Access Security Guide HP ProCurve Series 5300xl Switches Series 3400cl Switches www.hp.
HP Procurve Series 5300xl Switches Series 3400cl Switches September 2004 Access Security Guide
© Copyright 2000-2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another lan gauge without the prior written consent of Hewlett-Packard.
Contents Contents 1 Getting Started Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 General Switch Traffic Security Guideline . . . . . . . . . . . . . . . . . . . . . . 1-4 Applications for Access Control Lists (ACLs) . . . . .
Contents Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13 Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14 Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation . . . . . 2-16 Changing the Operation of the Reset+Clear Combination . . . . . 2-17 Password Recovery . . . . . . . . . . . . . . . . . . . . .
Contents 4 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 4-3 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 General Authentication Setup Procedure . . . . . . . .
Contents Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 5-6 Outline of the Steps for Configuring RADIUS Authentication . . . . . . 5-6 1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 2. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 5-10 3. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . .
Contents 7 Configuring Secure Socket Layer (SSL) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Contents 9 Configuring Port-Based Access Control (802.1x) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Why Use Port-Based Access Control? . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 How 802.
Contents 10 Configuring and Monitoring Port Security Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Contents Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 11-5 CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 11-6 Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . 11-8 Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Getting Started Contents 1 Getting Started Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 General Switch Traffic Security Guideline . . . . . . . . . . . . . . . . . . . . . . 1-4 Applications for Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . 1-4 Command Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . .
Getting Started Introduction Introduction This Access Security Guide is intended for use with the following switches: ■ HP ProCurve Switch 5304xl ■ HP ProCurve Switch 5348xl ■ HP ProCurve Switch 5308xl ■ HP ProCurve Switch 5372xl ■ HP ProCurve Switch 3400cl-24G ■ HP ProCurve Switch 3400cl-48G This guide describes how to configure and use the switch security features covered in the following chapters. The Product Documentation CD-ROM shipped with the switch includes a copy of this guide.
Getting Started Overview of Access Security Features ■ Port-Based Access Control (802.1x) (page 9-1): On point-to-point connections, enables the switch to allow or deny traffic between a port and an 802.1x-aware device (supplicant) attempting to access the switch. Also enables the switch to operate as a supplicant for connections to other 802.1x-aware switches. Includes the option of allowing only the device having the first MAC address detected by a port.
Getting Started General Switch Traffic Security Guideline General Switch Traffic Security Guideline Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port. 1. Disabled/Enabled physical port 2.
Getting Started Command Syntax Conventions Note on ACL Security Use ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.
Getting Started Simulating Display Output Simulating Display Output Commands or command output positioned to simulate displays of switch information in a computer screen are printed in a monospace font. Command Prompts In the default configuration, the switch displays one of the following CLI prompts: HP HP HP HP Procurve Procurve Procurve Procurve Switch Switch Switch Switch 5304# 5308# 3400-24# 3400-48# To simplify recognition, this guide uses HPswitch to represent command prompts for all models.
Getting Started Related Publications Port Numbering Conventions HP ProCurve stackable switches designate individual ports with sequential numbers (1, 2, 3, etc.) HP ProCurve chassis switches designate individual ports with a letter/number combination to show the slot in which the port is found and the sequential number the port has in that slot (A1, A2, B1, B2, etc.) Examples that include port numbering information often include only one of these port numbering conventions.
Getting Started Related Publications Management and Configuration Guide.
Getting Started Getting Documentation From the Web Getting Documentation From the Web 1. 2. 3. 4. 2 Go to the HP Procurve website at http://www.hp.com/go/hpprocurve. Click on technical support. Click on Product manuals. Click on the product for which you want to view or download a manual. 3 4 Figure 1-2.
Getting Started Sources for More Information Sources for More Information ■ If you need information on specific parameters in the menu interface, refer to the online help provided in the interface. Online Help for Menu Figure 1-3.Example of How To Display Online Help for the Menu Interface n If you need information on a specific command in the CLI, type the command name followed by “help”. For example: Figure 1-4.
Getting Started Need Only a Quick Start? Need Only a Quick Start? IP Addressing. If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using VLANs, HP recommends that you use the Switch Setup screen to quickly configure IP addressing. To do so, do one of the following: ■ Enter setup at the CLI Manager level prompt. ■ In the Main Menu of the Menu interface, select HPswitch# setup 8.
Getting Started To Set Up and Install the Switch in Your Network — This page is intentionally unused.
2 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-7 Web: Setting Passwords and Usernames . . . . . . . .
Configuring Username and Password Security Overview Overview Feature Default Menu CLI Web Set Usernames none — — page 2-8 Set a Password none page 2-5 page 2-7 page 2-8 Delete Password Protection n/a page 2-6 page 2-7 page 2-8 show front-panel-security n/a — page 1-13 — — page 1-13 — front-panel-security password-clear enabled — page 1-13 — reset-on-clear disabled — page 1-14 — factory-reset enabled — page 1-15 — password-recovery enabled — page 1-15 — Consol
Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface. Operator: Access to the Status and Counters menu, the Event Log, and the CLI*, but no Configuration capabilities.
Configuring Username and Password Security Overview Note The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Console Passwords Figure 2-1. 2. The Set Password Screen To set a new password: a. Select Set Manager Password or Set Operator Password. You will then be prompted with Enter new password. b.
Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below. Configuring Manager and Operator Passwords. Syntax: [ no ] password [ user-name ASCII-STR ] [ no ] password < all > • Password entries appear as asterisks. • You must type the password entry twice. Figure 2-2. Example of Configuring Manager and Operator Passwords To Remove Password Protection.
Configuring Username and Password Security Front-Panel Security Web: Setting Passwords and Usernames In the web browser interface you can enter passwords and (optional) usernames. To Configure (or Remove) Usernames and Passwords in the Web Browser Interface. 1. Click on the Security tab. Click on [Device Passwords]. 2. 3. Do one of the following: • To set username and password protection, enter the usernames and passwords you want in the appropriate fields.
Configuring Username and Password Security Front-Panel Security When Security Is Important Some customers require a high level of security for information. Also, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires that systems handling and transmitting confidential medical records must be secure.
Configuring Username and Password Security Front-Panel Security Front-Panel Button Functions The front panel of the switch includes the Reset button and the Clear button. Clear Button Reset Button Reset Clear Figure 2-4. Front-Panel Button Locations on an HP ProCurve 5300xl Switch Reset Button (to restore configuration) Clear Button Reset Clear Figure 2-5.
Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-7. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch. To do this: 1. Press and hold the Reset button. Reset 2.
Configuring Username and Password Security Front-Panel Security 3. Release the Reset button and wait for about one second for the Self-Test LED to start flashing. Reset Clear Self Test 4. When the Self-Test LED begins flashing, release the Clear button . Reset Clear Self Test This process restores the switch configuration to the factory default settings.
Configuring Username and Password Security Front-Panel Security Configuring Front-Panel Security Using the front-panel-security command from the global configuration context in the CLI you can: • Disable or re-enable the password-clearing function of the Clear button. Disabling the Clear button means that pressing it does not remove local password protection from the switch.
Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to “Password Recovery Process” on page 2-20.) (Default: Enabled.) CAUTION: Disabling this option removes the ability to recover a password on the switch. Disabling this option is an extreme measure and is not recommended unless you have the most urgent need for high security.
Configuring Username and Password Security Front-Panel Security Indicates the command has disabled the Clear button on the switch’s front panel. In this case the Show command does not include the reseton-clear status because it is inoperable while the Clear Password functionality is disabled, and must be reconfigured whenever Clear Password is re-enabled . Figure 2-9.
Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. • Specifies whether the switch reboots if the Clear button is pressed.
Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-onclear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-10.
Configuring Username and Password Security Front-Panel Security The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. Completes the command to disable the factory reset option. Displays the current frontpanel-security configuration, with Factory Reset disabled. Figure 2-11.
Configuring Username and Password Security Front-Panel Security Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form of the command) disables the ability to recover a lost password. When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password.
Configuring Username and Password Security Front-Panel Security Figure 2-12. Example of the Steps for Disabling Password-Recovery Password Recovery Process If you have lost the switch’s manager username/password, but passwordrecovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by HP.
