Gebruiksaanwijzing /service van het product 6120 van de fabrikant HP (Hewlett-Packard)
Ga naar pagina of 469
Augu st 2 0 09 Pr oC ur v e Ser i es 6 1 20 S w itc he s Acc e ss Se cu rit y Gu ide.
Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 www.procurv e.com © Copyright 2009 Hewlett-Pa ckard Develo pment Compa ny , L.P . The information cont ained herein is subject to cha nge without notice. All Ri ghts Reserv ed.
ii.
iii Contents Product Documentation About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii Printed Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii Electronic Publications .
iv 2 Configuring Username and Password Security Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
v Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34 3 Web and MAC Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 Overview .
vi Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-60 4 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vii Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 RADIUS-Administered CoS and Ra te-Limiting .
viii 2. Configure Accou nting Ty pes and the Controls for Sending Reports to the RADIUS Ser v er . . . . . . . . . . . . . . . . . . . . 5-42 3. (Optional) Configure Session Blocki ng and Interim Updat ing Options . . . . . . . . . . . . . . . . . . .
ix 7 Configuring Secure Socket Layer (SSL) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
x Using DHCP Snooping with Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9 Changing the Remote-id from a MAC to an IP Addr ess . . . . . . . 8-11 Disabling the MAC Address Check . . . . . . . . . . . . . . . . . . . . . . . . 8-11 The DHCP Binding Database .
xi 9 Traffic/Security Filters and Monitors Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
xii Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6 General 802.1X Authenticator Operation . . . . . . . . . . . . . . . . . . . . . . 10-9 Example of the Authenti cation Process . . .
xiii Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-46 Configuring Switch Ports To Oper ate As Supplicants for 802.1X Connections to Other Switches . . . . . . . . . . . . . . . . . . . . . .
xiv Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26 MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26 Port Security and MAC Lock out . . . . .
xv Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10 Configuring One St ation Per Autho rized Manager IP Entry . . . . . . 12-10 Configuring Mult iple Stations Per Authorized Ma nager IP Entry .
xvi.
xvii Product Documentation About Y our Switch Manual Set Note For the latest version of sw itch documentatio n, please visit any of the follow- ing websites: www .procurve.com/manuals www .hp.com/go/blades ystem/documentation h18004.www1.hp. com/products/blades/ components/c-class-tech-installing.
xviii Software Feature Index This feature index indicates whi ch manual to co nsult for info rmation on a given softw are feature. Note This Index does not cover IPv6 capable software features. For informatio n on IPv6 protocol operatio ns and features (such as DHCPv6, DNS for IPv6, and Ping6), refer to the IPv6 Configuration Guide .
xix Downloading Software X Event Log X Factory Default Settings X Flow Control (802.3x) X File T ransfers X Friendly Port Names X GVRP X Identity-Driven Management (IDM) X IGMP X Interface Access (T e.
xx Port Monitoring X Port Security X Port Status X Port T runking (LACP) X Port-Based Access Control (802.1X) X Protocol VLANS X Quality of Service (QoS) X RADIUS Authentication and Accounting X RADIU.
xxi VLANs X W eb Authentication RADIUS Support X W eb-based Authentication X W eb UI X Intelligent Edge Software Features Manual Management and Configuration Advanced T raffic Management Multicast and.
1-1 Security Overview Contents 1 Security Overview Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1-2 Security Overview Introduction Introduction This chapter provides a n overview of th e security features included on your switch. T able 1-1 on page 1- 3 outlines the access security and authentication features, while T able 1-2 on page 1-7 highlights the additional fe atures designed to help secure and p rotect your network.
1-3 Security Overview Access Security Features Access Security Features This section provides an overvi ew of the switch’ s acc ess security features, authentication protocol s, and metho ds. T able 1-1 lists these fea tures and provides summary config uration guideline s.
1-4 Security Overview Access Security Features T elnet and W eb-browser access enabled The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured .
1-5 Security Overview Access Security Features SSL disabled Secure Socket Layer (S SL) and T ransport Layer Security (TLS) provide remote W eb browser access to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operati on.
1-6 Security Overview Access Security Features 802.1X Access Control none This feature provides port-based or user -based authentication through a RADI US server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services.
1-7 Security Overview Network Security Features Network Security Features This section outlines features and de fence mechanisms for protecting access through the switch to the network. Fo r more detailed information, see the indicated chapters. T able 1-2.
1-8 Security Overview Network Security Features Connection- Rate Filtering based on Virus-Throttling T echnology none This feature helps protect the network from attack and is recommended for use on the network edge.
1-9 Security Overview Getting Started with Access Security Getting Started with Access Security ProCurve switches are designed as “plu g and play” devices, allowing qui ck and easy installation in your netw ork. In its default configurati on the switch is open to unauthorized access of various type s.
1-10 Security Overview Getting Started with Access Security Keeping the switch i n a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional p recautions, you can do the following: ■ Disable or re-enable the password-clear ing func tion of the Clear button .
1-11 Security Overview Getting Started with Access Security The welcome banner appears and the first setup option is displayed ( Operator password ). As you advance throug h the w izard, each setup option displays the cu rrent value in brackets [ ] as shown in Figure 1-1.
1-12 Security Overview Getting Started with Access Security 2. When you enter the wizard, you have the foll owing options: • T o upda te a setting, type in a new val ue, or press [ Enter ] to keep the current value. • T o quit the wizard wi thout saving any change s, press [ CTRL-C ] at any time.
1-13 Security Overview Getting Started with Access Security The W elcome window appears. Figure 1-2. Management Interface Wizard: Welcome Window This page allow s you to choose between two setup type s: • T y pical —provides a multiple page , step -by-step method to configure security settings, with on-screen instructions for each option.
1-14 Security Overview Getting Started with Access Security 4. The summary setup screen displays th e current configuration settings for all setup options (see Figure 1-3).
1-15 Security Overview Getting Started with Access Security SNMP Security Guidelines In the default configuration, the swit ch is open to access by management stations runni ng SNMP (Simple Network Ma.
1-16 Security Overview Getting Started with Access Security If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network , then yo u should implemen t the following security pr.
1-17 Security Overview Precedence of Security Options Precedence of Security Options This section explains ho w port-based securi ty options, and client-based attribute s used for authenti cation , get prioritized on the switch.
1-18 Security Overview Precedence of Security Options value applied to a cli ent session is determined in the following order (from highest to lowe st priority) in which a valu e configured wi th a higher priority overrides a value configured with a l ower priorit y: 1.
1-19 Security Overview Precedence of Security Options The profile of attributes app lied for each client (MAC ad dress) session is stored in the hpicfUsrProf ile MIB, which serves as the configuration interface for Network Immunity Manager . A client prof ile consists of NIM-co nfigured, RADIUS-assigned, and statically configured parameters.
1-20 Security Overview Precedence of Security Options Client-specific conf igurations are applied on a per-parameter basis on a port. In a client-speci fic profile, if D CA de tects that a parameter h.
1-21 Security Overview ProCurve Identity-Driven Manager (IDM) ProCurve Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plu s (PCM+) and uses RADIUS-based technologies to create a user -cen tric approach to network access management and network activity tr acking and monitoring.
2-1 2 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Configuring Local Password Security . . . . . . . . . . . . . . . . . . . .
2-2 Configuring Username and Password Security Contents Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation . . . . . . . . . . . . . . . . . . 2-30 Changing the Operation of the Rese t+Clear Combination . . . . . 2-31 Password Recovery .
2-3 Configuring Username and Password Security Overview Overview Console access includes both the menu interface and the CLI. There are two levels of console access: Manager and Operator . For security , you can set a password pair (username and password) on each of these lev els.
2-4 Configuring Username and Password Security Overview T o configure password security: 1. Set a Manager password pair (and an Operator password pair , if applicable for your system). 2. Exit from the cur rent console session. A Manager p assword pair will no w be needed for full acc ess to the console.
2-5 Configuring Username and Password Security Overview Notes The manager and operator passwords and (optio nal) userna mes control access to the menu interface, C LI, and web browser interface.
2-6 Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are opt ional. Configuring a user - name requires either the CLI or the web browser interface.
2-7 Configuring Username and Password Security Configuring Local Password Security T o Delete Password Protection (Incl uding Recovery from a Lost Password): This procedure deletes al l usernames (if configured) and pass- words (Manager an d Operator).
2-8 Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section Configuring M anager and Op erator Passwords. Note Y ou can configure manager and operator passwords in one step.
2-9 Configuring Username and Password Security Configuring Local Password Security If you want to remov e both operator and m anager password p rotection, use the no password all command. W eb: Setting Passwo rds and Usernames In the web browse r interf ace you can enter passwords and (optional) user - names.
2-10 Configuring Username and Password Security Saving Security Credentials in a Config File Saving Security Credentials in a Config File Y ou can store and view the following securi t y settings in i.
2-11 Configuring Username and Password Security Saving Security Credentials in a Config File ■ The chapter on “Switch Memo ry and Configuration ” in the Management and Configuration Guide . ■ “Configuring Lo cal Password Securi ty” on page 2-6 in this guide.
2-12 Configuring Username and Password Security Saving Security Credentials in a Config File Local Manager and Op erator Passwords The informat ion saved t o the running- config fil e when the include.
2-13 Configuring Username and Password Security Saving Security Credentials in a Config File Y ou can enter a manager , operator , or 802.1X port-access password in clear ASCII text or hashed fo rmat.
2-14 Configuring Username and Password Security Saving Security Credentials in a Config File [ priv < priv-pass >] i s the (optional ) hashed privacy password used by a privacy protocol to encrypt SNMPv3 messages between the switch and the station.
2-15 Configuring Username and Password Security Saving Security Credentials in a Config File The password po rt-access values are configured sepa rately from the manager and operator passwords configured with the password manager and password operator commands and used for manageme nt access to the switch.
2-16 Configuring Username and Password Security Saving Security Credentials in a Config File during authenti cation sessions. Both the sw itch and the server have a copy of the key; the key is neve r transmit ted across the network. For more information, refer to “3.
2-17 Configuring Username and Password Security Saving Security Credentials in a Config File Note The ip ssh public-key comm and allows you to co nfigure only one SSH client public-key at a time. The ip ssh public-key command behavior includes an implicit appe nd that never overwrit es existing public -key configurati ons on a running switch.
2-18 Configuring Username and Password Security Saving Security Credentials in a Config File T o displa y the SSH public -key configurations (72 ch aracters per line) stored in a configurat ion file, enter the show config or sho w running-config command.
2-19 Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes Caution ■ When you first enter the include-creden tials command to save th e additional se curity crede ntials to the runnin g configuratio n, these settings are moved from internal storage on th e swit ch to the running-co nfig file.
2-20 Configuring Username and Password Security Saving Security Credentials in a Config File • copy config < source-f ilename > config < target-filename >: Makes a local copy of an exist.
2-21 Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running configur ation with the include-cre dentials command: ■ The private keys o f an SSH host cannot be stor ed in the runnin g configuratio n.
2-22 Configuring Username and Password Security Saving Security Credentials in a Config File the username and password used as 802.1X authentication credentials for access to the switch. Y ou can store the password port-access values in the running conf iguration fi le by using the include-credentials command.
2-23 Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel sec urity features provid e the ability to ind ependently ena ble or disable some of t he func.
2-24 Configuring Username and Password Security Front-Panel Security As a result of increased security co ncerns, customers now have the ability to stop someone from r emoving passwords by di sabling the Clear and/or Reset buttons on the f ront of th e switch.
