Product guide

ManualsBrandsProCurve ManualsComputer equipment6200yl

Access Security Guide

6200yl

5400zl

3500yl

www.procurve.com

ProCurve Switches

K.12.XX

Summary of content (596 pages)

PAGE 1
6200yl 5400zl 3500yl ProCurve Switches K.12.XX www.procurve.
PAGE 2
PAGE 3
ProCurve Series 5400zl Switches Series 3500yl Switches 6200yl Switch February 2007 K.12.
PAGE 4
© Copyright 2005-2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. 3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
PAGE 5
Contents Product Documentation About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Printed Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Electronic Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Software Feature Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx 1 Security Overview Contents . . . . . . . . . . . . . . . .
PAGE 6
Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10 Port Security, MAC Lockdown, and MAC Lockout . . . . . . . . . . . . . . . 1-10 Key Management System (KMS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11 Advanced Threat Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12 BPDU Filtering and BPDU Protection . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 7
3 Virus Throttling Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 Overview of Connection-Rate Filtering . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 Filtering Options . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 8
4 Web and MAC Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 9
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 5-3 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 5-5 Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 Before You Begin . . . . . .
PAGE 10
Configuring the Switch for RADIUS Authentication . . . . . . . . . . . . . 6-8 Outline of the Steps for Configuring RADIUS Authentication . . . . . . 6-9 1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 2. Enable the (Optional) Access Privilege Option . . . . . . . . . . . . . . . . 6-12 3. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 6-13 4.
PAGE 11
7 Configuring RADIUS Server Support for Switch Services Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services . . . . . . . . . . . . . . . . . . . . . . .
PAGE 12
Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 Steps for Configuring and Using SSH for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-6 General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8 Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . 8-9 1. Assigning a Local Login (Operator) and Enable (Manager) Password . . . . . . . . . . .
PAGE 13
Generate a CA-Signed server host certificate with the Web browser interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17 Using the CLI interface to enable SSL . . . . . . . . . . . . . . . . . . . . . . 9-19 Using the web browser interface to enable SSL . . . . . . . . . . . . . 9-19 Common Errors in SSL setup . . . . . . . . . . .
PAGE 14
What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs? . . . . . . . . . . . . . . . . . . . 10-36 Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-37 Configuring and Assigning an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 15
Sequence Numbering in ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-87 Inserting an ACE in an Existing ACL . . . . . . . . . . . . . . . . . . . . . . 10-88 Deleting an ACE from an Existing ACL . . . . . . . . . . . . . . . . . . . 10-90 Resequencing the ACEs in an ACL . . . . . . . . . . . . . . . . . . . . . . . 10-91 Attaching a Remark to an ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-92 Operating Notes for Remarks . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 16
Changing the Remote-id from a MAC to an IP Address . . . . . . 11-10 Disabling the MAC Address Check . . . . . . . . . . . . . . . . . . . . . . . 11-10 The DHCP Binding Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11 Operational Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12 Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13 Dynamic ARP Protection . . . . . . . . . . . . .
PAGE 17
Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . 12-9 Static Multicast Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15 Protocol Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16 Configuring Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17 Configuring a Source-Port Traffic Filter . . . . . . . . . . . . . . . . . . . . . .
PAGE 18
A. Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication . . . . . . . . . . . . . . . . . . 13-17 B. Specify User-Based Authentication or Return to Port-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-18 Example: Configuring User-Based 802.1X Authentication . . . . 13-19 Example: Configuring Port-Based 802.1X Authentication . . . . 13-19 2. Reconfigure Settings for Port-Access . . . . . . . . . . . . . . . . .
PAGE 19
Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-60 Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . . 13-61 14 Configuring and Monitoring Port Security Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3 Port Security . . . . . . .
PAGE 20
Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-42 15 Using Authorized IP Managers Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3 Access Levels . . . . .
PAGE 21
Product Documentation About Your Switch Manual Set Note For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features, please visit the ProCurve Networking Web site at www.procurve.com, click on Technical support, and then click on Product manuals (all). Printed Publications The two publications listed below are printed and shipped with your switch.
PAGE 22
Software Feature Index For the software manual set supporting your 3500yl/5400zl/6200yl switch model, this feature index indicates which manual to consult for information on a given software feature. Premium Edge Software Features. For the ProCurve 3500yl and 5400zl switches, Premium Edge features can be acquired by purchasing the optional Premium Edge license and installing it on the Intelligent Edge version of these switches. (These features are automatically included on the ProCurve 6200yl switches.
PAGE 23
Intelligent Edge Software Features Manual Management Advanced and Traffic Configuration Management Multicast and Routing Access Security Guide AAA Authentication X Authorized IP Managers X Authorized Manager List (Web, Telnet, TFTP) X Auto MDIX Configuration X BOOTP X Config File X Console Access X Copy Command X CoS (Class of Service) X Debug X DHCP Configuration X DHCP Option 82 X DHCP Snooping X DHCP/Bootp Operation X Diagnostic Tools X Downloading Software X Dynamic A
PAGE 24
Intelligent Edge Software Features Manual Management Advanced and Traffic Configuration Management GVRP X Identity-Driven Management (IDM) X IGMP Multicast and Routing Access Security Guide X Interface Access (Telnet, Console/Serial, Web) X IP Addressing X IP Routing X Jumbo Packets X LACP X Link X LLDP X LLDP-MED X MAC Address Management X MAC Lockdown X MAC Lockout X MAC-based Authentication X Management VLAN X Meshing X Monitoring and Analysis X Multicast Filtering
PAGE 25
Intelligent Edge Software Features Manual Management Advanced and Traffic Configuration Management Port Configuration Multicast and Routing X Port Monitoring X Port Security X Port Status X Port Trunking (LACP) X Port-Based Access Control (802.
PAGE 26
Intelligent Edge Software Features Manual Management Advanced and Traffic Configuration Management Multicast and Routing SSL (Secure Socket Layer) X Stack Management (3500yl/6200yl switches only) X Syslog X System Information X TACACS+ Authentication X Telnet Access X TFTP X Time Protocols (TimeP, SNTP) X Traffic Mirroring X Traffic/Security Filters X Troubleshooting X Uni-Directional Link Detection (UDLD) X UDP Forwarder USB Device Support Access Security Guide X X Virus Throt
PAGE 27
Security Overview Contents 1 Security Overview Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Switch Access Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 28
Security Overview Introduction Introduction Before you connect your switch to a network, ProCurve strongly recommends that you review the Security Overview beginning on page 1-3. It outlines the potential threats for unauthorized switch and network access, and provides guidelines on how to use the various security features available on the switch to prevent such access. For more information on individual features, see the references provided.
PAGE 29
Security Overview Switch Access Security Switch Access Security This section outlines provisions for protecting access to the switch’s status information and configuration settings. ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network.
PAGE 30
Security Overview Switch Access Security Inbound Telnet Access and Web Browser Access The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL must be used for remote access. This enables you to employ increased access security while still retaining remote client access.
PAGE 31
Security Overview Switch Access Security you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation).
PAGE 32
Security Overview Switch Access Security For details on this feature, refer to the section titled “Using SNMP To View and Configure Switch Authentication Features” on page 6-19. For information on SNMP, refer to “Using SNMP Tools To Manage the Switch” in the chapter titled “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch.
PAGE 33
Security Overview Switch Access Security Other Provisions for Management Access Security The following features can help to prevent unauthorized management access to the switch.
PAGE 34
Security Overview Network Security Features Network Security Features This section outlines features for protecting access through the switch to the network. For more detailed information, see the indicated chapters. Access Control Lists (ACLs) Layer 3 IP filtering with Access Control Lists (ACLs) enables you to improve network performance and restrict network use by creating policies for: ■ Switch Management Access: Permits or denies in-band management access.
PAGE 35
Security Overview Network Security Features For more information, refer to Chapter 13 “Configuring Port-Based and UserBased Access Control (802.1X)”. Web and MAC Authentication These options are designed for application on the edge of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access.
PAGE 36
Security Overview Network Security Features Secure Socket Layer (SSLv3/TLSv1) This feature includes use of Transport Layer Security (TLSv1) to provide remote web access to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication. For more information, refer to Chapter 9, “Configuring Secure Socket Layer (SSL)”.
PAGE 37
Security Overview Network Security Features Precedence of Security Options. Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest. The following list shows the order in which the switch implements configured security features on traffic moving through a given port. 1. Disabled/Enabled physical port 2.
PAGE 38
Security Overview Advanced Threat Detection Advanced Threat Detection Advanced threat detection covers a range of features used to detect anomalous traffic on the switch and take mitigating action against network attacks. BPDU Filtering and BPDU Protection Protects the network from denial-of-service attacks that use spoofing BPDUs by dropping incoming BPDU frames and/or blocking traffic through a port.
PAGE 39
Security Overview Identity-Driven Manager (IDM) Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.
PAGE 40
Security Overview Identity-Driven Manager (IDM) — This page is intentionally unused — 1-14
PAGE 41
2 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-7 Web: Setting Passwords and Usernames . . . . . . . .
PAGE 42
Configuring Username and Password Security Overview Overview Feature Default Menu CLI Web Set Usernames none — — page 2-8 Set a Password none page 2-5 page 2-7 page 2-8 Delete Password Protection n/a page 2-6 page 2-7 page 2-8 show front-panel-security n/a — page 1-13 — — page 1-13 — front-panel-security password-clear enabled — page 1-13 — reset-on-clear disabled — page 1-14 — factory-reset enabled — page 1-15 — password-recovery enabled — page 1-15 — Consol
PAGE 43
Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface. Operator: Access to the Status and Counters menu, the Event Log, and the CLI*, but no Configuration capabilities.
PAGE 44
Configuring Username and Password Security Overview Note The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
PAGE 45
Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Console Passwords Figure 2-1. 2. The Set Password Screen To set a new password: a. Select Set Manager Password or Set Operator Password. You will then be prompted with Enter new password. b.
PAGE 46
Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and passwords (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
PAGE 47
Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below. Configuring Manager and Operator Passwords. Syntax: [ no ] password [ user-name ASCII-STR ] [ no ] password < all > • Password entries appear as asterisks. • You must type the password entry twice. Figure 2-2. Example of Configuring Manager and Operator Passwords To Remove Password Protection.
PAGE 48
Configuring Username and Password Security Front-Panel Security Web: Setting Passwords and Usernames In the web browser interface you can enter passwords and (optional) usernames. To Configure (or Remove) Usernames and Passwords in the Web Browser Interface. 1. Click on the Security tab. Click on [Device Passwords]. 2. 3. Do one of the following: • To set username and password protection, enter the usernames and passwords you want in the appropriate fields.
PAGE 49
Configuring Username and Password Security Front-Panel Security ■ Gaining management access to the switch by having physical access to the switch itself When Security Is Important Some customers require a high level of security for information. Also, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires that systems handling and transmitting confidential medical records must be secure.
PAGE 50
Configuring Username and Password Security Front-Panel Security Front-Panel Button Functions The front panel of the switch includes the Reset button and the Clear button. Reset Button Reset Clear Button Clear Figure 2-4. Front-Panel Button Locations on a ProCurve Series 5400zl Switch Clear Button Pressing the Clear button alone for one second resets the password(s) configured on the switch. Reset Clear Figure 2-5.
PAGE 51
Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch. To do this: 1. Press and hold the Reset button. Reset 2.
PAGE 52
Configuring Username and Password Security Front-Panel Security 3. Release the Reset button. Reset Clear Test 4. When the Test LED to the right of the Clear button begins flashing, release the Clear button. . Reset Clear Test It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings.
PAGE 53
Configuring Username and Password Security Front-Panel Security • Configure the Clear button to reboot the switch after clearing any local usernames and passwords. This provides an immediate, visual means (plus an Event Log message) for verifying that any usernames and passwords in the switch have been cleared. • Modify the operation of the Reset+Clear combination (page 2-11) so that the switch still reboots, but does not restore the switch’s factory default configuration settings.
PAGE 54
Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to “Password Recovery Process” on page 2-20.) (Default: Enabled.) CAUTION: Disabling this option removes the ability to recover a password on the switch. Disabling this option is an extreme measure and is not recommended unless you have the most urgent need for high security.
PAGE 55
Configuring Username and Password Security Front-Panel Security Indicates the command has disabled the Clear button on the switch’s front panel. In this case the Show command does not include the reseton-clear status because it is inoperable while the Clear Password functionality is disabled, and must be reconfigured whenever Clear Password is re-enabled . Figure 2-8.
PAGE 56
Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. • Specifies whether the switch reboots if the Clear button is pressed.
PAGE 57
Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-onclear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-9.
PAGE 58
Configuring Username and Password Security Front-Panel Security The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. Completes the command to disable the factory reset option. Displays the current frontpanel-security configuration, with Factory Reset disabled. Figure 2-10.
PAGE 59
Configuring Username and Password Security Front-Panel Security Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form of the command) disables the ability to recover a lost password. When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password.
PAGE 60
Configuring Username and Password Security Front-Panel Security Figure 2-11. Example of the Steps for Disabling Password-Recovery Password Recovery Process If you have lost the switch’s manager username/password, but passwordrecovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by ProCurve.
PAGE 61
3 Virus Throttling Contents Overview of Connection-Rate Filtering . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Features and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 General Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 Filtering Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 Sensitivity to Connection Rate Detection . . . . . . . . . . . . . . . . . .
PAGE 62
Virus Throttling Contents Example of Using an ACL in a Connection-Rate Configuration . . . . 3-27 Connection-Rate ACL Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 3-29 Connection-Rate Log and Trap Messages . . . . . . . . . . . . . . . . . . . . . .
PAGE 63
Virus Throttling Overview of Connection-Rate Filtering Overview of Connection-Rate Filtering Feature Default Page Ref Global Configuration and Sensitivity Disabled 3-11 Per-Port Configuration None 3-12 Listing and Unblocking Blocked Hosts n/a 3-17 Viewing the Current Configuration n/a 3-15 Configuring Connection-Rate ACLs None 3-19 The spread of malicious agents in the form of worms exhibiting worm behavior has severe implications for network performance.
PAGE 64
Virus Throttling Overview of Connection-Rate Filtering Features and Benefits Connection-rate filtering is a countermeasure tool you can use in your incident-management program to help detect an manage worm-type IT security threats received in inbound IP traffic. Major benefits of this tool include: Note ■ Behavior-based operation that does not require identifying details unique to the code exhibiting the worm-like operation. ■ Handles unknown worms. ■ Needs no signature updates.
PAGE 65
Virus Throttling Overview of Connection-Rate Filtering General Operation Connection-rate filtering enables notification of worm-like behavior detected in inbound IP traffic and, depending on how you configure the feature, also throttles or blocks such traffic. This feature also provides a method for allowing legitimate, high connection-rate traffic from a given host while still protecting your network from possibly malicious traffic from other hosts.
PAGE 66
Virus Throttling Overview of Connection-Rate Filtering Application Options For the most part, normal network traffic is distinct from the traffic exhibited by malicious agents. However, when a legitimate network host generates multiple connections in a short period of time, connection-rate filtering may generate a “false positive” and treat the host as an infected client. Lowering the sensitivity or changing the filter mode may reduce the number of false positives.
PAGE 67
Virus Throttling Overview of Connection-Rate Filtering Operating Rules ■ Connection-rate filtering is triggered by inbound IP traffic exhibiting high rates of IP connections to new hosts. After connection-rate filtering has been triggered on a port, all traffic from the suspect host is subject to the configured connection-rate policy (notify-only, throttle, or block). ■ When connection-rate filtering is configured on a port, the port cannot be added to, or removed from, a port trunk group.
PAGE 68
Virus Throttling General Configuration Guidelines General Configuration Guidelines As stated earlier, connection-rate filtering is triggered only by inbound IP traffic generating a relatively high number of new IP connection requests from the same host. For a network that is relatively attack-free: 1. Enable notify-only mode on the ports you want to monitor. 2. Set global sensitivity to low. 3.
PAGE 69
Virus Throttling General Configuration Guidelines Note On a given VLAN, to unblock the hosts that have been blocked by the connection-rate feature, use the vlan < vid > connection-rate filter unblock command. 9. Maintain a practice of carefully monitoring the Event Log or configured trap receivers for any sign of high connectivity-rate activity that could indicate an attack by malicious code. (Refer to “Connection-Rate Log and Trap Messages” on page 3-31.
PAGE 70
Virus Throttling Configuring Connection-Rate Filtering Configuring Connection-Rate Filtering Command Page Global and Per-Port Configuration connection-rate-filter sensitivity < low | medium | high | aggressive > 3-11 filter connection-rate < port-list > < notify-only | throttle | block > 3-12 show connection-rate-filter < blocked-host > Unblocking Hosts connection-rate-filter unblock Note 3-18 As stated previously, connection-rate filtering is triggered by inbound IP traffic exhibiting a relativel
PAGE 71
Virus Throttling Configuring Connection-Rate Filtering Enabling Connection-Rate Filtering and Configuring Sensitivity Syntax: connection-rate-filter sensitivity < low | medium | high | aggressive > no connection-rate-filter This command: • Enables connection-rate filtering. • Sets the global sensitivity level at which the switch interprets a given host’s attempts to connect to a series of different devices as a possible attack by a malicious agent residing in the host.
PAGE 72
Virus Throttling Configuring Connection-Rate Filtering Configuring the Per-Port Filtering Mode Syntax: filter connection-rate < port-list > < notify-only | throttle | block > no filter connection-rate < port-list > Configures the per-port policy for responding to detection of a relatively high number of inbound, routed IP connection attempts from a given source.
PAGE 73
Virus Throttling Configuring Connection-Rate Filtering Example of a Basic Connection-Rate Filtering Configuration A B Switch 5400zl Switch VLAN 1 Server Server Server B1 15.45.100.1 B2 VLAN 10 15.45.200.1 B3 C B9 D Switch B4 E VLAN 15 15.45.300.1 D2 D1 Switch Company Intranet F G H Server Figure 3-2. Sample Network Basic Configuration.
PAGE 74
Virus Throttling Configuring Connection-Rate Filtering Enables connection-rate filtering and sets the sensitivity to “low”. Configures the desired responses to inbound, high connectivity-rate traffic on the various ports. Indicates that connectivity-rate filtering is enabled at the “low” sensitivity setting. Shows the per-port configuration for the currently enabled connectivity-rate filtering. Figure 3-3.
PAGE 75
Virus Throttling Configuring Connection-Rate Filtering Viewing and Managing Connection-Rate Status The commands in this section describe how to: ■ View the current connection-rate configuration ■ List the currently blocked hosts ■ Unblock currently blocked hosts Viewing Connection-Rate Configuration Use the following command to view the basic connection-rate configuration.
PAGE 76
Virus Throttling Configuring Connection-Rate Filtering To view the complete connection-rate configuration, including any ACLs (page 3-19), use show config (for the startup-config file) or show running (for the running-config file). For example: Entry showing that connection-rate-filtering is enabled and set to “medium” sensitivity. Example of a connection-rate filtering ACL appearing in the configuration. Example of a connection-rate filtering ACL appearing in a VLAN configuration.
PAGE 77
Virus Throttling Configuring Connection-Rate Filtering Listing Currently-Blocked Hosts Syntax: show connection-rate-filter < all-hosts | blocked-hosts | throttled-hosts > all-hosts: Lists, by VLAN membership, all hosts currently detected in a throttling or blocking state, along with a state indicator. throttled-hosts: Lists, by VLAN membership, the hosts currently in a throttling state due to connection-rate action.
PAGE 78
Virus Throttling Configuring Connection-Rate Filtering Unblocking Currently-Blocked Hosts If a host becomes blocked by triggering connection-rate filtering on a port configured to block high connection rates, the host remains blocked on all ports on the switch even if you change the per-port filtering configuration. (The source IP address block imposed by connection-rate filtering does not age-out.) This is to help prevent a malicious host from automatically regaining access to the network.
PAGE 79
Virus Throttling Configuring and Applying Connection-Rate ACLs Configuring and Applying Connection-Rate ACLs Command ip access-list connection-rate-filter < crf-list-name > Page 3-21, 3-23 < filter | ignore > ip < any | host < ip-addr > | ip-addr < mask >> 3-21 < filter | ignore > < udp | tcp > < source > < options > 3-23 vlan < vid > ip access-group < crf-list-name > connection-rate-filter A host sending legitimate, routed traffic can trigger connection-rate filtering in some circumstances.
