress L i m i t , (a l a rm) Ac t i on, and Aut h or i z ed A d dresses f o r the s p ec - ified ports on a switch . The following example lists the full port sec u [...]

  • Página 193

    Configuring and Monitoring Port Security Port Security Command Options and Operation For i nfo rmat i on on th e i ndivid u al control paramet e rs, see t h e P o rt Securi ty Parameter table on page 7-7. Sp eci f ying Au thoriz ed Devices and Intrusio n Responses. Thi s e x ample configures port A1 to au tomaticall y accept the first device (MAC a[...]

  • Página 194

    Configuring a nd Monitoring Port Security Port Security Command Options and Operatio n T he Address Limit has no t b een r eached. Al though the Address Lim i t is set to 2, only one device has been au thorized fo r this port. In thi s ca se you can ad d anot her withou t ha ving to also in cr ease th e Address Limit. Figure 7-4. Example of Add i n[...]

  • Página 195

    Configuring and Monitoring Port Security Port Security Command Options and Operation If yo u are adding a devic e (MAC address) to a port on which th e Authorized Addresse s list is already ful l (as control l ed by the port’ s current Address L imit setting), then you must increase the Address Limit in order to add the device, even if yo u want [...]

  • Página 196

    Configuring a nd Monitoring Port Security Port Security Command Options and Operatio n Note Y ou can reduc e the address limi t below the numbe r of curr en tly authori z ed addresses on a port. Thi s enables you to subsequentl y remove a dev i ce from the “Authorized ” list wit hout openin g the possibility for an unw a nte d dev i ce to autom[...]

  • Página 197

    Configuring and Monitoring Port Security Web: Displaying a nd Configur ing Port Security Features W e b: Displaying and Configuring Port Security Features 1. Cl ic k on the Security tab . 2. Cl ic k on [Port Security] . 3. Select the settings you wa nt and, if you are usi n g the Static Learn Mode, add or edit the Author ized Addresses field. 4. Im[...]

  • Página 198

    Configuring a nd Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags – The show po rt-secur ity i ntr usi o n- log com m and displ a ys th e Intru s ion L og – The log command displays t h e Even t Log • I n the menu interface : – T he Port Status screen inc l ud es a per - port i n trusi on alert – T he E v ent Lo[...]

  • Página 199

    Configuring and Monitoring Port Security Rea d ing Intrusion Alerts and Resetting Alert Flags The log shows the most recent i n trusion at the top of the listing. Y o u cannot dele te Intru s ion Log ent ries ( unless yo u reset the swi t ch to i t s factory - default configuration). Instead, i f the log is fil l ed wh en the switch detects a new i[...]

  • Página 200

    Configuring a nd Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The In trusi on Aler t colum n show s “Y es ” for any port o n whic h a security vio l ation has been detecte d. Figure 7-10. Exampl e of Port Status Sc ree n w ith Intrusion Alert on Po rt A3 2. T y pe [I ] ( I ntrusion lo g ) to di splay the I n tru s[...]

  • Página 201

    Configuring and Monitoring Port Security Rea d ing Intrusion Alerts and Resetting Alert Flags (Th e intru s ion log ho lds up to 20 intr usi on record s and delet e s an intru s ion reco rd only wh en the log becomes ful l and a new i n trusi on is subsequ e ntl y dete cted.) Note also that the “ p r ior to ” text in the record fo r t h e ear l[...]

  • Página 202

    Configuring a nd Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Intrusio n Aler t on port A1. Figure 7-12. Example of a n Unac knowledged Int r usion Ale r t i n a Port Statu s Displa y If you w ant ed t o see th e deta ils of th e i n trusi on, you would then en ter th e show port-securit y intrusion-log command. For e[...]

  • Página 203

    Configuring and Monitoring Port Security Rea d ing Intrusion Alerts and Resetting Alert Flags Intru s ion Al ert o n por t A 1 is no w cleared . Figure 7-14. Example of Port Status Sc ree n After Ale r t Flags Reset For more on clearing in tru s ions, see “Note on Send -D is able Oper ation” on page 7-17 Using the Event Log T o Find Intrusion A[...]