2-25 Configuring Username and Password Security Front-Panel Security Clear Button Pressing the Clear button alone for five seconds resets the password(s) configured on the switch. Figure 2-8. Press the Clear Button for Five Se conds T o Reset the Password(s) Reset Button Pressing the Reset but ton alone for one second causes t he switch to reb oot.
2-26 Configuring Username and Password Security Front-Panel Security 2. While holdin g the Reset bu tton, press and ho ld the Clear button for five seconds. 3. Release the Reset button. 4. If the Clear button is held for greater then 2.5 seconds, configuration will be cleared, and the switch will rebo ot.
2-27 Configuring Username and Password Security Front-Panel Security Configuring Front-Panel Security Using the front-panel-sec urity command from the global configurati on context in the CLI you can: • Disable or re-e nable the passwor d-clearing function of the Clear button.
2-28 Configuring Username and Password Security Front-Panel Security For example, show front-pane l-security produces the followin g output when the switch is configu red with the defa ult front-panel secu rity settings.
2-29 Configuring Username and Password Security Front-Panel Security Disabling the Clear Password Function of the Clear Button This command displays a Cautio n message in the CLI. If you wa nt to proceed with disabling the Clear button, type [Y] ; otherwise type [N] .
2-30 Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Bu tton and Setting or Changing the “Reset-On-Clear” Operation For example, suppose that password-clear is disabled and you want to restore it to its defaul t configuration (enabled, with reset-on-clear disabled).
2-31 Configuring Username and Password Security Front-Panel Security Figure 2-12. Example of Re-Enabling th e Clear Button’ s Defa ult Operation Changing the Operation of the Reset+Clear Combination.
2-32 Configuring Username and Password Security Password Recovery Figure 2-13. Example of Disabli ng the Factory Reset Option Password Recovery The password recovery feature is enabled by default and .
2-33 Configuring Username and Password Security Password Recovery factory-default configu ration. This can disru pt network operation and make it necessary to temporarily di sconnect the sw itch from the ne twork to prev ent unauthorized access and other pr oblems while it is being reconfigured.
2-34 Configuring Username and Password Security Password Recovery Figure 2-14. Example of the Steps for Di sabling Password-Recovery Password Recovery Process If you have lost the switch’ s manager .
3-1 3 W eb and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Web Authenticati on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3-2 Web and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-50 Configuration Co mmands fo r MAC Authentication . . . . . . . . . . . . . . 3-51 Show Commands for MAC-Base d Authentication .
3-3 Web and MAC Authentication Overview Overview W eb and MAC authentication are designed for employment on the “edge” of a network to provide port-based securit y measures for protecting private networks and a switch from unauth or ized access. Because neither method requires clients to run special supplicant software (unlike 802.
3-4 Web and MAC Authentication Overview Note A proxy server is not supported for use by a browser on a client device that accesses the network thr ough a port co nfigured for web authentication. ■ In the login page, a clie nt enters a username and password, whic h the switch forw ards to a RADI US server for authenticatio n.
3-5 Web and MAC Authentication Overview ■ Each new W eb/MAC Auth client al ways initiates a MAC authentica- tion attempt. This same client can also initiat e W eb authent ication at any time before t he MAC authen ticati on succeeds. If either authenti - cation succeeds then the other auth entication (if in progress) is ended.
3-6 Web and MAC Authentication How Web and MAC Authentication Operate clients by using an “unauthorized” VL AN for each session. The unauthorized VLAN ID assignment can be the same fo r all ports, or differ ent, depending on the services an d access you plan to allow for unauthen ticated clients.
3-7 Web and MAC Authentication How Web and MAC Authentication Operate W eb-based Authentication When a client connects to a W eb-Auth enabled port, com munication is redi- rected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username an d password.
3-8 Web and MAC Authentication How Web and MAC Authentication Operate If the client is authenticated and the maximum number of clients allowed on the port ( client-limit ) has not been reached , the port is assigned to a static, untagged VLAN for network access.
3-9 Web and MAC Authentication How Web and MAC Authentication Operate A client may not be authenticated du e to invali d credentials or a RADIUS server timeout. The max-retries parameter specifies how many time s a client may enter their creden ti als before authentic ation fails.
3-10 Web and MAC Authentication How Web and MAC Authentication Operate The assigned port VLAN remains in pl ace until the session ends. Clients may be forced to reauth enticate after a fixed period of time ( reauth-per iod ) or at any time during a session ( reauthentic ate ).
3-11 Web and MAC Authentication Terminology T erminology Authorized-Cli ent VLAN: L ike the Unauth orized-Client VLAN, t his is a conventional, static, untagged, port-b ased VLAN previously configured on the switch by the System Administrat or . The intent in using this VLAN is to provide authenti cated clients with network acce ss and services.
3-12 Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ The switch suppo rts concurren t 8 02.1X , W eb and MAC authentication operation on a port (with up to 2 clients allowed). However , concur - rent operation of W eb and MAC au thentication w ith other type s of authentication on the same port is not su pported.
3-13 Web and MAC Authentication Operating Rules and Notes 1. If there is a RADIUS-assigned VL AN, then, fo r the duration of t he client session, the p ort belongs to th is VLAN and tempor arily drops all other VLAN memberships.
3-14 Web and MAC Authentication Setup Procedure for Web/MAC Authentication W eb/MAC Authentication and LACP W eb or MAC au thentication a nd LACP ar e not supported at the same time on a port. The switch automatically disables LACP on ports configured for W eb or MAC authentication.
3-15 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Figure 3-4. Example of show port-a ccess config Command Output 3. Determine whether any VLAN assign ments are needed for authentica ted clients.
3-16 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that wh en config uring a RADIUS server to assign a VLAN, you can u s e e i t h e r t h e V L A N ’s n a m e o r V I D .
3-17 Web and MAC Authentication Setup Procedure for Web/MAC Authentication aa-bb-cc-dd-ee-ff aa:bb:cc:dd:ee:ff AABBCCDDEEFF AABBCC-DDEEFF AA-BB-CC-DD-EE-FF AA:BB:CC:DD:EE:FF ■ If the device is a swi.
3-18 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Syntax: [no] radius-server [host < ip-addre ss >] [oobm] Adds a server to the RADIUS configuration or (with no ) deletes a server from the configuration. You can config- ure up to three RADIUS serv er addresses.
3-19 Web and MAC Authentication Setup Procedure for Web/MAC Authentication For example, to configure the switch to access a RADIUS server at IP address 192.
3-20 Web and MAC Authentication Configuring Web Authentication Configuring W eb Authentication Overview 1. If you have not already done so, configure a local username and password pair on th e switch. 2. Identify or create a redirect URL for use by authenticated clients.
3-21 Web and MAC Authentication Configuring Web Authentication • Y ou can blo ck only incoming t raffic on a port befo re authentication occurs. Outgoing t raffic with unkno wn destination ad dresses is flooded on unau thenticat ed ports configured fo r web authentication.
3-22 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access < port-list > controlled-directions <both | in > After you enable web-based au thentication on specif.
3-23 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access < port-list > controlled-directions <both | in > — Continued — Notes : ■ For information on how.
3-24 Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based < p ort-list > Enables web-based authenti cation on the specified ports. Use the no form of the command to disable web- based authentication on the specified ports.
3-25 Web and MAC Authentication Configuring Web Authentication Figure 6. Adding Web Servers with the aaa port-access w eb-based ews-server Command Specifies the base address/mask for the temporary IP pool used by DHCP. The ba se address can be any valid ip address (not a multicas t address).
3-26 Web and MAC Authentication Configuring Web Authentication Figure 7. Removing a Web Server with the aaa port-access web-based ews- server Command ProCurve Switch (config)# no aaa port-access web-based 47 ewa-serv er 10.
3-27 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access w eb-based < port-list > [reauth-period <0 - 9999999>] Specifies the time period, in seconds, the switch enforces on a client to re-au thenticate. Wh en set to 0 , reauthentication is disa bled.
3-28 Web and MAC Authentication Configuring Web Authentication Show Commands for W eb Authentication Command Page show port-access web-based [ port-list ] 3-28 show port-access web-based clients [ por.
3-29 Web and MAC Authentication Configuring Web Authentication Figure 4. Example of show port-a ccess web-based Comm and Output Figure 5. Example of show port-a ccess web-based clien ts Command Output.
3-30 Web and MAC Authentication Configuring Web Authentication Figure 6. Example of show port-a ccess web-based clien ts detailed Command Ou tput Syntax: show port-access web-based clien ts < port-list > detailed Displays detai led information on the statu s of web- authenticated client sessions on specified switch ports.
3-31 Web and MAC Authentication Configuring Web Authentication Figure 7. Example of show port-a ccess web-based co nfig Command Output Syntax: show port-access web-based con fig [ port-list ] Displays.
3-32 Web and MAC Authentication Configuring Web Authentication Figure 8. Example of show port-a ccess web-based co nfig detail Command Outp ut Syntax: show port-access web-based config < port-list > det ailed Displays more detailed inform ation on the currently config- ured W eb Authentication set tings for specified ports.
3-33 Web and MAC Authentication Configuring Web Authentication Figure 9. Example of show port-a ccess web-based co nfig auth-server Command Output Syntax: show port-access web-based con fig [ port-lis.
3-34 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Customizing W eb Authentication HTML Files (Optional) The W eb Authentication process displays a series of web pages and sta tus messages to the user during login.
3-35 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) ■ T o configure a web server on your network, follow the instructio ns in the documentation provided wi th the server .
3-36 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Customizable HTML T emplates The sample HTML files desc ribed in the follow ing se ctions are customizable templates. T o help you cr eate your own set HTML files, a set of the templates can be found on th e downlo ad page for ‘K’ software.
3-37 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Figure 9. HTML Code for User Login Page T emplate <!-- ProCurve Web Authenticati on Template index.
3-38 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Access Granted Page (accept.html). Figure 9-10. Access Granted Page The accept.html file is the web page used to co nfirm a valid client login. This web page is displayed after a valid username and password are entered and accepted.
3-39 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Figure 11. HTML Code for Access Granted Pa ge T emplate <!-- ProCurve Web Authenticati on Template accept.
3-40 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Authenticating Page (authen.html). Figure 12. Authenticatin g Page The authen.html file is the web page used to process a client login and is refreshed while user credenti als are checked and verified.
3-41 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Invalid Credential s Page (reject_unaut hvlan.html). Figure 10. Invalid Credentia ls Page The reject_ unauthvlan.
3-42 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Figure 14. HTML Code for Invalid Credentia ls Page T emplate <!-- ProCurve Web Authenticati on Template reject_unauthvlan.
3-43 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) T imeout Page (timeout.html). Figure 15. T imeout Page The tim eout.ht ml file is the web page used to return an error message if the RADIUS server is not reachable.
3-44 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Retry Login Page (retry_login.html). Figure 17. Retry Login Page The retry_login.html file is the w eb page displayed to a client tha t has entered an invalid username and/or passw ord, and is given another opportun ity to log in.
3-45 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Figure 18. HTML Code fo r Retry Login Page T emplate <!-- ProCurve Web Authenticati on Template retry_login.
3-46 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) SSL Redirect Page (sslredirect.html). Figure 19. SSL Redirect Page The sslredirect fil e is the web page displayed when a client is redirected to an SSL server to enter cr edentials for W e b Authentication.