PAGE 80
Virus Throttling Configuring and Applying Connection-Rate ACLs For more information on when to apply connection-rate ACLs, refer to “Application Options” on page 3-6. Note Connection-rate ACLs are a special case of the switch’s ACL feature. If you need information on other applications of ACLs or more detailed information on how ACLs operate, refer to chapter 10, “Access Control Lists (ACLs)”.
PAGE 81
Virus Throttling Configuring and Applying Connection-Rate ACLs Inbound IP traffic from Host “A” with relatively high number of IP connection-rate attempts Yes Ignore Ignore or Filter? Allow traffic from Host “A” without filtering through per-port connection-rate policy No Source Match on any ACE in the ACL? Apply Implicit ACE (filter) Filter Apply per-port connection-rate policy to Host “A” traffic: – Notify-Only – Throttle – Block Figure 3-8.
PAGE 82
Virus Throttling Configuring and Applying Connection-Rate ACLs < filter | ignore > The filter option assigns policy filtering to traffic with source IP address (SA) matching the source address in the ACE. The ignore option specifies bypassing policy filtering for traffic with an SA that matches the source address in the ACE. ip < any | host < ip-addr > | ip-addr < mask-length > Specifies the SA criteria for traffic addressed by the ACE.
PAGE 83
Virus Throttling Configuring and Applying Connection-Rate ACLs Configuring a Connection-Rate ACL Using UDP/TCP Criteria (To configure a connection-rate ACL using source IP address criteria, refer to page 3-21.) Syntax: ip access-list connection-rate-filter < crf-list-name > Creates a connection-rate-filter ACL and puts the CLI into the access control entry (ACE) context: ProCurve(config-crf-nacl)# If the ACL already exists, this command simply puts the CLI into the ACE context.
PAGE 84
Virus Throttling Configuring and Applying Connection-Rate ACLs ip-addr < mask-length >: Applies the ACEs action (filter or ignore) to IP traffic having an SA within the range defined by either: < src-ip-addr/cidr-mask-bits> or > Use this criterion for traffic received from either a subnet or a group of IP addresses. The mask can be in either dotted-decimal format or CIDR format with the number of significant bits. Refer to “Using CIDR Notation To Enter the ACE Mask” on page 3-26.
PAGE 85
Virus Throttling Configuring and Applying Connection-Rate ACLs < tcp-data > or < udp-data > TCP or UDP Port Number or (WellKnown) Port Name: Use the TCP or UDP port number required for the desired match. The switch also accepts certain well-known TCP or UDP port names as alternates to their corresponding port numbers: TCP/UDP-PORT: Specify port by number.
PAGE 86
Virus Throttling Configuring and Applying Connection-Rate ACLs Applying Connection-Rate ACLs To apply a connection-rate ACL, use the access group command described below. Note that this command differs from the access group command for non-connection-rate ACLs. Syntax: [no] vlan < vid > ip access-group < crf-list-name > connection-rate-filter This command applies a connection-rate access control list (ACL) to inbound traffic on ports in the specified VLAN that are configured for connection-rate filtering.
PAGE 87
Virus Throttling Configuring and Applying Connection-Rate ACLs For more on ACE masks, refer to “How an ACE Uses a Mask To Screen Packets for Matches” on page 10-36. Example of Using an ACL in a Connection-Rate Configuration This example adds connection-rate ACLs to the basic example on page 3-13. IP Address: A B 15.45.100.7 Switch 5400zl Switch VLAN 1 Server Server Server B1 15.45.100.1 B2 VLAN 10 15.45.200.1 B3 C B9 D Switch B4 E VLAN 15 15.45.300.
PAGE 88
Virus Throttling Configuring and Applying Connection-Rate ACLs configure a connection-rate ACL that causes the switch to ignore (circumvent) connection-rate filtering for inbound traffic from the server, while maintaining the filtering for all other inbound routed traffic on port D2. The configuration steps include: 1. 2. Enters the connectionrate ACL context and names the ACL. Create the connection-rate ACL with a single entry: • Use the IP address of the desired server.
PAGE 89
Virus Throttling Configuring and Applying Connection-Rate ACLs The new switch configuration includes the ACL configured in figure 3-11. Shows the assignment of the above connection-rate ACL to VLAN 15. Figure 3-12.
PAGE 90
Virus Throttling Configuring and Applying Connection-Rate ACLs • 3-30 filter < source-criteria >: This ACE type does the opposite of an ignore entry. That is, all inbound traffic meeting the configured < sourcecriteria > must be filtered through the connection-rate policy configured for the port on which the traffic entered the switch.
PAGE 91
Virus Throttling Connection-Rate Log and Trap Messages Connection-Rate Log and Trap Messages These messages appear in the switch’s Event Log identifying the source IP address of a connection-rate filtering event. If SNMP trap receivers are configured on the switch, it also sends the messages to the designated receiver(s). Message Meaning Address not found in list of blocked hosts.
PAGE 92
Virus Throttling Connection-Rate Log and Trap Messages — This page is intentionally unused — 3-32
PAGE 93
4 Web and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . 4-5 Authenticator Operation . . . . . . . . . . . . . .
PAGE 94
Web and MAC Authentication Overview Overview Feature Default Menu CLI Web Configure Web Authentication n/a — 4-17 — Configure MAC Authentication n/a — 4-24 — Display Web Authentication Status and Configuration n/a — 4-28 — Display MAC Authentication Status and Configuration n/a — 4-36 — Web and MAC Authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized acce
PAGE 95
Web and MAC Authentication Overview password, and grants or denies network access in the same way that it does for clients capable of interactive logons. (The process does not use either a client device configuration or a logon session.) MAC authentication is wellsuited for clients that are not capable of providing interactive logons, such as telephones, printers, and wireless access points.
PAGE 96
Web and MAC Authentication Overview 4-4 ■ On a port configured for Web or MAC Authentication, the switch operates as a port-access authenticator using a RADIUS server and the CHAP protocol. Inbound traffic is processed by the switch alone, until authentication occurs. Some traffic from the switch is available to an unauthorized client (for example, broadcast or unknown destination packets) before authentication occurs.
PAGE 97
Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Authenticator Operation Before gaining access to the network clients first present their authentication credentials to the switch. The switch then verifies the supplied credentials with a RADIUS authentication server. Successfully authenticated clients receive access to the network, as defined by the System Administrator.
PAGE 98
Web and MAC Authentication How Web and MAC Authentication Operate Figure 4-2. Progress Message During Authentication If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. If specified, the client is redirected to a specific URL (redirect-url). Figure 4-3. Authentication Completed The assigned VLAN is determined, in order of priority, as follows: 1.
PAGE 99
Web and MAC Authentication How Web and MAC Authentication Operate moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authorized port take affect at the end of the session. A client may not be authenticated due to invalid credentials or a RADIUS server timeout.
PAGE 100
Web and MAC Authentication How Web and MAC Authentication Operate 4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate).
PAGE 101
Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN. Authentication Server: The entity providing an authentication service to the switch.
PAGE 102
Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ ■ Note on Port Access M a na g e m e nt • Web Authentication (with or without 802.1X) • MAC Authentication (with or without 802.1X) • MAC lockdown • MAC lockout • Port-Security Order of Precedence for Port Access Management (highest to lowest): a. MAC lockout b. MAC lockdown or Port Security c. Port-based Access Control (802.
PAGE 103
Web and MAC Authentication Operating Rules and Notes • During an authenticated client session, the following hierarchy determines a port’s VLAN membership: 1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships. 2.
PAGE 104
Web and MAC Authentication General Setup Procedure for Web/MAC Authentication ■ N o t e o n Web / MAC A u t h e n t i c a t i on and LACP Web- or MAC-based authentication and LACP cannot both be enabled on the same port. The switch does not allow Web or MAC Authentication and LACP to both be enabled at the same time on the same port. The switch automatically disables LACP on ports configured for Web or MAC Authentication.
PAGE 105
Web and MAC Authentication General Setup Procedure for Web/MAC Authentication c. If there is neither a RADIUS-assigned VLAN or an “Authorized VLAN” for an authenticated client session on a port, then the port’s VLAN membership remains unchanged during authenticated client sessions. In this case, configure the port for the VLAN in which you want it to operate during client sessions. Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID.
PAGE 106
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server ■ Configure the client device’s (hexadecimal) MAC address as both username and password. Be careful to configure the switch to use the same format that the RADIUS server uses. Otherwise, the server will deny access. The switch provides four format options: aabbccddeeff (the default format) aabbcc-ddeeff aa-bb-cc-dd-ee-ff aa:bb:cc:dd:ee:ff Note on MAC Addresses Letters in MAC addresses must be in lowercase.
PAGE 107
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Syntax: [no] radius-server [host < ip-address >] Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (Refer to “RADIUS Authentication and Accounting” on page 6-1.
PAGE 108
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server specific shared secret key of ‘1A7rd’ Figure 4-4.
PAGE 109
Web and MAC Authentication Configuring Web Authentication on the Switch Configuring Web Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authentication. If a redirect URL is not specified, web browser behavior following authentication may not be acceptable. 3.
PAGE 110
Web and MAC Authentication Configuring Web Authentication on the Switch Configure the Switch for Web-Based Authentication Command Page Configuration Level aaa port-access web-based dhcp-addr 4-18 aaa port-access web-based dhcp-lease 4-18 [no] aaa port-access web-based [e] < port-list > 4-19 [auth-vid] 4-19 [client-limit] 4-19 [client-moves] 4-19 [logoff-period] 4-20 [max-requests] 4-20 [max-retries] 4-20 [quiet-period] 4-20 [reauth-period] 4-20 [reauthenticate] 4-20 [redirect-url
PAGE 111
Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: [no] aaa port-access web-based [e] < port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable webbased authentication on the specified ports. Syntax: aaa port-access web-based [e] < port-list> [auth-vid ]] no aaa port-access web-based [e] < port-list> [auth-vid] Specifies the VLAN to use for an authorized client.
PAGE 112
Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: aaa port-access web-based [e] < port-list > [logoff-period] <60-9999999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its preauthentication state.
PAGE 113
Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: aaa port-access web-based [e] < port-list > [redirect-url ] no aaa port-access web-based [e] < port-list > [redirect-url] Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. ProCurve recommends that you provide a redirect URL when using Web Authentication.
PAGE 114
Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: aaa port-access web-based [e] < port-list > [unauth-vid ] no aaa port-access web-based [e] < port-list > [unauth-vid] Specifies the VLAN to use for a client that fails authentication. If unauth-vid is 0, no VLAN changes occur. Use the no form of the command to set the unauth-vid to 0.
PAGE 115
Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: aaa port-access controlled-directions — Continued — Notes: ■ For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, “Multiple Instance Spanning-Tree Operation” in the Advanced Traffic Management Guide.
PAGE 116
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made. 3.
PAGE 117
Web and MAC Authentication Configuring MAC Authentication on the Switch Configure the Switch for MAC-Based Authentication Command Page Configuration Level aaa port-access mac-based addr-format 4-25 [no] aaa port-access mac-based [e] < port-list > 4-25 [addr-limit] 4-26 [addr-moves] 4-26 [auth-vid] 4-26 [logoff-period] 4-26 [max-requests] 4-26 [quiet-period] 4-27 [reauth-period] 4-27 [reauthenticate] 4-27 [server-timeout] 4-27 [unauth-vid] 4-27 Syntax: aaa port-access mac-based ad
PAGE 118
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-32>] Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1) Note: On switches where MAC Auth and 802.1X can operate concurrently, this limit includes the total number of clients authenticated through both methods.
PAGE 119
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1 - 65535>] Specifies the time period, in seconds, the switch should wait before attempting an authentication request for a MAC address that failed authentication. (Default: 60 seconds) Syntax: aaa port-access mac-based [e] < port-list > [reauth-period <0 - 9999999>] Specifies the time period, in seconds, the switch enforces on a client to re-authenticate.
PAGE 120
Web and MAC Authentication Configuring MAC Authentication on the Switch Show Commands for Web-Based Authentication Command Page show port-access [port-list] web-based 4-28 [clients] 4-28 [config] 4-28 [config [auth-server]] 4-29 [config [web-server]] 4-29 show port-access port-list web-based config detail Syntax: 4-29 show port-access [port-list] web-based Shows the status of all Web-Authentication enabled ports or the specified ports.
PAGE 121
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access [port-list] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.
PAGE 122
Web and MAC Authentication Configuring MAC Authentication on the Switch ProCurve(config)# show port-access web-based config Port Access Web-Based Configuration DHCP Base Address : 192.168.0.0 DHCP Subnet Mask : 255.255.255.
PAGE 123
Web and MAC Authentication Configuring MAC Authentication Configuring MAC Authentication Configuration Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made. 3.
PAGE 124
Web and MAC Authentication Configuring MAC Authentication Syntax: aaa port-access mac-based addr-format Specifies the MAC address format to be used in the RADIUS request message. This format must match the format used to store the MAC addresses in the RADIUS server. (Default: no-delimiter) no-delimiter — specifies an aabbccddeeff format. single-dash — specifies an aabbcc-ddeeff format. multi-dash — specifies an aa-bb-cc-dd-ee-ff format.
PAGE 125
Web and MAC Authentication Configuring MAC Authentication Syntax: aaa port-access mac-based [e] < port-list > [auth-vid ] no aaa port-access mac-based [e] < port-list > [auth-vid] Specifies the VLAN to use for an authorized client. The Radius server can override the value (accept-response includes a vid). If auth-vid is 0, no VLAN changes occur unless the RADIUS server supplies one. Use the no form of the command to set the auth-vid to 0.(Default: 0).
PAGE 126
Web and MAC Authentication Configuring MAC Authentication Syntax: aaa port-access mac-based [e] < port-list > [server-timeout <1 - 300>] Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depending on the current max-requests value, the switch sends a new attempt or ends the authentication session.
PAGE 127
Web and MAC Authentication Configuring MAC Authentication Prerequisites: As implemented in 802.1X authentication, the disabling of incoming traffic and transmission of outgoing traffic on a MAC-authenticated egress port in an unauthenticated state (using the aaa port-access controlled-directions in command) is supported only if: ■ The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch.
PAGE 128
Web and MAC Authentication Configuring MAC Authentication Notes: ■ — Continued — Using the aaa port-access controlled-directions in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features: • 802.
PAGE 129
Web and MAC Authentication Configuring MAC Authentication Syntax: show port-access [port-list] mac-based [clients]] Shows the port address, MAC address, session status, and elapsed session time for attached clients on all ports or the specified ports. Ports with multiple clients have an entry for each attached client. Ports without any attached clients are not listed.
PAGE 130
Web and MAC Authentication Configuring MAC Authentication Example: Verifying a MAC Authentication Configuration The following example shows how to use the show port-access mac-based config command display the currently configured MAC authentication settings for all switch ports, including: ■ MAC address format ■ Authorized and unauthorized VLAN IDs ■ Controlled directions setting for transmitting Wake-on-LAN traffic on egress ports ProCurve(config)# show port-access mac-based config Port Access MAC-B
PAGE 131
Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Connection Possible Explanations authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires. authenticating Switch only Pending RADIUS request.
PAGE 132
Web and MAC Authentication Client Status — This page is intentionally unused — 4-40
PAGE 133
5 TACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 5-3 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 5-5 Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 134
TACACS+ Authentication Overview Overview Feature Default Menu CLI Web view the switch’s authentication configuration n/a — page 5-9 — view the switch’s TACACS+ server contact configuration n/a — page 5-10 — configure the switch’s authentication methods disabled — page 5-11 — configure the switch to contact TACACS+ server(s) disabled — page 5-15 — TACACS+ authentication enables you to use a central server to allow or deny access to the switches covered in this guide (and other TACACS
PAGE 135
TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/ write) privilege level access. TACACS+ does not affect web browser interface access.
PAGE 136
TACACS+ Authentication Terminology Used in TACACS Applications: face. (Using the menu interface you can assign a local password, but not a username.) Because this method assigns passwords to the switch instead of to individuals who access the switch, you must distribute the password information on each switch to everyone who needs to access the switch, and you must configure and manage password protection on a per-switch basis.
PAGE 137
TACACS+ Authentication General System Requirements General System Requirements To use TACACS+ authentication, you need the following: Notes ■ A TACACS+ server application installed and configured on one or more servers or management stations in your network. (There are several TACACS+ software packages available.) ■ A switch configured for TACACS+ authentication, with access to one or more TACACS+ servers.
PAGE 138
TACACS+ Authentication General Authentication Setup Procedure other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Troubleshooting chapter of the Management and Configuration Guide for your switch. 1.
PAGE 139
TACACS+ Authentication General Authentication Setup Procedure Note on Privil ege Levels When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of “15” as authorization for the Manager (read/write) privilege level access. Privilege level codes of 14 and lower result in Operator (read-only) access.
PAGE 140
TACACS+ Authentication Configuring TACACS+ on the Switch configuration in your TACACS+ server application for mis-configurations or missing data that could affect the server’s interoperation with the switch. 8. After your testing shows that Telnet access using the TACACS+ server is working properly, configure your TACACS+ server application for console access. Then test the console access.
PAGE 141
TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication 5-9 show tacacs 5-10 aaa authentication 5-11 through 5-14 console Telnet num-attempts <1-10 > tacacs-server 5-15 host < ip-addr > 5-15 key 5-19 timeout < 1-255 > 5-20 Viewing the Switch’s Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configu
PAGE 142
TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact.
PAGE 143
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied).
PAGE 144
TACACS+ Authentication Configuring TACACS+ on the Switch Table 5-1. AAA Authentication Parameters Name Default Range Function console - or telnet n/a n/a Specifies whether the command is configuring authentication for the console port or Telnet access method for the switch. enable - or login n/a n/a Specifies the privilege level for the access method being configured.
PAGE 145
TACACS+ Authentication Configuring TACACS+ on the Switch Table 5-2. Primary/Secondary Authentication Table Access Method and Privilege Level Authentication Options Console — Login Console — Enable Telnet — Login Telnet — Enable Caution Regarding the Use of Local for Login Primary Access Effect on Access Attempts Primary Secondary local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access.
PAGE 146
TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server. Secondary using Local.
PAGE 147
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these parameters: Note ■ The host IP address(es) for up to three TACACS+ servers; one firstchoice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server. ■ An optional encryption key.
PAGE 148
TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [key < key-string >] Adds a TACACS+ server and optionally assigns a server-specific encryption key. [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its serverspecific encryption key, if any). tacacs-server key Enters the optional global encryption key. [no] tacacs-server key Removes the optional global encryption key.
PAGE 149
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host [key none n/a Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, perserver encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key” on page 5-23 and the documentation provided with your TACACS+ server application.
PAGE 150
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range key none (null) n/a Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server” key.
PAGE 151
TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 5-5. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.
PAGE 152
TACACS+ Authentication How Authentication Operates To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs-server host 10.28.227.104 Note The show tacacs command lists the global encryption key, if configured.
PAGE 153
TACACS+ Authentication How Authentication Operates Using figure 5-6, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: 1. The switch queries the first-choice TACACS+ server for authentication of the request. • If the switch does not receive a response from the first-choice TACACS+ server, it attempts to query a secondary server.
PAGE 154
TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists: ■ “Local” is the authentication option for the access method being used. ■ TACACS+ is the primary authentication mode for the access method being used.
PAGE 155
TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”) helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.
PAGE 156
TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.
PAGE 157
TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application.
PAGE 158
TACACS+ Authentication Operating Notes 5-26 ■ When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not accessible— setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthorized persons.
PAGE 159
6 RADIUS Authentication and Accounting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4 RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . .
PAGE 160
RADIUS Authentication and Accounting Contents Example Configuration on Cisco Secure ACS for MS Windows 6-28 Example Configuration Using FreeRADIUS . . . . . . . . . . . . . . . . . 6-30 Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-32 Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 6-33 Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 6-34 1. Configure the Switch To Access a RADIUS Server . . .