3 Web and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . 3-5 Terminology . . . . . . . . . . . . . . . . . . . .
Web and MAC Authentication Overview Overview Feature Default Menu CLI Web Configure Web Authentication n/a — 3-17 — Configure MAC Authentication n/a — 3-22 — Display Web Authentication Status and Configuration n/a — 3-26 — Display MAC Authentication Status and Configuration n/a — 3-27 — Web and MAC Authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized acce
Web and MAC Authentication Overview password, and grants or denies network access in the same way that it does for clients capable of interactive logons. (The process does not use either a client device configuration or a logon session.) MAC authentication is wellsuited for clients that are not capable of providing interactive logons, such as telephones, printers, and wireless access points.
Web and MAC Authentication Overview General Features Web and MAC Authentication on the Series 5300XL switches include the following: 3-4 ■ On a port configured for Web or MAC Authentication, the switch operates as a port-access authenticator using a RADIUS server and the CHAP protocol. Inbound traffic is processed by the switch alone, until authentication occurs.
Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Authenticator Operation Before gaining access to the network clients first present their authentication credentials to the switch. The switch then verifies the supplied credentials with a RADIUS authentication server. Successfully authenticated clients receive access to the network, as defined by the System Administrator.
Web and MAC Authentication How Web and MAC Authentication Operate Figure 3-2. Progress Message During Authentication If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. If specified, the client is redirected to a specific URL (redirect-url). Figure 3-3. Authentication Completed The assigned VLAN is determined, in order of priority, as follows: 1.
Web and MAC Authentication How Web and MAC Authentication Operate moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authorized port take affect at the end of the session. A client may not be authenticated due to invalid credentials or a RADIUS server timeout.
Web and MAC Authentication How Web and MAC Authentication Operate 4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate).
Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN. Authentication Server: The entity providing an authentication service to the switch.
Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ ■ Note on Port Access M a na g e m e nt • Web Authentication • MAC Authentication • 802.1x Order of Precedence for Port Access Management (highest to lowest): • MAC lockout • MAC lockdown or Port Security • Port-based Access Control (802.
Web and MAC Authentication Operating Rules and Notes 2. 3. 4. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships. If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
Web and MAC Authentication General Setup Procedure for Web/MAC Authentication N o t e o n Web / MAC A u t h e n t i c a t i on and LACP The switch does not allow Web or MAC Authentication and LACP to both be enabled at the same time on the same port. The switch automatically disables LACP on ports configured for Web or MAC Authentication. General Setup Procedure for Web/MAC Authentication Do These Steps Before You Configure Web/MAC Authentication 3-12 1.
Web and MAC Authentication General Setup Procedure for Web/MAC Authentication c. If there is neither a RADIUS-assigned VLAN or an “Authorized VLAN” for an authenticated client session on a port, then the port’s VLAN membership remains unchanged during authenticated client ses sions. In this case, configure the port for the VLAN in which you want it to operate during client sessions. Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID.
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server ■ Configure the client device’s (hexadecimal) MAC address as both username and password. Be careful to configure the switch to use the same format that the RADIUS server uses. Otherwise, the server will deny access. The switch provides four format options: aabbccddeeff (the default format) aabbcc-ddeeff aa-bb-cc-dd-ee-ff aa:bb:cc:dd:ee:ff Note on MAC Addresses Letters in MAC addresses must be in lowercase.
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Syntax: [no] radius-server [host < ip-address >] Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can config ure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (Refer to “RADIUS Authentication and Accounting” on page 5-1.
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Figure 3-4.
Web and MAC Authentication Configuring Web Authentication on the Switch Configuring Web Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL for use by authenticated clients. HP recommends that you provide a redirect URL when using Web Authenti cation. If a redirect URL is not specified, web browser behavior following authentication may not be acceptable. 3.
Web and MAC Authentication Configuring Web Authentication on the Switch Configure the Switch for Web-Based Authentication Command Page Configuration Level aaa port-access web-based dhcp-addr 3-18 aaa port-access web-based dhcp-lease 3-18 [no] aaa port-access web-based [e] < port-list > 3-19 [auth-vid] 3-19 [client-limit] 3-19 [client-moves] 3-19 [logoff-period] 3-20 [max-requests] 3-20 [max-retries] 3-20 [quiet-period] 3-20 [reauth-period] 3-20 [reauthenticate] 3-20 [redirect-url
Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: [no] aaa port-access web-based [e] < port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable webbased authentication on the specified ports. Syntax: aaa port-access web-based [e] < port-list> [auth-vid ]] no aaa port-access web-based [e] < port-list> [auth-vid] Specifies the VLAN to use for an authorized client.
Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: aaa port-access web-based [e] < port-list > [logoff-period] <60-9999999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its preauthentication state.
Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: aaa port-access web-based [e] < port-list > [redirect-url ] no aaa port-access web-based [e] < port-list > [redirect-url] Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. HP recommends that you provide a redirect URL when using Web Authentication.
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made. 3.
Web and MAC Authentication Configuring MAC Authentication on the Switch Configure the Switch for MAC-Based Authentication Command Page Configuration Level aaa port-access mac-based addr-format 3-23 [no] aaa port-access mac-based [e] < port-list > 3-23 [addr-limit] 3-24 [addr-moves] 3-24 [auth-vid] 3-24 [logoff-period] 3-24 [max-requests] 3-24 [quiet-period] 3-25 [reauth-period] 3-25 [reauthenticate] 3-25 [server-timeout] 3-25 [unauth-vid] 3-25 Syntax: aaa port-access mac-based ad
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-32>] Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1) Syntax: [no] aaa port-access mac-based [e] < port-list > [addr-moves] Allows client moves between the specified ports under MAC Auth control. When enabled, the switch allows addresses to move without requiring a re-authentica tion.
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1 - 65535>] Specifies the time period, in seconds, the switch should wait before attempting an authentication request for a MAC address that failed authentication. (Default: 60 seconds) Syntax: aaa port-access mac-based [e] < port-list > [reauth-period <0 - 9999999>] Specifies the time period, in seconds, the switch enforces on a client to re-authenticate.
Web and MAC Authentication Show Status and Configuration of Web-Based Authentication Show Status and Configuration of WebBased Authentication Command Page show port-access [port-list] web-based 3-26 [clients] 3-26 [config] 3-26 [config [auth-server]] 3-27 [config [web-server]] 3-27 show port-access port-list web-based config detail Syntax: 3-27 show port-access [port-list] web-based Shows the status of all Web-Authentication enabled ports or the specified ports.
Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.
Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] mac-based [clients]] Shows the port address, MAC address, session status, and elapsed session time for attached clients on all ports or the specified ports. Ports with multiple clients have an entry for each attached client. Ports without any attached clients are not listed.
Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Connection Possible Explanations authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires. authenticating Switch only Pending RADIUS request.
Web and MAC Authentication Client Status — This page is intentionally unused.
4 TACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 4-3 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 4-5 Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . .
TACACS+ Authentication Overview Overview Feature Default Menu CLI Web view the switch’s authentication configuration n/a — page 4-9 — view the switch’s TACACS+ server contact configuration n/a — page 4-10 — configure the switch’s authentication methods disabled — page 4-11 — configure the switch to contact TACACS+ server(s) disabled — page 4-15 — TACACS+ authentication enables you to use a central server to allow or deny access to the switches covered by this guide (and other TACACS
TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/ write) privilege level access. N o t e s R eg a r d i ng Software Release E.05.
TACACS+ Authentication Terminology Used in TACACS Applications: ■ 4-4 Authentication: The process for granting user access to a device through entry of a user name and password and comparison of this username/password pair with previously stored username/password data. Authentication also grants levels of access, depending on the privileges assigned to a user name and password pair by a system administrator.
TACACS+ Authentication General System Requirements General System Requirements To use TACACS+ authentication, you need the following: Notes ■ A TACACS+ server application installed and configured on one or more servers or management stations in your network. (There are several TACACS+ software packages available.) ■ A switch configured for TACACS+ authentication, with access to one or more TACACS+ servers.
TACACS+ Authentication General Authentication Setup Procedure other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Troubleshooting chapter of the Management and Configuration Guide for your switch. 1.