3-47 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Figure 20. HTML Code for SSL Redirect Page T emplate <!-- ProCurve Web Authenticati on Template sslredirect.
3-48 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Access Denied Page (r eject_novlan.html). Figure 11. Access Denied Page The reject_novlan file is the web page displayed after a client login fails and no VLAN is confi gured for unau thorized clients.
3-49 Web and MAC Authentication Customizing Web Authenticat ion HTML Files (Optional) Figure 21. HTML Code for Access Denied Page T emplate <!-- ProCurve Web Authenticati on Template reject_novlan.
3-50 Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on th e switch.
3-51 Web and MAC Authentication Configuring MAC Authent ication on the Switch Configuration Co mmands for MAC Authentication Command Page Configuration Level aaa port-access mac-based addr -format 3-5.
3-52 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: [no] aaa port-access mac-based < p ort-list > Enables MAC-based authentication on the specified ports. Use the no form of the comm and to disable MAC- based authentication on the specified ports.
3-53 Web and MAC Authentication Configuring MAC Authent ication on the Switch Syntax: aaa port-access m ac-based [e] < port-list > [logoff-period] <60-9999999> ] Specifies the period, in seco nds, that the switch enforces for an implicit logoff.
3-54 Web and MAC Authentication Configuring MAC Authentication on the Switch Show Commands for MAC- Based Authentication Syntax: aaa port-access m ac-based [e] < port-list > [unauth-vid < vid >] no aaa port-access mac-b ased [e] < port-list > [unauth-vid ] Specifies the VLAN to use for a client that fails authen- tication.
3-55 Web and MAC Authentication Configuring MAC Authent ication on the Switch Figure 3-22. Example of show port-a ccess mac-based Command Output Figure 4.
3-56 Web and MAC Authentication Configuring MAC Authentication on the Switch Figure 5. Example of show port-a ccess mac-based client s detail Command Outpu t Syntax: show port-access mac-based clien ts < port-list > detailed Displays detai l ed information on the statu s of MAC- authenticated client sessions on specified ports.
3-57 Web and MAC Authentication Configuring MAC Authent ication on the Switch Figure 6. Example of show port-a ccess mac-based config Command Output Syntax: show port-access mac-based con fig [ port-l.
3-58 Web and MAC Authentication Configuring MAC Authentication on the Switch Figure 7. Example of show port-a ccess mac-based config detail Command Outpu t Syntax: show port-access mac-based config < port-list > det ailed Displays more detailed inform ation on the currently config- ured MAC Authentication settings for specified ports.
3-59 Web and MAC Authentication Configuring MAC Authent ication on the Switch Figure 8. Example of show port-a ccess mac-based config auth-server Command Outp ut Syntax: show port-access mac-based con.
3-60 Web and MAC Authentication Client Status Client Status The table below show s the possible client status in formation that may be reported by a W eb-based or MAC-based ‘ show ... clients’ command. Reported Status Available Netwo rk Connection Possible Explanations authenticated Authorized VLAN C lient authenticated.
4-1 4 T ACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Applicati ons: . . . . . . . . . . . . . . . . . . . . 4-3 General System Requirements .
4-2 TACACS+ Authentication Overview Overview T A CACS+ authentication enables you to use a central server to a llow or deny access to the switches covered in this guide (and other T ACACS-aware devices) in your network.
4-3 TACACS+ Authentication Terminology Used in TA CACS Applications: T A CACS+ server for authentica tion services. If the swit ch fails to connect to any T AC ACS+ server , it defaults to its own locally assigned passwords for authentication co ntrol if it has been configured to do so.
4-4 TACACS+ Authentication Terminology Used in TA CACS Applications: face. (Using the menu interface you can assign a local password, but not a username.
4-5 TACACS+ Authentication General System Requirements General System Requirements T o use T ACACS+ authentication, you need th e following: ■ A T ACACS+ server application instal led and configur ed on one or more servers or management stations in your network.
4-6 TACACS+ Authentication General Authentication Setup Procedure other access type (console, in this case) open in case the T elnet ac cess fails due to a configuration problem.
4-7 TACACS+ Authentication General Authentication Setup Procedure Note on Privilege Levels When a T ACACS+ server au thenticates an access re quest from a switch, it includes a privilege level code for th e switch to use in determining which privilege level to grant to the te rminal requesti ng access.
4-8 TACACS+ Authentication Configuring TACACS+ on the Switch configuration in your T ACACS+ ser ver application fo r mis-configura- tions or missing data that could aff ect the server’ s interoperation with the switch.
4-9 TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section V iewing the Switch’ s Current Authentication Configuration This command lists the n umber of lo gin attemp ts the switch allows in a single login session, and the pr imary/secondary access method s configured for each type of access.
4-10 TACACS+ Authentication Configuring TACACS+ on the Switch V iewing the Switch’ s Current T ACACS+ Server Contact Configuration This comma nd lists the tim eout period, encryption key , and the IP addresses of the first-choice and backup T ACACS + servers the switch can contact.
4-11 TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’ s Authentication Methods The aaa authentication command configures acc ess control for the foll owing access methods: ■ Console ■ Te l n e t ■ SSH ■ We b ■ Port-access (802.
4-12 TACACS+ Authentication Configuring TACACS+ on the Switch Authentication Parameters T able 4-1. AAA Authentication Pa rameters Syntax: aaa authentica tion < console | telnet | ssh | web | p ort-access > Selects the access method for configuration.
4-13 TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the T ACACS+ Se rver for Single Login In order for the single login feature t o work correctly , you need to check some entries in the User Setu p on the T ACACS+ server . In the User Setup, scroll to the Ad vanced T ACACS+ Settings section.
4-14 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-4. Advanced T ACACS+ Settings Sectio n of the T ACACS+ Server User Setup Then scroll down to t he section that begins with “Shell” (See Figure 4-5). Check the Shell box. Check the Privilege level box and set th e privilege level to 15 to allow “root” privileges.
4-15 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-5. The Shell Section of t he T ACACS+ Server User Setup As shown in the next table, login and en able access is alwa ys available locally through a direct t erminal connecti on to the switch’ s console port.
4-16 TACACS+ Authentication Configuring TACACS+ on the Switch T able 4-2. Prima ry/Secondary Authen tication T able Caution Regarding the Use of Local for Login Primary Access During local authenticat.
4-17 TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corre sponding commands to configure them: Console Login (Operator or Read-Only) Acc ess: Primary using T ACACS+ server . Secondary using Local.
4-18 TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’ s T ACACS+ Server Access The tacacs-server command configures these parameters: ■ The host IP address(es) for up to three T ACACS+ servers; one first- choice and up to two backups.
4-19 TACACS+ Authentication Configuring TACACS+ on the Switch Note on Encryption Keys Encryption keys configured in the swit ch must exactly ma tch the encryption keys configured in T ACACS+ servers th e switch will a ttempt to use for authentication.
4-20 TACACS+ Authentication Configuring TACACS+ on the Switch Specifies the IP address of a device runn ing a T ACACS+ server application. Optionally , can also specify the unique, per-server encryption key to use when each assigned serv er has its own, unique key .
4-21 TACACS+ Authentication Configuring TACACS+ on the Switch Adding, Removing, or Cha nging th e Priority of a T ACACS+ Server . Suppose that the switch was already co nfigured to use T ACACS+ servers at 10.28.227.10 and 10.28.227.15 . In this cas e, 10.
4-22 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-7. Example of the Switch After Assigni ng a Different “First-Choice” Server T o remove the 10.28.227.1 5 device as a T ACACS+ server , you would use this command: ProCurve (config)# no tacacs-server host 10.
4-23 TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encryption key in the switch, re-enter the tacacs-server host command wi thout th e key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.
4-24 TACACS+ Authentication How Authentication Operates How Authentication Operates General Authentication Process Using a T ACACS+ Server Authentication through a T ACACS+ server operates generally as described below . For specific operat ing deta ils, refer to the documentation you received with your T ACAC S+ server application.
4-25 TACACS+ Authentication How Authentication Operates 4. When the requesting te rminal responds to the prompt with a passw ord, the switch forwards it to the T ACACS+ server and one of the following.
4-26 TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is config ured to use T ACACS+, it re verts to local authenti- cation only if on e of these tw o conditions exist s: ■ “Local” is the authentication option for the access method being used.
4-27 TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encr yption key (sometimes term ed “key”, “secret key”, or “secret”) helps.
4-28 TACACS+ Authentication Controlling Web Browser Interface Acces s When Using TACACS+ Authentication For example, you would use the next co mmand to configure a global encryp- tion key in the switc h to match a key entered as north40campus in two target TACACS+ servers.
4-29 TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to T ACACS+ Operation The switch generates the CLI messages l isted below . However , you may see other messages generated in your T ACACS+ server a pplication. For informa- tion on such messages, re fer to the documentation you rec eived with the application .
4-30 TACACS+ Authentication Operating Notes ■ When T ACACS+ is not enabled on th e switch—or when the switch’ s only designated T ACACS+ servers ar e not accessible— setting a local Operator password wi thout also setting a local Manager password does not protect the s witch from manager -level access by unauthor - ized persons.
5-1 5 RADIUS Authentication, Authorization, and Accounting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Authentication Services . . . . . . . . . . . . . . . . . . . . .
5-2 RADIUS Authentication, Au thorization, and Accounting Contents Example Configurati on on Cisco Secure ACS for MS Windows 5-30 Example Configuration Usi ng FreeRADIUS . . . . . . . . . . . . . . . . . 5-32 VLAN Assignment in an Authentication Session .
5-3 RADIUS Authentication, Authorization, and Ac counting Overview Overview RADIUS ( Remote Authentication Dial-In User Service ) enables yo u to use up to three servers (one primary server and one or two backups) and mai ntain separate authentication and accountin g for each RADIUS server employed.
5-4 RADIUS Authentication, Au thorization, and Accounting Overview Note The switch does not support RADIUS security for SNM P (network manage- ment) access. For i nformation on blocking access through the web br owser interface, refer to “Controlling W eb Br owser Interfac e Access” on page 5-25.
5-5 RADIUS Authentication, Authorization, and Ac counting Terminology T erminology AAA: Authentication, Authorization, and Accounting group s of services pro - vided by the carrying protocol.
5-6 RADIUS Authentication, Au thorization, and Accounting Switch Operating Rules for RADIUS V endor -Specific Attribute: A v endor -defined value config ured in a RADIUS server to specific an optional switch fe ature assigned by the server during an authenticated cl ient session.
5-7 RADIUS Authentication, Authorization, and Ac counting General RADIUS Setup Proced ure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS server s to support the switch. (That is, one primary server and one or two ba ckups.
5-8 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting.
5-9 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication Outline of the Steps fo r Configuring RADIUS Authentication There ar e three ma in steps t o configuring RADIUS authe ntication : 1.
5-10 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication • T imeou t Period: Th e timeout pe riod the switch waits for a RADIUS server to reply .
5-11 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication ure local for the secondary method. This prevents the possibil ity of being completely locked out of the swit ch in the event that all primary access methods fail.
5-12 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication Figure 5-2 shows a n example of the show authenticatio n command displaying authorized as the secondary auth entication method for po rt-access, W eb-a uth access, and MAC-auth access.
5-13 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication Figure 5-3. Example Confi guration for RADIUS Authent ication Note If you configure the Lo g.