PAGE 161
RADIUS Authentication and Accounting Overview Overview Feature Default Menu CLI Web Configuring RADIUS Authentication None n/a 6-8 n/a Configuring RADIUS Accounting None n/a 6-32 n/a Configuring RADIUS Authorization None n/a 6-24 n/a n/a n/a 6-40 n/a Viewing RADIUS Statistics RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server
PAGE 162
RADIUS Authentication and Accounting Overview Note The switch does not support RADIUS security for SNMP (network management) access. For information on blocking access through the web browser interface, refer to “Controlling Web Browser Interface Access” on page 6-23. Accounting Services RADIUS accounting on the switch collects resource consumption data and forwards it to the RADIUS server. This data can be used for trend analysis, capacity planning, billing, auditing, and cost analysis.
PAGE 163
RADIUS Authentication and Accounting Terminology Terminology AAA: Authentication, Authorization, and Accounting groups of services provided by the carrying protocol. CHAP (Challenge-Handshake Authentication Protocol): A challengeresponse authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a challenge from a RADIUS server. CoS (Class of Service): Support for priority handling of packets traversing the switch, based on the IEEE 802.
PAGE 164
RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Vendor-Specific Attribute: A vendor-defined value configured in a RADIUS server to specific an optional switch feature assigned by the server during an authenticated client session. Switch Operating Rules for RADIUS ■ ■ ■ ■ ■ ■ ■ 6-6 You must have at least one RADIUS server accessible to the switch. The switch supports authentication and accounting using up to three RADIUS servers.
PAGE 165
RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring the switch, collect the information outlined below. Table 6-1. Preparation for Configuring RADIUS on the Switch • Determine the access methods (console, Telnet, Port-Access (802.
PAGE 166
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.) • Determine whether you want to bypass a RADIUS server that fails to respond to requests for service.
PAGE 167
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following • Serial port • Telnet • SSH • Port-Access (802.1X) • Web browser interface 2.
PAGE 168
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Timeout Period: The timeout period the switch waits for a RADIUS server to reply. (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS authentication request. (Default: 3; range of 1 to 5.
PAGE 169
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius (or tacacs) for primary authentication, you must configure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail.
PAGE 170
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Enable the (Optional) Access Privilege Option In the default RADIUS operation, the switch automatically admits any authenticated client to the Login (Operator) privilege level, even if the RADIUS server specifies Enable (Manager) access for that client. Thus, an authenticated user authorized for the Manager privilege level must authenticate again to change privilege levels.
PAGE 171
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication — Continued from the preceding page. — The no form of the command returns the switch to the default RADIUS authentication operation. The default behavior for most interfaces is that a client authorized by the RADIUS server for Enable (Manager) access will be prompted twice, once for Login (Operator) access and once for Enable access.
PAGE 172
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication [acct-port < port-number >] Optional. Changes the UDP destination port for accounting requests to the specified RADIUS server. If you do not use this option with the radius-server host command, the switch automatically assigns the default accounting port number. The acct-port number must match its server counterpart.(Default: 1813) [key < key-string >] Optional.
PAGE 173
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 6-3. Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 6-3, you would do the following: Changes the key for the existing server to “source0127” (step 1, above). Adds the new RADIUS server with its required “source0119” key. Lists the switch’s new RADIUS server configuration. Compare this with Figure 6-4.
PAGE 174
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication ■ Global server key: The server key the switch will use for contacts with all RADIUS servers for which there is not a server-specific key configured by radius-server host < ip-address > key < key-string >. This key is optional if you configure a server-specific key for each RADIUS server entered in the switch. (Refer to “3. Configure the Switch To Access a RADIUS Server” on page 6-13.
PAGE 175
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server retransmit < 1 - 5 > If a RADIUS server fails to respond to an authentication request, specifies how many retries to attempt before closing the session. Default: 3; Range: 1 - 5) Note Where the switch has multiple RADIUS servers configured to support authentication requests, if the first server fails to respond, then the switch tries the next server in the list, and so-on.
PAGE 176
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in this guide. After two attempts failing due to username or password entry errors, the switch will terminate the session. Global RADIUS parameters from figure 6-5. Server-specific encryption key for the RADIUS server that will not use the global encryption key. These two servers will use the global encryption key. Figure 6-6.
PAGE 177
RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features Using SNMP To View and Configure Switch Authentication Features Beginning with software release K.12.xx, SNMP MIB object access is available for switch authentication configuration (hpSwitchAuth) features.
PAGE 178
RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features 2c access. (Refer to “Switch Access Security” on page 1-3.) Changing and Viewing the SNMP Access Configuration Syntax: snmp-server mib hpswitchauthmib < excluded | included > included: Enables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB.
PAGE 179
RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features Figure 6-7. Disabling SNMP Access to the Authentication MIB and Displaying the Result An alternate method of determining the current Authentication MIB access state is to use the show run command. ProCurve(config)# show run Running configuration: ; J8697A Configuration Editor; Created on release #K.12.01 hostname "ProCurve" snmp-server mib hpSwitchAuthMIB excluded ip default-gateway 10.10.24.
PAGE 180
RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: ■ Local is the authentication option for the access method being used. ■ The switch has been configured to query one or more RADIUS servers for a primary authentication request, but has not received a response, and Local is the configured secondary option.
PAGE 181
RADIUS Authentication and Accounting Controlling Web Browser Interface Access Controlling Web Browser Interface Access To help prevent unauthorized access through the web browser interface, do one or more of the following: ■ Configure the switch to support RADIUS authentication for web browser interface access (Web Authentication, Chapter 7).
PAGE 182
RADIUS Authentication and Accounting Configuring RADIUS Authorization Configuring RADIUS Authorization Overview You can limit the services for a user by enabling AAA RADIUS authorization. The NAS uses the information set up on the RADIUS server to control the user’s access to CLI commands. The RADIUS protocol combines user authentication and authorization steps into one phase.
PAGE 183
RADIUS Authentication and Accounting Configuring RADIUS Authorization Enabling Authorization with the CLI To configure authorization for controlling access to the CLI commands, enter this command. Syntax: [no] aaa authorization Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed.
PAGE 184
RADIUS Authentication and Accounting Configuring RADIUS Authorization Showing Authorization Information You can show the authorization information by entering this command: Syntax: show authorization Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed. An example of the output is shown.
PAGE 185
RADIUS Authentication and Accounting Configuring RADIUS Authorization The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below. HP-Command-String HP-Command-Exception Description Not present Not present If command authorization is enabled and the RADIUS server does not provide any authorization attributes in an Access-Accept packet, the user is denied access to the server.
PAGE 186
RADIUS Authentication and Accounting Configuring RADIUS Authorization Example Configuration on Cisco Secure ACS for MS Windows It is necessary to create a dictionary file that defines the VSAs so that the RADIUS server application can determine which VSAs to add to its user interface. The VSAs will appear below the standard attributes that can be configured in the application. The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps. 1.
PAGE 187
RADIUS Authentication and Accounting Configuring RADIUS Authorization Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList 2. Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). 3. From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils> csutil -addudv 0 hp.ini The zero (0) is the slot number.
PAGE 188
RADIUS Authentication and Accounting Configuring RADIUS Authorization 6. Right click and then select New > key. Add the vendor Id number that you determined in step 4 (100 in the example). 7. Restart all Cisco services. 8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry.
PAGE 189
RADIUS Authentication and Accounting Configuring RADIUS Authorization # # # # # # # dictionary.hp As posted to the list by User Version: $Id: dictionary.hp, v 1.0 2006/02/23 17:07:07 VENDOR Hp 11 # HP Extensions ATTRIBUTE ATTRIBUTE Hp-Command-String Hp-Command-Exception 2 3 string integer Hp Hp # Hp-Command-Exception Attribute Values VALUE VALUE Hp-Command-Exception Hp-Command-Exception Permit-List Deny-List 0 1 2.
PAGE 190
RADIUS Authentication and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting Note RADIUS Accounting Commands Page [no] radius-server host < ip-address > 6-35 [acct-port < port-number >] 6-35 [key < key-string >] 6-35 [no] aaa accounting < exec | network | system | commands> < start-stop | stop-only> radius 6-38 [no] aaa accounting update periodic < 1 - 525600 > (in minutes) 6-38 [no] aaa accounting suppress null-username 6-38 show accounting 6-43 show accounting sessio
PAGE 191
RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Exec accounting: Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch: • • • • ■ • • • • Acct-Delay-Time Acct-Session-Time Username Service-Type • NAS-IP-Address • NAS-Identifier • Calling-Station-Id System accounting: Provides records containing the information listed below when system events occur on the switch, including system reset, system boot, and enabling or disab
PAGE 192
RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ If access to a RADIUS server fails during a session, but after the client has been authenticated, the switch continues to assume the server is available to receive accounting data. Thus, if server access fails during a session, it will not receive accounting data transmitted from the switch. Steps for Configuring RADIUS Accounting 1. Configure the switch for accessing a RADIUS server.
PAGE 193
RADIUS Authentication and Accounting Configuring RADIUS Accounting 1. Configure the Switch To Access a RADIUS Server Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 6-13. You need to repeat this step here only if you have not yet configured the switch to use a RADIUS server, your server data has changed, or you need to specify a non-default UDP destination port for accounting requests.
PAGE 194
RADIUS Authentication and Accounting Configuring RADIUS Accounting For example, suppose you want to the switch to use the RADIUS server described below for both authentication and accounting purposes. ■ IP address: 10.33.18.151 ■ A non-default UDP port number of 1750 for accounting.
PAGE 195
RADIUS Authentication and Accounting Configuring RADIUS Accounting Note that there is no time span associated with using the system option. It simply causes the switch to transmit whatever accounting data it currently has when one of the above events occurs. ■ Network: Use Network if you want to collect accounting information on 802.1X port-based-access users connected to the physical ports on the switch to access the network. (See also “Accounting Services” on page 4.
PAGE 196
RADIUS Authentication and Accounting Configuring RADIUS Accounting For example, to configure RADIUS accounting on the switch with start-stop for exec functions and stop-only for system functions: Configures exec and system accounting and controls. Summarizes the switch’s accounting configuration. Exec and System accounting are active. (Assumes the switch is configured to access a reachable Figure 6-11. Example of Configuring Accounting Types 3.
PAGE 197
RADIUS Authentication and Accounting Configuring RADIUS Accounting To continue the example in figure 6-11, suppose that you wanted the switch to: ■ Send updates every 10 minutes on in-progress accounting sessions. ■ Block accounting for unknown users (no username). Update Period Suppress Unknown User Figure 6-12.
PAGE 198
RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which. requires prior use of the radius-server host command. (See “Configuring RADIUS Accounting” on page 6-32.) Figure 6-13.
PAGE 199
RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 6-14. RADIUS Server Information From the Show Radius Host Command Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the AccountingRequest that matched it from this RADIUS accounting server. PendingRequests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
PAGE 200
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Syntax: show authentication Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session. show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.
PAGE 201
RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 6-16. Example of RADIUS Authentication Information from a Specific Server RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppression status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) configured in the switch (using the radius-server host command).
PAGE 202
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 6-18. Example of RADIUS Accounting Information for a Specific Server Figure 6-19. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.
PAGE 203
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order RADIUS server IP addresses listed in the order in which the switch will try to access them. In this case, the server at IP address 1.1.1.1 is first. Note: If the switch successfully accesses the first server, it does not try to access any other servers in the list, even if the client is denied access by the first server. Figure 6-20.
PAGE 204
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Removes the “003” and “001” addresses from the RADIUS server list. Inserts the “003” address in the first position in the RADIUS server list, and inserts the “001” address in the last position in the list. Shows the new order in which the switch searches for a RADIUS server. Figure 6-21.
PAGE 205
RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is accessible, then verify that the switch is using the correct encryption key and that the server is correctly configured to receive an authentication request from the switch.
PAGE 206
RADIUS Authentication and Accounting Messages Related to RADIUS Operation — This page is intentionally unused — 6-48
PAGE 207
7 Configuring RADIUS Server Support for Switch Services Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services . . . . . . . . . . . . . . . . . . . . . . . 7-3 Viewing the Currently Active Per-Port CoS and Rate-Limiting Configuration Specified by a RADIUS Server . . . . . . . . . . . . . . . . . . . .
PAGE 208
Configuring RADIUS Server Support for Switch Services Overview Overview This chapter provides information that applies to setting up a RADIUS server to configure the following switch features on ports supporting RADIUSauthenticated clients: ■ CoS ■ Rate-Limiting ■ ACLS Optional Network Management Applications. Per-port CoS and ratelimiting assignments through a RADIUS server are also supported in the ProCurve Manager (PCM) application.
PAGE 209
Configuring RADIUS Server Support for Switch Services Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services This section provides general guidelines for configuring a RADIUS server to dynamically apply CoS (Class of Service) and Rate-Limiting for inbound traffic on ports supporting authenticated clients.
PAGE 210
Configuring RADIUS Server Support for Switch Services Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services Service Control Method and Operating Notes: Rate-Limiting on inbound traffic This feature assigns a bandwidth limit to all inbound packets received on a port supporting an authenticated client. Vendor-Specific Attribute configured in the RADIUS server.
PAGE 211
Configuring RADIUS Server Support for Switch Services Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services Syntax: show port-access authenticator [ port-list ] show rate-limit all show qos port-priority These commands display the CoS and Rate-Limiting settings specified by the RADIUS server used to grant authentication for a given client on a given port.
PAGE 212
Configuring RADIUS Server Support for Switch Services Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services ProCurve(config)# show rate-limit all Inbound Rate Limit Maximum % Port ----B1 B2 B3 . . . | + | | | | | | Limit -------50 Disabled Disabled . . . Radius Override --------------80 No-override No-override . . . The 50 in the Limit field indicates that the most recent rate-limit configured in the switch for this port is 50% of the port’s available bandwidth.
PAGE 213
Configuring RADIUS Server Support for Switch Services Configuring the RADIUS Server for Per-Port CoS and Rate-Limiting Services Note Where multiple clients are currently authenticated on a given port where inbound CoS and Rate-Limiting values have been imposed by a RADIUS server, the port operates with the inbound CoS priority and rate-limit assigned by RADIUS for the most recently authenticated client.
PAGE 214
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuring and Using RADIUS-Assigned Access Control Lists Introduction A RADIUS-assigned ACL is a dynamic port ACL configured on a RADIUS server and assigned by the server to filter traffic entering the switch through a specific port from an authenticated client. Note that client authentication can be enhanced by using ProCurve Manager with the optional IDM application.
PAGE 215
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists • RACL: an ACL assigned to filter routed traffic entering or leaving the switch on a VLAN. (Separate assignments are required for inbound and outbound traffic.
PAGE 216
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists by other ACEs configured sequentially earlier in the ACL. Unless otherwise noted, “implicit deny IP any” refers to the “deny” action enforced by both standard and extended ACLs. Inbound Traffic: For the purpose of defining where the switch applies ACLs to filter traffic, inbound traffic is any IP packet that enters the switch from a given client on a given port.
PAGE 217
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Overview of RADIUS-Assigned, Dynamic Port ACLs Dynamic port ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources and to the switch management interface.
PAGE 218
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note A dynamic port ACL can be applied to a port regardless of whether IP traffic on the port is already being filtered by a static port ACL and/or any VLANbased ACLs configured on the switch. For more information, refer to “Multiple ACLs on an Interface” on page 10-20.
PAGE 219
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Contrasting Dynamic and Static ACLs Table 7-1, below, highlights several key differences between the static ACLs configurable on switch VLANs and ports, and the dynamic port ACLs that can be assigned to individual ports by a RADIUS server. Table 7-1. Contrasting Dynamic and Static ACLs Dynamic Port ACLs Static Port and VLAN ACLs Configured in client accounts on a RADIUS server.
PAGE 220
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Dynamic Port ACLs Static Port and VLAN ACLs A given dynamic port ACL filters only the IP traffic entering the switch from the authenticated client corresponding to that ACL, and does not filter IP traffic inbound from other authenticated clients.(The traffic source is not a configurable setting.
PAGE 221
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists How a RADIUS Server Applies a Dynamic Port ACL to a Switch Port A dynamic port ACL configured on a RADIUS server is identified and invoked by the unique credentials (username/password pair or a client MAC address) of the specific client the ACL is designed to service.
PAGE 222
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists General ACL Features, Planning, and Configuration These steps suggest a process for using dynamic port ACLs to establish access policies for client IP traffic. 1. Determine the polices you want to enforce for authenticated client traffic inbound on the switch. 2.
PAGE 223
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note If a dynamic port ACL permits an authenticated client’s inbound IP packet, but the client port is also configured with a static port ACL and/or belongs to a VLAN for which there is an inbound, VLAN-based ACL configured on the switch, then the packet will also be filtered by these other ACLs. If there is a match with a deny ACE in any of these ACLs, the switch drops the packet.
PAGE 224
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists was also configured on VLAN “Y”, then a deny match in the RACL would apply as well to any inbound, routed traffic from the client (and to any inbound, switched traffic having a destination on the switch itself). (If an outbound RACL was also configured on VLAN “Y”, then any outbound, routed IP traffic leaving the switch through the subject port would be filtered by the outbound RACL as well.
PAGE 225
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists (Note that the “string” value and the “Setting” specifier are identical.) ■ ACL configuration, including: • one or more explicit “permit” and/or “deny” ACEs created by the system operator • implicit deny any any ACE automatically active after the last operatorcreated ACE Example of Configuring a Dynamic Port ACL Using the FreeRADIUS Application.
PAGE 226
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists automatically includes an implicit deny in ip from any to any ACE.
PAGE 227
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Any instance of a dynamic port ACL is structured to filter authenticated client traffic as follows: ■ Applies only to inbound client traffic on the switch port the authenticated client is using. ■ Allows only the “any” source address (for any authenticated IP device connected to the port).
PAGE 228
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists from any: Required keywords specifying the (authenticated) client source. (Note that a dynamic port ACL assigned to a port filters only the inbound traffic having a source MAC address that matches the MAC address of the client whose authentication invoked the ACL assignment.) to: Required destination keyword. < ip-addr >: Specifies a single destination IP address.
PAGE 229
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists are not explicitly denied, you must configure permit in ip from any to any as the last explicit ACE in the ACL. This pre-empts the implicit deny in ip from any to any ACE and permits packets not explicitly permitted or denied by earlier ACEs in the list.
PAGE 230
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuring the Switch To Support Dynamic Port ACLs An ACL configured in a RADIUS server is identified by the authentication credentials of the client or group of clients the ACL is designed to support. When a client authenticates with credentials associated with a particular ACL, the switch applies that ACL to the switch port the client is using.
PAGE 231
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists MAC Authentication Option: Syntax: aaa port-access mac-based < port-list > This command configures MAC authentication on the switch and activates this feature on the specified ports. For more on MAC authentication, refer to chapter 4, “Web and MAC Authentication”.
PAGE 232
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Indicates MAC address identity of the authenticated client on the specified port. This data identifies the client to which the ACL applies. Lists “deny” ACE for Inbound Telnet (23 = TCP port number) traffic, with counter configured to show the number of matches detected. Lists current counter for the preceding “Deny” ACE.
PAGE 233
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Syntax: show port-access authenticator < port-list > For ports, in < port-list > that are configured for authentication, this command indicates whether there are any RADIUS-assigned features active on the port(s). (Any ports in < port-list > that are not configured for authentication do not appear in this listing.) Port: Port number of port configured for authentication.
PAGE 234
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Figure 7-8. Example of Output Showing Current RADIUS-Applied Features Event Log Messages Message Meaning ACE parsing error, permit/deny keyword < ace-# > client < mac-address > port < port-# >. Notifies of a problem with the permit/deny keyword in the indicated ACE included in the access list for the indicated client on the indicated switch port. Could not add ACL entry.
PAGE 235
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Message Meaning ACE parsing error, destination IP, < ace-# > client < mac-address > port < port-# >. Notifies of a problem with the destination IP field in the indicated ACE of the access list for the indicated client on the indicated switch port. ACE parsing error, tcp/udp ports, < ace-# > client < mac-address > port < port-# >.
PAGE 236
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists subscribed, new RADIUS-based sessions using dynamic port ACLs cannot be authenticated until the necessary resources are released from other applications. For information on determining the current resource availability and usage, refer to the appendix titled “Monitoring Resources” in the Management and Configuration Guide for your switch.