TACACS+ Authentication General Authentication Setup Procedure Note on Privil ege Levels When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of “15” as authorization for the Manager (read/write) privilege level access. Privilege level codes of 14 and lower result in Operator (read-only) access.
TACACS+ Authentication Configuring TACACS+ on the Switch configuration in your TACACS+ server application for mis-configura tions or missing data that could affect the server’s interoperation with the switch. 8. After your testing shows that Telnet access using the TACACS+ server is working properly, configure your TACACS+ server application for console access. Then test the console access.
TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication 4-9 show tacacs 4-10 aaa authentication pages 4-11 through 4-14 console Telnet num-attempts <1-10 > tacacs-server pages 4-15 host < ip-addr > pages 4-15 key 4-19 timeout < 1-255 > 4-20 Viewing the Switch’s Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary acce
TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact.
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied).
TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-1. AAA Authentication Parameters Name Default Range Function console - or telnet n/a n/a Specifies whether the command is configuring authentication for the console port or Telnet access method for the switch. enable - or login n/a n/a Specifies the privilege level for the access method being configured.
TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Privilege Level Authentication Options Console — Login Console — Enable Telnet — Login Telnet — Enable Effect on Access Attempts Primary Secondary local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. local none* Local username/password access only.
TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. HPswitch (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server. Secondary using Local.
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these parameters: Note ■ The host IP address(es) for up to three TACACS+ servers; one firstchoice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server. ■ An optional encryption key.
TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [key < key-string >] Adds a TACACS+ server and optionally assigns a server-specific encryption key. [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its serverspecific encryption key, if any). tacacs-server key Enters the optional global encryption key. [no] tacacs-server key Removes the optional global encryption key.
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host [key none n/a Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, perserver encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key” on page 4-23 and the documentation provided with your TACACS+ server application.
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range key none (null) n/a Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server” key.
TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-5. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: HPswitch(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.
TACACS+ Authentication How Authentication Operates To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: HPswitch(config)# tacacs-server host 10.28.227.104 Note The show tacacs command lists the global encryption key, if configured.
TACACS+ Authentication How Authentication Operates Using figure 4-6, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: 1. The switch queries the first-choice TACACS+ server for authentication of the request. • If the switch does not receive a response from the first-choice TACACS+ server, it attempts to query a secondary server.
TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentica tion only if one of these two conditions exists: ■ “Local” is the authentication option for the access method being used. ■ TACACS+ is the primary authentication mode for the access method being used.
TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”) helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.
TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to configure a global encryp tion key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.
TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For informa tion on such messages, refer to the documentation you received with the application.
TACACS+ Authentication Operating Notes ■ 4-26 When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not accessible— setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unautho rized persons.
5 RADIUS Authentication and Accounting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RADIUS Authentication and Accounting Overview Overview Feature Default Menu CLI Web Configuring RADIUS Authentication None n/a 5-6 n/a Configuring RADIUS Accounting None n/a 5-16 n/a n/a n/a 5-24 n/a Viewing RADIUS Statistics RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server employed.
RADIUS Authentication and Accounting Terminology Terminology CHAP (Challenge-Handshake Authentication Protocol): A challengeresponse authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a challenge from a RADIUS server. EAP (Extensible Authentication Protocol): A general PPP authentication protocol that supports multiple authentication mechanisms.
RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Switch Operating Rules for RADIUS 5-4 ■ You must have at least one RADIUS server accessible to the switch. ■ The switch supports authentication and accounting using up to three RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius (page 5-24). If the first server does not respond, the switch tries the next one, and so-on.
RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: Table 5-1. 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring the switch, collect the information outlined below.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Configuring the Switch for RADIUS Authentication RADIUS Authentication Commands aaa authentication < console | telnet | ssh > < enable | login > radius < local | none > [no] radius-server host < IP-address > Page 5-8 5-8 5-8 5-10 [auth-port < port-number >] 5-10 [acct-port < port-number >] 5-10, 5-19 [key < server-specific key-string >] 5-10 [no] radius-server key < global key-string > 5-12 radius-server timeout
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note This step assumes you have already configured the RADIUS server(s) to support the switch. Refer to the documentation provided with the RADIUS server documentation.) 3.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 1. Configure Authentication for the Access Methods You Want RADIUS To Protect This section describes how to configure the switch for RADIUS authentication through the following access methods: ■ Console: Either direct serial-port connection or modem connection. ■ Telnet: Inbound Telnet must be enabled (the default). ■ SSH: To employ RADIUS for SSH access, you must first configure the switch for SSH operation.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s local passwords): The switch now allows Telnet and SSH authentication only through Figure 5-2.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 5-16: “Configuring RADIUS Accounting” instead of continuing here.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in figure 5-3 and you now need to make the following changes: 1. Change the encryption key for the server at 10.33.18.127 to “source0127”. 2. Add a RADIUS server with an IP address of 10.33.18.119 and a serverspecific encryption key of “source0119”. Figure 5-3.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch’s Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: ■ Number of login attempts: In a given session, specifies how many tries at entering the correct username and password pair are allowed before access is denied and the session terminated. (This is a general aaa authentication parameter and is not specific to RADIUS.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication dead-time < 1 - 1440 > Optional. Specifies the time in minutes during which the switch will not attempt to use a RADIUS server that has not responded to an earlier authentication attempt. (Default: 0; Range: 1 - 1440 minutes) radius-server timeout < 1 - 15 > Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-5. Example of Global Configuration Exercise for RADIUS Authentication After two attempts failing due to username or password entry errors, the switch will terminate the session. Global RADIUS parameters from figure 5-5. Server-specific encryption key for the RADIUS server that will not use the global encryption key. These two servers will use the global encryption key. Figure 5-6.
RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: ■ “Local” is the authentication option for the access method being used. ■ The switch has been configured to query one or more RADIUS servers for a primary authentication request, but has not received a response, and local is the configured secondary option.
RADIUS Authentication and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication Controlling Web Browser Interface Access When Using RADIUS Authentication Configuring the switch for RADIUS authentication does not affect web browser interface access.
RADIUS Authentication and Accounting Configuring RADIUS Accounting Note This section assumes you have already: ■ Configured RADIUS authentication on the switch for one or more access methods ■ Configured one or more RADIUS servers to support the switch If you have not already done so, refer to “General RADIUS Setup Procedure” on page 5-5 before continuing here.
RADIUS Authentication and Accounting Configuring RADIUS Accounting The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server. For more information on this aspect of RADIUS accounting, refer to the documentation provided with your RADIUS server. Operating Rules for RADIUS Accounting ■ You can configure up to three types of accounting to run simulta neously: exec, system, and network.
RADIUS Authentication and Accounting Configuring RADIUS Accounting – 2. 3. Optional—if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are desig nating, configure a server-specific key. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server.
RADIUS Authentication and Accounting Configuring RADIUS Accounting Syntax: [no] radius-server host < ip-address > Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. [acct-port < port-number >] Optional. Changes the UDP destination port for accounting requests to the specified RADIUS server. If you do not use this option, the switch automatically assigns the default accounting port number. (Default: 1813) [key < key-string >] Optional.
RADIUS Authentication and Accounting Configuring RADIUS Accounting Because the radius-server command includes an acct-port element with a nondefault 1750, the switch assigns this value to the accounting port UDP port numbers. Because auth-port was not included in the command, the authentication UDP port is set to the default 1812. Figure 5-7.
RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Start-Stop: • Send a start record accounting notice at the beginning of the account ing session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (Network, Exec, or System). • Do not wait for an acknowledgement.
RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additional control over accounting data. ■ Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server. ■ Suppress: The switch can suppress accounting for an unknown user having no username.
RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which. requires prior use of the radius-server host command. (See “Configuring RADIUS Accounting” on page 5-16.) Figure 5-10.
RADIUS Authentication and Accounting Viewing RADIUS Statistics Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the AccountingRequest that matched it from this RADIUS accounting server. PendingRequests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Syntax: show authentication Displays the primary and secondary authentication meth ods configured for the Console, Telnet, Port-Access (802.1x), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session. show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppres sion status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) config ured in the switch (using the radius-server host command). show accounting sessions Lists the accounting sessions currently active on the switch. Figure 5-14.