5-14 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication this default behav ior for clients with Enable (manager) access. Tha t is, with privilege-mode enabled, the switch immediat ely allo ws Enable (Manager) access to a clie nt for whom t he RADIUS server specifies this access level.
5-15 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication Note If you want to configure RADIUS accoun ti ng on the swit ch, go to page 5 -37: “Configuring RADIUS Accounting” instead of continuing h ere.
5-16 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication For example, suppose you h ave configured the switch as shown in figure 5-4 and you now need to make the following changes: 1. Change the encryption k ey for the server at 10.
5-17 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication Figure 5-4. Sample Confi guration for RADIUS Server Before Changing the Key and Adding Another Server T o make the changes list ed prior to fi gure 5-4, you would do the following: Figure 5-5.
5-18 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication ■ Global server key: The serve r key the switch will use for contacts with all RADIUS servers for which there is not a server -specific key configured by radius-server host < ip-address > key < key-string > .
5-19 RADIUS Authentication, Authorization, and Ac counting Configuring the Switch for RADIUS Authentication Note Where the switch has multiple RADIUS se rvers conf igured to supp ort authen- tication requests, if the firs t server fails to respond, then the switch tries the next server in the list, and so -on.
5-20 RADIUS Authentication, Au thorization, and Accounting Configuring the Switch fo r RADIUS Authentication Figure 5-7. Listings of Globa l RADIUS Parameters Configured In Figure 5-6 After two attempts failing due to username or pa ssword entry errors, the switch will termin ate the session.
5-21 RADIUS Authentication, Authorization, and Ac counting Using SNMP To View and Configure Switch Authentication Features Using SNMP T o V iew and Configure Switch Authentication Features SNMP MIB object acce ss is available fo r switch authe nticat ion config uration (hpSwitchAuth ) f eatures.
5-22 RADIUS Authentication, Au thorization, and Accounting Using SNMP To View and Configur e Switch Authentication Features Changing and Vi ewing the SNMP Access Configuration For example, to disable .
5-23 RADIUS Authentication, Authorization, and Ac counting Using SNMP To View and Configure Switch Authentication Features An alternate me thod of determ ining the current Authentication MIB access state is t o use the show run command.
5-24 RADIUS Authentication, Au thorization, and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to loca l authentication only if one of these two cond itions exist s: ■ Local is the authentic ation opti on for the access method being used.
5-25 RADIUS Authentication, Authorization, and Ac counting Controlling Web Browser Interface Access Controlling W eb Browser Interface Access T o help prevent unauthorized access th rough the web brow.
5-26 RADIUS Authentication, Au thorization, and Accounting Commands Authorization Commands Authorization The RADIUS proto col combines user au thentication and authorization steps into one phase.
5-27 RADIUS Authentication, Authorization, and Ac counting Commands Authorization Enabling Authorization T o configure authorization for controlling access to the CLI commands, enter this command at the CLI.
5-28 RADIUS Authentication, Au thorization, and Accounting Commands Authorization Displaying Authorization Information Y ou can show the authorization info rmation by enteri ng this command: An example of the o utput is shown .
5-29 RADIUS Authentication, Authorization, and Ac counting Commands Authorization The results of using the HP-Command-St ring and HP-Command-Excepti on attributes in various combinations are shown below . Y ou must configure the RADIUS server to provide support for the HP VSAs.
5-30 RADIUS Authentication, Au thorization, and Accounting Commands Authorization Example Configuratio n on Cisco Secure ACS fo r MS W in dows It is necessary to create a dictionary fi le that defines the VSAs so that the RADIUS server application can determin e which VSAs to add to its user interface.
5-31 RADIUS Authentication, Authorization, and Ac counting Commands Authorization Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList 2. Copy the hp.ini diction ary file to c: program filescisco acs 3.2utils (or the utils directory wher ever acs i s installed).
5-32 RADIUS Authentication, Au thorization, and Accounting Commands Authorization 6. Right click and then select New > key . Add the vend or Id number that you determined in step 4 (100 in the example ).
5-33 RADIUS Authentication, Authorization, and Ac counting Commands Authorization 2. Find the location of th e dictionary files used by FreeRADIUS (try /usr/ local/share/freeradius). 3. Copy dictionary .hp to that location. Open the existing dictionary file and add this entry: $ INCLUDE dictionary .
5-34 RADIUS Authentication, Au thorization, and Accounting VLAN Assignment in an Authentication Session VLAN Assignment in an Authentication Session A switch supports co ncurrent 802.1X an d either W eb- or MAC-authenti cation sessions on a port (with up to 32 clients all owed).
5-35 RADIUS Authentication, Authorization, and Ac counting VLAN Assignment in an Authentication Session T agged and Untagge d VLAN Attributes When you configure a user profile on a RAD IUS server to assign a VLAN to an authenticated client , you can use either the VLAN’ s name or VLAN ID (VID) number .
5-36 RADIUS Authentication, Au thorization, and Accounting VLAN Assignment in an Authentication Session Additional RADI US Attributes The follow ing attrib utes are incl uded in Access-Request and Acc.
5-37 RADIUS Authentication, Authorization, and Ac counting Configuring RADIUS Accounting Configuring RADIUS Accounting Note This section assumes you have already: ■ Configured RADIUS authen ticat io.
5-38 RADIUS Authentication, Au thorization, and Accounting Configuring RADIUS Accounting ■ Exec accounti ng: Provides record s holding the info rmation listed below about login session s (console, T.
5-39 RADIUS Authentication, Authorization, and Ac counting Configuring RADIUS Accounting Operating Rules for RADIUS Accounting ■ Y ou can configure up t o four types of accounting to run simulta- neously: exec, system, network, and commands. ■ RADIUS servers used for accounting are also used fo r authentication.
5-40 RADIUS Authentication, Au thorization, and Accounting Configuring RADIUS Accounting must match the en cryption key us ed on the specified RADIUS server . For more information, refer to the “ [key < key-string >] ” parameter on page 5-14.
5-41 RADIUS Authentication, Authorization, and Ac counting Configuring RADIUS Accounting (For a more complete d escription of the radius-server command and its options, turn to page 5-14.) [key < key-string >] Optional. Specifies an encryption key for use during accounting or authenticati on sessions with the speci- fied server .
5-42 RADIUS Authentication, Au thorization, and Accounting Configuring RADIUS Accounting For example, suppose you want to th e switch t o use the RADIUS server described below for both authenti cation and acco unting purposes . ■ IP address: 10.33.18.
5-43 RADIUS Authentication, Authorization, and Ac counting Configuring RADIUS Accounting Note that there is no time sp an associated w ith using the system option. It simply causes the switch to tr ansmit whatever acc ounting data it currently has when one of the above events occurs.
5-44 RADIUS Authentication, Au thorization, and Accounting Configuring RADIUS Accounting For example, to configure RADIUS accounting on the switch with start-stop for exec fu nctions and stop-only for system functio ns: Figure 5-12. Example of Configu ring Accounting T ypes 3.
5-45 RADIUS Authentication, Authorization, and Ac counting Configuring RADIUS Accounting T o continue the example in figure 5-12, suppose that you wanted the switch to: ■ Send updates every 10 minutes on in-progress accounting sessions. ■ Block accounting for unknown users (no username).
5-46 RADIUS Authentication, Au thorization, and Accounting Viewing RADIUS Statistics V iewing RADIUS Statistics General RADIUS Statistics Figure 5-14. Example of General RADI US Information from Show Radius Command Syntax: show radius [host < ip-add r >] Shows general RADIUS configuration , including the server IP addresses.
5-47 RADIUS Authentication, Authorization, and Ac counting Viewing RADIUS Statistics Figure 5-15. RADIUS Server Information From the Show Radius Host Command Te r m Definition Round T rip T ime The time interval between the mo st recent Accounting-Response and the Accounting- Request that matched it from this RADIUS accounting server .
5-48 RADIUS Authentication, Au thorization, and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Figure 5-16. Example of Login Attempt and Primary/Se condary Authenticatio n Information from the Show Aut hentication Command Requests The number of RADIUS Accou nti ng-Request packets sent.
5-49 RADIUS Authentication, Authorization, and Ac counting Viewing RADIUS Statistics Figure 5-17. Example of RADIUS Aut hentication Inform ation from a Specific Server RADIUS Accounting Statistics Figure 5-18.
5-50 RADIUS Authentication, Au thorization, and Accounting Changing RADIUS-Server Access Order Figure 5-19. Example of RADIUS Account ing Information fo r a Specific Server Figure 5-20.
5-51 RADIUS Authentication, Authorization, and Ac counting Changing RADIUS-Ser ver Access Order Figure 5-21. Search Order fo r Accessing a RADIUS Server T o exchange the positions of the addre sses so that the serv er at 10.10.10.003 will be the first choice and the server at 10.
5-52 RADIUS Authentication, Au thorization, and Accounting Changing RADIUS-Server Access Order Figure 5-22. Example of New RADIUS Server Search Order Removes the “003” and “001” addresses from the RADIUS se rver list .
5-53 RADIUS Authentication, Authorization, and Ac counting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request.
6-1 6 Configuring Secure Shell (SSH) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6-2 Configuring Secure Shell (SSH) Overview Overview The switches co vered in this gui de us e Secure Shell version 2 (SSHv2) to provide remote access to manageme nt functions on the sw itches via encrypted paths between th e swi tch and management station clients capable of SSH operation.
6-3 Configuring Secure Shell (SSH) Terminology Note SSH in ProCurve switches is based on t he OpenSSH software toolkit. Fo r more informatio n on OpenSSH, visit www .o penssh.com . Switch SSH and User Password Authentication . This option is a subset of the client pu blic-key authe ntication shown in figure 6 -1.
6-4 Configuring Secure Shell (SSH) Terminology ■ Enable Level: Manager privileges on the switch. ■ Login Level: Operator privilege s on the switch. ■ Local password or username: A Manage r - level or Operator -level password configured in the switch.
6-5 Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH se rver , you must install a publicly or commercially avail able SSH client application on the computer(s) yo u use for management access to the switch.
6-6 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH fo r Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication be tween the switch and an SSH client, you must use the logi n (O perator) level.
6-7 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Prep aratio n 1. Assign a login (Operator) and enable (Manager) password on th e switch (page 6-10). 2. Generate a public/private key pa ir on the switch (page 6-10).
6-8 Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be expor table to the switch.
6-9 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 6-19 show crypto client-publi.
6-10 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, ProCurve recommends that you alwa ys assign at leas t a Manager password to the switch.
6-11 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When you generate a host key pair on the switch, the switch places the key pair in flash memory (a nd not in the running-config file). A lso, the switch maintains the key pai r across reboots, incl uding power cycles.
6-12 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generat e and display a new key: Figure 6-5. Example of Gen erating a Public/Pr ivate Host Key Pair for the.
6-13 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes "Zeroizing" the switch’ s key au tomatically di sables SSH (sets ip ssh to no). Thus, if you zeroize the key and then ge nerate a new key , you must also re- enable SSH with the ip ssh command before the s witch c an resume SSH operation.
6-14 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation (The generated public key on the switch is always 896 bits.) W ith a dire ct serial connection from a management station to the switch : 1.
6-15 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation ■ Non-encoded ASCII numeric string: Requires a client ability to display the keys in the “known host s” file in the ASCI I format. This method is tedi ous and error -prone due to the l ength of the keys.