PAGE 237
8 Configuring Secure Shell (SSH) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 238
Configuring Secure Shell (SSH) Overview Overview Feature Generating a public/private key pair on the switch Using the switch’s public key Default Menu CLI Web No n/a page 8-10 n/a n/a n/a page 8-12 n/a Enabling SSH Disabled n/a page 8-15 n/a Enabling client public-key authentication Disabled n/a pages 8-19, 8-22 n/a Enabling user authentication Disabled n/a page 8-18 n/a The switches covered in this guide use Secure Shell version 2 (SSHv2) to provide remote access to management
PAGE 239
Configuring Secure Shell (SSH) Terminology Note SSH in ProCurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit www.openssh.com. Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication shown in figure 8-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key. As in figure 8-1, the switch authenticates itself to SSH clients.
PAGE 240
Configuring Secure Shell (SSH) Terminology 8-4 ■ PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted client public-key that has been encoded for portability and efficiency. SSHv2 client public-keys are typically stored in the PEM format. See figure 8-3 for an example of PEM-encoded ASCII keys. ■ Private Key: An internally generated key used in the authentication process. A private key generated by the switch is not accessible for viewing or copying.
PAGE 241
Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 8-2), then the client program must have the capability to generate or import keys.
PAGE 242
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 8-1.
PAGE 243
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 8-9). 2. Generate a public/private key pair on the switch (page 8-10). You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. (You can remove or replace this key pair, if necessary.) 3.
PAGE 244
Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes 8-8 ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 keys client key pairs. ■ The switch’s own public/private key pair and the (optional) client public key file are stored in the switch’s flash memory and are not affected by reboots or the erase startup-config command.
PAGE 245
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 8-17 show crypto client-public-key [] [keylist-str] [< babble | fingerprint>] 8-25 show crypto host-public-key [< babble | fingerprint >] 8-14 show authentication 8-21 crypto key < generate | zeroize > ssh [rsa] 8-11 ip ssh 8-16 port < 1 - 65535|default > 8-17 timeout < 5 - 120 > 8-17 aaa authentication s
PAGE 246
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 8-4. Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.
PAGE 247
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be “permanent”; that is, avoid re-generating the key pair without a compelling reason.
PAGE 248
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch Version 1 and Version 2 views of same host public key Figure 8-5. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key' displays it in two different formats because your client may store it in either of these formats after learning the key.
PAGE 249
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below.
PAGE 250
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Inserted IP Address Bit Size Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Exponent Modulus Figure 8-8. Example of a Switch Public Key Edited To Include the Switch’s IP Address For more on this topic, refer to the documentation provided with your SSH client application.
PAGE 251
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 8-9. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 8-9 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host” file. The switch has only one RSA host key.
PAGE 252
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if the switch’s public key has not been copied into the client, then the client’s first connection to the switch will question the connection and, for security reasons, provide the option of accepting or refusing.
PAGE 253
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation ■ Zeroize the switch’s existing key pair. (page 8-11). Syntax: [no] ip ssh Enables or disables SSH on the switch. [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 8-17. [timeout < 5 - 120 >] The SSH login timeout value (default: 120 seconds). The ip ssh key-size command affects only a per-session, internal server key the switch creates, uses, and discards.
PAGE 254
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you. SSH does not protect the switch from unauthorized access via the web interface, Telnet, SNMP, or the serial port.
PAGE 255
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< local | none >] Configures a password method for the primary and secondary login (Operator) access. If you do not specify an optional secondary method, it defaults to none. If the primary method is local, the secondary method must be none.
PAGE 256
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configures the switch to authenticate a client public-key at the login level with an optional secondary password method (default: none). Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none > Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none.
PAGE 257
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 8-12 shows how to check the results of the above commands. Lists the current SSH authentication configuration. Client Key Index Number Shows the contents of the public key file downloaded with the copy tftp command in figure 8-11. In this example, the file contains two client public-keys. Figure 8-12. SSH Configuration and Client-Public-Key Listing From Figure 8-11 6.
PAGE 258
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Configuring the Switch for SSH Authentication” on page 8-18 lists the steps for configuring SSH authentication on the switch. However, if you are new to SSH or need more details on client public-key authentication, this section may be helpful.
PAGE 259
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 3. If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. 4. If there is a match, the switch: a. Generates a random sequence of bytes. b. Uses the client’s public key to encrypt this sequence. c. Send these encrypted bytes to the client. 5.
PAGE 260
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Notes Comments in public key files, such as smith@support.cairns.com in figure 8-13, may appear in a SSH client application’s generated public key. While such comments may help to distinguish one key from another, they do not pose any restriction on the use of a key by multiple clients and/or users.
PAGE 261
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Note on Public K e ys The actual content of a public key entry in a public key file is determined by the SSH client application generating the key. (Although you can manually add or edit any comments the client application adds to the end of the key, such as the smith@support.cairns.com at the end of the key in figure 8-13 on page 8-23.
PAGE 262
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication For example, if you wanted to copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents: Key Index Number Figure 8-14. Example of Copying and Displaying a Client Public-Key File Containing Two Different Client Public Keys for the Same Client Replacing or Clearing the Public Key File.
PAGE 263
Configuring Secure Shell (SSH) Messages Related to SSH Operation Allows SSH client access only if the switch detects a match between the client’s public key and an entry in the clientpublic-key file most recently copied into the switch. Caution To enable client public-key authentication to block SSH clients whose public keys are not in the client-public-key file copied into the switch, you must configure the Login Secondary as none.
PAGE 264
Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning Download failed: overlength key in key file. The public key file you are trying to download has one of the following problems: • A key in the file is too long. The maximum key length is 1024 characters, including spaces. This could also mean that two or more keys are merged together instead of being separated by a . • There are more than ten public keys in the key file and switch total.
PAGE 265
9 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Steps for Configuring and Using SSL for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 266
Configuring Secure Socket Layer (SSL) Overview Overview Feature Generating a Self Signed Certificate on the switch Generating a Certificate Request on the switch Enabling SSL Default Menu CLI Web No n/a page 9-9 page 9-13 No n/a n/a page 9-15 Disabled n/a page 9-17 page 9-19 The switches covered in this guide use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security(TLSv1) to provide remote web access to the switches via encrypted paths between the switch and manag
PAGE 267
Configuring Secure Socket Layer (SSL) Terminology 1. Switch-to-Client SSL Cert. ProCurve Switch SSL Client Browser 2. User-to-Switch (login password and enable password authentication) options: – Local – TACACS+ – RADIUS (SSL Server) Figure 9-1.
PAGE 268
Configuring Secure Socket Layer (SSL) Terminology 9-4 ■ Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-Signed Certificates) and used later on to verify that authenticity of those signed certificates. Trusted certificates are distributed as an integral part of most popular web clients. (see browser documentation for which root certificates are pre-installed). ■ Manager Level: Manager privileges on the switch.
PAGE 269
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the computer(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include: A. Client Preparation 1.
PAGE 270
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes 9-6 ■ Once you generate a certificate on the switch you should avoid regenerating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all management stations (clients) you previously set up for SSL access to the switch. In some situations this can temporarily allow security breaches.
PAGE 271
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl page 9-19 show config page 9-19 show crypto host-cert page 9-12 crypto key generate cert [rsa] <512 | 768 |1024> page 9-10 zeroize cert page 9-10 crypto host-cert generate self-signed [arg-list] page 9-10 zeroize page 9-10 1.
PAGE 272
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface, refer to the chapter titled “Using the ProCurve Web Browser Interface” in the Management and Configuration Guide for your switch. Security Tab Password Button Figure 9-2. Example of Configuring Local Passwords 1.
PAGE 273
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’s Server Host Certificate You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch.
PAGE 274
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the CLI Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate automatically disables SSL. CLI commands used to generate a Server Host Certificate.
PAGE 275
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on certificate fields. There are a number arguments used in the generation of a server certificate. table 9-1, “Certificate Field Descriptions” describes these arguments. Table 9-1. Certificate Field Descriptions Field Name Description Valid Start Date This should be the date you desire to begin using the SSL functionality.
PAGE 276
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Notes “Zeroizing” the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation. CLI Command to view host certificates.
PAGE 277
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a Self-Signed Host Certificate with the Web browser interface You can configure SSL from the web browser interface. For more information on how to access the web browser interface refer to the chapter titled “Using the ProCurve Web Browser Interface” in the Management and Configuration Guide for your switch. To generate a self signed host certificate from the web browser interface: i.
PAGE 278
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers interface: Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments Figure 9-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface: 9-14 1. Proceed to the Security tab 2.
PAGE 279
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 9-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web browser interface To install a CA-Signed server host certificate from the web browser interface.
PAGE 280
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.
PAGE 281
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMB
PAGE 282
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generating the Switch’s Server Host Certificate” on page 9-9.
PAGE 283
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443). Important: See “Note on Port Number” on page 9-20. show config Shows status of the SSL server. When enabled webmanagement ssl will be present in the config list. To enable SSL on the switch 1.
PAGE 284
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and port number Selection Figure 9-8. Using the web browser interface to enable SSL and select TCP port number Note on Port Number ProCurve recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to specify any TCP port for SSL connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http).
PAGE 285
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 9-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host certificate. (Refer to “Generate a SelfSigned Host Certificate with the Web browser interface” on page 9-13.) You may be using a reserved TCP port.
PAGE 286
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup — This page is intentionally unused — 9-22
PAGE 287
10 Access Control Lists (ACLs) Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Overview of Options for Applying ACLs on the Switch . . . . . . . . . 10-5 Static ACLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 Dynamic Port ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 288
Access Control Lists (ACLs) Contents Configuring and Assigning an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-41 General Steps for Implementing ACLs . . . . . . . . . . . . . . . . . . . . 10-41 Options for Permit/Deny Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-42 ACL Configuration Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 289
Access Control Lists (ACLs) Contents Attaching a Remark to an ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-92 Operating Notes for Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-95 Displaying ACL Configuration Data . . . . . . . . . . . . . . . . . . . . . . . . . . 10-96 Display an ACL Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-97 Display the Content of All ACLs on the Switch . . . . . . . . . . . . . . . . .
PAGE 290
Access Control Lists (ACLs) Introduction Introduction An Access Control List (ACL) is a list of one or more Access Control Entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch’s interfaces. This chapter describes how to configure, apply, and edit ACLs in a network populated with the switches covered by this guide, and how to monitor ACL actions. .
PAGE 291
Access Control Lists (ACLs) Overview of Options for Applying ACLs on the Switch Overview of Options for Applying ACLs on the Switch To apply ACL filtering, assign a configured ACL to the interface on which you want the IP traffic filtering to occur. VLAN and routed IP traffic ACLs can be applied statically using the switch configuration. Port traffic ACLs can be applied either statically or dynamically (using a RADIUS server). Static ACLS Static ACLs are configured on the switch.
PAGE 292
Access Control Lists (ACLs) Overview of Options for Applying ACLs on the Switch Note This chapter describes the ACL applications you can statically configure on the switch. For information on dynamic port ACLs assigned by a RADIUS server, refer to the chapter 7, “Configuring RADIUS Server Support for Switch Services”. Table 10-1.
PAGE 293
Access Control Lists (ACLs) Overview of Options for Applying ACLs on the Switch Delete a Standard ACL ProCurve(config)# no ip access-list standard < name-str | 1-99 > 10-85 For numbered, standard ACLs, the following command can be substituted for the above: ProCurve(config)# access-list < 1 - 99 > remark < remark-str > 1 The mask can be in either dotted-decimal notation (such as 0.0.15.255) or CIDR notation (such as /20).
PAGE 294
Access Control Lists (ACLs) Overview of Options for Applying ACLs on the Switch Table 10-2.
PAGE 295
Access Control Lists (ACLs) Overview of Options for Applying ACLs on the Switch Action Enter or Remove a Remark Command(s) ProCurve(config)# ip access-list extended < name-str | 100-199 > ProCurve(config-ext-nacl)# [ remark < remark-str > | no remark ] Page 10-92 10-94 For numbered, extended ACLs only, the following remark commands can be substituted for the above: ProCurve(config)# access-list < 100 - 199 > remark < remark-str > ProCurve(config)# [no] access-list < 100 - 199 > remark Delete an Extended
PAGE 296
Access Control Lists (ACLs) Terminology Terminology Access Control Entry (ACE): A policy consisting of criteria and an action (permit or deny) to execute on a packet if it meets the criteria.
PAGE 297
Access Control Lists (ACLs) Terminology ACL: See “Access Control List”. ACL ID: A number or alphanumeric string used to identify an ACL. A standard ACL ID can have either an alphanumeric string or a number in the range of 1 to 99. An extended ACL ID can have either an alphanumeric string or a number in the range of 100 to 199. See also “Identifier”. Note: RADIUS-assigned ACLs are identified by client authentication data and do not use the ACL ID strings described here.
PAGE 298
Access Control Lists (ACLs) Terminology identifier: The term used in ACL syntax statements to represent either the name or number by which the ACL can be accessed. See also name-str. Note: RADIUS-assigned ACLs are identified by client authentication data and do not use the identifiers described in this chapter.
PAGE 299
Access Control Lists (ACLs) Terminology Named ACL: An ACL created with the ip access-list < extended | standard > < name-str > command and then populated using the < deny | permit > command in the Named ACL (nacl) CLI context. (Refer to “Entering the “Named ACL” (nacl) Context” on page 10-53.) Numbered ACL: An ACL created and initially populated by using the accesslist < 1-99 | 100 - 199 > command. (Refer to “Creating or Adding to a Standard, Numbered ACL” on page 10-57.
PAGE 300
Access Control Lists (ACLs) Terminology seq-#: The term used in ACL syntax statements to represent the sequence number variable used to insert an ACE within an existing list. The range allowed for sequence numbers is 1 - 2147483647. Standard ACL: This type of access control list uses the layer-3 IP criteria of source IP address to determine whether there is a match with an IP packet.
PAGE 301
Access Control Lists (ACLs) Overview Overview Types of IP ACLs A permit or deny policy for IP traffic you want to filter can be based on source IP address alone, or on source IP address plus other IP factors. Standard ACL: Use a standard ACL when you need to permit or deny IP traffic based on source IP address only. Standard ACLs are also useful when you need to quickly control a performance problem by limiting IP traffic from a subnet, group of devices, or a single device.
PAGE 302
Access Control Lists (ACLs) Overview • outbound traffic generated by the switch itself. ■ VLAN ACL (VACL): on a VLAN configured with a VACL, any inbound IP traffic, regardless of whether it is switched or routed. On a multinetted VLAN, this includes all inbound IP traffic from any subnet. ■ Static port ACL: any inbound IP traffic on that port.
PAGE 303
Access Control Lists (ACLs) Overview The subnet mask for this example is 255.255.255.0. Switch with IP Routing Enabled 10.28.10.5 VLAN 1 10.28.10.1 (One Subnet) VLAN 2 10.28.20.1 (One Subnet) VLAN 3 10.28.40.1 10.28.30.1 (Multiple Subnets) 10.28.30.33 10.28.40.17 10.28.20.99 An ACL assigned to screen routed, inbound IP traffic on VLAN 1 screens only the routed IP traffic arriving from the 10.28.10.0 network. Screening routed IP traffic inbound from the 10.28.20.
PAGE 304
Access Control Lists (ACLs) Overview VACL Applications VACLs filter any IP traffic entering the switch on a VLAN configured with the “VLAN” ACL option. vlan < vid > ip access-group < identifier > vlan For example, in figure 10-2, you would assign a VACL to VLAN 2 to filter all inbound switched or routed IP traffic received from clients on the 10.28.20.0 network. In this instance, routed IP traffic received on VLAN 2 from VLANs 1 or 3 would not be filtered by the VACL on VLAN 2.
PAGE 305
Access Control Lists (ACLs) Overview Static Port ACL and Dynamic Port ACL Applications ■ Static Port ACL: filters any IP traffic inbound on the designated port, regardless of whether it is switched or routed. ■ Dynamic (RADIUS-assigned) Port ACL: filters IP traffic inbound from the client whose authentication resulted in the ACL assignment to the designated port. For example, client “A” connects to a given port and is authenticated by a RADIUS server.
PAGE 306
Access Control Lists (ACLs) Overview 802.1X User-Based and Port-Based Applications. User-Based 802.1X access control allows up to 32 individually authenticated clients on a given port. However, port-based access control does not set a client limit, and requires only one authenticated client to open a given port (and is recommended for applications where only one client at a time can connect to the port). ■ If you configure 802.
PAGE 307
Access Control Lists (ACLs) Overview ■ Note One inbound and one outbound RACL filtering routed IP traffic moving through the port for VLAN “X”. (Also applies to inbound, switched traffic on VLAN “X” that has a destination on the switch itself.” In cases where an RACL and any type of port or VLAN ACL are filtering traffic entering the switch, the switched traffic explicitly permitted by the port or VLAN ACL is not filtered by the RACL (except when the traffic has a destination on the switch itself).
PAGE 308
Access Control Lists (ACLs) Overview ■ An RACL that denies inbound IP traffic having a destination on the 10.28.10.0 subnet In this case, no IP traffic received on the switch from clients on the 10.28.20.0 subnet will reach the 10.28.10.0 subnet, even though the VACL allows such traffic. This is because the deny in the RACL causes the switch to drop the traffic regardless of whether any other VACLs permit the traffic. Subnet Mask: 255.255.255.0.
PAGE 309
Access Control Lists (ACLs) Overview ■ You can apply any one ACL to multiple interfaces. ■ All ACEs in an ACL configured on the switch are automatically sequenced (numbered). For an existing ACL, entering an ACE without specifying a sequence number automatically places the ACE at the end of the list. Specifying a sequence number inserts the ACE into the list at the correct sequential location. • Automatic sequence numbering begins with “10” and increases in increments of 10.
PAGE 310
Access Control Lists (ACLs) Overview General Steps for Planning and Configuring ACLs 1. Identify the ACL application to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IP traffic at the edge of the network instead of in the core. Also, on the switch itself, you can improve performance by filtering unwanted IP traffic where it is inbound to the switch instead of outbound.
PAGE 311
Access Control Lists (ACLs) Overview 5. Assign the ACLs to the interfaces you want to filter, using the ACL application (static port ACL, VACL, or RACL) appropriate for each assignment. (For RADIUS-assigned ACLs, refer to the Note in the table in step 1 on page 10-24.) 6. If you are using an RACL, ensure that IP routing is enabled on the switch. 7. Test for desired results. For more details on ACL planning considerations, refer to “Planning an ACL Application” on page 10-30.
PAGE 312
Access Control Lists (ACLs) ACL Operation ACL Operation Introduction An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). An ACL applies only to the switch in which it is configured. ACLs operate on assigned interfaces, and offer these traffic filtering options: ■ Any IP traffic inbound on a port. ■ Any IP traffic inbound on a VLAN. ■ Routed IP traffic entering or leaving the switch on a VLAN.
PAGE 313
Access Control Lists (ACLs) ACL Operation Note After you assign an ACL to an interface, the default action on the interface is to implicitly deny any IP traffic that is not specifically permitted by the ACL. (This applies only in the direction of traffic flow filtered by the ACL.) The Packet-filtering Process Sequential Comparison and Action. When an ACL filters a packet, it sequentially compares each ACE’s filtering criteria to the corresponding data in the packet until it finds a match.
PAGE 314
Access Control Lists (ACLs) ACL Operation no further comparisons of the packet are made with the remaining ACEs in the list. This means that when an ACE whose criteria matches a packet is found, the action configured for that ACE is invoked, and any remaining ACEs in the ACL are ignored. Because of this sequential processing, successfully implementing an ACL depends in part on configuring ACEs in the correct order for the overall policy you want the ACL to enforce.
PAGE 315
Access Control Lists (ACLs) ACL Operation Note The order in which an ACE occurs in an ACL is significant. For example, if an ACL contains six ACEs, but the first ACE allows Permit Any forwarding, then the ACL permits all IP traffic, and the remaining ACEs in the list do not apply, even if they specify criteria that would make a match with any of the IP traffic permitted by the first ACE.
PAGE 316
Access Control Lists (ACLs) Planning an ACL Application It is important to remember that all ACLs configurable on the switch include an implicit deny ip any any. That is, IP packets that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped instead of forwarded on the interface. If you want to preempt the implicit deny so that packets not explicitly denied by other ACEs in the ACL will be permitted, insert an explicit “permit any” as the last ACE in the ACL.