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: 1. Delete 10.10.10.003 from the list. This opens the third (lowest) position in the list. 2. Delete 10.10.10.001 from the list. This opens the first (highest) position in the list. 3. Re-enter 10.10.10.003.
RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is accessible, then verify that the switch is using the correct encryption key and that the server is correctly configured to receive an authentication request from the switch.
6 Configuring Secure Shell (SSH) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Secure Shell (SSH) Overview Overview Feature Generating a public/private key pair on the switch Using the switch’s public key Default Menu CLI Web No n/a page 6-10 n/a n/a n/a page 6-12 n/a Enabling SSH Disabled n/a page 6-15 n/a Enabling client public-key authentication Disabled n/a pages 6-19, 6-22 n/a Enabling user authentication Disabled n/a page 6-18 n/a The switches covered by this guide use Secure Shell version 1 or 2 (SSHv1 or SSHv2) to provide remote access
Configuring Secure Shell (SSH) Terminology Note SSH in HP Procurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com. Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication show in figure 6-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.
Configuring Secure Shell (SSH) Terminology 6-4 ■ PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted client public-key that has been encoded for portability and efficiency. SSHv2 client public-keys are typically stored in the PEM format. See figures 6-3 and 6-4 for examples of PEM-encoded ASCII and nonencoded ASCII keys. ■ Private Key: An internally generated key used in the authentication process. A private key generated by the switch is not accessible for viewing or copying.
Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), then the client program must have the capability to generate or import keys.
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 6-1.
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 6-9). 2. Generate a public/private key pair on the switch (page 6-10). You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. (You can remove or replace this key pair, if necessary.) 3.
Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes 6-8 ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 keys client key pairs. ■ The switch’s own public/private key pair and the (optional) client public key file are stored in the switch’s flash memory and are not affected by reboots or the erase startup-config command.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 6-17 show crypto client-public-key [keylist-str] [< babble | fingerprint >] 6-25 show crypto host-public-key [< babble | fingerprint >] 6-14 show authentication 6-21 crypto key < generate | zeroize > ssh [rsa] 6-11 ip ssh 6-16 key-size < 512 | 768 | 1024 > 6-16 port < 1 - 65535|default > 6-16 timeout < 5 - 120 > 6-16 versi
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-5. Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be “permanent”; that is, avoid re-generating the key pair without a compelling reason.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch Version 1 and Version 2 views of same host public key Figure 6-6. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key' displays it in two different formats because your client may store it in either of these formats after learning the key.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Inserted IP Address Bit Size Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Exponent Modulus Figure 6-9. Example of a Switch Public Key Edited To Include the Switch’s IP Address For more on this topic, refer to the documentation provided with your SSH client application.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 6-10. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 6-10 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host” file. The switch has only one RSA host key.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client, your client’s first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 6-17. [timeout < 5 - 120 >] The SSH login timeout value (default: 120 seconds). [version <1 | 2 | 1-or-2 > The version of SSH to accept connections from. (default: 1-or-2) The ip ssh key-size command affects only a per-session, internal server key the switch creates, uses, and discards.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you. SSH does not protect the switch from unauthorized access via the web interface, Telnet, SNMP, or the serial port.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< local | none >] Configures a password method for the primary and second ary login (Operator) access. If you do not specify an optional secondary method, it defaults to none. aaa authentication ssh enable < local | tacacs | radius>[< local | none >] Configures a password method for the primary and second ary enable (Manager) access.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution To allow SSH access only to clients having the correct public key, you must configure the secondary (password) method for login public-key to none. Otherwise a client without the correct public key can still gain entry by submitting a correct local login password.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-13 shows how to check the results of the above commands. Lists the current SSH authentication configuration. Client Key Index Number Shows the contents of the public key file downloaded with the copy tftp command in figure 6-12. In this example, the file contains two client public-keys. Figure 6-13. SSH Configuration and Client-Public-Key Listing From Figure 6-12 6.
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Configuring the Switch for SSH Authentication” on page 6-18 lists the steps for configuring SSH authentication on the switch. However, if you are new to SSH or need more details on client public-key authentication, this section may be helpful.
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 3. If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. 4. If there is a match, the switch: a. Generates a random sequence of bytes. b. Uses the client’s public key to encrypt this sequence. c. Send these encrypted bytes to the client. 5.
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Notes Comments in public key files, such as smith@support.cairns.com in figure 6-14, may appear in a SSH client application’s generated public key. While such comments may help to distinguish one key from another, they do not pose any restriction on the use of a key by multiple clients and/or users.
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Note on Public K e ys The actual content of a public key entry in a public key file is determined by the SSH client application generating the key. (Although you can manually add or edit any comments the client application adds to the end of the key, such as the smith@fellow at the end of the key in figure 6-14 on page 6-23.
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: clear crypto public-key Deletes the client-public-key file from the switch. Syntax: clear crypto public-key 3 Deletes the entry with an index of 3 from the client-public-key file on the switch. Enabling Client Public-Key Authentication.
Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicates an error in communicating with the tftp server or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • Incorrect IP address in the command • Case (upper/lower) error in the filename used in the command • Incorrect configuration on the TFTP server • The file is not in the expected location.
Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning Generating new RSA host key. If the cache is depleted, this could take up to two minutes. After you execute the crypto key generate ssh [rsa] command, the switch displays this message while it is generating the key. Host RSA key file corrupt or not found. Use 'crypto key generate ssh rsa' to create new host key. The switch’s key is missing or corrupt.
7 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 Steps for Configuring and Using SSL for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Secure Socket Layer (SSL) Overview Overview Feature Generating a Self Signed Certificate on the switch Generating a Certificate Request on the switch Enabling SSL Default Menu CLI Web No n/a page 7-9 page 7-13 No n/a n/a page 7-15 Disabled n/a page 7-17 page 7-19 The switches covered by this guide use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security(TLSv1) to provide remote web access to the switches via encrypted paths between the switch and manag
Configuring Secure Socket Layer (SSL) Terminology 1. Switch-to-Client SSL Cert. HP Switch SSL Client Browser 2. User-to-Switch (login password and enable password authentication) options: – Local – TACACS+ – RADIUS (SSL Server) Figure 7-1.
Configuring Secure Socket Layer (SSL) Terminology 7-4 ■ Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-Signed Certificates) and used later on to verify that authenticity of those signed certificates. Trusted certificates are distrib uted as an integral part of most popular web clients. (see browser docu mentation for which root certificates are pre-installed). ■ Manager Level: Manager privileges on the switch.
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring ssl include: A. Client Preparation 1.
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes 7-6 ■ Once you generate a certificate on the switch you should avoid regenerating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all management stations (clients) you previously set up for SSL access to the switch. In some situations this can temporarily allow security breaches.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl page 7-19 show config page 7-19 show crypto host-cert page 7-12 crypto key generate cert [rsa] <512 | 768 |1024> page 7-10 zeroize cert page 7-10 crypto host-cert generate self-signed [arg-list] page 7-10 zeroize page 7-10 1.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface, refer to the chapter titled “Using the HP Web Browser Interface” in the Management and Configuration Guide for your switch. Security Tab Password Button Figure 7-2. Example of Configuring Local Passwords 1.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’s Server Host Certificate You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the CLI Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate automatically disables SSL. CLI commands used to generate a Server Host Certificate.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on certificate fields. There are a number arguments used in the generation of a server certificate. table 7-1, “Certificate Field Descriptions” describes these arguments. Table 7-1. Certificate Field Descriptions Field Name Description Valid Start Date This should be the date you desire to begin using the SSL functionality.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Notes “Zeroizing” the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation. CLI Command to view host certificates.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a Self-Signed Host Certificate with the Web browser interface You can configure SSL from the web browser interface. For more information on how to access the web browser interface refer to the chapter titled “Using the HP Web Browser Interface” in the Management and Configuration Guide for your switch. To generate a self signed host certificate from the web browser interface: i.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers interface: Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments Figure 7-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface: 7-14 1. Proceed to the Security tab 2.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 7-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web browser interface To install a CA-Signed server host certificate from the web browser interface.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMB
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generating the Switch’s Server Host Certificate” on page 7-9.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443). Important: See “Note on Port Number” on page 7-20. show config Shows status of the SSL server. When enabled webmanagement ssl will be present in the config list. To enable SSL on the switch 1.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and port number Selection Figure 7-8. Using the web browser interface to enable SSL and select TCP port number Note on Port Number HP recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to specify any TCP port for SSL connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http).