6-16 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note Before enabling SSH on the switch you must generate the switch’ s public/ private key pair . If you have not alread y done so, refer to “2. Generating the Switch’ s Public and Privat e Key Pair” on page 6-1 0.
6-17 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation T o disabl e SSH on the switch, do either of the following: ■ Execute no ip ssh . ■ Zeroize the switch’ s existing key pair . (page 6-11). Syntax: [no] ip ssh Enables or disables SSH on the switch.
6-18 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [mac <mac-type>] Allows configuration of the set of MACs that can be selected. V alid types are: • hmac-md5 • hmac-sha1 • hmac-sha1-96 • hmac-md5-96 Default: All MAC ty pes are available.
6-19 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note on Port Number ProCurve recommends using the default TCP port number (22). However , you can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes .
6-20 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation access to the serial port (and the Cl ear button, whic h removes local password protection), keep physical access to th e switch restricted to authorized per - sonnel.
6-21 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option B: Config uring the Switch for Cl ient Public-Key SSH Authentication. If configured with this option, the switch uses its public key to authenticate itself to a client, bu t the c lient must al so provide a clie nt public-key f or the switch to authenticate .
6-22 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, assume that you have a client public-key fil e named Client- Keys.
6-23 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-11. Configuring for SSH Access Requ iring a Client Public-Key Match an d Manager Passwords Figure 6-12 shows how to check the results of the above commands. Figure 6-12.
6-24 Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication 6. Use an SSH Client T o Access the Switch T est the SSH co nfigurati on on the switch to ensure that you have achieved the level of SSH operatio n you want for the switch.
6-25 Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication 1. The client sends its public key to the switch with a re quest for authenti- cation. 2. The switch compares the client’ s public key to those stored in the switch’ s client-public-key file.
6-26 Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication T o C reate a Client-Pub lic-Key T ext File. These steps describe how to copy client-public-ke ys into the switch for challenge-respon se authentication, and require an understandi ng of how to use you r SSH client app lication.
6-27 Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication 2. Copy the client’ s public key into a text file ( filename .txt ). (For example, you can use the Notepad editor includ e d with the Microsof t® W indo ws® software.
6-28 Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication Note copy usb pub-key file can al so be used as a method for copying a public key file to the switch. The operator option replaces the key(s) for operator access (default); follow with the ‘append’ option to add the key(s).
6-29 Configuring Secure Shell (SSH) Further Information on SSH Cli ent Public-Key Authentication For example, if you wanted t o copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 an d then display th e file contents: Figure 6-14.
6-30 Configuring Secure Shell (SSH) Messages Related to SSH Operation Caution T o enable client public-key authenti cation to bl ock SSH cli ents whose p ublic keys are not in the client -pub lic-key file copied into the switch , you must configure the Logi n Secondary as none .
6-31 Configuring Secure Shell (SSH) Messages Related to SSH Operation Logging Messages There ar e event l og messages when a ne w key is generated and zeroized for the server: ssh: New <num-bits>.
6-32 Configuring Secure Shell (SSH) Messages Related to SSH Operation Debug Logging T o add ssh messages to the debug log outp ut, enter this command: ProCurve# debug ssh LOGLEVEL where LOGLEVEL is on.
7-1 7 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7-2 Configuring Secure Socket Layer (SSL) Overview Overview The switches covered in this guide use Secure Socket Layer V ersion 3 (SSLv3) and support for T ransport Lay er Security(TLSv1) to provide rem ote web access to the switches via encrypted paths betw een the switch and manage- ment station client s capable of SSL/TLS operation.
7-3 Configuring Secure Socket Layer (SSL) Terminology Figure 7-1. Switch/User Auth entication SSL on the switches covered in this guide supports these data encryption methods: ■ 3DES (168-bit, 112 E.
7-4 Configuring Secure Socket Layer (SSL) Terminology ■ Root Certificate: A trusted certificate used by certificate authorit ies to sign certificates (CA-Signed Certificat es) and used later on to verify that authenticity of those si gned certificates.
7-5 Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL se rver , you must install a publicly or commercially available SSL enabled we b browser application on the com- puter(s) you use for manage ment acce ss to the switch.
7-6 Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re- generating the certi ficate without a compelling reason.
7-7 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation 1. Assigning a Local Login (Operator) and Enabling (Manager) Password At a minimum, ProCu rve recommends th at you always assign at least a Manager password to the switch.
7-8 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 7-2. Example of Configuri ng Local Passwords 1. Proceed to the securi ty tab an d select device passwords button. 2. Click in the appr opriate box in t he Device Passwords windo w and enter user names and passwords.
7-9 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation to connect via SSL to the switch . (The session key pai r mentioned above is not visible on the switch. It is a temporary , internally gener ated pai r used for a particular switch/cli ent se ssion, and then disc arded.
7-10 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI commands used to generate a Server Host Certificate. T o generate a host certi ficate from the CLI: i. Generate a certificate key pair . This is done with the crypto key generate cert command.
7-11 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation T able 7-1. Cert ificate Field Descriptions For example, to generate a ke y and a new host certificate : Figure 7-3. Example of Generating a Self-Sig ned Server Host certificate on the CLI for the Switch.
7-12 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI Command to view host certificates. T o view the current host certif icate from the CLI you use the sh ow crypto host- cert command. For example, to display the new server host certificate: Figure 7-4.
7-13 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation T o generate a self signed host certif icate fr om the web brow ser interface: i. Proceed to the Securi ty tab then the SSL button. The SSL config- uration screen is split up into two halves .
7-14 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the we b browsers inter - face: Figure 7-5. Self-Signed Certifi cate generation via SSL Web Browser Interface Scree n T o view the current host certifi cate in the web browser interface: 1.
7-15 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 7-6. Web browser Interface showing current SSL Host Certifica te Generate a CA-Signed server host certificate with the W eb browser interface T o install a CA-Si gned server host certificate from the web browser i nterface.
7-16 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA- signed certif ic ate involves in teraction with o ther entities and consi sts of three phases.
7-17 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 7-7. Request for Verified Host Certificate Web Browser Interface Screen 3.
7-18 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch yo u must genera te the switch’ s ho st certificate and key . If you h ave not a lready done so, refer to “2. Generating the Switch’ s Server Host Certificate” on page 7 -8.
7-19 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI Interface to Enable SSL T o enable SSL o n the switch 1. Generate a Host certificate if you h ave not already done so. (Refer to “2. Generating the Switch’ s Server Host Certificate” on page 7-8.
7-20 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Figure 7-8. Using the web browser interface to e nable SSL and select TCP port numbe r Note on Port Number ProCurve recommends usin g the default IP port number (443).
7-21 Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CL I Y ou have not generated a certificate key . (Refer to “CLI commands used to generate a Server Host Certificate” on page 7-10.
8-1 8 Configuring Advanced Threat Protection Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8-2 Configuring Advanced Threat Protection Contents Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26 Adding an IP-to- MAC Binding to th e DHCP Binding Database . . . . . 8-28 Potential Issues with Bindings .
8-3 Configuring Advanced Threat Protection Introduction Introduction As your network ex pands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (s.
8-4 Configuring Advanced Threat Protection DHCP Snooping • Attempts to exhaust system resources so that sufficie nt resources are not available to transmit legitimate traffic, indicated by an unusua.
8-5 Configuring Advanced Threat Protection DHCP Snooping DHCP snooping accomplishe s this by allowing yo u to distinguish bet ween trusted ports con nected to a DHCP server or swi tch and untruste d ports connected to end-users. DHCP packet s are forwarded betw een trusted ports without inspect ion.
8-6 Configuring Advanced Threat Protection DHCP Snooping T o display the DHCP snooping conf iguratio n, enter this command: ProCurve(config)# show dhcp-snooping An example of the o utput is shown below .
8-7 Configuring Advanced Threat Protection DHCP Snooping Figure 8-2. Example of Show DHCP Snooping Stati stics Enabling DHCP Snooping on VLANS DHCP snooping on VLANs is disabled by d efault.
8-8 Configuring Advanced Threat Protection DHCP Snooping Configuring DHCP Snoo ping T rusted Ports By default, all p orts are untrusted. T o configure a por t or range of ports as trusted, enter this .
8-9 Configuring Advanced Threat Protection DHCP Snooping Configuring Authorized Server Addresses If authori zed server a ddresses ar e configu red, a packet from a DHCP server must be received on a trusted port A ND have a source address in the autho- rized server list in order to be consider ed valid.
8-10 Configuring Advanced Threat Protection DHCP Snooping Note DHCP snoo ping only ov errides the Optio n 82 settings on a VLAN that has snooping enabl ed, not o n VLANS witho ut snooping enabled.
8-11 Configuring Advanced Threat Protection DHCP Snooping Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address of the swit ch as the remote - id in Option 82 additions.
8-12 Configuring Advanced Threat Protection DHCP Snooping Figure 8-7. Example Showing the DHCP Snoopin g V erif y MAC Setting The DHCP Binding Database DHCP snooping maintains a database of up to 8192 DHCP bindings on untrusted ports.
8-13 Configuring Advanced Threat Protection DHCP Snooping A message is logged in the system event log if the DHCP binding database fails to update. T o displa y the contents of the DHCP snooping bi nding database , enter this command.
8-14 Configuring Advanced Threat Protection DHCP Snooping ■ ProCurve recommends running a time synchr onization protocol such as SNTP in order to track lease times accurately . ■ A remote server must be used to sa ve lease information or there may be a loss of connectivity after a switch reboot.
8-15 Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay inform ation logs for <duration>. More than one DHCP client packet received on an untrusted port with a relay in formation field was dropped.
8-16 Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynami c ARP protection ensures that only valid ARP requests and resp ons es are relayed or used to update the local ARP cache.
8-17 Configuring Advanced Threat Protection Dynamic ARP Protection • If a binding is valid, the switch updates its local ARP cache and forwards the packet. • If a binding is invali d, the switch drops the packet, preventing oth er network device s from receiving th e invalid IP-to-MAC info rmation.
8-18 Configuring Advanced Threat Protection Dynamic ARP Protection Enabling Dynamic ARP Protection T o enable dynami c ARP protection for VLAN traffi c on a routing sw itch, enter the arp-protect vlan command at the global configuration l evel.
8-19 Configuring Advanced Threat Protection Dynamic ARP Protection Figure 8-9. Configuring T rusted Ports for Dynamic ARP Protect ion T a ke into account the following conf iguration guidelines when you use dynamic ARP prot ection in your ne twork: ■ Y ou should conf igure port s connected to other s witches in t he network as trusted po rts.
8-20 Configuring Advanced Threat Protection Dynamic ARP Protection Adding an IP-to-MAC Bind ing to the DHCP Database A routing switch mai ntains a DHCP binding datab ase, which is used f or DHCP and ARP packet validation.
8-21 Configuring Advanced Threat Protection Dynamic ARP Protection Configuring Additional V alidation Checks on ARP Packets Dynamic ARP protection can b e configured to perfo rm additional vali dation checks on ARP packets. By default, no additional ch ecks are performed.
8-22 Configuring Advanced Threat Protection Dynamic ARP Protection Figure 8-1. The show arp-prot ect Command Displaying ARP Packet Statistics T o display statistics about forwarde d ARP packets, dro pped ARP packets, MAC validation failure, and IP validation failures, ente r the show arp-protect statistics command: Figure 8-2.