PAGE 317
Access Control Lists (ACLs) Planning an ACL Application ■ Any TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed ■ Any UDP traffic (only) or UDP traffic for a specific UDP port ■ Any ICMP traffic (only) or ICMP traffic of a specific type and code ■ Any IGMP traffic (only) or IGMP traffic of a specific type ■ Any of the above with specific precedence and/or ToS settings Depending on th
PAGE 318
Access Control Lists (ACLs) Planning an ACL Application Security ACLs can enhance security by blocking IP traffic carrying an unauthorized source IP address (SA).
PAGE 319
Access Control Lists (ACLs) Planning an ACL Application Access Control Entries (ACEs) in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found. When a match is found, the switch applies the indicated action (permit or deny) to the packet. ■ The first match in an ACL dictates the action on a packet. Subsequent matches in the same ACL are ignored.
PAGE 320
Access Control Lists (ACLs) Planning an ACL Application 10-34 • Numeric Standard ACLs: Up to 99; numeric range: 1 - 99 • Numeric Extended ACLs: Up to 100; numeric range: 100 - 199 • Total ACEs in all ACLs: Depends on the combined resource usage by ACL, QoS, IDM, Virus-Throttling, ICMP, and Management VLAN features (For more on this topic, refer to “Monitoring Shared Resources” on page 10-114.
PAGE 321
Access Control Lists (ACLs) Planning an ACL Application ■ VACLs: These filter any IP traffic entering the switch through any port belonging to the designated VLAN. VACLs do not filter IP traffic leaving the switch or being routed from another VLAN. ■ VACLs and RACLs Operate On Static VLANs: You can assign an ACL to any VLAN that is statically configured on the switch. ACLs do not operate with dynamic VLANs.
PAGE 322
Access Control Lists (ACLs) Planning an ACL Application How an ACE Uses a Mask To Screen Packets for Matches When the switch applies an ACL to IP traffic, each ACE in the ACL uses an IP address and ACL mask to enforce a selection policy on the packets being screened. That is, the mask determines the range of IP addresses (SA only or SA/DA) that constitute a match between the policy and a packet being screened.
PAGE 323
Access Control Lists (ACLs) Planning an ACL Application Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) ■ For a given ACE, when the switch compares an IP address and corresponding mask in the ACE to an IP address carried in a packet: • A mask-bit setting of 0 (“off”) requires that the corresponding bit in the packet’s IP address and in the ACE’s IP address must be the same.
PAGE 324
Access Control Lists (ACLs) Planning an ACL Application ■ Every IP address and mask pair (source or destination) used in an ACE creates one of the following policies: • Any IP address fits the matching criteria. In this case, the switch automatically enters the IP address and mask in the ACE. For example: access-list 1 deny any produces this policy in an ACL listing: IP Address Mask 0.0.0.0 255.255.255.
PAGE 325
Access Control Lists (ACLs) Planning an ACL Application Example of How the Mask Bit Settings Define a Match . Assume an ACE where the second octet of the mask for an SA is 7 (the rightmost three bits are “on”, or “1”) and the second octet of the corresponding SA in the ACE is 31 (the rightmost five bits). In this case, a match occurs when the second octet of the SA in a packet being filtered has a value in the range of 24 to 31. Refer to table 10-4, below. Table 10-4.
PAGE 326
Access Control Lists (ACLs) Planning an ACL Application Examples Allowing Multiple IP Addresses. Table 10-5 provides examples of how to apply masks to meet various filtering requirements. Table 10-5. Example of Using an IP Address and Mask in an Access Control Entry IP Address in the ACE Mask Policy for a Match Between a Allowed IP Addresses Packet and the ACE A: 10.38.252.195 0.0.0.255 Exact match in first three octets only. 10.38.252.< 0-255 > (See row A in table 10-6, below.) B: 10.38.252.195 0.
PAGE 327
Access Control Lists (ACLs) Configuring and Assigning an ACL Configuring and Assigning an ACL ACL Feature Page Configuring and Assigning a Standard ACL 10-51 Configuring and Assigning an Extended ACL 10-60 Enabling or Disabling ACL Filtering 10-81 Overview General Steps for Implementing ACLs 1. Configure one or more ACLs. This creates and stores the ACL(s) in the switch configuration. 2. Assign an ACL. This step uses one of the following applications to assign the ACL to an interface: 3.
PAGE 328
Access Control Lists (ACLs) Configuring and Assigning an ACL Options for Permit/Deny Policies The permit or deny policy for IP traffic you want to filter can be based on source IP address alone, or on source IP address plus other IP factors. ■ Standard ACL: Uses only a packet's source IP address as a criterion for permitting or denying the packet. For a standard ACL ID, use either a unique numeric string in the range of 1-99 or a unique name string of up to 64 alphanumeric characters.
PAGE 329
Access Control Lists (ACLs) Configuring and Assigning an ACL 3. One or more deny/permit list entries (ACEs): One entry per line. Element 4. Notes Type Standard or Extended Identifier • Alphanumeric; Up to 64 Characters, Including Spaces • Numeric: 1 - 99 (Standard) or 100 - 199 (Extended) Remark Allows up to 100 alphanumeric characters, including blank spaces. (If any spaces are used, the remark must be enclosed in a pair of single or double quotes.
PAGE 330
Access Control Lists (ACLs) Configuring and Assigning an ACL For example, figure 10-10 shows how to interpret the entries in a standard ACL. ACE Action (permit or deny) End-of-List Marker ProCurve(Config)# show running . ACL List Heading with List Type and . Identifier (Name or Number) . ip access-list standard “Sample-List” 10 deny 10.28.150.77 0.0.0.0 log 20 permit 10.28.150.1 0.0.0.255 exit Source IP Address Mask Optional Logging Command Figure 10-10.
PAGE 331
Access Control Lists (ACLs) Configuring and Assigning an ACL Extended ACL Configuration Structure Individual ACEs in an extended ACL include: ■ A permit/deny statement ■ Source and destination IP addressing ■ Choice of IP criteria, including optional precedence and ToS ■ Optional ACL log command (for deny entries) ■ Optional remark statements ip access-list extended < identifier > [ [ seq-# ] remark < remark-str >] < permit | deny > < ip-type > < SA > < src-acl-mask > < DA > [log
PAGE 332
Access Control Lists (ACLs) Configuring and Assigning an ACL For example, figure 10-12 shows how to interpret the entries in an extended ACL. ProCurve(config)# show running Running configuration: ACL List Heading with List Type and ID String (Name or Number) ; J8697A Configuration Editor; Created on release #K.11.XX Protocol Types Indicates all possible destination IP addresses. hostname "ProCurve" Denies TCP ip access-list extended "Sample-List-1" Port 80 IP traffic to any 10 permit ip 10.38.130.
PAGE 333
Access Control Lists (ACLs) Configuring and Assigning an ACL significant because, once a match is found for a packet, subsequent ACEs in the same ACL will not be applied to that packet, regardless of whether they match the packet. For example, suppose that you have applied the ACL shown in figure 10-13 to inbound IP traffic on VLAN 1 (the default VLAN): Source IP Mask Destination IP Mask ip access-list extended "Sample-List-2" 10 deny ip 10.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255 20 deny ip 10.28.
PAGE 334
Access Control Lists (ACLs) Configuring and Assigning an ACL Line # Action n/a The Implicit Deny is a function the switch automatically adds as the last action in all ACLs. It denies (drops) any IP traffic from any source to any destination that has not found a match with earlier entries in the ACL.
PAGE 335
Access Control Lists (ACLs) Configuring and Assigning an ACL Using the CLI To Create an ACL Command Page access-list (standard ACLs) 10-51 access-list (extended ACLs) 10-60 You can use either the switch CLI or an offline text editor to create an ACL. This section describes the CLI method, which is recommended for creating short ACLs. (To use the offline method, refer to “Creating or Editing ACLs Offline” on page 10-104.
PAGE 336
Access Control Lists (ACLs) Configuring and Assigning an ACL To insert an ACE anywhere in a numbered ACL, use the same process as described above for inserting an ACE anywhere in a named ACL. For example, to insert an ACE denying IP traffic from the host at 10.10.10.77 as line 52 in an existing ACL identified (named) with the number 11: ProCurve(config)# ip access-list standard 99 ProCurve(config-std-nacl)# 52 deny host 10.10.10.
PAGE 337
Access Control Lists (ACLs) Configuring Standard ACLs Configuring Standard ACLs Table 10-9.
PAGE 338
Access Control Lists (ACLs) Configuring Standard ACLs A standard ACL uses only source IP addresses in its ACEs. This type of ACE is useful when you need to: ■ Permit or deny any IP traffic based on source IP address only. ■ Quickly control the IP traffic from a specific address. This allows you to isolate IP traffic problems generated by a specific device, group of devices, or a subnet threatening to degrade network performance.
PAGE 339
Access Control Lists (ACLs) Configuring Standard ACLs Configuring Named, Standard ACLs This section describes the commands for performing the following: ■ creating and/or entering the context of a named, standard ACL ■ appending an ACE to the end of an existing list or entering the first ACE in a new list For other ACL topics, refer to the following: Topic Page configuring numbered, standard ACLs 10-56 configuring named, extended ACLs 10-62 configuring numbered, extended ACLs 10-74 applying or
PAGE 340
Access Control Lists (ACLs) Configuring Standard ACLs Configuring ACEs in a Named, Standard ACL. Configuring ACEs is done after using the ip access-list standard < name-str > command described above to enter the “Named ACL” (nacl) context of an access list. For a standard ACL syntax summary, refer to table 10-9 on page 10-51. Syntax: < deny | permit > < any | host < SA > | SA > [log] Executing this command appends the ACE to the end of the list of ACEs in the current ACL.
PAGE 341
Access Control Lists (ACLs) Configuring Standard ACLs [ log] This option generates an ACL log message if: • The action is deny. • There is a match. • ACL logging is enabled on the switch. (Refer to “Enable ACL “Deny” Logging” on page 10-109.) (Use the debug command to direct ACL logging output to the current console session and/or to a Syslog server. Note that you must also use the logging < ip-addr > command to specify the IP addresses of Syslog servers to which you want log messages sent.
PAGE 342
Access Control Lists (ACLs) Configuring Standard ACLs ProCurve(config)# show access-list Sample-List Access Control Lists Name: Sample-List Type: Standard Applied: No SEQ Entry ------------------------------------------------------------------------------10 Action: permit IP : 10.10.10.104 Mask: 0.0.0.0 Note that each ACE is automatically assigned a 20 Action: deny (log) sequence number. IP : 10.10.10.1 Mask: 0.0.0.255 30 Action: permit IP : 0.0.0.0 Mask: 255.255.255.255 Figure 10-15.
PAGE 343
Access Control Lists (ACLs) Configuring Standard ACLs Creating or Adding to a Standard, Numbered ACL. This command is an alternative to using ip access-list standard < name-str > and does not use the “Named ACL” (nacl) context. For a standard ACL syntax summary, refer to table 10-9 on page 10-51. Syntax: access-list < 1-99 > < deny | permit > < any | host < SA > | SA < mask | SA/mask-length >> [log] Appends an ACE to the end of the list of ACEs in the current standard, numbered ACL.
PAGE 344
Access Control Lists (ACLs) Configuring Standard ACLs < any | host < SA > | SA < mask | SA/mask-length >> Defines the source IP address (SA) a packet must carry for a match with the ACE. • any — Allows IP packets from any SA. • host < SA > — Specifies only packets having < SA > as the source. Use this criterion when you want to match only the IP packets from a single SA. • SA < mask > or SA /mask-length — Specifies packets received from an SA, where the SA is either a subnet or a group of IP addresses.
PAGE 345
Access Control Lists (ACLs) Configuring Standard ACLs Example of Creating and Viewing a Standard ACL. This example creates a standard, numbered ACL with the same ACE content as show in figure 10-14 on page 10-55. ProCurve(config)# ProCurve(config)# ProCurve(config)# ProCurve(config)# access-list 17 permit host 10.10.10.104 access-list 17 deny 10.10.10.
PAGE 346
Access Control Lists (ACLs) Configuring Extended ACLs Configuring Extended ACLs Table 10-10.
PAGE 347
Access Control Lists (ACLs) Configuring Extended ACLs Action Enter or Remove a Remark Command(s) Page ProCurve(config)# ip access-list extended < name-str | 100-199 > ProCurve(config-ext-nacl)# [ remark < remark-str > | no < 1 - 2147483647 > remark ] 10-92 10-94 For numbered, extended ACLs only, the following remark commands can be substituted for the above: ProCurve(config)# access-list < 100 - 199 > remark < remark-str > ProCurve(config)# [no] access-list < 100 - 199 > remark Delete an Extended ACL
PAGE 348
Access Control Lists (ACLs) Configuring Extended ACLs Configuring Named, Extended ACLs For a match to occur with an ACE in an extended ACL, a packet must have the source and destination IP address criteria specified by the ACE, as well as any IP protocol-specific criteria included in the command. Use the following general steps to create or add to a named, extended ACL: 1. Create and/or enter the context of a named, extended ACL. 2.
PAGE 349
Access Control Lists (ACLs) Configuring Extended ACLs Creating a Named, Extended ACL and/or Entering the “Named ACL” (nacl) Context. This command is a prerequisite to entering or editing ACEs in a named, extended ACL. (For a summary of the extended ACL syntax options, refer to table 10-10 on page 10-60.) Syntax: ip access-list extended < name-str > Places the CLI in the “Named ACL” (nacl) context specified by the < name-str > alphanumeric identifier.
PAGE 350
Access Control Lists (ACLs) Configuring Extended ACLs Configure ACEs in a Named, Extended ACL and/or Enter the “Named ACL” (nacl) Context. Configuring ACEs is done after using the ip accesslist standard < name-str > command described on page 10-63 to enter the “Named ACL” (nacl) context of an ACL. For an extended ACL syntax summary, refer to table 10-10 on page 10-60.
PAGE 351
Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following: • ip — any IP packet.
PAGE 352
Access Control Lists (ACLs) Configuring Extended ACLs < any | host < DA > | DA/mask-length | DA/ < mask >> This is the second instance of IP addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination IP address (DA) that a packet must carry in order to have a match with the ACE. • any — Allows routed IP packets to any DA. • host < DA > — Specifies only packets having DA as the destination address.
PAGE 353
Access Control Lists (ACLs) Configuring Extended ACLs [ tos < tos-setting > ] This option can be used after the DA to cause the ACE to match packets with the specified IP Type-of-Service (ToS) setting.
PAGE 354
Access Control Lists (ACLs) Configuring Extended ACLs Options for TCP and UDP Traffic in Extended ACLs. An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic. (For a summary of the extended ACL syntax options, refer to table 10-10 on page 10-60.
PAGE 355
Access Control Lists (ACLs) Configuring Extended ACLs Port Number or Well-Known Port Name: Use the TCP or UDP port number required by your application. The switch also accepts these well-known TCP or UDP port names as an alternative to their port numbers: • TCP: bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet • UDP: bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp To list the above names, press the [Shift] [?] key combination after entering an operator.
PAGE 356
Access Control Lists (ACLs) Configuring Extended ACLs Options for ICMP Traffic in Extended ACLs. This option is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic. That is, an ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE.
PAGE 357
Access Control Lists (ACLs) Configuring Extended ACLs [ icmp-type-name ] These name options are an alternative to the [icmp-type [ icmp-code] ] methodology described above. For more information, visit the IANA website cited above.
PAGE 358
Access Control Lists (ACLs) Configuring Extended ACLs Option for IGMP in Extended ACLs. This option is useful where it is necessary to permit some types of IGMP traffic and deny other types instead of simply permitting or denying all types of IGMP traffic. That is, an ACE designed to permit or deny IGMP traffic can optionally include an IGMP packet type to permit or deny an individual type of IGMP packet while not addressing other IGMP traffic types in the same ACE.
PAGE 359
Access Control Lists (ACLs) Configuring Extended ACLs Example of a Named, Extended ACL. Suppose that you want to implement these policies on a switch configured for IP routing and membership in VLANs 10, 20, and 30: A. Permit Telnet traffic from 10.10.10.44 to 10.10.20.78, deny all other IP traffic from network 10.10.10.0 (VLAN 10) to 10.10.20.0 (VLAN 20), and permit all other IP traffic from any source to any destination. (See “A” in figure 10-18, below.) B. Permit FTP traffic from IP address 10.10.20.
PAGE 360
Access Control Lists (ACLs) Configuring Extended ACLs A (Refer to figure 10-18 on page ProCurve(config)# ip access-list extended Extended-List-01 ProCurve(config-ext-nacl)# permit tcp host 10.10.10.44 host 10.10.20.78 eq telnet ProCurve(config-ext-nacl)# deny ip 10.10.10.1/24 10.10.20.
PAGE 361
Access Control Lists (ACLs) Configuring Extended ACLs Creating or Adding to an Extended, Numbered ACL. This command is an alternative to using ip access-list extended < name-str > and does not use the Named ACL (nacl) context. (For an extended ACL syntax summary, refer to table 10-10 on page 10-60.
PAGE 362
Access Control Lists (ACLs) Configuring Extended ACLs < deny | permit > Specifies whether to deny (drop) or permit (forward) a packet that matches the criteria specified in the ACE, as described below. < ip | ip-protocol | ip-protocol-nbr > Specifies the packet protocol type required for a match. An extended ACL must include one of the following: • ip — any IP packet.
PAGE 363
Access Control Lists (ACLs) Configuring Extended ACLs SA Mask Application: The mask is applied to the SA in the ACL to define which bits in a packet’s source SA must exactly match the IP address configured in the ACL and which bits need not match. Example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any IP address in the range of 10.10.10.(1-255). Note: Specifying a group of contiguous IP addresses may require more than one ACE.
PAGE 364
Access Control Lists (ACLs) Configuring Extended ACLs [ precedence < 0 - 7 | precedence-name >] This option causes the ACE to match packets with the specified IP precedence value.
PAGE 365
Access Control Lists (ACLs) Configuring Extended ACLs Additional Options for TCP and UDP Traffic. An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic. (For a summary of the extended ACL syntax options, refer to table 10-10 on page 10-60.
PAGE 366
Access Control Lists (ACLs) Configuring Extended ACLs Additional Option for IGMP. This option is useful where it is necessary to permit some types of IGMP traffic and deny other types, instead of simply permitting or denying all types of IGMP traffic. That is, an ACE designed to permit or deny IGMP traffic can optionally include an IGMP packet type to permit or deny an individual type of IGMP packet while not addressing other IGMP traffic types in the same ACE.
PAGE 367
Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface Adding or Removing an ACL Assignment On an Interface Filtering Routed IP Traffic For a given VLAN interface on a switch configured for routing, you can assign an ACL as a RACL to filter inbound IP traffic and another ACL as a RACL to filter outbound IP traffic. You can also assign one ACL for both inbound and outbound RACLs, and for assignment to multiple VLANs.
PAGE 368
Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface ProCurve(config)# vlan 20 ip access-group My-List in ProCurve(config)# vlan 20 ProCurve(vlan-20)# ip access-group 155 out ProCurve(vlan-20)# exit ProCurve(config)# no vlan 20 ip access-group My-List in ProCurve(config)# vlan 20 ProCurve(vlan-20)# no ip access-group 155 out ProCurve(vlan-20)# exit Enables an RACL from the Global Configuration Level Enables an RACL from a VLAN Context.
PAGE 369
Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface ProCurve(config)# vlan 20 ip access-group My-List vlan ProCurve(config)# vlan 20 ProCurve(vlan-20)# ip access-group 155 vlan ProCurve(vlan-20)# exit ProCurve(config)# no vlan 20 ip access-group My-List vlan ProCurve(config)# vlan 20 ProCurve(vlan-20)# no ip access-group 155 vlan ProCurve(vlan-20)# exit Enables a VACL from the Global Configuration Level Enables a VACL from a VLAN Context.
PAGE 370
Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface Filtering Inbound IP Traffic Per Port For a given port, port list, or static port trunk, you can assign an ACL as a static port ACL to filter any IP traffic entering the switch on that interface. You can also use the same ACL for assignment to multiple interfaces. For limits and operating rules, refer to “ACL Configuration and Operating Rules” on page 10-33.