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 7-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host certificate. (Refer to “Generate a SelfSigned Host Certificate with the Web browser interface” on page 7-13.) You may be using a reserved TCP port.
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup — This page is intentionally unused.
8 Traffic/Security Filters Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Using Port Trunks with Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Traffic/Security Filters Overview Overview Applicable Switch Models. As of September, 2004, Traffic/Security filters are available on these current HP ProCurve switch models: Switch Models Source-Port Filters Protocol Filters Multicast Filters Yes Yes Yes Series 3400cl Yes No No Series 2800 Yes No No Series 2500 Yes Yes Yes Switch 4000m and 8000m Yes Yes Yes Series 5300xl This chapter describes Traffic/Security filters on the Series 5300xl and Series 3400cl switches.
Traffic/Security Filters Filter Types and Operation Filter Limits The switch accepts up to 101 static filters. These limitations apply: ■ Source-port filters: • Series 5300xl: Up to 78 • Series 3400cl: One per port or port trunk ■ Multicast filters (5300xl only): up to 16 ■ Protocol filters (5300xl only): up to 7 Using Port Trunks with Filters The switch manages a port trunk as a single source or destination for sourceport filtering.
Traffic/Security Filters Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports.
Traffic/Security Filters Filter Types and Operation ■ When you create a source port filter, all ports and port trunks (if any) on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or trunks, the switch automatically forwards traffic to the outbound ports and/or trunks you do not specifically configure to drop traffic.
Traffic/Security Filters Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to destination port 7 (server "A"). Notice that the filter allows traffic to move from source port 5 to all other destination ports. Figure 8-3. The Filter for the Actions Shown in Figure 8-2 Static Multicast Filters (5300xl Only) This filter type enables the switch to forward or drop multicast traffic to a specific set of destination ports.
Traffic/Security Filters Filter Types and Operation Table 8-2. Notes: Multicast Filter Limits on the 5300xl Switches Max-VLANs Setting Maximum # of Multicast Filters (Static and IGMP Combined) 1 (the minimum) 420 8 (the default) 413 32 or higher 389 Per-Port IP Multicast Filters. The static multicast filters described in this section filter traffic having a multicast address you specify.
Traffic/Security Filters Configuring Traffic/Security Filters Protocol Filters (5300xl Only) This filter type enables the switch to forward or drop, on the basis of protocol type, traffic to a specific set of destination ports on the switch. Filtered protocol types include: ■ AppleTalk ■ IP ■ ARP ■ IPX ■ DEC LAT ■ NetBEUI ■ SNA Only one filter for a particular protocol type can be configured at any one time.
Traffic/Security Filters Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port < port-number | trunk-name>] Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the sourceport filter for < port-number > and returns the destination ports for that filter to the Forward action. (Default: Forward on all ports.
Traffic/Security Filters Configuring Traffic/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a source-port filter that drops all traffic received on port 5 with a destination of port trunk 1 (Trk1) and any port in the range of port 10 to port 15.
Traffic/Security Filters Configuring Traffic/Security Filters 5, then create a trunk with ports 5 and 6, and display the results, you would see the following: The *5* shows that port 5 is configured for filtering, but the filtering action has been suspended while the port is a member of a trunk. If you want the trunk to which port 5 belongs to filter traffic, then you must explicitly configure filtering on the trunk.
Traffic/Security Filters Configuring Traffic/Security Filters Figure 8-5. Assigning Additional Destination Ports to an Existing Filter Configuring a Multicast or Protocol Traffic Filter (5300xl Switches Only) Syntax: [no] filter [multicast < mac- address >] (5300xl only.) Specifies a multicast address. Inbound traffic received (on any port) with this multicast address will be filtered. (Default: Forward on all ports.
Traffic/Security Filters Configuring Traffic/Security Filters For example, suppose you wanted to configure the filters in table 8-3 on a 5300xl switch. (The 3400cl switches allow only the source-port filter shown as the first entry in table 8-3. For more on source-port filters, refer to “Config uring a Source-Port Traffic Filter” on page 8-9.) Table 8-3.
Traffic/Security Filters Configuring Traffic/Security Filters Displaying Traffic/Security Filters This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters. Syntax: show filter Lists the filters configured in the switch, with corresponding filter index (IDX) numbers. IDX: An automatically assigned index number used to identify the filter for a detailed information listing.
Traffic/Security Filters Configuring Traffic/Security Filters Lists all filters configured in the switch. Filter Index Numbers (Automatically Assigned) Criteria for Individual Filters Uses the index number (IDX) for a specific filter to list the details for that filter only. Note for the 3400cl Switches: Only the Source-Port filters in this example apply to these switch models. Figure 8-7.
Traffic/Security Filters Configuring Traffic/Security Filters — This page is intentionally unused.
9 Configuring Port-Based Access Control (802.1x) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 How 802.1x Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Port-Based Access Control (802.1x) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1x Authenticators Disabled n/a page 9-14 n/a Configuring 802.1x Open VLAN Mode Disabled n/a page 9-20 n/a Configuring Switch Ports to Operate as 802.1x Supplicants Disabled n/a page 9-33 n/a n/a n/a page 9-37 n/a n/a n/a page 9-43 n/a Displaying 802.1x Configuration, Statistics, and Counters How 802.
Configuring Port-Based Access Control (802.1x) Overview ■ Local authentication of 802.1x clients using the switch’s local username and password (as an alternative to RADIUS authentication). ■ Temporary on-demand change of a port’s VLAN membership status to support a current client’s session. (This does not include ports that are members of a trunk.) ■ Session accounting with a RADIUS server, including the accounting update interval. ■ Use of Show commands to display session counters.
Configuring Port-Based Access Control (802.1x) Overview Authenticating One Switch to Another. 802.1x authentication also enables the switch to operate as a supplicant when connected to a port on another switch running 802.1x authentication. Switch Running 802.1x and Operating as an Authenticator 802.1x-Aware Client (Supplicant) LAN Core Switch Running 802.1x and Connected as a Supplicant RADIUS Server Figure 9-1. Example of an 802.1x Application Accounting .
Configuring Port-Based Access Control (802.1x) How 802.1x Operates How 802.1x Operates Authenticator Operation This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.1x-aware. (If you expect desirable clients that do not have the necessary 802.1x supplicant software, you can provide a path for downloading such software by using the 802.1x Open VLAN mode—refer to “802.1x Open VLAN Mode” on page 9-20.
Configuring Port-Based Access Control (802.1x) How 802.1x Operates Switch-Port Supplicant Operation This operation provides security on links between 802.1x-aware switches. For example, suppose that you want to connect two switches, where: ■ Switch “A” has port A1 configured for 802.1x supplicant operation. ■ You want to connect port A1 on switch “A” to port B5 on switch “B”. Switch “B” Port B5 Port A1 Switch “A” Port A1 Configured as an 802.1x Supplicant LAN Core RADIUS Server Figure 9-2.
Configuring Port-Based Access Control (802.1x) Terminology • Note A “failure” response continues the block on port B5 and causes port A1 to wait for the “held-time” period before trying again to achieve authentication through port B5. You can configure a switch port to operate as both a supplicant and an authenticator at the same time. Terminology 802.1x-Aware: Refers to a device that is running either 802.1x authenticator software or 802.
Configuring Port-Based Access Control (802.1x) Terminology EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple authentication methods. EAPOL: Extensible Authentication Protocol Over LAN, 802.1x standard. as defined in the Friendly Client: A client that does not pose a security risk if given access to the switch and your network. MD5: An algorithm for calculating a unique digital signature over a stream of bytes.
Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unau thorized-Client VLAN. Untagged VLAN Membership: A port can be an untagged member of only one VLAN. (In the factory-default configuration, all ports on the switch are untagged members of the default VLAN.) An untagged VLAN membership is required for a client that does not support 802.
Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes ■ On a port configured for 802.1x with RADIUS authentication, if the RADIUS server specifies a VLAN for the supplicant and the port is a trunk member, the port will be blocked. If the port is later removed from the trunk, the port will try to authenticate the supplicant. If authentication is successful, the port becomes unblocked.
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Do These Steps Before You Configure 802.1x Operation 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Overview: Configuring 802.1x Authentication on the Switch This section outlines the steps for configuring 802.1x on the switch. For detailed information on each step, refer to “RADIUS Authentication and Accounting” on page 5-1 or “Configuring Switch Ports To Operate As Suppli cants for 802.1x Connections to Other Switches” on page 9-33. 1. Enable 802.
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) 7. If you are using Port Security on the switch, configure the switch to allow only 802.1x access on ports configured for 802.1x operation, and (if desired) the action to take if an unauthorized device attempts access through an 802.1x port. See page 9-31. 8. If you want a port on the switch to operate as a supplicant in a connection with a port operating as an 802.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Configuring Switch Ports as 802.1x Authenticators 802.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Syntax: aaa port-access authenticator < port-list > Enables specified ports to operate as 802.1x authenti cators with current per- port authenticator configura tion. To activate configured 802.1x operation, you must enable 802.1x authentication. Refer to “5. Enable 802.1x Authentication on the switch” on page 9-12.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [server-timeout < 1 - 300 >] Sets the period of time the switch waits for a server response to an authentication request. If there is no response within the configured time frame, the switch assumes that the authentication attempt has timed out.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [initialize] On the specified ports, blocks inbound and outbound traffic and restarts the 802.1x authentication process. This happens only on ports configured with control auto and actively operating as 802.1x authenticators.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 3. Configure the 802.1x Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1x authenti cator. Syntax: aaa authentication port-access < local | eap-radius | chap-radius > Determines the type of RADIUS authentication to use.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, refer to chapter 5, “RADIUS Authen tication and Accounting” .
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Open VLAN Mode 802.1x Authentication Commands page 9-14 802.1x Supplicant Commands page 9-34 802.1x Open VLAN Mode Commands [no] aaa port-access authenticator < port-list > page 9-29 [auth-vid < vlan-id >] [unauth-vid < vlan-id >] 802.1x-Related Show Commands page 9-37 RADIUS server configuration pages 9-19 This section describes how to use the 802.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during authentication. 2. 2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the VLAN entered in the port’s 802.1x configuration as an Authorized-Client VLAN, if config ured. 3.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Table 9-2. 802.1x Open VLAN Mode Options 802.1x Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN • When the port detects a client, it automatically becomes an untagged member of this VLAN.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as AuthorizedThese must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1x authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Condition Rule Effect of Authorized-Client VLAN session on untagged port VLAN membership. • When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Authorized-Client VLAN (also untagged). While the Authorized-Client VLAN is in use, the port does not have access to the statically configured, untagged VLAN.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Setting Up and Configuring 802.1x Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 9-2 on page 9-22 for other options. Before you configure the 802.1x Open VLAN mode on a port: ■ Caution Statically configure an “Unauthorized-Client VLAN” in the switch.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges. Also, you must use 802.1x supplicant software that supports the use of local switch passwords.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > Adds a server to the RADIUS configuration. [key < server-specific key-string >] Optional. Specifies an encryption key for use with the specified server. This key must match the key used on the RADIUS server.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Configuring 802.1x Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 9-26. Syntax: aaa port-access authenticator < port-list > [auth-vid < vlan-id >] Configures an existing, static VLAN to be the AuthorizedClient VLAN.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Inspecting 802.1x Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1x Open VLAN Mode Status” on page 9-39. 802.1x Open VLAN Operating Notes 9-30 ■ Although you can configure Open VLAN mode to use the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended.
Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices If you use port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.1x-aware device detected on the port. Then, only traffic from this specific device is allowed on the port. When this device logs off, another 802.
Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices Note on Blocking a Non-802.1x Device If the port’s 802.1x authenticator control mode is configured to authorized (as shown below, instead of auto), then the first source MAC address from any device, whether 802.1x-aware or not, becomes the only authorized device on the port. aaa port-access authenticator < port-list > control authorized With 802.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 802.1x Authentication Commands page 9-14 802.1x Supplicant Commands [no] aaa port-access < supplicant < [ethernet] < port-list > [auth-timeout | held-period | start-period | max-start | initialize | identity | secret | clear-statistics] page 9-34 page 9-35 802.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 1. Note When port A1 on switch “A” is first connected to a port on switch “B”, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch “B”. • If, after the supplicant port sends the configured number of start request packets, it does not receive a response, it assumes that switch “B” is not 802.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring a Supplicant Switch Port. Note that you must enable suppli cant operation on a port before you can change the supplicant configuration. This means you must execute the supplicant command once without any other parameters, then execute it again with a supplicant parameter you want to configure.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [auth-timeout < 1 - 300 >] Sets the period of time the port waits to receive a challenge from the authenticator. If the request times out, the port sends another authentication request, up to the number of attempts specified by the max-start parameter. (Default: 30 seconds).
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Displaying 802.1x Configuration, Statistics, and Counters 802.1x Authentication Commands page 9-14 802.1x Supplicant Commands page 9-33 802.1x Open VLAN Mode Commands page 9-20 802.1x-Related Show Commands show port-access authenticator below show port-access supplicant page 9-42 Details of 802.
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [< port-list >] Shows: • Whether port-access authenticator is active • The 802.1x configuration of the ports configured as 802.1x authenticators If you do not specify < port-list >, the command lists all ports configured as 802.1x port-access authenticators. Does not display data for a specified port that is not enabled as an authenticator.
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Viewing 802.1x Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show portaccess authenticator and show vlan < vlan-id > commands as illustrated in this section. Figure 9-5 shows an example of show port-access authenticator output, and table 9-2 describes the data that this command displays.
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters ■ When the Unauth VLAN ID is configured and matches the Current VLAN ID in the above command output, an unauthenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Unauth VLAN.
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Status Indicator Meaning Unauthorized VLAN < vlan-id >: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated port. ID 0: No unauthorized VLAN has been configured for the indicated port. < vlan-id >: Lists the VID of the static VLAN configured as the authorized VLAN for the indicated port.
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [< port-list >] [statistics] show port-access supplicant [< port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < portlist > ports configured on the switch as supplicants. The Supplicant State can include the following: Connecting - Starting authentication.
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1x Authentication Affects VLAN Operation Static VLAN Requirement. RADIUS authentication for an 802.1x client on a given port can include a (static) VLAN requirement.
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1x-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1x client requires access to VLAN 22 from port A2. However, access to VLAN 22 is blocked (not untagged or tagged) on port A2 and Figure 9-7.
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1x session. This is to accommodate an 802.1x client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22. Note: With the current VLAN configuration (figure 9-7), the only time port A2 appears in this show vlan 22 listing is during an 802.
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation When the 802.1x client’s session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS-authenticated 802.1x session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored. After the 802.
Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation Messages Related to 802.1x Operation Table 9-4. 802.1x Operating Messages Message Meaning Port < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.1x authenticators. Use this command to enable the ports as authenticators: HPswitch(config)# aaa port-access authenticator e 10 Port < port-list > is not a supplicant.
Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation — This page is intentionally unused.
10 Configuring and Monitoring Port Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 Eavesdrop Protection (Series 5300xl Switches Only) . . . . . . . . . . . . 10-4 Blocking Unauthorized Traffic . . .
Configuring and Monitoring Port Security Overview Overview Feature Displaying Current Port Security Default Menu CLI Web n/a — page 10-7 page 10-31 disabled — page 10-10 page 10-31 n/a — page 10-15 n/a MAC Lockdown disabled — page 10-20 MAC Lockout disabled — page 10-28 n/a page 10-37 page 10-35 Configuring Port Security Retention of Static Addresses Intrusion Alerts and Alert Flags page 10-38 Port Security (Page 10-3).
Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction. Intruder Protection. A port that detects an “intruder” blocks the intruding device from transmitting to the network through that port. Eavesdrop Protection (Series 5300xl Switches Only).