  • Página 204

    Configuring a nd Monitoring Port Security Operating Notes fo r Port Security From the Menu Interface: In the M a in Menu , c lick on 4. Event Log and use N ext pag e and P rev page to revie w the Eve nt Log contents. For More Event Log Information. See “Using the E vent Log T o Identi fy Problem Sources” in th e " T roubleshooti n g" [...]

  • Página 205

    Configuring and Monitoring Port Security Operating Notes for Port Security W i thout b oth of th e above conf igur ed , the switch detects onl y the proxy server’ s MA C address, and not you r PC or wor k stat i on MAC add r ess , and interp rets your connect ion as unauthori zed . “Prior T o” En tries in the Intrusion Log. If you reset the s[...]

  • Página 206

    [...]

  • Página 207

    8 Using Authorized IP Managers  Contents Using Authorized IP Managers Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 Ov er view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Options . . . . . . . . . . .[...]

  • Página 208

    Using Authorized IP Managers Overview Overview Authori zed IP Manager Featu r es Feature D efault M enu CLI W eb Listing (Showing) Authorized Managers n/a page 8-5 page 8-6 page 8-8 Configuring Authorized IP Managers None page 8-5 page 8-6 page 8-8 Building IP Masks n /a page 8-9 page 8-9 page 8-9 Operating and T r oubleshooting n/a page 8-12 page [...]

  • Página 209

    Using Authorized IP Managers Options Options Y ou can conf igur e: ■ Up to 10 a u thorized manager addresses , w her e eac h a d dress applies to either a singl e management stati on or a group o f stati ons ■ Manager or Operator access privi l eges Caution Configu r ing Aut hor ized IP Ma nag e rs does not prote ct access to the swi t ch th ro[...]

  • Página 210

    Using Authorized IP Managers Defining Authorize d M anagement Stations Defining Authorized Management Stations ■ Auth or izing Sin g le Sta tions: The tabl e entry au thor izes a sin g le management stati on to hav e IP acce ss to the swi tch. T o use this method, just enter the IP addre ss o f an authori z ed management sta t ion in the Authori [...]

  • Página 211

    Using Authorized IP Managers Definin g Autho r ized Management Stations rized Man a ger IP address to authori ze f our IP addresses for managem ent station access. The details on how to use IP masks are provided unde r “Bu ildin g IP Masks” on page 8-9. Note The IP Mask is a method fo r recogni z ing whethe r a given IP ad dress is authori z ed[...]

  • Página 212

    Using Authorized IP Managers Defining Authorize d M anagement Stations 2. Enter an Au tho riz ed Man ager IP address h ere. 5. Pr ess [E nter] , then [S ] (for Sav e ) to configur e the IP A u tho riz ed Manage r en try . 3. Use the defa u lt mask to allow access by one man age ment devi ce, o r edit the mask to a llow a ccess by a bl ock of manage[...]

  • Página 213

    Using Authorized IP Managers Definin g Autho r ized Management Stations The above example shows an Authorized IP Ma nager List that allows stations to access the switch a s show n below : IP Mask Authorize d Station IP Address: Access Mode: 255.255.255.252 1 0.28.2 27.100 through 103 M anager 255.255.255.254 1 0.28.2 27.104 through 105 M anager 255[...]

  • Página 214

    Using Authorized IP Managers Web: Configuring IP Authorized Managers The resul t of ente ri ng the pre ceeding example is: • A uthorized Stati on IP Address: 10.28.227.105 • I P Mask: 2 55.255.255.255, w h ich aut hori z es only the specified station (10.28.227.105 in this case ) . (See “C onfiguring Mult iple Stat i ons Per Authorize d Manag[...]

  • Página 215

    Using Authorized IP Managers Buildi n g IP Masks For web -ba sed help on how t o us e t h e w eb bro w ser i nte rface s c reen, cl ic k on th e [?] button pr ovi d ed on the web browser screen. Building IP Masks Th e IP M a sk parameter con t rols how th e switch use s an A u thorized Manager IP value to recogni z e the IP addre sses of authorize [...]

  • Página 216

    Using Authorized IP Managers Building IP Masks Configuring Multiple Statio ns Per Authorized Manager IP Entry The ma sk de te rmines whethe r th e IP address of a station on the ne two r k meets the criteria you specify . Th at i s, for a gi ven Author ize d Manager entry , the switch applies the IP mask to the IP address y o u sp ecify to determin[...]

  • Página 217

    Using Authorized IP Managers Buildi n g IP Masks Figure 8-5. Analy s is o f IP Ma sk fo r M u ltipl e -Sta tion Entries 1s t Oct et 2nd Oct et 3rd Oct et 4t h Oct et Manager -L evel or Ope r ator-Le v el Device Access IP Mask 255 255 255 0 The “255” in the first three octets of the mask spe c ify that only the exa ct Authorized 10 28 22 7 125 v[...]

  • Página 218

    Using Authorized IP Managers Operating Notes Additional Examples for Au thorizing Mult iple Stations Entries for Authorized Manager List Results IP Mask 255 2 55 0 2 55 This combinati on specifies a n authoriz ed IP a ddress of 10.33. xx x .1. It could be Authorized 10 33 24 8 1 applied, for example, to a subnetted netwo rk where each subnet is def[...]

  • Página 219

    Using Authorized IP Managers Ope r ating Notes • E ven i f you need p r oxy server access enabl ed in o r der to u se other application s, you can sti ll elimin ate proxy service fo r web access to the switch. T o do so, add th e IP address or DNS name of the swi t ch t o the non-p r oxy , o r “Exceptions” l i st in the web bro w ser i nte rf[...]

  • Página 220

    [...]

  • Página 221

    Index Numerics 3DES … 4 -3, 5-3 802.1x See port-ba s ed access con t rol . …6 -1 A aaa authentication … 2-9 access levels, authorized IP managers … 8 -3 accounting See RADIUS.- addres s authorized for port security … 7 -3 authentication See TACACS.- authorized addresses for IP m a nagement security … 8 -4 for port security … 7 -3 auth[...]

  • Página 222

    inconsistent value … 7 -12 O ope n VLAN mode See por t ac cess co ntr ol OpenSSH … 4-3, 5-2 oper a ting notes authorized IP managers … 8-12 port security … 7 -22 ope rator pas sw o rd … 1-2, 1- 4 P password browser/c o nsole access … 1-3 case-sensitive … 1-4 caution … 1 -3 delet e … 1 -4 deleting with the Clear butto n … 1 -5 if[...]

  • Página 223

    supplicant , en abling … 6 -34 switch username and password … 6-3 terminolog y…6 -7 troubleshooting, gvrp … 6-43 used with port-security … 6 -31 VLAN operation … 6- 43 prior to … 7 -19, 7-20, 7-23 Privacy Enhanced Mode (PEM) See SS H.- pro xy web ser v er … 7-22 Q quick start … 1-xix R RADIUS accounting … 3-2, 3-16 accounting, c[...]

  • Página 224

    host k ey pair … 4 -11 key, babble … 4 -11 key, fingerprint … 4-11 keys, zeroizing … 4-11 key-size … 4 -17 know n -host file … 4 -13, 4- 15 man-in-the-middle s p oofing … 4 -16 messages, operating … 4 -27 OpenSSH … 4-3 oper a ting rules … 4-8 outbound SSH n o t secure … 4 -8 password security … 4 -18 password-only a u thenti[...]

  • Página 225

    overview … 1 -xii precautions … 2 -6 prepa r ing to configure … 2-9 preventing switch lockout … 2 -1 5 privilege level code … 2 -7 server access … 2-15 server prior i ty … 2 -18 se tup, ge ner al … 2-6 show authentication … 2-9 supported features … 2 -3 syste m requirements … 2 -5 TACACS+ server … 2 -4 testing … 2-6 timeou[...]

  • Página 226

    6 – Index[...]

  • Página 227

    [...]

  • Página 228

    T ec hnical inf o r mation in t his doc ume nt is su bj ec t to c hange w it hou t no tice . ©Cop yr ight He wlett-P ack ar d C om pan y 2000, 200 2 . All r ight r eserved . Re pr odu ction , ada pta tion , or transla tion wit hout pr ior w r it te n per mission is p r ohib ited ex ce pt as all o w ed unde r t he cop yr i gh t la[...]