PAGE 371
Access Control Lists (ACLs) Deleting an ACL Deleting an ACL Syntax: no ip access-list standard < name-str | 1-99 > no ip access-list extended < name-str | 100-199 > no access-list < 1 - 99 | 100 - 199 > Removes the specified ACL from the switch’s runningconfig file. Note: Deleting an ACL does not delete any assignment of that ACL’s identifier on a specific interface. Creating a new ACL using an identifier that is already configured on an interface causes the switch to automatically activate that ACL.
PAGE 372
Access Control Lists (ACLs) Editing an Existing ACL Editing an Existing ACL The CLI provides the capability for editing in the switch by using sequence numbers to insert or delete individual ACEs. An offline method is also available. This section describes using the CLI for editing ACLs. To use the offline method for editing ACLs, refer to “Creating or Editing ACLs Offline” on page 10-104.
PAGE 373
Access Control Lists (ACLs) Editing an Existing ACL ■ Deleting the last ACE from an ACL leaves the ACL in memory. In this case, the ACL is “empty” and cannot perform any filtering tasks. (In any ACL the Implicit Deny does not apply unless the ACL includes at least one explicit ACE.) Sequence Numbering in ACLs The ACEs in any ACL are sequentially numbered. In the default state, the sequence number of the first ACE in a list is “10” and subsequent ACEs are numbered in increments of 10.
PAGE 374
Access Control Lists (ACLs) Editing an Existing ACL For example, to append a fourth ACE to the end of the ACL in figure 10-23: ProCurve(config)# ip access-list standard My-List ProCurve(config-std-nacl)# permit any ProCurve(config-std-nacl)# show run . . . ip access-list standard "My-List" 10 permit 10.10.10.25 0.0.0.0 20 permit 10.20.10.117 0.0.0.0 30 deny 10.20.10.1 0.0.0.255 40 permit 0.0.0.0 255.255.255.255 exit Figure 10-25.
PAGE 375
Access Control Lists (ACLs) Editing an Existing ACL 2. Begin the ACE command with a sequence number that identifies the position you want the ACE to occupy. (The sequence number range is 12147483647.) 3. Complete the ACE with the command syntax appropriate for the type of ACL you are editing. For example, inserting a new ACE between the ACEs numbered 10 and 20 in figure 10-25 requires a sequence number in the range of 11-19 for the new ACE.
PAGE 376
Access Control Lists (ACLs) Editing an Existing ACL Deleting an ACE from an Existing ACL This action uses ACL sequence numbers to delete ACEs from an ACL. Syntax: ip access-list < standard | extended > < name-str | 1 - 99 | 100 - 199 > no < seq-# > The first command enters the “Named-ACL” context for the specified ACL. The no command deletes the ACE corresponding to the sequence number entered. (Range: 1 - 2147483647 ) 1.
PAGE 377
Access Control Lists (ACLs) Editing an Existing ACL Resequencing the ACEs in an ACL This action reconfigures the starting sequence number for ACEs in an ACL, and resets the numeric interval between sequence numbers for ACEs configured in the ACL. Syntax: ip access-list resequence < name-str | 1 - 99 | 100 - 199 > < starting-seq-# > < interval > Resets the sequence numbers for all ACEs in the ACL. < starting-seq-# > : Specifies the sequence number for the first ACE in the list.
PAGE 378
Access Control Lists (ACLs) Editing an Existing ACL Attaching a Remark to an ACE A remark is numbered in the same way as an ACE, and uses the same sequence number as the ACE to which it refers. This operation requires that the remark for a given ACE be entered prior to entering the ACE itself. Syntax: access-list < 1 - 99 | 100 - 199 > remark < remark-str > This syntax appends a remark to the end of a numbered ACL and automatically assigns a sequence number to the remark.
PAGE 379
Access Control Lists (ACLs) Editing an Existing ACL Note After a numbered ACL has been created (using access-list < 1 - 99 | 100 - 199 >), it can be managed as either a named or numbered ACL. For example, in an existing ACL with a numeric identifier of “115”, either of the following command sets adds an ACE denying IP traffic from any IP source to a host at 10.10.10.100: ProCurve(config)# access-list 115 deny ip host 10.10.10.
PAGE 380
Access Control Lists (ACLs) Editing an Existing ACL Inserting Remarks and Related ACEs Within an Existing List. To insert an ACE with a remark within an ACL by specifying a sequence number, insert the numbered remark first, then, using the same sequence number, insert the ACE. (This operation applies only to ACLs accessed using the “Named-ACL” (nacl) context.) For example: ProCurve(config-std-nacl)# 15 remark "HOST 10.10.10.21" ProCurve(config-std-nacl)# 15 permit host 10.10.10.
PAGE 381
Access Control Lists (ACLs) Editing an Existing ACL Operating Notes for Remarks ■ The resequence command ignores “orphan” remarks that do not have an ACE counterpart with the same sequence number. For example, if: • a remark numbered “55” exists in an ACE • there is no ACE numbered “55” in the same ACL • resequence is executed on an ACL then the remark retains “55” as its sequence number and will be placed in the renumbered version of the ACL according to that sequence number.
PAGE 382
Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying ACL Configuration Data ACL Commands Function show access-list Displays a brief listing of all ACLs on the switch. 10-97 show access-list config Display the type, identifier, and content of all ACLs configured in the switch. 10-98 show access-list vlan < vid > List the name and type for each ACL application assigned to a particular VLAN on the switch.
PAGE 383
Access Control Lists (ACLs) Displaying ACL Configuration Data Display an ACL Summary This command lists the configured ACLs, regardless of whether they are assigned to any VLANs. Syntax: show access-list List a summary table of the name, type, and application status of all ACLs configured on the switch.
PAGE 384
Access Control Lists (ACLs) Displaying ACL Configuration Data Display the Content of All ACLs on the Switch This command lists the configuration details for every ACL in the runningconfig file, regardless of whether any are actually assigned to filter IP traffic on specific VLANs. Syntax: show access-list config List the configured syntax for all ACLs currently configured on the switch.
PAGE 385
Access Control Lists (ACLs) Displaying ACL Configuration Data Display the RACL and VACL Assignments for a VLAN This command briefly lists the identification and type(s) of RACLs and VACLs currently assigned to a particular VLAN in the running-config file. (The switch allows one inbound and one outbound RACL assignment per VLAN, plus one VACL assignment.) Syntax: show access-list vlan < vid > Lists any RACL and/or VACL assignments to a VLAN in the running config file.
PAGE 386
Access Control Lists (ACLs) Displaying ACL Configuration Data Display Static Port ACL Assignments This command briefly lists the identification and type(s) of current static port ACL assignments to individual switch ports and trunks, as configured in the running-config file. (The switch allows one static port ACL assignment per port.) Syntax: show access-list ports < all | interface > Lists the current static port ACL assignments for ports and trunks in the running config file.
PAGE 387
Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying the Content of a Specific ACL This command displays a specific ACL configured in the running config file in an easy-to-read tabular format. Note This information also appears in the show running display. If you execute write memory after configuring an ACL, it also appears in the show config display.
PAGE 388
Access Control Lists (ACLs) Displaying ACL Configuration Data ProCurve(config)# show access-list List-120 Access Control Lists Name: List-120 Type: Extended Applied: No Indicates whether the ACL is applied to an interface. SEQ Entry Indicates source and destination entries in the ACL. ---------------------------------------------------------------------10 Action: permit Remark: Telnet Allowed Src IP: 10.30.133.27 Mask: 0.0.0.0 Port(s): eq 23 Dst IP: 0.0.0.0 Mask: 255.255.255.
PAGE 389
Access Control Lists (ACLs) Displaying ACL Configuration Data Table 10-11. Descriptions of Data Types Included in Show Access-List < acl-id > Output Field Description Name The ACL identifier. Can be a number from 1 to 199, or a name. Type Standard or Extended. The former uses only source IP addressing. The latter uses both source and destination IP addressing and also allows TCP or UDP port specifiers. Applied “Yes” means the ACL has been applied to a port or VLAN interface.
PAGE 390
Access Control Lists (ACLs) Creating or Editing ACLs Offline Creating or Editing ACLs Offline The section titled “Editing an Existing ACL” on page 10-86 describes how to use the CLI to edit an ACL, and is most applicable in cases where the ACL is short or there is only a minor editing task to perform. The offline method provides a useful alternative to using the CLI for creating or extensively editing a large ACL.This section describes how to: ■ move an existing ACL to a TFTP server ■ use a text (.
PAGE 391
Access Control Lists (ACLs) Creating or Editing ACLs Offline If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax, begin the command file with a no ip accesslist command to remove the earlier version of the ACL from the switch’s running-config file. Otherwise, the switch will append the new ACEs in the ACL you download to the existing ACL.
PAGE 392
Access Control Lists (ACLs) Creating or Editing ACLs Offline ■ Deny all other IP traffic from VLAN 20 to VLAN 10. ■ Deny all IP traffic from VLAN 30 (10.10.30.0) to the server at 10.10.10.100 on VLAN 10 (without ACL logging), but allow any other IP traffic from VLAN 30 to VLAN 10. ■ Deny all other inbound IP traffic to VLAN 20. (Hint: The Implicit Deny can achieve this objective.) 1. You would create a .txt file with the content shown in figure 10-40.
PAGE 393
Access Control Lists (ACLs) Creating or Editing ACLs Offline In this example, the CLI would show the following output to indicate that the ACL was successfully downloaded to the switch: Note If a transport error occurs, the switch does not execute the command and the ACL is not configured. ProCurve(config)# copy tftp command-file 10.10.10.1 LIST-20-IN.txt pc Running configuration may change, do you want to continue [y/n]? Y 1. ip access-list extended LIST-20-IN As illustrated here, blank lines in the .
PAGE 394
Access Control Lists (ACLs) Creating or Editing ACLs Offline ProCurve(config)# show run Note that the comments preceded . . . by “ ; “ in the .txt source file for this configuration do not appear in the ip access-list extended "LIST-20-IN" ACL configured in the switch. 10 remark "THIS ACE APPLIES INBOUND ON VLAN 20" 10 permit tcp 0.0.0.0 255.255.255.255 10.10.20.98 0.0.0.0 eq 80 20 permit tcp 0.0.0.0 255.255.255.255 10.10.20.21 0.0.0.0 eq 80 30 deny tcp 0.0.0.0 255.255.255.255 10.10.20.1 0.0.0.
PAGE 395
Access Control Lists (ACLs) Enable ACL “Deny” Logging Enable ACL “Deny” Logging ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” action.
PAGE 396
Access Control Lists (ACLs) Enable ACL “Deny” Logging ACL Logging Operation When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination. The first time a packet matches an ACE with deny and log configured, the message is sent immediately to the destination and the switch starts a wait-period of approximately five minutes.
PAGE 397
Access Control Lists (ACLs) Enable ACL “Deny” Logging Enabling ACL Logging on the Switch 1. If you are using a Syslog server, use the logging < ip-addr > command to configure the Syslog server IP address(es). Ensure that the switch can access any Syslog server(s) you specify. 2. Use logging facility syslog to enable the logging for Syslog operation. 3. Use the debug destination command to configure one or more log destinations. (Destination options include logging, session, and windshell.
PAGE 398
Access Control Lists (ACLs) Enable ACL “Deny” Logging ProCurve(config)# ip access-list extended NO-TELNET ProCurve(config-ext-nacl)# remark "DENY 10.10.10.3 TELNET TRAFFIC IN" ProCurve(config-ext-nacl)# deny tcp host 10.10.10.3 any eq telnet log ProCurve(config-ext-nacl)# permit ip any any ProCurve(config-ext-nacl)# exit ProCurve(config)# vlan 10 ip access-group NO-TELNET in ProCurve(config)# logging 10.10.20.
PAGE 399
Access Control Lists (ACLs) General ACL Operating Notes General ACL Operating Notes ACLs do not provide DNS hostname support. ACLs cannot be configured to screen hostname IP traffic between the switch and a DNS. ACLs Do Not Affect Serial Port Access. ACLs do not apply to the switch’s serial port. ACL Screening of IP Traffic Generated by the Switch. Outbound RACL applications on a switch do not screen IP traffic (such as broadcasts, Telnet, Ping, and ICMP replies) generated by the switch itself.
PAGE 400
Access Control Lists (ACLs) General ACL Operating Notes Monitoring Shared Resources. Applied ACLs share internal switch resources with several other features. The switch provides ample resources for all features. However, if the internal resources become fully subscribed, additional ACLs cannot be applied until the necessary resources are released from other applications.
PAGE 401
11 Configuring Advanced Threat Protection Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Enabling DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 402
Configuring Advanced Threat Protection Introduction Introduction As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (such as partners, temporary employees, and visitors), additional protection from attacks launched from both inside and outside your internal network is often necessary. Advanced threat protection can detect port scans and hackers who try to access a port or the switch itself.
PAGE 403
Configuring Advanced Threat Protection DHCP Snooping • Attempts to exhaust system resources so that sufficient resources are not available to transmit legitimate traffic, indicated by an unusually high use of specific system resources • Attempts to attack the switch’s CPU and introduce delay in system response time to new network events • Attempts by hackers to access the switch, indicated by an excessive number of failed logins or port authentication failures • Attempts to deny switch service by fi
PAGE 404
Configuring Advanced Threat Protection DHCP Snooping DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded. Packets from untrusted sources are dropped. Conditions for dropping packets are shown below.
PAGE 405
Configuring Advanced Threat Protection DHCP Snooping option: Add relay information option (Option 82) to DHCP client packets that are being forwarded out trusted ports. The default is yes, add relay information. trust: Configure trusted ports. Only server packets received on trusted ports are forwarded. Default: untrusted. verify: Enables DHCP packet validation.
PAGE 406
Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# show dhcp-snooping stats Packet type ----------server client server server client client client client Action ------forward forward drop drop drop drop drop drop Reason Count ---------------------------- --------from trusted port 8 to trusted port 8 received on untrusted port 2 unauthorized server 0 destination on untrusted port 0 untrusted option 82 field 0 bad DHCP release request 0 failed verify MAC check 0 Figure 11-2.
PAGE 407
Configuring Advanced Threat Protection DHCP Snooping Configuring DHCP Snooping Trusted Ports By default, all ports are untrusted. To configure a port or range of ports as trusted, enter this command: ProCurve(config)# dhcp-snooping trust You can also use this command in the interface context, in which case you are not able to enter a list of ports.
PAGE 408
Configuring Advanced Threat Protection DHCP Snooping Configuring Authorized Server Addresses If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the authorized server list in order to be considered valid. If no authorized servers are configured, all servers are considered valid. You can configure a maximum of 20 authorized servers.
PAGE 409
Configuring Advanced Threat Protection DHCP Snooping Note DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, not on VLANS without snooping enabled. If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.
PAGE 410
Configuring Advanced Threat Protection DHCP Snooping Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address of the switch as the remoteid in Option 82 additions.
PAGE 411
Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# dhcp-snooping verify mac ProCurve(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping : Yes Enabled Vlans : 4 Verify MAC : yes Option 82 untrusted policy : drop Option 82 Insertion : Yes Option 82 remote-id : subnet-ip Figure 11-7. Example Showing the DHCP Snooping Verify MAC Setting The DHCP Binding Database DHCP snooping maintains a database of up to 8192 DHCP bindings on untrusted ports.
PAGE 412
Configuring Advanced Threat Protection DHCP Snooping A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command. Syntax: show dhcp-snooping binding ProCurve(config)# show dhcp-snooping binding MacAddress ------------22.22.22.22.22.22 IP VLAN Interface Time left --------------- ---- --------- --------10.0.0.1 4 B2 1600 Figure 11-8.
PAGE 413
Configuring Advanced Threat Protection DHCP Snooping ■ ProCurve recommends running a time synchronization protocol such as SNTP in order to track lease times accurately. ■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot. Log Messages Server packet received on untrusted port dropped. Indicates a DHCP server on an untrusted port is attempting to transmit a packet.
PAGE 414
Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay information logs for . More than one DHCP client packet received on an untrusted port with a relay information field was dropped. To avoid filling the log file with repeated attempts, untrusted relay information packets will not be logged for the specified . Client address not equal to source MAC detected on port .
PAGE 415
Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the source protocol address and source physical address fields are discarded.
PAGE 416
Configuring Advanced Threat Protection Dynamic ARP Protection • If a binding is valid, the switch updates its local ARP cache and forwards the packet. • If a binding is invalid, the switch drops the packet, preventing other network devices from receiving the invalid IP-to-MAC information. DHCP snooping intercepts and examines DHCP packets received on switch ports before forwarding the packets. DHCP packets are checked against a database of DHCP binding information.
PAGE 417
Configuring Advanced Threat Protection Dynamic ARP Protection Enabling Dynamic ARP Protection To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp protect vlan command at the global configuration level. Syntax: [no] arp protect vlan {vlan-range} vlan-range Specifies a VLAN ID or a range of VLAN IDs from one to 4094; for example, 1–200.
PAGE 418
Configuring Advanced Threat Protection Dynamic ARP Protection Take into account the following configuration guidelines when you use dynamic ARP protection in your network: ■ You should configure ports connected to other switches in the network as trusted ports. In this way, all network switches can exchange ARP packets and update their ARP caches with valid information. ■ Switches that do not support dynamic ARP protection should be separated by a router in their own Layer 2 domain.
PAGE 419
Configuring Advanced Threat Protection Dynamic ARP Protection To add the static configuration of an IP-to-MAC binding for a port to the database, enter the ip source binding command at the global configuration level. Syntax: [no] ip source binding vlan interface mac-address Specifies a MAC address to bind with a VLAN and IP address on the specified port in the DHCP binding database.
PAGE 420
Configuring Advanced Threat Protection Dynamic ARP Protection dst-mac (Optional) Drops any unicast ARP response packet in which the destination MAC address in the Ethernet header does not mach the target MAC address in the body of the ARP packet. ip (Optional) Drops any ARP packet in which the sender IP address is invalid. Drops any ARP response packet in which the target IP address is invalid. Invalid IP addresses include: 0.0.0.0, 255.255.255.
PAGE 421
Configuring Advanced Threat Protection Dynamic ARP Protection Displaying ARP Packet Statistics To display statistics about forwarded ARP packets, dropped ARP packets, MAC validation failure, and IP validation failures, enter the show arp protect statistics command: ProCurve(config)# show arp protect statistics Status and Counters - ARP Protection Counters for VLAN 1 1 Forwarded pkts Bad bindings Malformed pkts : 10 : 1 : 0 Bad source mac : 2 Bad destination mac: 1 Bad IP address : 0 Status and Counters
PAGE 422
Configuring Advanced Threat Protection Using the Instrumentation Monitor ProCurve(config)# debug arp protect 1. ARP request is valid "DARPP: Allow ARP request 000000-000001,10.0.0.1 for 10.0.0.2 port A1, vlan " 2. ARP request detected with an invalid binding "DARPP: Deny ARP request 000000-000003,10.0.0.1 port A1, vlan 1" 3. ARP response with a valid binding "DARPP: Allow ARP reply 000000-000002,10.0.0.2 port A2, vlan 1" 4.
PAGE 423
Configuring Advanced Threat Protection Using the Instrumentation Monitor Parameter Name Description login-failures/min The count of failed CLI login attempts or SNMP management authentication failures. This indicates an attempt has been made to manage the switch with an invalid login or password. Also, it might indicate a network management station has not been configured with the correct SNMP authentication parameters for the switch.
PAGE 424
Configuring Advanced Threat Protection Using the Instrumentation Monitor ■ W W W W W 01/01/90 01/01/90 01/01/90 01/01/90 01/01/90 00:05:00 00:10:00 00:15:00 00:20:00 00:20:00 Alerts are automatically rate limited to prevent filling the log file with redundant information.
PAGE 425
Configuring Advanced Threat Protection Using the Instrumentation Monitor [learn-discards] : The number of MAC address learn events per minute discarded to help free CPU resources when busy. (Default threshold setting when enabled: 100 (med)) [login-failures] : The count of failed CLI login attempts or SNMP management authentication failures per hour. (Default threshold setting when enabled: 10 (med)) [mac-address-count] : The number of MAC addresses learned in the forwarding table.