Configuring and Monitoring Port Security Port Security ■ • Limited-Continuous: Sets a finite limit ( 1 - 32 ) to the number of learned addresses allowed per port. • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices.
Configuring and Monitoring Port Security Port Security Blocking Unauthorized Traffic Unless you configure the switch to disable a port on which a security violation is detected, the switch security measures block unauthorized traffic without disabling the port. This implementation enables you to apply the security configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users.
Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? c. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmit ting to the network.
Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 10-7 show mac-address port-security 10-10 < port-list > 10-10 learn-mode 10-10 address-limit 10-13 mac-address 10-13 action 10-14 clear-intrusion-flag 10-14 no port-security 10-14 This section describes the CLI port security command and how the switch acquires and maintains authorized addresses.
Configuring and Monitoring Port Security Port Security Figure 10-2. Example Port Security Listing (Ports A7 and A8 Show the Default Setting) With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the spec ified ports on a switch. The following example lists the full port security configuration for a single port: Figure 10-3.
Configuring and Monitoring Port Security Port Security Listing Authorized and Detected MAC Addresses. Syntax: show mac-address [ port-list | mac-address | vlan < vid >] Without an optional parameter, show mac-address lists the authorized MAC addresses that the switch detects on all ports. mac-address: Lists the specified MAC address with the port on which it is detected as an authorized address. port list: Lists the authorized MAC addresses detected on the specified port(s).
Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security and edit security settings. ■ Add or delete devices from the list of authorized addresses for one or more ports. ■ Clear the Intrusion flag on specific ports Syntax: port-security [e] < learn-mode | address-limit | mac-address | action | clear-intrusion-flag > : Specifies a list of one or more ports to which the port-security command applies.
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limitedcontinuous > (Continued) static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port.
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limitedcontinuous > (Continued) Caution: When you use the static parameter with a device limit greater than the number of MAC addresses you specify with mac-address, an unwanted device can become “authorized”.
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limitedcontinuous > (Continued) limited-continuous (continued): The default address-limit is 1 but may be set for each port to learn up to 32 addresses. The default action is none.
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) action < none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port. none: Prevents an SNMP trap from being sent. none is the default value. send-alarm: Sends an intrusion alarm.
Configuring and Monitoring Port Security Port Security Retention of Static Addresses Static MAC addresses do not age-out. MAC addresses learned by using learnmode continuous or learn-mode limited-continuous age out according to the currently configured MAC age time. (For information on the mac-age-time command, refer to the chapter titled “Interface Access and System Informa tion” in the Management and Configuration Guide for your switch. Learned Addresses.
Configuring and Monitoring Port Security Port Security Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port. (The default device limit is 1.) It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port.
Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existing Authorized Addresses list, enter the port number with the mac-address parameter and the device’s MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value).
Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode.
Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to “Static”. Refer to the command syntax listing under “Configuring Port Security” on page 10-10.
Configuring and Monitoring Port Security MAC Lockdown The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: HPswitch(config)# port-security a1 address-limit 1 HPswitch(config)# no port-security a1 mac-address 0c0090123456 The above command sequence results in the following configuration for port A1: Figure 10-9.
Configuring and Monitoring Port Security MAC Lockdown You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID of “1”. How It Works. When a device’s MAC address is locked down to a port (typically in a pair with a VLAN) all information sent to that MAC address must go through the locked-down port. If the device is moved to another port it cannot receive data.
Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair cannot be locked down on a different port. You cannot perform MAC Lockdown and 802.1x authentication on the same port or on the same MAC address. MAC Lockdown and 802.1x authentication are mutually exclusive. Lockdown is permitted on static trunks (manually configured link aggrega tions).
Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as “meshing” or Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.
Configuring and Monitoring Port Security MAC Lockdown Internal Core Network There is no need to lock MAC addresses on switches in the internal core network. Server “A” 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch Network Edge Lock Server “A” to these ports. Switch 1 Switch 1 Edge Devices Mixed Users Figure 10-10.MAC Lockdown Deployed At the Network Edge Provides Security Basic MAC Lockdown Deployment.
Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
Configuring and Monitoring Port Security MAC Lockdown Internal Network PROBLEM: If this link fails, traffic to Server A will not use the backup path via Switch 3 Switch 3 Server A Switch 4 Server A is locked down to Switch 1, Uplink 2 Switch 2 Switch 1 External Network M ixed Users Figure 10-11.Connectivity Problems Using MAC Lockdown with Multiple Paths The resultant connectivity issues would prevent you from locking down Server A to Switch 1.
Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any traffic to or from the “locked-out” MAC address will be dropped. This means that all data packets addressed to or from the given address are stopped by the switch. MAC Lockout is implemented on a per switch assignment. You can think of MAC Lockout as a simple blacklist. The MAC address is locked out on the switch and on all VLANs.
Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1x authenti cation.
Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in conjunction with port-security.
Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security]. 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field. 4. Implement your new data by clicking on [Apply Changes]. To access the web-based Help provided for the switch, click on [?] in the web browser screen.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags ■ The switch enables notification of the intrusion through the following means: • • • • In the CLI: – The show port-security intrusion-log command displays the Intrusion Log – The log command displays the Event Log In the menu interface: – The Port Status screen includes a per-port intrusion alert – The Event Log includes per-port entries for security viola tions In the web browser interface: – The Ale
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen. 1. From the Main Menu select: 1. Status and Counters 4. Port Status The Intrusion Alert column shows “Yes” for any port on which a security violation has been Figure 10-13.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 10-13 on page 10-34) does not indicate an intrusion for port A1, the alert flag for the intru sion on port A1 has already been reset. • Since the switch can show only one uncleared intrusion per port, the alert flag for the older intrusion for port A3 in this example has also been previously reset.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Clear intrusion flags on all ports. port-security [e] < port-number > clear-intrusion-flag Clear the intrusion flag on one or more specific ports. In the following example, executing show interfaces brief lists the switch’s port status, which indicates an intrusion alert on port A1. Intrusion Alert on port Figure 10-15.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags To clear the intrusion from port A1 and enable the switch to enter any subsequent intrusion for port A1 in the Intrusion Log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, you will see that the Intrusion Alert entry for port A1 has changed to “No”.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Log Command with “security” for Search Log Listing with Security Violation Detected Log Listing with No Security Violation Detected Figure 10-18.Example of Log Listing With and Without Detected Security Violations From the Menu Interface: In the Main Menu, click on 4. Event Log and use Next page and Prev page to review the Event Log contents. For More Event Log Information.
Configuring and Monitoring Port Security Operating Notes for Port Security Operating Notes for Port Security Identifying the IP Address of an Intruder. The Intrusion Log lists detected intruders by MAC address. If you are using HP ProCurve Manager to manage your network, you can use the device properties page to link MAC addresses to their corresponding IP addresses. Proxy Web Servers.
Configuring and Monitoring Port Security Operating Notes for Port Security HPswitch(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s). HPswitch(config)# The switch will not allow you to configure LACP on a port on which port security is enabled. For example: HPswitch(config)# int e a17 lacp passive Error configuring port A17: LACP and port security cannot be run together.
11 Using Authorized IP Managers Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . 11-4 Overview of IP Mask Operation .
Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu CLI Web Listing (Showing) Authorized Managers n/a page 11-5 page 11-6 page 11-8 Configuring Authorized IP Managers None page 11-5 page 11-6 page 11-8 Building IP Masks n/a page 11-9 page 11-9 page 11-9 Operating and Troubleshooting Notes n/a page 11-12 page 11-12 page 11-12 The Authorized IP Managers feature enhances security on the switches cov ered by this guide by using IP addresses
Using Authorized IP Managers Options Options You can configure: Caution ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations ■ Manager or Operator access privileges Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port.
Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations ■ Authorizing Single Stations: The table entry authorizes a single man agement station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Autho rized Manager IP column, and leave the IP Mask set to 255.255.255.255. This is the easiest way to use the Authorized Managers feature.
Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 11-9. Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch. This mask serves a different purpose than IP subnet masks and is applied in a different manner.
Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See “Building IP Masks” on page 11-9. 4. Use the Space bar to select Manager or Operator access. 5. Press [Enter], then [S] (for Save) to configure the IP Authorized Manager entry. Figure 11-2.