8-23 Configuring Advanced Threat Protection Dynamic IP Lockdown Monitoring Dynamic ARP Protection When dynamic ARP prot ection is enab led, you can monitor and troublesh oot the validation of AR P packets with the debug arp-protect command.
8-24 Configuring Advanced Threat Protection Dynamic IP Lockdown Protection Against IP So urce Address Spoofing Many network attacks occur when an atta cker injects packets with forge d IP source addresses into the network. Also , some network services use the IP source address as a component in their authentication scheme s.
8-25 Configuring Advanced Threat Protection Dynamic IP Lockdown ■ The DHCP bind ing database allows V LANs enabled for DHCP snooping to be known on por ts configured for dynamic IP lockdow n.
8-26 Configuring Advanced Threat Protection Dynamic IP Lockdown Assuming that DHCP snooping is enab led and that port 5 is untrusted, dynamic IP lockdown applies the follo wing dynamic VLAN filtering on port 5: Figure 8-4.
8-27 Configuring Advanced Threat Protection Dynamic IP Lockdown • Dynamic IP lockdown only fi lters packets in VLANs t hat are enabled for DHCP snooping . In order for Dynamic IP lockdown to work on a port, the port mu st be config ured fo r at least one VLAN that is enabled for DHCP snooping.
8-28 Configuring Advanced Threat Protection Dynamic IP Lockdown Adding an IP-to-MAC Bind ing to the DHCP Binding Database A switch maintains a DHCP bi nding database , which is used for dynami c IP lockdown as wel l as for DHCP an d ARP packet valid ation.
8-29 Configuring Advanced Threat Protection Dynamic IP Lockdown Adding a Static Binding T o add the static configuration of an IP -to-MAC binding for a port to the leas e database, en ter the ip source-bindin g command at the gl obal configurat ion level.
8-30 Configuring Advanced Threat Protection Dynamic IP Lockdown An example of the show ip source-lockdown status comm and output is show n in Figure 8-5. Note that the operational status of all switch ports is displayed. This information indicates whether or n ot dynamic IP lockdown is supported on a port.
8-31 Configuring Advanced Threat Protection Dynamic IP Lockdown Figure 8-6. Example of show ip source-lockdow n bindings Command Out put In the show ip source-l ockdown bindings command output, the .
8-32 Configuring Advanced Threat Protection Dynamic IP Lockdown Figure 8-7. Example of debu g dynamic-ip-lockd own Command Output ProCurve(config)# debug dynamic -ip-lockdown DIPLD 01/01/90 00:01:25 : denie d ip 192.168.2.100 (0) (PORT 4) -> 192.168.
8-33 Configuring Advanced Threat Protection Using the Instrumentation Mon itor Using the Instrumentation Monitor The instrumentation monitor can be used to detect anomalies caused by security attacks or other irregular op erations on the swi tch.
8-34 Configuring Advanced Threat Protection Using the Instrumentation Monitor Operating Notes ■ T o generate alerts for monitored eve nts, you must en able the instru- mentation monito ring log and/or SNMP trap.
8-35 Configuring Advanced Threat Protection Using the Instrumentation Mon itor Configuring Instrumentation Monitor The following commands and parameters are used to configure the opera- tional thresh olds that a re monitore d on the switch. By defa ult, the inst rumen- tation monitor is disabled.
8-36 Configuring Advanced Threat Protection Using the Instrumentation Monitor T o enable instrum entation monitor usin g the default parame ters and thresh- olds, enter the general instrumenta tion monitor comma nd. T o adjust specific settings, enter the name of the parameter that you wish to modify , and revise the threshold limi ts as needed.
8-37 Configuring Advanced Threat Protection Using the Instrumentation Mon itor V iewing the Current In strumentation Monitor Configuration The show instrumentation monitor config uration command displays the config- ured thresholds for moni tored parameters.
9-1 9 T raffic/Security Filters and Monitors Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9-2 Traffic/Security Filters and Monitors Overview Overview Source-port filters are available on the HP ProCurve switch models covered in this gui de. Introduction Y ou can enhance in-band security and improve control over access to network resources by configur ing static filters to forward (the de fault action) or dro p unwanted t raffic.
9-3 Traffic/Security Fi lters and Monitors Filter Types and Operation Filter T ypes and Operation T able 9-1. Filt er T ypes a nd Criteria Static Filter Ty p e Selection Criteria Source-Port Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per -port (destination) basis.
9-4 Traffic/Security Filters and Monitors Filter Types and Operation Source-Port Filters This filter type enables the switc h to forward or drop tr affic from all end nodes on the indicated source-port to specific destination ports.
9-5 Traffic/Security Fi lters and Monitors Filter Types and Operation ■ When you create a source port filter , all ports and port trunks (if any) on the switch appear as destinat ions on the li st for that filter , even i f routing is disabled and separate VLANs and/or subnets exist.
9-6 Traffic/Security Filters and Monitors Filter Types and Operation Figure 9-3. The Filter for t he Actions Shown in Figure 9-2 Named Source-Port Filters Y ou can specify named source-port filters that may be used on multiple ports and port trunks.
9-7 Traffic/Security Fi lters and Monitors Filter Types and Operation ■ A named source- port filter can only be deleted whe n it is not applied to any ports. Defining and Configuring Named Source-Port Filters The named source-p ort filter command operat es from the glob al configur ation level.
9-8 Traffic/Security Filters and Monitors Filter Types and Operation A named source-port f ilter must f irst be defi ned and configured before it can be applied. In the followin g example two named source-port filt ers are defined, web-only and accounting .
9-9 Traffic/Security Fi lters and Monitors Filter Types and Operation Using Named Source-Port Filters A company wants to manage tr affic to the Internet an d its accounting server on a 26-port switch. Their network is pi ctured i n Figure 9-4. Swi tch port 1 connects to a router that p rovides connectivit y to a W AN and the Intern et.
9-10 Traffic/Security Filters and Monitors Filter Types and Operation Figure 9-5. Applying Example Named Source-Port Filters Once the named source-port filter s have been defined and config ured we now apply them to the switch ports.
9-11 Traffic/Security Fi lters and Monitors Filter Types and Operation Figure 9-7. Example of the sho w filter Command Using the IDX value in the show filter command, we can see how traffic is filtered on a specif ic port ( Va l u e ).The two outputs b elow show a non - accounting and an accou nting switch port.
9-12 Traffic/Security Filters and Monitors Filter Types and Operation Figure 9-8. Example Showing T raffic Filtered on Speci fic Ports The same command, using IDX 26, shows how traffic from the In ternet is handled.
9-13 Traffic/Security Fi lters and Monitors Filter Types and Operation Figure 9-9. Example of S ource Port Filtering wi th Internet T ra ffic As the company grows, mo re resources are requir ed in accounting. T wo additional accounting workstations are added and attached to ports 12 and 13.
9-14 Traffic/Security Filters and Monitors Filter Types and Operation The following revisions to the named so urce-po rt filter definiti ons maintain the desired network traffic management , as shown in the Action column of the show command. Figure 9-11.
9-15 Traffic/Security Fi lters and Monitors Configuring Traffi c/Security Filters Figure 9-12. Named Source-Po rt Filte rs Managing T raffic Configuring T raffic/Security Filters Use this procedure t o specify th e type of filters to use on the switch and whether to forward or dro p filtered pa ckets for each filt er you spe cify .
9-16 Traffic/Security Filters and Monitors Configuring Traffic/Secu rity Filters Configuring a Source -Port T raffic Filter Syntax: [no] filte r [source-port < port-number | trunk-name >] Specifies one inbound port or trunk. T raffic received inbound on this interface from other devices will be filtered.
9-17 Traffic/Security Fi lters and Monitors Configuring Traffi c/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a source-port filter that drops all traffic received on port 5 wi th a destination of port trunk 1 ( Tr k 1 ) and any port in the range of port 10 to port 15 .
9-18 Traffic/Security Filters and Monitors Configuring Traffic/Secu rity Filters filter on port 5, then create a trunk w ith ports 5 and 6, and display the results, you would see the following: Figure 9-13.
9-19 Traffic/Security Fi lters and Monitors Configuring Traffi c/Security Filters Figure 9-14. Assigning Additi onal Destination Ports to a n Existing Filter For example, suppose you wanted to co nfigure the filters in table 9-2 on a switch. (For more on source-port filt er s, refer to “Configuring a Source-Port T ra ffic Filter” on page 9-16.
9-20 Traffic/Security Filters and Monitors Configuring Traffic/Secu rity Filters new filter will receiv e the index nu mber “2” and the second new filter will receive the index number "4".
10-1 10 Configuring Port-Based and User -Based Access Control (802.1X) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 Why Use Port-Based or User-Based Access Control? . . .
10-2 Configuring Port-Bas ed and User-Based Access Control (802.1X) Contents 3. Configure the 802.1X Auth entication Method . . . . . . . . . . . . . . . . 10-24 4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 10-25 5.
10-3 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Overview Overview Why Use Port-Based or User -Based Access Control? Local Area Networks are often deployed in a way that allows unauthorized clients to attach to network devices, or allows unauthorized users to get access to unattended clients on a networ k.
10-4 Configuring Port-Bas ed and User-Based Access Control (802.1X) Overview • Port-Based access control op tion allowing auth entication by a si ngle client to open the port . This option does not force a client limit and, on a port opened by an auth enticated cl ient, allows unlimit ed client access without requiring further au thentication .
10-5 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Overview This operat ion improves securit y by opening a given po rt only to indi vidually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenti cat ed.
10-6 Configuring Port-Bas ed and User-Based Access Control (802.1X) Terminology This operat ion unblo cks the port while an authenticated client session is in progress.
10-7 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Terminology a port loses its authenticated client connection, it drops its membership in this VLAN. Note that with m ultiple client s on a port, all su ch clients use the same untagged, port-b ased VLAN membership.
10-8 Configuring Port-Bas ed and User-Based Access Control (802.1X) Terminology Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan < vid > command or the Menu interface. Supplicant: The entity that must provide the proper cred entials to t he switch before receiving access to the network.
10-9 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) General 802.1X Aut henticator Operation General 802.1X Authenticator Operation This operation provides security on a po int-to-point link between a client and the switch, where both devices are 802.
10-10 Configuring Port-Bas ed and User-Based Access Control (802.1X) General 802.1X Aut henticator Operation Note The switches c overed in this guide can use either 802.1X port- based authen- tication or 802.1X user -bas ed authentication. For more information, refer to “User Authentication Methods” on page 10-4.
10-11 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) General 802.1X Aut henticator Operation Figure 10-1. Priority of VLAN Assignme nt for an Authenticat ed Client No Ye s New Client .
10-12 Configuring Port-Bas ed and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the u ser -based mode, when ther e is an authenticated client on a port, the followin g traffic movement is allowed: • Multicast and bro adcast traffic is allowed on the port.
10-13 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) General Operating Rules and Notes ■ If a port on switch “A” is configur ed as an 802.1X supplicant and is connected to a port on anot her switch, “B”, that is not 802.1X-aware, access to switch “B” will occur wit hout 802.
10-14 Configuring Port-Bas ed and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Access Control Do These Steps Before Y ou Configure 802.1X Operation 1. Configure a local username and pa ssword on the switch for both the Operator (login) and Manager (enable) access levels.
10-15 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) General Setup Procedure for 802.1X Access Control Figure 10-2. Example of the Password Port -Access Command Y ou can save the port-access password for 802.1 X authentication in the configuratio n file by using the inc lude-credential s command.