PAGE 426
Configuring Advanced Threat Protection Using the Instrumentation Monitor To adjust the alert threshold for the MAC address count to a specific value: ProCurve(config)# instrumentation monitor macaddress-count 767 To enable monitoring of learn discards with the default medium threshold value: ProCurve(config)# instrumentation monitor learndiscards To disable monitoring of learn discards: ProCurve(config)# no instrumentation monitor learndiscards To enable or disable SNMP trap generation: ProCurve(config)# [
PAGE 427
Configuring Advanced Threat Protection Using the Instrumentation Monitor An alternate method of determining the current Instrumentation Monitor configuration is to use the show run command. However, the show run command output does not display the threshold values for each limit set.
PAGE 428
Configuring Advanced Threat Protection Using the Instrumentation Monitor — This page is intentionally unused — 11-28
PAGE 429
12 Traffic/Security Filters and Monitors Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-2 Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 Using Port Trunks with Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 430
Traffic/Security Filters and Monitors Overview Overview Applicable Switch Models.
PAGE 431
Traffic/Security Filters and Monitors Filter Types and Operation You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic. That is, you can configure a traffic filter to either forward or drop all network traffic moving to outbound (destination) ports and trunks (if any) on the switch. Filter Limits The switch accepts up to 101 static filters.
PAGE 432
Traffic/Security Filters and Monitors Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports.
PAGE 433
Traffic/Security Filters and Monitors Filter Types and Operation ■ When you create a source port filter, all ports and port trunks (if any) on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or trunks, the switch automatically forwards traffic to the outbound ports and/or trunks you do not specifically configure to drop traffic.
PAGE 434
Traffic/Security Filters and Monitors Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to destination port 7 (server "A"). Notice that the filter allows traffic to move from source port 5 to all other destination ports. Figure 12-3. The Filter for the Actions Shown in Figure 12-2 Named Source-Port Filters You can specify named source-port filters that may be used on multiple ports and port trunks.
PAGE 435
Traffic/Security Filters and Monitors Filter Types and Operation ■ A named source-port filter can only be deleted when it is not applied to any ports. Defining and Configuring Named Source-Port Filters The named source-port filter command operates from the global configuration level. Syntax: [no] filter source-port named-filter Defines or deletes a named source-port filter.
PAGE 436
Traffic/Security Filters and Monitors Filter Types and Operation A named source-port filter must first be defined and configured before it can be applied. In the following example two named source-port filters are defined, web-only and accounting. ProCurve(config)# filter source-port named-filter webonly ProCurve(config)# filter source-port named-filter accounting By default, these two named source-port filters forward traffic to all ports and port trunks.
PAGE 437
Traffic/Security Filters and Monitors Filter Types and Operation Using Named Source-Port Filters A company wants to manage traffic to the Internet and its accounting server on a 26-port switch. Their network is pictured in Figure 12-4. Switch port 1 connects to a router that provides connectivity to a WAN and the Internet. Switch port 7 connects to the accounting server. Two workstations in accounting are connected to switch ports 10 and 11. Network Design 1.
PAGE 438
Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# filter source-port named-filter web-only drop 2-26 ProCurve(config)# filter source-port named-filter accounting drop 1-6,8,9,12-26 ProCurve(config)# filter source-port named-filter no-incoming-web drop 7,10,11 ProCurve(config)# show filter source-port Traffic/Security Filters Ports and port trunks using the filter. When NOT USED is displayed the named source-port filter may be deleted.
PAGE 439
Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter Traffic/Security Filters IDX Filter Type --- -----------1 Source Port 2 Source Port 3 Source Port 4 Source Port 5 Source Port 6 Source Port 7 Source Port 8 Source Port 20 21 22 23 24 25 26 Source Source Source Source Source Source Source Port Port Port Port Port Port Port | + | | | | | | | | Value ------------------2 3 4 5 6 8 9 12 | | | | | | | 24 25 26 7 10 11 1 Indicates the port number or porttrunk nam
PAGE 440
Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 4 Traffic/Security Filters ProCurve(config)# show filter 24 Traffic/Security Filters Filter Type : Source Port Source Port : 5 Filter Type : Source Port Source Port : 10 Dest Port Type | Action --------- --------- + ------1 10/100TX | Forward 2 10/100TX | Drop 3 10/100TX | Drop 4 10/100TX | Drop 5 10/100TX | Drop 6 10/100TX | Drop 7 10/100TX | Drop 8 10/100TX | Drop 9 10/100TX | Drop 10 10/100TX | Drop 11 10/
PAGE 441
Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port Type | Action --------- --------- + -----------------------1 10/100TX | Forward 2 10/100TX | Forward 3 10/100TX | Forward 4 10/100TX | Forward 5 10/100TX | Forward 6 10/100TX | Forward 7 10/100TX | Drop 8 10/100TX | Forward 9 10/100TX | Forward 10 10/100TX | Drop 11 10/100TX | Drop 12 10/100TX | Forward . . .
PAGE 442
Traffic/Security Filters and Monitors Filter Types and Operation The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command.
PAGE 443
Traffic/Security Filters and Monitors Filter Types and Operation Static Multicast Filters This filter type enables the switch to forward or drop multicast traffic to a specific set of destination ports. This helps to preserve bandwidth by reducing multicast traffic on ports where it is unnecessary, and to isolate multicast traffic to enhance security. You can configure up to 16 static multicast filters (defined by the filter command—page 12-21).
PAGE 444
Traffic/Security Filters and Monitors Filter Types and Operation Notes: Per-Port IP Multicast Filters. The static multicast filters described in this section filter traffic having a multicast address you specify. To filter all multicast traffic on a per-VLAN basis, refer to the section titled “Configuring and Displaying IGMP” in the chapter titled “Multimedia Traffic Control with IP Multicast (IGMP)” in the Multicast and Routing Guide for your switch. IP Multicast Filters.
PAGE 445
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Configuring Traffic/Security Filters Use this procedure to specify the type of filters to use on the switch and whether to forward or drop filtered packets for each filter you specify. 1. Select the static filter type(s). 2. For inbound traffic matching the filter type, determine the filter action you want for each outbound (destination) port on the switch (forward or drop).
PAGE 446
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port < port-number | trunk-name>] Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the sourceport filter for < port-number > and returns the destination ports for that filter to the Forward action. (Default: Forward on all ports.
PAGE 447
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a source-port filter that drops all traffic received on port 5 with a destination of port trunk 1 (Trk1) and any port in the range of port 10 to port 15.
PAGE 448
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following: The *5* shows that port 5 is configured for filtering, but the filtering action has been suspended while the port is a member of a trunk. If you want the trunk to which port 5 belongs to filter traffic, then you must explicitly configure filtering on the trunk.
PAGE 449
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Figure 12-7. Assigning Additional Destination Ports to an Existing Filter Configuring a Multicast or Protocol Traffic Filter Syntax: [no] filter [multicast < mac- address >] Specifies a multicast address. Inbound traffic received (on any port) with this multicast address will be filtered. (Default: Forward on all ports.
PAGE 450
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters For example, suppose you wanted to configure the filters in table 12-3 on a switch. (For more on source-port filters, refer to “Configuring a Source-Port Traffic Filter” on page 12-18.) Table 12-3.
PAGE 451
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Displaying Traffic/Security Filters This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters. Syntax: show filter Lists the filters configured in the switch, with corresponding filter index (IDX) numbers. IDX: An automatically assigned index number used to identify the filter for a detailed information listing.
PAGE 452
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Lists all filters configured in the switch. Filter Index Numbers (Automatically Assigned) Criteria for Individual Filters Uses the index number (IDX) for a specific filter to list the details for that filter only. Figure 12-9.
PAGE 453
13 Configuring Port-Based and User-Based Access Control (802.1X) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3 Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . 13-3 General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3 User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4 802.1X User-Based Access Control . .
PAGE 454
Configuring Port-Based and User-Based Access Control (802.1X) Contents 3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . 13-21 4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 13-22 5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . 13-23 6. Optional: Reset Authenticator Operation . . . . . . . . . . . . . . . . . . . . 13-23 7. Optional: Configure 802.1X Controlled Directions . . . . . . . . . . . .
PAGE 455
Configuring Port-Based and User-Based Access Control (802.1X) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1X Authenticators Disabled n/a page 13-16 n/a Configuring 802.1X Open VLAN Mode Disabled n/a page 13-26 n/a Configuring Switch Ports to Operate as 802.1X Supplicants Disabled n/a page 13-44 n/a n/a n/a page 13-48 n/a n/a n/a page 13-56 n/a Displaying 802.1X Configuration, Statistics, and Counters How 802.
PAGE 456
Configuring Port-Based and User-Based Access Control (802.1X) Overview • Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication. • Supplicant implementation using CHAP authentication and independent user credentials on each port. ■ Local authentication of 802.
PAGE 457
Configuring Port-Based and User-Based Access Control (802.1X) Overview the session total includes any sessions begun by the Web Authentication or MAC Authentication features covered in chapter 4.) For more information, refer to “Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices” on page 13-42. 802.1X Port-Based Access Control 802.1X port-based access control provides port-level security that allows LAN access only on ports where a single 802.
PAGE 458
Configuring Port-Based and User-Based Access Control (802.1X) Terminology Note Port-Based 802.1X can operate concurrently with Web-Authentication or MAC-Authentication on the same port. However, this is not a commonly used application and is not generally recommended. For more information, refer to “Operating Notes” on page 13-60. Alternative To Using a RADIUS Server Note that you can also configure 802.
PAGE 459
Configuring Port-Based and User-Based Access Control (802.1X) Terminology local authentication is used, in which case the switch performs this function using its own username and password for authenticating a supplicant). Authenticator: In ProCurve applications, a switch that requires a supplicant to provide the proper credentials before being allowed access to the network. CHAP (MD5): Challenge Handshake Authentication Protocol.
PAGE 460
Configuring Port-Based and User-Based Access Control (802.1X) Terminology Supplicant: The entity that must provide the proper credentials to the switch before receiving access to the network. This is usually an end-user workstation, but it can be a switch, router, or another device seeking network services. Tagged Membership in a VLAN: This type of VLAN membership allows a port to be a member of multiple VLANs simultaneously. If a client connected to the port has an operating system that supports 802.
PAGE 461
Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode” on page 13-26.
PAGE 462
Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation Note The switches covered in this guide can use either 802.1X port-based authentication or 802.1X user-based authentication. For more information, refer to “User Authentication Methods” on page 13-4. VLAN Membership Priority Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration.
PAGE 463
Configuring Port-Based and User-Based Access Control (802.1X) General 802.
PAGE 464
Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed: • Multicast and broadcast traffic is allowed on the port. • Unicast traffic to authenticated clients on the port is allowed. • All traffic from authenticated clients on the port is allowed.
PAGE 465
Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes ■ If a port on switch “A” is configured as an 802.1X supplicant and is connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection. ■ On a port configured for 802.1X with RADIUS authentication, if the RADIUS server specifies a VLAN for the supplicant and the port is a trunk member, the port will be blocked.
PAGE 466
Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Access Control Do These Steps Before You Configure 802.1X Operation 13-14 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.
PAGE 467
Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to the following: ■ “802.1X User-Based Access Control” on page 13-4 ■ “802.1X Port-Based Access Control” on page 13-5 ■ “Configuring Switch Ports To Operate As Supplicants for 802.
PAGE 468
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Note If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. 7. If you are using Port Security on the switch, configure the switch to allow only 802.1X access on ports configured for 802.
PAGE 469
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps: A. Enable the selected ports as authenticators. B. Specify either user-based or port-based 802.1X authentication. (Actual 802.
PAGE 470
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User-Based Authentication or Return to PortBased Authentication User-Based 802.1X Authentication. Syntax: aaa port-access authenticator client-limit < port-list > < 1 - 32 > Used after executing aaa port-access authenticator < port-list > (above) to convert authentication from port-based to userbased. Specifies user-based 802.1X authentication and the maximum number of 802.
PAGE 471
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Example: Configuring User-Based 802.1X Authentication This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication. ProCurve(config)# aaa port-access authenticator a10-A12 ProCurve(config)# aaa port-access authenticator a10-A12 client-limit 4 Figure 13-2. Example of Configuring User-Based 802.
PAGE 472
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page). (Default: 60 seconds) [tx-period < 0 - 65535 >] Sets the period the port waits to retransmit the next EAPOL PDU during an authentication session.
PAGE 473
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid < vlan-id >] Configures an existing static VLAN to be the Unauthorized-Client VLAN.
PAGE 474
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators eap-radius Use EAP-RADIUS authentication. (Refer to the documentation for your RADIUS server application.) chap-radius Use CHAP-RADIUS (MD-5) authentication. (Refer to the documentation for your RADIUS server application.) For example, to enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers: Configuration command for EAP-RADIUS authentication. 802.
PAGE 475
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Syntax: radius-server key < global key-string > Specifies the global encryption key the switch uses for sessions with servers for which the switch does not have a server-specific key. This key is optional if all RADIUS server addresses configured in the switch include a server- specific encryption key. 5. Enable 802.1X Authentication on the Switch After configuring 802.
PAGE 476
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 7. Optional: Configure 802.1X Controlled Directions After you enable 802.1X authentication on specified ports, you can use the aaa port-access controlled-directions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state. As documented in the IEEE 802.1X standard, an 802.
PAGE 477
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators The aaa port-access controlled-direction in command allows Wake-on-LAN traffic to be transmitted on an 802.1X-aware egress port that has not yet transitioned to the 802.1X authenticated state; the controlled-direction both setting prevents Wake-on-LAN traffic to be transmitted on an 802.1X-aware egress port until authentication occurs.
PAGE 478
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode ProCurve(config)# ProCurve(config)# ProCurve(config)# ProCurve(config)# aaa aaa aaa aaa port-access authenticator a10 authentication port-access eap-radius port-access authenticator active port-access a10 controlled-directions in Figure 13-5. Example of Configuring 802.1X Controlled Directions 802.1X Open VLAN Mode 802.1X Authentication Commands page 13-16 802.1X Supplicant Commands page 13-46 802.
PAGE 479
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode The 802.1X Open VLAN mode solves this problem by temporarily suspending the port’s static VLAN memberships and placing the port in a designated Unauthorized-Client VLAN (sometimes termed a guest VLAN). In this state the client can proceed with initialization services, such as acquiring IP addressing and 802.1X client software, and starting the authentication process.
PAGE 480
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will be an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN. Note After client authentication, the port resumes membership in any tagged VLANs for which it is configured.
PAGE 481
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 13-2. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN • When the port detects a client without 802.1X supplicant capability, it automatically becomes an untagged member of this VLAN.
PAGE 482
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Authorized-Client VLAN Port Response • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN. Notes: If the client is running an 802.
PAGE 483
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
PAGE 484
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.
PAGE 485
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as AuthorizedThese must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1X authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.
PAGE 486
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN session on untagged port VLAN membership • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged). (While the Unauthorized-Client VLAN is in use, the port does not access any other VLANs.
PAGE 487
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of RADIUS-assigned VLAN The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN. IP Addressing for a Client Connected A client can either acquire an IP address from a DHCP server or use to a Port Configured for 802.x Open a manually configured IP address before connecting to the switch.
PAGE 488
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Note: Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to Allow Multiple-Client Access You can optionally enable switches to allow up to 32 clients per-port. The Unauthorized-Client VLAN feature can operate on an 802.1Xconfigured port regardless of how many clients the port is configured to support.
PAGE 489
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 13-2 on page 13-29 for other options. Before you configure the 802.1X Open VLAN mode on a port: ■ Caution Statically configure an “Unauthorized-Client VLAN” in the switch.
PAGE 490
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges. Also, you must use 802.1X supplicant software that supports the use of local switch passwords.
PAGE 491
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > Adds a server to the RADIUS configuration. [key < server-specific key-string >] Optional. Specifies an encryption key for use with the specified server. This key must match the key used on the RADIUS server.
PAGE 492
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 13-37. Syntax: aaa port-access authenticator < port-list > [auth-vid < vlan-id >] Configures an existing, static VLAN to be the AuthorizedClient VLAN.
PAGE 493
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 13-51. 802.1X Open VLAN Operating Notes ■ Although you can configure Open VLAN mode to use the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended.
PAGE 494
Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices ■ The first client to authenticate on a port configured to support multiple clients will determine the port’s VLAN membership for any subsequent clients that authenticate while an active session is already in effect. Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices If 802.
PAGE 495
Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices Port-Security Note If 802.1X port-access is configured on a given port, then port-security learnmode for that port must be set to either continuous (the default) or port-access. In addition to the above, to use port-security on an authenticator port (chapter 14), use the per-port client-limit option to control how many MAC addresses of 802.
PAGE 496
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands page 13-16 802.
PAGE 497
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches • If, after the supplicant port sends the configured number of start packets, it does not receive a response, it assumes that switch “B” is not 802.1X-aware, and transitions to the authenticated state. If switch “B” is operating properly and is not 802.1X-aware, then the link should begin functioning normally, but without 802.1X security.
PAGE 498
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. You can configure a switch port as a supplicant for a point-to-point link to an 802.1X-aware port on another switch. Configure the port as a supplicant before configuring any supplicant-related parameters.
PAGE 499
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [secret] Enter secret: < password > Repeat secret: < password > Sets the secret password to be used by the port supplicant when an MD5 authentication request is received from an authenticator. The switch prompts you to enter the secret password after the command is invoked.
PAGE 500
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 13-16 802.1X Supplicant Commands page 13-44 802.1X Open VLAN Mode Commands page 13-26 802.1X-Related Show Commands show port-access authenticator below show port-access supplicant page 13-55 Details of 802.
PAGE 501
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [< port-list >] Shows: • Whether port-access authenticator is active • The 802.1X configuration settings of ports configured as 802.1X authenticators (For a description of each setting, refer to the syntax descriptions in “2. Reconfigure Settings for PortAccess” on page 13-19.
PAGE 502
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.
PAGE 503
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show portaccess authenticator vlan and show port-access authenticator < port-list > commands as illustrated in figure 13-9. Table 13-2 describes the data that these two commands display.
PAGE 504
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Thus, in the output shown in figure 13-9: ■ When the Auth VLAN ID is configured and matches the Current VLAN ID, an authenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Auth VLAN.
PAGE 505
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 13-3. Output for Determining Open VLAN Mode Status (Figure 13-9, Lower) Status Indicator Meaning Status Closed: Either no client is connected or the connected client has not received authorization through 802.1X authentication. Current VLAN ID < vlan-id >: Lists the VID of the static, untagged VLAN to which the port currently belongs. Open: An authorized 802.
PAGE 506
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show vlan < vlan-id > Displays the port status for the selected VLAN, including an indication of which port memberships have been temporarily overridden by Open VLAN mode. Note that ports B1 and B3 are not in the upper listing, but are included under “Overridden Port VLAN configuration”.
PAGE 507
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [< port-list >] [statistics] show port-access supplicant [< port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < portlist > ports configured on the switch as supplicants.
PAGE 508
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement. RADIUS authentication for an 802.1X client on a given port can include a (static) VLAN requirement.
PAGE 509
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1X client requires access to VLAN 22 from port A2. However, access to VLAN 22 is blocked (not untagged or tagged) on port A2 and Figure 13-11.
PAGE 510
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1X session. This is to accommodate an 802.1X client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22. Note: With the current VLAN configuration (figure 13-11), the only time port A2 appears in this show vlan 22 listing is during an 802.
PAGE 511
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS-authenticated 802.1X session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored. After the 802.
PAGE 512
Configuring Port-Based and User-Based Access Control (802.1X) Operating Notes Operating Notes ■ 13-60 Applying Web Authentication or MAC Authentication Concurrently with Port-Based 802.1X Authentication: While 802.1X portbased access control can operate concurrently with Web Authentication or MAC Authentication, port-based access control is subordinate to WebAuth and MAC-Auth operation. If 802.1X operates in port-based mode and MAC or Web authentication is enabled on the same port, any 802.
PAGE 513
Configuring Port-Based and User-Based Access Control (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation Table 13-4. 802.1X Operating Messages Message Meaning Port < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.1X authenticators. Use this command to enable the ports as authenticators: ProCurve(config)# aaa port-access authenticator e 10 Port < port-list > is not a supplicant.