Using Authorized IP Managers Defining Authorized Management Stations The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: IP Mask Authorized Station IP Address: Access Mode: 255.255.255.252 10.28.227.100 through 103 Manager 255.255.255.254 10.28.227.104 through 105 Manager 255.255.255.255 10.28.227.125 Manager 255.255.255.0 10.28.227.
Using Authorized IP Managers Web: Configuring IP Authorized Managers To Edit an Existing Manager Access Entry. To change the mask or access level for an existing entry, use the entry’s IP address and enter the new value(s). (Notice that any parameters not included in the command will be set to their default.): HPswitch(config)# ip authorized-managers 10.28.227.101 255.255.255.0 access operator The above command replaces the existing mask and access level for IP address 10.28.227.101 with 255.255.255.
Using Authorized IP Managers Building IP Masks Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network. Configuring One Station Per Authorized Manager IP Entry This is the easiest way to apply a mask. If you have ten or fewer management and/or operator stations, you can configure them quickly by simply adding the address of each to the Authorized Manager IP list with 255.255.255.
Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access.
Using Authorized IP Managers Building IP Masks Figure 11-6. Analysis of IP Mask for Multiple-Station Entries 1st Octet 2nd Octet 3rd Octet 4th Octet Manager-Level or Operator-Level Device Access The “255” in the first three octets of the mask specify that only the exact value in the octet of the corresponding IP address is allowed. However, the zero (0) in the 4th octet of the mask allows any value between 0 and 255 in that octet of the corresponding IP address.
Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Results Manager List IP Mask 255 255 0 Authorized Manager IP 10 IP Mask 255 238 255 250 Authorized Manager IP 10 33 255 248 1 This combination specifies an authorized IP address of 10.33.xxx.1.
Using Authorized IP Managers Operating Notes • If you don’t need proxy server access at all on the authorized station, then just disable the proxy server feature in the station’s web browser interface.
Using Authorized IP Managers Operating Notes — This page is intentionally unused.
12 Key Management System Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 Configuring Key Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 Creating and Deleting Key Chain Entries . . . . . . . . . . . . . . . . . . . . . . . 12-3 Assigning a Time-Independent Key to a Chain . . . . . . . . .
Key Management System Overview Overview The HP Procurve switches covered in this guide provide support for advanced routing capabilities. Security turns out to be extremely important as complex networks and the internet grow and become a part of our daily life and business. This fact forces protocol developers to improve security mecha nisms employed by their protocols, which in turn becomes an extra burden for system administrators who have to set up and maintain them.
Key Management System Configuring Key Chain Management Configuring Key Chain Management KMS-Related CLI Commands in This Section Page show key-chain < chain_name > page 12-3 [ no ] key-chain chain_name page 12-3 [ no ] key-chain chain_name key Key_ID page 12-4 The Key Management System (KMS) has three configuration steps: 1. Create a key chain entry. 2. Assign a time-independent key or set of time-dependent keys to the Key Chain entry.
Key Management System Configuring Key Chain Management Add new key chain Entry “Procurve1”. Display key chain entries. Figure 12-1. Adding a New Key Chain Entry After you add an entry, you can assign key(s) to it for use by a KMS-enabled protocol. Assigning a Time-Independent Key to a Chain A time-independent key has no Accept or Send time constraints. It is valid from boot-up until you change it. If you use a time-independent key, then it is the only key needed for a key chain entry.
Key Management System Configuring Key Chain Management Adds a new Time-Independent key to the “Procurve1” chain. Displays keys in the key chain entry. Figure 12-2. Example of Adding and Displaying a Time-Independent Key to a Key Chain Entry Assigning Time-Dependent Keys to a Chain A time-dependent key has Accept or Send time constraints. It is valid only during the times that are defined for the key . If a time-dependent key is used, there is usually more than one key in the key chain entry.
Key Management System Configuring Key Chain Management duration < mm/dd/yy [ yy ] hh:mm:ss | seconds > Specifies the time period during which the switch can use this key to authenticate inbound packets. Duration is either an end date and time or the number of seconds to allow after the start date and time (which is the accept-lifetime setting).
Key Management System Configuring Key Chain Management Note Given transmission delays and the variations in the time value from switch to switch, it is advisable to include some flexibility in the Accept lifetime of the keys you configure. Otherwise, the switch may disregard some packets because either their key has expired while in transport or there are significant time variations between switches. To list the result of the commands in figure 12-3: Figure 12-4.
Key Management System Configuring Key Chain Management The “Procurve1” key chain entry is a time-independent key and will not expire. “Procurve2” uses time-dependent keys, which result in this data: Expired = 1 Key 1 has expired because its lifetime ended at 8:10 on 01/18/03, the previous day. Active = 2 Key 2 and 3 are both active for 10 minutes from 8:00 to 8:10 on 1/19/03. Keys 4 and 5 are either not yet active or expired. The total number of keys is 5.
Index Numerics C 3DES … 6-3, 7-3 802.1x See port-based access control. certificate CA-signed … 7-3 root … 7-4 self-signed … 7-3 Clear button to delete password protection … 2-6 configuration filters … 8-2 port security … 10-6 RADIUS See RADIUS. SSH See SSH. console, for configuring authorized IP managers … 11-5 A aaa authentication … 4-8 aaa port-access See Web or MAC Authentication. access levels, authorized IP managers … 11-3 accounting See RADIUS.
G-I L-M GVRP, static VLAN not advertised … 9-46 IGMP effect on filters … 8-7 IP multicast address range … 8-7 inconsistent value, message … 10-18 intrusion alarms entries dropped from log … 10-39 event log … 10-37 prior to … 10-39 Intrusion Log prior to … 10-35, 10-36 IP authorized IP managers … 11-1 reserved port numbers … 6-17 IP masks building … 11-9 for multiple authorized manager stations … 11-10 for single authorized manager station … 11-9 operation … 11-4 LACP 802.
P password browser/console access … 2-4 case-sensitive … 2-5 caution … 2-4 delete … 2-6 deleting with the Clear button … 2-6 if you lose the password … 2-6 incorrect … 2-4 length … 2-5 operator only, caution … 2-4 pair … 2-2 setting … 2-5 password pair … 2-2 password security … 6-18 port numbering convention … 1-7 security configuration … 10-2 port security authorized address definition … 10-4 basic operation … 10-3 configuring … 10-6 configuring in browser interface … 10-31, 10-38 event log … 10-37 notice
prior to … 10-35, 10-36, 10-39 Privacy Enhanced Mode (PEM) See SSH. protocol filters … 8-8 proxy web server … 10-39 terminology … 5-3 TLS … 5-4 web-browser access controls … 5-16 web-browser security not supported … 5-2, 5-16 RADIUS accounting See RADIUS.
keys, zeroing … 6-11 key-size … 6-17 known-host file … 6-13, 6-15 man-in-the-middle spoofing … 6-16 messages, operating … 6-27 OpenSSH … 6-3 operating rules … 6-8 outbound SSH not secure … 6-8 password security … 6-18 password-only authentication … 6-18 passwords, assigning … 6-9 PEM … 6-4 prerequisites … 6-5 public key … 6-5, 6-13 public key, displaying … 6-14 reserved IP port numbers … 6-17 security … 6-18 SSHv1 … 6-2 SSHv2 … 6-2 steps for configuring … 6-6 supported encryption methods … 6-3 switch key to
messages … 4-25 NAS … 4-3 overview … 1-2 precautions … 4-5 preparing to configure … 4-8 preventing switch lockout … 4-15 privilege level code … 4-7 server access … 4-15 server priority … 4-18 setup, general … 4-5 show authentication … 4-8 supported features … 4-3 system requirements … 4-5 TACACS+ server … 4-3 testing … 4-5 timeout … 4-15 troubleshooting … 4-6 unauthorized access, preventing … 4-7 web access, controlling … 4-24 web access, no effect on … 4-5 tacacs-server … 4-8 TCP reserved port numbers … 7-
Technical information in this document is subject to change without notice. ©Copyright 2000, 2004. Hewlett-Packard Development Company, L.P. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws.