10-16 Configuring Port-Bas ed and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control 3. Determine whether to us e user -based a ccess control (page 10-4) or port- based access control (page 10-5). 4. Determine whether to use the op tional 802.
10-17 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802. 1X Authentication on the Switch This section outl ines the steps for configuring 802.1X on the switch. For detailed info rmation on each step , refer to the followin g: ■ “802.
10-18 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Note If you want to implement th e optional port security featur e (step 7) on the switch, you should first en sure that the ports you ha ve configured as 8 02.
10-19 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentica tion on Selected Ports This task configures the indivi dual ports you want to operate as 802.1X authenticators for po int-to-poi nt links to 802.
10-20 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User -Based Authen tication or Return to Port- Based Authentication User -Based 802.1X Authentication. Port-Based 802.1X Authentication.
10-21 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators Example: Configuring User -Based 802.1X Authentication This example enables ports A10-A1 2 to operate as authenticators, and then configures the ports for us er -based auth en tication.
10-22 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the ma x-requests parameter fails (next page).
10-23 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time af ter which clients connected must be re-authenticated.
10-24 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how th e switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.
10-25 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the auth entication me thod, configure the switch to use 1, 2, or 3 RADIUS se rvers for authentication.
10-26 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentica tion is operating, y ou can use the following aaa port - access authenticator commands to reset 802.
10-27 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports as 802.1X Authenticators ■ The 802.1s Multiple Spanning T ree Protocol (MSTP) or 802. 1w Rapid Spanning T ree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resourc e utilization while maintaining a lo op-free netw ork.
10-28 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Because a port can be con figured for more than one type of authenticat ion to pr.
10-29 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode Introduction This section describes how to use t he 802.1X Open VLAN mode to provide a path for clien ts that need to acquire 802.1X supplica nt software before proceeding with the auth enti cation process.
10-30 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports confi gured to al low multipl e sessions using 802.
10-31 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Note After client authenticati on, the port resumes me mbership in any tagged VLANs for which it i s configured.
10-32 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode T able 10-2. 802.1X Open VLAN Mode Options 802.1X Per -Port Configuration Port Response No Open VLAN mode: The port automatically blo cks a client that cannot init iate an authenti cation sessi on.
10-33 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Authorized-Client VLAN • After client authentication, the po rt drops membership in t he Unauthorized-Client VLAN a nd becomes an u ntagged memb er of this VLAN.
10-34 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Open VLAN Mode with Only an Unauthor ized-Cl ient VLAN Configured: • When the po rt detects a client, it aut omatically becomes an untagged member of this VLAN.
10-35 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Open VLAN Mode with Only an Authorized-Client VLAN Con figured: • Port automa tically blocks a client that can not initiate an authentication session .
10-36 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Au thorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorize d- Client or Unauthorized-Client VLANs These must be configured o n the switch before you co nfigure an 802.
10-37 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Effect of Unauthorized-Client VLAN session on untagged port VLAN membership • When an unauth enticated cli.
10-38 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Effect of RADIUS-assigned VLAN This rule assumes no other authenticated clients are already using the port on a different VLAN. The port joins the RADIUS-assigned VLAN as an unta gged member .
10-39 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Note If you use the same VLAN as the Unau thorized-Client VLAN for all authenti- cator ports, unauth enticated clients on different ports can communicate wit h each other .
10-40 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of bot h the Unauthorized-Client and Authorized-Client VLANs. Re fer to T able 10-2 on page 10-32 for other options.
10-41 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the swit ch to use local password authen tication inste ad of RADIUS authentication.
10-42 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-ra dius for step 2, use the radius host command to configure up to thr ee RADIUS server IP address(es) on the switch.
10-43 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listin g of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 10-40.
10-44 Configuring Port-Bas ed and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For info rmation and an example on viewing current Open VLAN mode operation, ref er to “Viewing 802.1X Open VLAN Mode Status” on page 10-60.
10-45 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow On ly 802.1X-Authenticated Devices ■ The first client to authen.
10-46 Configuring Port-Bas ed and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-S ecurity To Allo w Only 80 2.1X-Authenticated Devices Port-Security Note If 802.
10-47 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports To Operate As Suppli cants for 802.1X Connections to Other Switches Configuring Switch Ports T o Operate As Supplicants for 802.1X Connections to Other Switches A switch port can operate as a supplicant in a c onnection to a port on another 802.
10-48 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supp licants for 802.1X Connect ions to Other Switches • If, after the supplicant port sends the configur ed number of start packets, it does not receive a respons e, it assumes that switch “B” is not 802.
10-49 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Configuring Switch Ports To Operate As Suppli cants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. Y ou can configure a switch port as a supplicant for a p oint-to-point link to an 802.
10-50 Configuring Port-Bas ed and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supp licants for 802.1X Connect ions to Other Switches aaa port-access sup plicant [ethernet.
10-51 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port -Access Authenticator 802.1X Authentication Commands page 10-18 802.
10-52 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters Syntax: show port-access authen ticator [ port-list ] [config | statistics | session-counters | vlan | clients | client s detailed • Untagged VLAN : VLAN ID number of the untagged VLAN used in client sessions.
10-53 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Figure 10-10.Example of show p ort-access authenticat or Command The in.
10-54 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters T able 10-3. Field Descriptions of sho w port-access authe nticator config Comma nd Output (Figure 10-11) Field Description Port-access authenticator activated Whether 802.
10-55 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Figure 10-12.Example of show p ort-access authenti cator statistics Com.
10-56 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters Figure 10-13.Example of show p ort-access authenti cator session-counters Comm and Syntax: show port-access authenticat or session-counters [ port-list ] Displays information for acti ve 802.
10-57 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Figure 10-14.Example of show p ort-access authenticat or vlan Command Syntax: show port-access authenticat or vlan [ port-list ] Displays the following informat ion on the VLANs configured for use in 802.
10-58 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters Figure 10-15. Example of show p ort-access authenti cator clients Command Out put Syntax: show port-acc ess authenticator clients [ port-list ] Displays the session status, name, and address for each 802.
10-59 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Figure 10-16. Example of show p ort-access authenti cator clients detai led Command Output Syntax: show port-access auth enticator clients < port-list > detailed Displays detai led information on the statu s of 802.
10-60 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters V iewing 802.1X Open VLAN Mode Status Y ou can examine the switch’ s c.
10-61 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Thus, in the output shown in figure 10-17: ■ When the Auth VLAN ID is configured and matches the Current VLAN ID , an authenticated client is co nnected to the port.
10-62 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters T able 10-3. Output for Determ ining Open VLAN Mode Statu s (Figure 10-17, Lower) Status Indicator Meaning Status Closed: Either no client is connected or the connected cl ient has not received authorization through 802.
10-63 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Displaying 802.1X Configurat ion, Statistics, and Counters Figure 10-18.Example of Showing a VLAN wi th Ports Configured for Open VLAN Mode Note that ports B1 and B3 ar e not in the upp er listing, bu t are included und er “Overridden Port VLAN configur ation”.
10-64 Configuring Port-Bas ed and User-Based Access Control (802.1X) Displaying 802.1X C onfiguration, Statistics, and Counters Show Commands for Po rt-Access Supplicant Note on Supplicant Statistics.
10-65 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation supplicant port to another without clearin g the statistics data from the first port, the au thenticator’ s MAC address wi l l appear in the supplicant statistics for both ports.
10-66 Configuring Port-Bas ed and User-Based Access Control (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation Note Y ou can use 802.1X (port-based or client -based) authentication and either W eb or MAC authenticati on at the same time on a port, with a maximu m of 32 clients allowed on the port.
10-67 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation • If the port is assigned as a member of an untagged dynamic VLAN that .
10-68 Configuring Port-Bas ed and User-Based Access Control (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation If this tempo rary VLAN assignment cau ses the switch to disable a differe.
10-69 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation For example, suppose that a RADIUS-au thenticated, 802.
10-70 Configuring Port-Bas ed and User-Based Access Control (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation Figure 10-20.The Active Configuration for VLAN 22 T emporarily Changes for the 802.
10-71 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation When the 802.1X client’ s session on port A2 ends, the port remov es the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as un tagged on the port becomes available again.
10-72 Configuring Port-Bas ed and User-Based Access Control (802.1X) How RADIUS/802.1X Authenticat ion Affects VLAN Operation Note Any port VLAN-ID changes you make on 802.1X-aware ports during an 802.1 X- authenticated session do not take eff e ct until the sessio n ends.
10-73 Configuring Port-Based and Us er-Based Access C ontrol (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation T able 10-4. 802.1X Operating Messages Message Meaning Port < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.
11-1 11 Configuring and Monitoring Port Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11-2 Configuring and Monitoring Port Security Contents Web: Checking for Intrus ions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-37 Operating Notes for Port Security . . . . . . . .
11-3 Configuring and Monitoring Port Security Overview Overview Port Security (Page 11-4). This feature enables you to configure each switch port with a unique list of th e MAC addresses of devices that are authorized to access the network throug h that port.
11-4 Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port sec urity setting for each port is off , or “continuou s”. That is, any dev ice can access a port without causing a security reaction.
11-5 Configuring and Monitoring Port Security Port Security • Static: Enables you to se t a fixed limit on the number of MAC addresses authorized for the port an d to specify some or all of the authorized addresses.
11-6 Configuring and Monitoring Port Security Port Security configuratio n to ports on which h ubs, switches, or other devi ces are connected, and to maintain security while also main taining network acce ss to authorized users. For example: Figure 11-1.
11-7 Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port securi ty configuration and moni toring according to the following: a. On which ports do you want port secu rity? b. Which devices (MAC addresses) are authorized on each port? c.
11-8 Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Comm ands Used in This Section This section descr ibes the CLI port security command an d how the switch acquires a nd maintai ns authorized addresses.
11-9 Configuring and Monitoring Port Security Port Security Displaying Port Se curity Settings. Figure 11-2. Example Port Security Listing (Po rts A7 and A8 Show the Default Setting) W ith port number.
11-10 Configuring and Monitoring Port Security Port Security Figure 11-3. Example of the Port Security Configura tion Display for a Single Port The next exam ple shows the opti on for entering a range of ports, including a series of non-cont iguous ports.
11-11 Configuring and Monitoring Port Security Port Security Figure 11-4. Examples of Show Mac-Address Outputs.
11-12 Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security an d edit security settings. ■ Add or delete devices from the list of authorized addresses for one or more ports.
11-13 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < contin uous | static | port-access | configured | limited- continuous > (Continued) st.
11-14 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < contin uous | static | port-access | configured | limited- continuous > (Continued) Ca.
11-15 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Informatio n configuration screen of the Menu interface or the show system information listing.
11-16 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) mac-address [< mac-addr >] [< mac-addr >] . . . [< mac -addr >] A vailable for learn-mode with the, static , configured , or limited-continu ous option.
11-17 Configuring and Monitoring Port Security Port Security Retention of Static Addresses Static MAC addresses do not age-o ut. MAC addresses learne d by using learn- mode continuous or learn-mode limited -continuous age out according to the currently configured MAC age ti me.
11-18 Configuring and Monitoring Port Security Port Security ■ Delete it by using no port-security < port-num ber > mac-address < mac-ad dr > . ■ Download a configur ation file th at does not includ e the unwanted MAC address assignment.
11-19 Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. T o simply add a device (MAC address) to a port’ s existing Authorized Addresses list, enter the port numbe r with the mac-add ress parameter and the device’ s MAC address.
11-20 Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is alre ady on the list.
11-21 Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) fr om the Authorized Addresses list. (An Authoriz ed Address list is available for each port for which Learn Mod e is currently set to “Static”.
11-22 Configuring and Monitoring Port Security MAC Lockdown The following command serves this pu rpose by removing 0c0090-1 23456 and reducing the Address Limit to 1: ProCurve(config)# port-security a.
11-23 Configuring and Monitoring Port Security MAC Lockdown Y ou will need to enter a sepa rate comm and for each MAC/VLAN pair you wish to lock down. If yo u do not specify a VLAN ID (VID) the sw itch inserts a VID of “1”.
11-24 Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pai r cannot be locked do wn on a different po rt. Y ou cannot perform MAC Lockdown and 802.1X authentication on the same port or on t he same MAC address.
11-25 Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safel y code per switch. T o truly lock down a MAC addr ess it wo uld be necessary to use t he MAC Lockdown command fo r every MAC Address and VLAN ID on every switch.
11-26 Configuring and Monitoring Port Security MAC Lockout Deploying MAC Lockdown When you deploy MAC Lockdown you ne ed to consider how you use it wi thin your network topology to ensure security .
11-27 Configuring and Monitoring Port Security MAC Lockout T o use MAC Lockout you must fi rst know the MAC Address you wish t o block. How It W orks. Let’ s say a customer knows there are unauthorized wireless clients who should not have access to the network.
11-28 Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, po rt security , and 802.1X authenti- cation. Y ou cannot use MAC Lockout to lock: • Broadcast or Mu lt.
11-29 Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independ ent of port-security and in fact w ill override it. MAC Lockout is pref erable to port- security to stop access from known devi ces because it can be configured for all ports on the switch with one command.
11-30 Configuring and Monitoring Port Security Web: Displaying and Confi guring Po rt Security Features W eb: Displaying and Configuring Port Security Features 1. Click on th e Security tab. 2. Click on [Port Security] . 3. Select the settings you want and, if you are usi n g the Static Learn Mode, add or edit the Author ized Addresses field.
11-31 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags ■ The switch enables notification of the intrusi on through the foll owing means: •I n t h e C L I.
11-32 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most rece nt intrusion at the top of the listing. Y ou cannot delete Intrusio n Log entries (unl ess you reset the switch to its factory-default configuration).
11-33 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interf ace indicates per -port intrusions in the Port Statu s screen, and provides details and t he reset function in the Intru sion Log screen.
11-34 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 11-12 on page 11-33) does not indicate an int rusion for port A1, the alert flag for th e intru- sion on port A1 has already been reset.
11-35 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags In the follow ing ex ample, executi ng show interfac es brief lists the switch ’ s p ort status, whi ch indicates an intru sion alert on port A1. Figure 11-14.
11-36 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags T o clear the intrusion from port A1 and enable the swit ch to enter any subsequent intrusio n for port A1 in the Intr usion Log, execute the port -security clear - intrusion-flag command.
11-37 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Figure 11-17.Example of Log Listi ng With and Without Dete cted Security Violations From the Menu Interface: In the Main Menu, click on 4. Event Log and use N ext page and P rev page to review the Event Log contents.
11-38 Configuring and Monitoring Port Security Operating Notes for Port Security Operating Notes for Port Security Identifying the IP Address of an Intruder .
11-39 Configuring and Monitoring Port Security Operating Notes for Port Security ProCurve(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s). ProCurve(config)# The switch will not allow you to configur e LACP on a port on which port security is enabled.
12-1 12 Using Authorized IP Managers Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
12-2 Using Authorized IP Managers Overview Overview Authorized IP Manager Features The Authorized IP Managers feature us es IP addresses and masks to deter - mine which station s (PCs or workstat ions) can access the switch through the network.
12-3 Using Authorized IP Managers Options Options Y ou can configure: ■ Up to 10 authorized mana ger addresses , where each addre ss applies to either a single mana gement st ation or a group of sta.
12-4 Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations ■ Authorizing Sin gle Stations: The table entry auth orizes a single ma n- agement station to have IP access to the switch.
12-5 Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authori ze four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Mask s” on page 12-1 0.
12-6 Using Authorized IP Managers Defining Authorized Management Stations Figure 12-2. Example of How T o Add an Authorized Manager Entry (Contin ued) Editing or Dele ting an Au thorized Manage r Entry . Go to the IP Ma nag- ers List screen (figure 12-1), high light the desired entry , and press [E] (for Edi t ) or [D] (for Delete ).
12-7 Using Authorized IP Managers Defining Authorized Management Stations Figure 12-3.Example of the Show IP Auth orized-Manager Display The above example shows an Authorized IP Ma nager List that allows stations to access the switch as shown below: Configuring IP Authorized Managers for the Switch T o Authorize Manager Access.
12-8 Using Authorized IP Managers Defining Authorized Management Stations If you omit th e < mask bits > when adding a new authorized manager , the switch automatically uses 255.255.255.255 . If you do not specify either Manager or Operator access, the switch assign s the Manager access.
12-9 Using Authorized IP Managers Web: Configuring IP Authorized Managers W eb: Configuring IP Authorized Managers In the web browse r interf ace you can configure IP Authorized Managers as described below . T o Add, Modify , or Delete an IP Authorized Manager address: 1.
12-10 Using Authorized IP Managers Building IP Masks Using a W eb Proxy Server to Access the W eb Browser Interface Caution This is NOT recommended. Using a web proxy server between the stations and the switch poses a securi ty risk. If the station uses a web proxy server to connect to the swit ch, any proxy user can access the switch.
12-11 Using Authorized IP Managers Building IP Masks Figure 12-5. Analysis of IP Mask f or Single-Stat ion Entries Configuring Multiple Statio ns Per Authorized Manager IP Entry The mask dete rmines whet he r the IP address of a station on the network meets the criteria you specify .
12-12 Using Authorized IP Managers Building IP Masks Figure 12-6. Analysis of IP Mask for Multiple-Station E ntries Figure 12-7. Example of How the Bitm ap in the IP Mask Defines Auth orized Manager A.
12-13 Using Authorized IP Managers Operating Notes Additional Examples for Au thorizing Mult iple Stations Operating Notes ■ Network Security Precautions: Y ou can enhance your network’ s secu- ri.
12-14 Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabl ed in order to u se other applications, you can still eliminate proxy serv ice for web access to the switch.
Index – 1 Index Numerics 3DES …7 - 3 802.1X access control authenticate users … 10-5 authentication methods … 10-4 authentication, local … 10-6 authentication, user-based … 10-4 authentica.
2 – Index password for port-access … 2-11, 2-21 port, supplicant … 10-16 port-based access … 10-4 client without authentication … 10-5 effect of Web/MAC auth operation … 10-13 enable … 1.
Index – 3 ports … 10-39 untagged … 10-30, 10-33, 10-34 untagged membership … 10-20 VLAN operation … 10-65 VLAN use, multiple clients … 10-7 VLAN, assignment conflict … 5-34, 10-12 VLAN, .
4 – Index root … 7-4 self-signed … 7-3 CHAP …5 - 1 1 chap-radius …5 - 1 1 cipher,SSH …6 - 1 7 Clear button to delete password protection … 2-7 configuration filters … 9-2 port security … 11-7 RADIUS See RADIUS. saving security cred entials in multiple files … 2-20 SSH See SSH.
Index – 5 bpdu protection, none …1 - 8 SSH, disabled … 1-4, 6-2 SSL, disabled … 1-5, 7-2 TACACS+ authentication configuration … 4-9 authentication, disabled … 1-5, 4-2 login attempts, 3 .
6 – Index E Eavesdrop Protection … 11-4 encryption key RADIUS … 2-11, 2-15 TACACS … 2-11, 2-15 event log alerts for monitored events … 8-34 intrusion alerts … 11-36 F filetransfer, S SH .
Index – 7 authenticator operation … 3-6 blocked traffic … 3-3 CHAP defined … 3-11 usage … 3-3 client status … 3-60 concurrent with Web … 3-4 configuration commands … 3-51 configuring o.
8 – Index tracking client authentication failures … 8-33 Web authentication … 10-4 Web/MAC … 10-20 See also 802.1X access control. port scan, detecting …8 - 3 3 port security 802.
Index – 9 server access order, changing … 5-50 servers, multiple … 5-19 service type value … 5-8 service-type value … 5-14 service-type value, null … 5-14 shared secret key, sa ving to con.
10 – Index Option 82 … 8-6, 8-9 statistics … 8-6 untrusted-policy … 8-10 verify … 8-6 source port filters configuring … 9-4 named … 9-6 operating rules … 9-4 See also named source port filters.
Index – 11 prerequisites … 7-5 remove self-signed certificate … 7-9 remove server host certificate … 7-9 reserved TCP port numbers … 7-20 root … 7-4 root certificate … 7-4 self-signed .
12 – Index U untrusted policy, snooping …8 - 1 0 user name cleared … 2-7 SNMP configuration … 2-3 V vendor-specific attribute configuring support for HP VSAs … 5-29 defining … 5-30 virus detection monitoring ARP requests … 8-33 VLAN 802.
ProCurve 5400zl i and *5992-5525* T e chnology for better business outcomes T o learn m or e , visit w w w . hp .com/go /bladesy stem/documentation/ © Cop yri ght 2009 Hewle tt-P ack ard De velopment C ompan y , L.P . The inf orm ation contained here in is subject to change w ithout notice .
Een belangrijk punt na aankoop van elk apparaat HP (Hewlett-Packard) 6120 (of zelfs voordat je het koopt) is om de handleiding te lezen. Dit moeten wij doen vanwege een paar simpele redenen:
Als u nog geen HP (Hewlett-Packard) 6120 heb gekocht dan nu is een goed moment om kennis te maken met de basisgegevens van het product. Eerst kijk dan naar de eerste pagina\'s van de handleiding, die je hierboven vindt. Je moet daar de belangrijkste technische gegevens HP (Hewlett-Packard) 6120 vinden. Op dit manier kan je controleren of het apparaat aan jouw behoeften voldoet. Op de volgende pagina's van de handleiding HP (Hewlett-Packard) 6120 leer je over alle kenmerken van het product en krijg je informatie over de werking. De informatie die je over HP (Hewlett-Packard) 6120 krijgt, zal je zeker helpen om een besluit over de aankoop te nemen.
In een situatie waarin je al een beziter van HP (Hewlett-Packard) 6120 bent, maar toch heb je de instructies niet gelezen, moet je het doen voor de hierboven beschreven redenen. Je zult dan weten of je goed de alle beschikbare functies heb gebruikt, en of je fouten heb gemaakt die het leven van de HP (Hewlett-Packard) 6120 kunnen verkorten.
Maar de belangrijkste taak van de handleiding is om de gebruiker bij het oplossen van problemen te helpen met HP (Hewlett-Packard) 6120 . Bijna altijd, zal je daar het vinden Troubleshooting met de meest voorkomende storingen en defecten #MANUAl# samen met de instructies over hun opplosinge. Zelfs als je zelf niet kan om het probleem op te lossen, zal de instructie je de weg wijzen naar verdere andere procedure, bijv. door contact met de klantenservice of het dichtstbijzijnde servicecentrum.