PAGE 514
Configuring Port-Based and User-Based Access Control (802.1X) Messages Related to 802.
PAGE 515
14 Configuring and Monitoring Port Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3 Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4 Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-4 Eavesdrop Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 516
Configuring and Monitoring Port Security Contents Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-41 Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 517
Configuring and Monitoring Port Security Overview Overview Feature Displaying Current Port Security Default Menu CLI Web n/a — page 14-8 page 14-34 disabled — page 14-12 page 14-34 n/a — page 14-18 n/a MAC Lockdown disabled — page 14-23 MAC Lockout disabled — page 14-31 n/a page 14-40 page 14-38 Configuring Port Security Retention of Static Addresses Intrusion Alerts and Alert Flags page 14-41 Port Security (Page 14-4).
PAGE 518
Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction. Intruder Protection. A port that detects an “intruder” blocks the intruding device from transmitting to the network through that port. Eavesdrop Protection.
PAGE 519
Configuring and Monitoring Port Security Port Security ■ • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices.) • Configured: Requires that you specify all MAC addresses authorized for the port.
PAGE 520
Configuring and Monitoring Port Security Port Security configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users.
PAGE 521
Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? c. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmitting to the network.
PAGE 522
Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 14-9 show mac-address port-security 14-12 < port-list > 14-12 learn-mode 14-12 address-limit 14-15 mac-address 14-16 action 14-16 clear-intrusion-flag 14-17 no port-security 14-17 This section describes the CLI port security command and how the switch acquires and maintains authorized addresses.
PAGE 523
Configuring and Monitoring Port Security Port Security Displaying Port Security Settings. Syntax: show port-security show port-security show port-security [-]. . .
PAGE 524
Configuring and Monitoring Port Security Port Security Figure 14-3. Example of the Port Security Configuration Display for a Single Port The next example shows the option for entering a range of ports, including a series of non-contiguous ports.
PAGE 525
Configuring and Monitoring Port Security Port Security Listing Authorized and Detected MAC Addresses. Syntax: show mac-address [ port-list | mac-address | vlan < vid >] Without an optional parameter, show mac-address lists the authorized MAC addresses that the switch detects on all ports. mac-address: Lists the specified MAC address with the port on which it is detected as an authorized address. port list: Lists the authorized MAC addresses detected on the specified port(s).
PAGE 526
Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security and edit security settings. ■ Add or delete devices from the list of authorized addresses for one or more ports. ■ Clear the Intrusion flag on specific ports Syntax: port-security [e] < learn-mode | address-limit | mac-address | action | clear-intrusion-flag > < port-list >: Specifies a list of one or more ports to which the port-security command applies.
PAGE 527
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limitedcontinuous > (Continued) static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port.
PAGE 528
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limitedcontinuous > (Continued) Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an un-wanted device to become “authorized”.
PAGE 529
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system-information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces.
PAGE 530
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) mac-address [] [] . . . [] Available for learn-mode with the, static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the address-limit parameter. The mac-address limited mode allows up to 32 authorized MAC addresses per port.
PAGE 531
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) clear-intrusion-flag Clears the intrusion flag for a specific port. (See “Reading Intrusion Alerts and Resetting Alert Flags” on page 14-34.) no port-security mac-address [ ] Removes the specified learned MAC address(es) from the specified port.
PAGE 532
Configuring and Monitoring Port Security Port Security Retention of Static Addresses Static MAC addresses do not age-out. MAC addresses learned by using learnmode continuous or learn-mode limited-continuous age out according to the currently configured MAC age time. (For information on the mac-age-time command, refer to the chapter titled “Interface Access and System Information” in the Management and Configuration Guide for your switch. Learned Addresses.
PAGE 533
Configuring and Monitoring Port Security Port Security Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port. (The default device limit is 1.) It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port.
PAGE 534
Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existing Authorized Addresses list, enter the port number with the mac-address parameter and the device’s MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value).
PAGE 535
Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode.
PAGE 536
Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to “Static”. Refer to the command syntax listing under “Configuring Port Security” on page 14-12.
PAGE 537
Configuring and Monitoring Port Security MAC Lockdown The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090123456 The above command sequence results in the following configuration for port A1: Figure 14-9.
PAGE 538
Configuring and Monitoring Port Security MAC Lockdown You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID of “1”. How It Works. When a device’s MAC address is locked down to a port (typically in a pair with a VLAN) all information sent to that MAC address must go through the locked-down port. If the device is moved to another port it cannot receive data.
PAGE 539
Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair cannot be locked down on a different port. You cannot perform MAC Lockdown and 802.1X authentication on the same port or on the same MAC address. MAC Lockdown and 802.1X authentication are mutually exclusive. Lockdown is permitted on static trunks (manually configured link aggregations).
PAGE 540
Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
PAGE 541
Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as “meshing” or Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.
PAGE 542
Configuring and Monitoring Port Security MAC Lockdown Internal Core Network There is no need to lock MAC addresses on switches in the internal core network. Server “A” 5400zl Switch 5400zl Switch 3500yl Switch 3500yl Switch Network Edge Lock Server “A” to these ports. Switch 1 Switch 1 Edge Devices Mixed Users Figure 14-10.MAC Lockdown Deployed At the Network Edge Provides Security Basic MAC Lockdown Deployment.
PAGE 543
Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
PAGE 544
Configuring and Monitoring Port Security MAC Lockdown Internal Network PROBLEM: If this link fails, traffic to Server A will not use the backup path via Switch 3 Switch 3 Server A Switch 4 Server A is locked down to Switch 1, Uplink 2 Switch 2 Switch 1 External Network MixedUsers Figure 14-11.Connectivity Problems Using MAC Lockdown with Multiple Paths The resultant connectivity issues would prevent you from locking down Server A to Switch 1.
PAGE 545
Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any traffic to or from the “locked-out” MAC address will be dropped. This means that all data packets addressed to or from the given address are stopped by the switch. MAC Lockout is implemented on a per switch assignment. You can think of MAC Lockout as a simple blacklist. The MAC address is locked out on the switch and on all VLANs.
PAGE 546
Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication. You cannot use MAC Lockout to lock: • Broadcast or Multicast Addresses (Switches do not learn these) • Switch Agents (The switch’s own MAC Address) There are limits for the number of VLANs, Multicast Filters, and Lockout MACs that can be configured concurrently as all use MAC table entries. The limits are shown below. Table 14-12.
PAGE 547
Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in conjunction with port-security.
PAGE 548
Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security]. 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field. 4. Implement your new data by clicking on [Apply Changes]. To access the web-based Help provided for the switch, click on [?] in the web browser screen.
PAGE 549
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags ■ The switch enables notification of the intrusion through the following means: • • • • In the CLI: – The show port-security intrusion-log command displays the Intrusion Log – The log command displays the Event Log In the menu interface: – The Port Status screen includes a per-port intrusion alert – The Event Log includes per-port entries for security violations In the web browser interface: – The Alert
PAGE 550
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.
PAGE 551
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen. 1. From the Main Menu select: 1. Status and Counters 4. Port Status The Intrusion Alert column shows “Yes” for any port on which a security violation has been Figure 14-14.
PAGE 552
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 14-14 on page 14-37) does not indicate an intrusion for port A1, the alert flag for the intrusion on port A1 has already been reset. • Since the switch can show only one uncleared intrusion per port, the alert flag for the older intrusion for port A3 in this example has also been previously reset.
PAGE 553
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags clear intrusion-flags Clear intrusion flags on all ports. port-security [e] < port-number > clear-intrusion-flag Clear the intrusion flag on one or more specific ports. In the following example, executing show interfaces brief lists the switch’s port status, which indicates an intrusion alert on port A1. Intrusion Alert on port Figure 14-16.
PAGE 554
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags To clear the intrusion from port A1 and enable the switch to enter any subsequent intrusion for port A1 in the Intrusion Log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, you will see that the Intrusion Alert entry for port A1 has changed to “No”.
PAGE 555
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Log Command with “security” for Search Log Listing with Security Violation Detected Log Listing with No Security Violation Detected Figure 14-19.Example of Log Listing With and Without Detected Security Violations From the Menu Interface: In the Main Menu, click on 4. Event Log and use Next page and Prev page to review the Event Log contents. For More Event Log Information.
PAGE 556
Configuring and Monitoring Port Security Operating Notes for Port Security Operating Notes for Port Security Identifying the IP Address of an Intruder. The Intrusion Log lists detected intruders by MAC address. If you are using ProCurve Manager to manage your network, you can use the device properties page to link MAC addresses to their corresponding IP addresses. Proxy Web Servers.
PAGE 557
Configuring and Monitoring Port Security Operating Notes for Port Security ProCurve(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s). ProCurve(config)# The switch will not allow you to configure LACP on a port on which port security is enabled. For example: ProCurve(config)# int e a17 lacp passive Error configuring port A17: LACP and port security cannot be run together.
PAGE 558
Configuring and Monitoring Port Security Operating Notes for Port Security — This page is intentionally unused — 14-44
PAGE 559
15 Using Authorized IP Managers Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3 Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3 Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . 15-4 Overview of IP Mask Operation .
PAGE 560
Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu CLI Web Listing (Showing) Authorized Managers n/a page 15-5 page 15-6 page 15-9 Configuring Authorized IP Managers None page 15-5 page 15-6 page 15-9 Building IP Masks n/a page 15-9 page 15-9 page 15-9 Operating and Troubleshooting Notes n/a page 15-12 page 15-12 page 15-12 The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) c
PAGE 561
Using Authorized IP Managers Options Options You can configure: Caution ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations ■ Manager or Operator access privileges (for Telnet, SNMPv1, and SNMPv2c access only) Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port.
PAGE 562
Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations ■ Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authorized Manager IP column, and leave the IP Mask set to 255.255.255.255. This is the easiest way to use the Authorized Managers feature.
PAGE 563
Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 15-9. Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch. This mask serves a different purpose than IP subnet masks and is applied in a different manner.
PAGE 564
Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See “Building IP Masks” on page 15-9. 4. Use the Space bar to select Manager or Operator access. 5. Press [Enter], then [S] (for Save) to configure the IP Authorized Manager entry. Applies only to access through Telnet, SNMPv1, and SNMPv2c.
PAGE 565
Using Authorized IP Managers Defining Authorized Management Stations Figure 15-3.Example of the Show IP Authorized-Manager Display The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: IP Mask Authorized Station IP Address: Access Mode: 255.255.255.252 10.28.227.100 through 103 Manager 255.255.255.254 10.28.227.104 through 105 Manager 255.255.255.255 10.28.227.125 Manager 255.255.255.0 10.28.227.
PAGE 566
Using Authorized IP Managers Defining Authorized Management Stations If you omit the < mask bits > when adding a new authorized manager, the switch automatically uses 255.255.255.255. If you do not specify either Manager or Operator access, the switch assigns the Manager access. For example: Omitting a mask in the ip authorized-managers command results in a default mask of 255.255.255.255, which authorizes only the specified station.
PAGE 567
Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: 1. Click on the Security tab. 2. Click on [Authorized Addresses]. 3. Enter the appropriate parameter settings for the operation you want. 4. Click on [Add], [Replace], or [Delete] to implement the configuration change.
PAGE 568
Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access.
PAGE 569
Using Authorized IP Managers Building IP Masks Figure 15-6. Analysis of IP Mask for Multiple-Station Entries 1st Octet 2nd Octet 3rd Octet 4th Octet Manager-Level or Operator-Level Device Access The “255” in the first three octets of the mask specify that only the exact value in the octet of the corresponding IP address is allowed. However, the zero (0) in the 4th octet of the mask allows any value between 0 and 255 in that octet of the corresponding IP address.
PAGE 570
Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Results Manager List IP Mask 255 255 0 Authorized Manager IP 10 33 255 248 1 IP Mask 255 238 255 250 Authorized Manager IP 10 This combination specifies an authorized IP address of 10.33.xxx.1.
PAGE 571
Using Authorized IP Managers Operating Notes • • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions” list in the web browser interface you are using on the authorized station.
PAGE 572
Using Authorized IP Managers Operating Notes — This page is intentionally unused — 15-14
PAGE 573
16 Key Management System Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-2 Configuring Key Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 16-3 Creating and Deleting Key Chain Entries . . . . . . . . . . . . . . . . . . . . . . . 16-3 Assigning a Time-Independent Key to a Chain . . . . . . . . .
PAGE 574
Key Management System Overview Overview The switches covered in this guide provide support for advanced routing capabilities. Security turns out to be extremely important as complex networks and the internet grow and become a part of our daily life and business. This fact forces protocol developers to improve security mechanisms employed by their protocols, which in turn becomes an extra burden for system administrators who have to set up and maintain them.
PAGE 575
Key Management System Configuring Key Chain Management Configuring Key Chain Management KMS-Related CLI Commands in This Section Page show key-chain < chain_name > page 16-3 [ no ] key-chain chain_name page 16-3 [ no ] key-chain chain_name key Key_ID page 16-4 The Key Management System (KMS) has three configuration steps: 1. Create a key chain entry. 2. Assign a time-independent key or set of time-dependent keys to the Key Chain entry.
PAGE 576
Key Management System Configuring Key Chain Management Add new key chain Entry “Procurve1”. Display key chain entries. Figure 16-1. Adding a New Key Chain Entry After you add an entry, you can assign key(s) to it for use by a KMS-enabled protocol. Assigning a Time-Independent Key to a Chain A time-independent key has no Accept or Send time constraints. It is valid from boot-up until you change it. If you use a time-independent key, then it is the only key needed for a key chain entry.
PAGE 577
Key Management System Configuring Key Chain Management Adds a new Time-Independent key to the “Procurve1” chain. Displays keys in the key chain entry. Figure 16-2. Example of Adding and Displaying a Time-Independent Key to a Key Chain Entry Assigning Time-Dependent Keys to a Chain A time-dependent key has Accept or Send time constraints. It is valid only during the times that are defined for the key . If a time-dependent key is used, there is usually more than one key in the key chain entry.
PAGE 578
Key Management System Configuring Key Chain Management duration < mm/dd/yy [ yy ] hh:mm:ss | seconds > Specifies the time period during which the switch can use this key to authenticate inbound packets. Duration is either an end date and time or the number of seconds to allow after the start date and time (which is the accept-lifetime setting).
PAGE 579
Key Management System Configuring Key Chain Management Note Given transmission delays and the variations in the time value from switch to switch, it is advisable to include some flexibility in the Accept lifetime of the keys you configure. Otherwise, the switch may disregard some packets because either their key has expired while in transport or there are significant time variations between switches. To list the result of the commands in figure 16-3: Figure 16-4.
PAGE 580
Key Management System Configuring Key Chain Management The “Procurve1” key chain entry is a time-independent key and will not expire. “Procurve2” uses time-dependent keys, which result in this data: Expired = 1 Key 1 has expired because its lifetime ended at 8:10 on 01/18/03, the previous day. Active = 2 Key 2 and 3 are both active for 10 minutes from 8:00 to 8:10 on 1/19/03. Keys 4 and 5 are either not yet active or expired. The total number of keys is 5.
PAGE 581
Index Numerics 3DES … 8-3, 9-3 802.1X ACL, effect on … 10-20 802.
PAGE 582
port-based access … 13-4 client without authentication … 13-5 effect of Web/MAC Auth client … 13-60 enable … 13-17, 13-43 latest client, effect … 13-5 multiple client access … 13-5 multiple clients authenticating … 13-5 no client limit … 13-4 open port … 13-4 operation … 13-5 recommended use … 13-5 return to … 13-18 See also user-based.
PAGE 583
untagged … 13-27, 13-30, 13-31 untagged membership … 13-18 VLAN operation … 13-56 VLAN use, multiple clients … 13-6 VLAN, assignment conflict … 13-12 VLAN, membership priority … 13-10, 13-27 VLAN, priority, RADIUS … 13-31 VLAN, tagged membership … 13-31 Wake-on-LAN traffic … 13-24 Web/MAC Auth effect … 13-60 A aaa authentication … 5-8 web browser … 6-11 aaa port-access See Web or MAC Authentication. access levels, authorized IP managers … 15-3 accounting See RADIUS. ACL 802.1X client limit … 10-20 802.
PAGE 584
example, named extended … 10-73 exception for connection-rate filtering … 10-22 exit statement … 10-48 extended command summary … 10-8 configure … 10-60, 10-74 create … 10-8, 10-60 defined … 10-11, 10-42 delete … 10-9, 10-61 named, configure … 10-62 numbered, configure … 10-75 numeric I.D.
PAGE 585
policies … 10-30 policy application points … 1-8, 10-4 policy type … 10-42 policy, permit/deny … 10-42 port … 10-34 port ACL defined See also static port ACL and dynamic port ACL. … 10-5 port ACL operation defined … 10-16 port added to trunk … 10-34 port removed from trunk … 10-34 port-based 802.
PAGE 586
ACL, connection-rate See connection-rate filtering ACLs management access protection … 1-8 See also RADIUS-assigned ACLs.
PAGE 587
false positive … 3-6 guidelines … 3-8, 3-9 high rate, legitimate … 3-18 host, trusted … 3-18 host, unblocking … 3-18 ICMP ping message … 3-3 notify and reduce … 3-5 notify only … 3-5 notify-only … 3-12 operating rules … 3-7 operation … 3-5 options … 3-5 penalty period, throttling … 3-12 port setting change, effect … 3-7 reboot, effect … 3-7 recommended application … 3-3 re-enable blocked host … 3-7 routed traffic … 3-10 sensitivity level … 3-5, 3-8 sensitivity level, changing … 3-18 sensitivity level, comma
PAGE 588
event log alerts for monitored events … 11-23 connection-rate filtering alerts … 3-31 intrusion alerts … 14-40 messages … 3-31 F filter, source-port applicable models … 12-2 editing … 12-20 filter indexing … 12-22 filter type … 12-8 idx … 12-8, 12-22 index … 12-8, 12-22 operating rules … 12-4, 12-6 port-trunk operation … 12-3, 12-19 show … 12-8 value … 12-8 viewing … 12-8 filters … 12-2 effect of IGMP … 12-16 multicast … 12-15 protocol … 12-16 source port … 12-4 source-port filter value … 12-22 static … 12
PAGE 589
L LACP 802.
PAGE 590
See ProCurve Manager. physical security … 1-6 port security configuration … 14-3 trusted … 11-17 untrusted … 11-18 port access client limit … 13-18 concurrent … 13-18 MAC auth … 13-4 See also 802.1X access control. tracking client authentication failures … 11-23 Web auth … 13-4 Web/MAC … 13-18 port ACL … 10-5 port monitoring, ACL … 10-16 port scan, detecting … 11-22 port security 802.
PAGE 591
multiple ACL application types in use … 7-15 NAS-Prompt-User service-type value … 6-12 network accounting … 6-32 operating rules, switch … 6-6 override CoS … 7-5 override CoS, example … 7-5, 7-6 override Rate-Limiting … 7-5 override Rate-Limiting, example … 7-5, 7-6 override, precedence, multiple clients … 7-7 rate-limiting … 7-3, 7-4, 7-6 Rate-Limiting override … 7-3 security … 6-11 security note … 6-4 server access order … 6-33 server access order, changing … 6-44 servers, multiple … 6-17 service type val
PAGE 592
notices of … 14-34 security, ACL See ACL, security use. security, password See SSH.
PAGE 593
generate host key pair … 9-10 generate self-signed … 9-13 generate self-signed certificate … 9-10, 9-13 generate server host certificate … 9-10 generating Host Certificate … 9-9 host key pair … 9-10 key, babble … 9-12 key, fingerprint … 9-12 man-in-the-middle spoofing … 9-18 OpenSSL … 9-2 operating notes … 9-6 operating rules … 9-6 passwords, assigning … 9-7 prerequisites … 9-5 remove self-signed certificate … 9-10 remove server host certificate … 9-10 reserved TCP port numbers … 9-20 root … 9-4 root certif
PAGE 594
TLS See RADIUS. troubleshooting authentication via Telnet … 5-15 authorized IP managers … 15-12 trunk filter, source-port … 12-3, 12-19 LACP, 802.1X not allowed … 13-17 port added or removed, ACL … 10-34 See also LACP.
PAGE 595
PAGE 596
Technical information in this document is subject to change without notice. © Copyright 2005-2007 Hewlett-Packard Development Company, L.P. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws.