HP Switch Software Access Security Guide K/KA/KB.15.15

Abstract

This switch software guide is intended for network administrators and support personnel, and applies to the switch models listed on this page unless otherwise noted. This guide does not provide information about upgrading or replacing switch hardware. The information in this guide is subject to change without notice.
© Copyright 2014 Hewlett-Packard Development Company, LP Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Software End User License Agreement and Hardware Limited Warranty For the software end user license agreement and the hardware limited warranty information for HP Networking products, visit www.hp.com/ networking/support. Hewlett-Packard Company 8000 Foothills Boulevard, m/s 5551 Roseville, California 95747-5551 www.hp.
Contents 1 Configuring Username and Password Security..............................................20 Console access......................................................................................................................20 Creating password security......................................................................................................20 Setting an inactivity timer....................................................................................................
Password recovery.............................................................................................................46 Saving username and password security....................................................................................46 Security settings that can be saved.......................................................................................46 Benefits of saving security credentials....................................................................................
Specifying the time period enforced for implicit logoff........................................................76 Specifying how many authentication attempts can time-out before failure..............................76 Specifying how long the switch waits before processing a request from a MAC address that failed authentication......................................................................................................76 Specifying time period enforced on a client to re-authenticate.................
Viewing web-based authentication settings for ports, including web specific settings...............94 Viewing the show commands for MAC authentication.............................................................94 Viewing session information for MAC authenticated clients on a switch.................................95 Viewing detail on status of MAC authenticated client sessions.............................................96 Viewing MAC authentication settings on ports........................................
Concepts........................................................................................................................121 5 TACACS+ Authentication.........................................................................122 TACACS..............................................................................................................................122 Getting ready for TACACS+ authentication..........................................................................
Configuring RADIUS accounting........................................................................................157 Configuring a switch to access a RADIUS server..............................................................158 Reconfiguring the Acct-Session-ID operation (Optional) ....................................................159 Configure accounting types and controls for sending reports to the RADIUS server...............159 Accounting service types to track....................................
RADIUS accounting with IP attribute..........................................................................191 Operating rules for RADIUS accounting.........................................................................192 Acct-Session-ID Options in a Management Session..........................................................192 Unique Acct-Session-ID operation..................................................................................192 Common Acct-Session-ID operation..........................
Implicitly denying any IP traffic.................................................................................225 Monitoring shared resources.........................................................................................225 Event log messages.....................................................................................................225 Causes of client deauthentication immediately after authenticating................................226 8 Secure Shell (SSH)............................
10 IPv4 Access Control Lists (ACLs)..............................................................259 Configuring.........................................................................................................................259 Configuring named, standard ACLs....................................................................................259 Entering the IPv4 named ACL context.............................................................................
ACE counter operation.....................................................................................................297 Resetting ACE Hit counters to zero......................................................................................297 Using IPv6 counters with multiple interface assignments .......................................................298 Using IPv4 counters with multiple interface assignments .......................................................299 Overview........................
The sequence of entries in an ACL is significant..........................................................330 Allowing for the Implied Deny function......................................................................331 A configured ACL has no effect until you apply it to an interface...................................331 You can assign an ACL name or number to an interface even if the ACL does not exist in the switch configuration...........................................................................
Displaying the static configuration of IP-to-MAC bindings..................................................380 Debugging dynamic IP lockdown..................................................................................381 Verifying the dynamic IP lockdown configuration..................................................................381 Adding a MAC Address to a port......................................................................................
Keeping the intrusion log current by resetting alert flags...............................................409 Operating notes for port security...................................................................................410 Identifying the IP address of an intruder.....................................................................410 Proxy Web servers..................................................................................................410 "Prior To" entries in the intrusion log...........
Using HP switch security features............................................................................................435 Physical security...............................................................................................................435 Using the Management Interface wizard.............................................................................436 WebAgent: Management Interface wizard.....................................................................
Configuring 802.1X Open VLAN Mode.........................................................................467 Inspecting 802.1X Open VLAN Mode Operation.............................................................468 Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices......................................................................................................................468 Viewing 802.1X Open VLAN Mode Status.......................................
SSL changes....................................................................................................................502 Zeroizing with HA............................................................................................................502 Opacity shields command.................................................................................................502 Overview........................................................................................................................
1 Configuring Username and Password Security

Console access

Console access includes both the menu interface and the CLI. There are two levels of console access: Manager and Operator. For security, you can set a password pair (Username and Password) on each of these levels.

NOTE: Usernames are optional. Passwords are configured in the menu interface. Usernames are configured in the CLI. Usernames and passwords for Manager and Operator access can also be configured using SNMP.
NOTE: When configuring an operator or manager password, a message will appear indicating that (USB) autorun has been disabled. See Appendix A, "File Transfers", in the Management and Configuration Guide for your switch for more information on the autorun feature.

Setting an inactivity timer

If you set a manager password, you can configure an inactivity timer which causes the console session to end after the specified period of inactivity.
Deleting password protection

This procedure deletes all usernames (if configured) and passwords (manager and operator).

Option one
1. If you have physical access to the switch, press and hold the [Clear] button (on the front of the switch) for a minimum of one second to clear all password protection.
2. Enter new passwords.

Option two
If you do not have physical access to the switch, you will need manager-level access. Follow this procedure to delete password protection:
1.
manager: Configures access to the switch with manager-level privileges.
operator: Configures access to the switch with operator-level privileges.
port-access: Configures access to the switch through 802.1X authentication with operator-level privileges.
user-name name: The optional text string of the user name associated with the password. Username up to 64 characters.
plaintext|sha1: Format for the password entry, and the password itself (up to 64 characters).
General password rules

Usernames and passwords are case-sensitive. ASCII characters in the range of 33-126 are valid, including:
• A through Z uppercase characters
• a through z lower case characters
• 0 through 9 numeric characters
• Special characters ` ~ ! @ # $ % ^ & * ( ) - _ = + [ ] { } \ | ; : ' " , < > / ?

NOTE: The SPACE character is allowed to form a username or password pass-phrase. The username must be in quotes, for example "The little brown fox".
Restrictions for the setmib command

Usernames and passwords can be set using the CLI command setmib. They cannot be set using SNMP.
• Quotes are permitted for enclosing other characters, for example, a username or password of abcd can be enclosed in quotes "abcd" without the quotes becoming part of the username or password itself. Quotes can also be inserted between other characters of a username or password, for example, ab"cd.
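The character and quoting rules above, applied by a small validator. This is an added example, not HP code; the function names are my own, and it only checks the rules the guide states (ASCII 33-126, 64-character limit, SPACE only inside a quoted pass-phrase, enclosing quotes stripped, embedded quotes kept).

```python
"""Validator for local username/password strings as the guide describes them.
Added example (not HP code). Helper names are my own."""

MAX_LEN = 64  # the guide's limit for usernames and passwords


def parse_credential(raw: str) -> str:
    """Return the effective credential for a CLI argument, or raise ValueError.

    Quoting follows "General password rules" and "Restrictions for the setmib
    command": "abcd" -> abcd (enclosing quotes dropped), ab"cd -> ab"cd
    (embedded quote kept), "The little brown fox" is allowed because the
    spaces sit inside quotes, while an unquoted space is rejected.
    """
    if not raw:
        raise ValueError("empty credential")
    quoted = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
    value = raw[1:-1] if quoted else raw   # enclosing quotes are not part of the value
    if not value:
        raise ValueError("empty credential")
    if len(value) > MAX_LEN:
        raise ValueError(f"longer than {MAX_LEN} characters")
    for ch in value:
        code = ord(ch)
        if ch == " ":
            if not quoted:                  # SPACE forms a pass-phrase only when quoted
                raise ValueError("space outside a quoted pass-phrase")
            continue
        if code < 33 or code > 126:         # guide: ASCII 33-126 are the valid characters
            raise ValueError(f"invalid character {ch!r} (code {code})")
    return value


def is_valid(raw: str) -> bool:
    """True when parse_credential() accepts the string."""
    try:
        parse_credential(raw)
    except ValueError:
        return False
    return True
```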
Unable to use previous password

If you cannot access the switch after a software version downgrade, clear the password by using the [Clear] button on the switch to regain access. Then boot into a software version that supports long passwords, and perform steps 1, 2, or 3 in the preceding section.

Security credentials

You can store and view the following security settings in the running-config file associated with the current software image.
Set or clear a local username/password for a given access level.
manager: Configures access to the switch with manager-level privileges.
operator: Configures access to the switch with operator-level privileges.
port-access: Configures access to the switch through 802.1X authentication with operator-level privileges.
user-name: The optional text string of the user name associated with the password.
Specifies the type of algorithm (if any) used to hash the password.
Figure 4 Example of security credentials saved in the running-config

Although you can enter an SNMPv3 authentication or privacy password in either clear ASCII text or the SHA-1 hash of the password, the password is displayed and saved in a configuration file only in hashed format, see Figure 26 (page 48). See "Configuring for Network Management Applications" in the Management and Configuration Guide for your switch for more information about the configuration of SNMP security parameters. 802.
RADIUS shared-secret key authentication

You can use RADIUS servers as the primary authentication method for users who request access to a switch through Telnet, SSH, console, or port access (802.1X). The shared secret key is a text string used to encrypt data in RADIUS packets transmitted between a switch and a RADIUS server during authentication sessions. Both the switch and the server have a copy of the key; the key is never transmitted across the network.
quoted with single quotes ('keystring'). The following restrictions for a keystring apply.
• A keystring cannot contain both single and double quotes.
• A keystring cannot have extra characters, such as a blank space or a new line. However, to improve readability, you can add a backslash at the end of each line.

NOTE: The ip ssh public-key command allows you to configure only one SSH client public key at a time.
Restrictions to enabling security credentials

The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command:
• The private keys of an SSH host cannot be stored in the running configuration. Only the public keys used to authenticate SSH clients can be stored. An SSH host's private key is only stored internally, for example, on the switch or on an SSH client device.
Syntax: [no] include-credentials [radius-tacacs-only | store-in-config]

Enables the inclusion of passwords and security credentials in each configuration file when the file is saved onto a remote server or workstation. When no include-credentials is executed, include-credentials is disabled. Credentials continue to be stored in the active and inactive configuration files but are not displayed.
Figure 7 Output for show include-credentials command

Executing include-credentials or include-credentials store-in-config

When include-credentials or include-credentials store-in-config is executed on a switch for the first time, the passwords and SSH keys are not yet stored in the configuration file (not activated). This prompts a caution message.

Figure 8 Caution message

This caution message can also appear if you have successfully executed the no include-credentials store-in-config command.
Table 1 Switch storage states (continued)

Type                       | Factory default                          | include-credentials enabled | include-credentials disabled but active | [no] include-credentials executed
RADIUS & TACACS keystrings | Not displayed in config; stored in flash | Displayed in config         | Same as include-credentials enabled     | No credentials displayed in config; not displayed in config

NOTE: When the no include-credentials store-in-config command is executed, the switch is restored to its default state and only stores one set of operator/manager passwords and SSH
authenticator (port-access) security credentials, and SSH client public keys in the running configuration. (Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running-config file.) To view the currently configured security settings in the running configuration, enter one of the following commands: • show running-config: Displays the configuration settings in the current running-config file.
Figure 10 Creating an encrypted password

Encrypting credentials in the configuration file

A security risk is present when credentials used for authentication to remote devices such as RADIUS or TACACS+ servers are displayed in the configuration file in plain text. The encrypt-credentials command allows the storing, displaying, and transferring of credentials in encrypted form. When the encrypt-credentials feature is enabled, the affected credentials will be encrypted using aes-256-cbc encryption.
hex: Set the key as a 64 hexadecimal character string (32 bytes). You must enter 64 hexadecimal digits to set this key.

When encrypt-credentials is enabled without any parameters, a caution message displays advising you about the effect of the feature with prior software versions, and actions that are recommended. All versions of the command force a configuration save after encrypting or re-encrypting sensitive data in the configuration.
Table 2 Affected commands

Existing command                                            | New equivalent option
HP Switch(config)# radius-server key secret1                | HP Switch(config)# radius-server encrypted-key U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA=
HP Switch(config)# radius-server host 10.0.0.1 key secret1  | HP Switch(config)# radius-server host 10.0.0.
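What the encrypted-key string in Table 2 actually carries, as an added example (not HP code): decoding the value shows the OpenSSL "Salted__" envelope (8-byte magic, 8-byte salt, then AES-CBC ciphertext in 16-byte blocks). That layout is an observation about the sample value, not something the guide documents; the salt is why re-encrypting the same secret yields a different string, and the single ciphertext block is why the string reveals only that the secret is at most 15 bytes, not what it is.

```python
"""Describe the layout of an encrypted-key value from the configuration.
Added example, not HP code. The value below is copied from Table 2."""
import base64

TABLE2_ENCRYPTED_KEY = "U2FsdGVkX18XWadTeFN+bxHxKA/q+s5cV1NiYvx+TuA="


def inspect_encrypted_key(b64: str) -> dict:
    """Decode an encrypted-key string and report how it is laid out.

    Assumption (observed, not from the guide): the bytes follow the OpenSSL
    salted format, so the 16-byte ciphertext cannot be read without the
    switch's aes-256-cbc key; nothing here decrypts anything.
    """
    raw = base64.b64decode(b64, validate=True)
    magic, salt, ciphertext = raw[:8], raw[8:16], raw[16:]
    return {
        "salted_envelope": magic == b"Salted__",
        "salt_hex": salt.hex(),
        "ciphertext_len": len(ciphertext),
        "block_aligned": len(ciphertext) % 16 == 0 and len(ciphertext) > 0,
        # with PKCS#7 padding a single 16-byte block holds 1..15 plaintext bytes
        "max_plaintext_len": len(ciphertext) - 1 if ciphertext else 0,
    }


if __name__ == "__main__":
    for key, val in inspect_encrypted_key(TABLE2_ENCRYPTED_KEY).items():
        print(f"{key}: {val}")
```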
For some customers this is no longer true. Others simply want the added assurance that even if someone did manage to get to the switch that data would still remain secure. If you do not invoke front panel security on the switch, user defined passwords can be deleted by pushing the Clear button on the front panel. This function exists so that if customers forget the defined passwords they can still get back into the switch and reset the passwords.
Configuring front panel security

Syntax: show front-panel-security

Displays the current front panel security settings:
clear password: Shows the status of the Clear button on the front panel of the switch. Enabled means that pressing the Clear button erases the local usernames and passwords configured on the switch (and thus removes local password protection from the switch). Disabled means that pressing the Clear button does not remove the local usernames and passwords configured on the switch.
Reset+Clear combination described under “Restoring the factory default configuration” (page 43). • Configure the Clear button to reboot the switch after clearing any local usernames and passwords. This provides an immediate, visual means (plus an Event Log message) for verifying that any usernames and passwords in the switch have been cleared.
Setting the Clear button functionality

Syntax: [no] front-panel-security password-clear reset-on-clear

This command does both of the following:
• Re-enables the password clearing function of the Clear button on the switch front panel.
• Specifies whether the switch reboots if the Clear button is pressed.
To re-enable the password clear function, you must also specify whether to enable or disable the reset-on-clear option.
Defaults:
• password-clear: Enabled.
• reset-on-clear: Disabled.
WARNING! This means that anyone who has physical access to the switch could use this button combination to replace the switch current configuration with the factory-default configuration, and render the switch accessible without the need to input a username or password. You can use the factory-reset command to prevent the Reset+Clear combination from being used for this purpose.
3. Release the Reset button.
4. When the Test LED to the right of the Clear button begins flashing, release the Clear button.
It takes approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings.
NOTE: To disable password-recovery:
• You must have physical access to the front panel of the switch.
• The factory-reset parameter must be enabled (the default).
For redundant management systems, this command only affects the active management module.

To disable password-recovery
1. Set the CLI to the global interface context.
2. Use show front-panel-security to determine whether the factory-reset parameter is enabled.
Password recovery The password recovery feature is enabled by default and provides a method for regaining management access to the switch (without resetting the switch to its factory default configuration) in the event that the system administrator loses the local manager username or password.
is an alphanumeric string for the user name assigned to the manager or operator. indicates the type of hash algorithm used: SHA-1 or plain text. is the SHA-1 authentication protocol's hash of the password or clear ASCII text. For example, a manager username and password can be stored in a running-config file as follows: Figure 24 Manager/User name storage Use the write memory command to save the password configurations in the startup-config file.
Figure 26 Example of security credentials saved in the running-config

Although you can enter an SNMPv3 authentication or privacy password in either clear ASCII text or the SHA-1 hash of the password, the password is displayed and saved in a configuration file only in hashed format, as shown in Figure 26 (page 48). For more information about the configuration of SNMP security parameters, see "Configuring for Network Management Applications" in the Management and Configuration Guide for your switch.
Type                       | Factory default                          | include-credentials enabled          | include-credentials disabled but active | [no] include-credentials executed
SNMPv3 auth and priv       | Stored in flash; not displayed in config | Stored in flash; displayed in config | Same as include-credentials enabled     | No credentials displayed in config; not displayed in config
RADIUS & TACACS keystrings | Stored in flash; not displayed in config | Displayed in config                  | Same as include-credentials enabled     | No credentials displayed in config; not displayed in config
NOT
Operating Notes

CAUTION:
• When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file. You are prompted by a warning message to perform a write memory operation to save the security credentials to the startup configuration.
• After you permanently save security configurations to the current startup-config file using the write memory command, you can view and manage security settings with the following commands.
show config: Displays the configuration settings in the current startup-config file.
Table 3 Interactions

Columns: include-credentials Active | include-credentials Enabled | encrypt-credentials Enabled | Resulting behavior for sensitive data

Hidden (default) Yes Yes Yes n/a Yes Yes n/a Hidden Yes Shown, encrypted Yes Yes Yes Yes Yes Shown, encrypted Shown, plaintext Yes Shown, encrypted
2 Virus throttling (connection-rate filtering)

Configuring connection-rate filtering

Viewing the connection-rate configuration

Use the following command to view the basic connection-rate configuration. If you need to view connection-rate ACLs and/or any other switch configuration details, use show config or show running. See Figure 27 (page 53).
Figure 28 Connection-rate filtering configuration in the startup-config file

Enabling global connection-rate filtering and sensitivity

Use the commands in this section to enable connection-rate filtering on the switch and to apply the filtering on a per-port basis.

Syntax: connection-rate-filter sensitivity
[no] connection-rate-filter

This command:
• Enables connection-rate filtering.
medium: Sets the connection-rate sensitivity to allow a mean of 37 destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 30 and 60 seconds.
high: Sets the connection-rate sensitivity to allow a mean of 22 destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 60 and 90 seconds.
Table 4 Throttle mode penalty periods

Throttle mode (sensitivity) | Frequency of IP connection requests from the same source | Mean number of new destination hosts in the frequency period | Penalty period
Low        | < 0.1 second | 54 | < 30 seconds
Medium     | < 1.0 second | 37 | 30 - 60 seconds
High       | < 1.0 second | 22 | 60 - 90 seconds
Aggressive | < 1.
Blocked hosts

Listing currently-blocked hosts

Syntax: show connection-rate-filter
all-hosts: Lists, by VLAN membership, all hosts currently detected in a throttling or blocking state, along with a state indicator.
throttled-hosts: Lists, by VLAN membership, the hosts currently in a throttling state due to connection-rate action.
blocked-hosts: Lists, by VLAN membership, the hosts currently blocked by connection-rate action.
Figure 31 Example of listing hosts blocked by connection-rate filtering

Unblocking currently-blocked hosts

If a host becomes blocked by triggering connection-rate filtering on a port configured to block high connection rates, the host remains blocked on all ports on the switch even if you change the per-port filtering configuration. To help prevent a malicious host from automatically regaining access to the network, the source IP address block imposed by connection-rate filtering does not age out.
HP Switch(config-crf-nacl)# If the ACL already exists, this command simply puts the CLI into the ACE context. Syntax: ip< any | host ip-addr | mask-length | [>] ip-addr Used in the ACE context to specify the action of the connection-rate ACE and the source IP address of the traffic that the ACE affects. The filter option assigns policy filtering to traffic with source IP address (SA) matching the source address in the ACE.
Used in the ACE context (above) to specify the action of the connection-rate ACE (filter or ignore), and the UDP/TCP criteria and SA of the IP traffic that the ACE affects. filter This option assigns a policy of filtering (dropping) IP traffic having an SA that matches the source address criteria in the ACE. ignore This option specifies a policy of allowing IP traffic having an SA that matches the source address criteria in the ACE.
"Less Than": To have a match with the ACE entry, the TCP or UDP source-port number in a packet must be less than the specified port number. neq "Not Equal": To have a match with the ACE entry, the TCP or UDP source-port number in a packet must not be equal to the specified port number. range To have a match with the ACE entry, the TCP or UDP source-port number in a packet must be in the range .
Figure 32 Examples of connection-rate ACEs using UDP/TCP criteria

Applying connection-rate ACLs

To apply a connection-rate ACL, use the access-group command described below.

NOTE: This command differs from the access-group command for non-connection-rate ACLs.

Syntax: [no] vlan vid ip access-group crf-list-name connection-rate-filter

This command applies a connection-rate access control list (ACL) to inbound traffic on ports in the specified VLAN that are configured for connection-rate filtering.
Figure 33 Sample network

In the basic example, the administrator configured connection-rate blocking on port D2. However:
• The administrator has elevated the connection-rate sensitivity to high.
• The server at IP address 15.45.50.17 frequently transmits a relatively high rate of legitimate connection requests, which now triggers connection-rate blocking of the server's IP address on port D2. This causes periodic, unnecessary blocking of access to the server.
2. Assigning the ACL to the VLAN through which traffic from the server enters the switch.
Connection-rate filtering

Features and benefits

Connection-rate filtering is a countermeasure tool you can use in your incident-management program to help detect and manage worm-type IT security threats received in inbound IP traffic. Major benefits of this tool include:
• Behavior-based operation that does not require identifying details unique to the code exhibiting the worm-like operation.
• Handles unknown worms.
• Needs no signature updates.
a large number of outbound IP connections in a short period of time, the switch responds in one of the following ways, depending on how connection-rate filtering is configured:
• Notify only (of potential attack): While the apparent attack continues, the switch generates an Event Log notice identifying the offending host's source IP address and (if a trap receiver is configured on the switch) a similar SNMP trap notice.
Operating rules
• Connection-rate filtering does not operate on IPv6 traffic.
• Connection-rate filtering is triggered by inbound IP traffic exhibiting high rates of IP connections to new hosts. After connection-rate filtering has been triggered on a port, all traffic from the suspect host is subject to the configured connection-rate policy (notify-only, throttle, or block).
• When connection-rate filtering is configured on a port, the port cannot be added to, or removed from, a port trunk group.
For more information on when to apply connection-rate ACLs, see “Application options” (page 66). NOTE: Connection-rate ACLs are a special case of the switch ACL feature. If you need information on other applications of ACLs or more detailed information on how ACLs operate, see “IPv4 Access Control Lists (ACLs)” (page 259).
configured for the port on which the traffic entered the switch. This option is most useful in applications where it is easier to use filter to specify suspicious traffic sources for screening than to use ignore to specify exceptions for trusted traffic sources that don't need screening. For example, if the host at 15.45.127.43 requires connection-rate screening, but all other hosts in the VLAN do not, you would configure and apply a connection-rate ACL with filter ip host 15.45.127.
Connection-rate log and trap messages

See the Event Log Message Reference Guide for information about Event Log messages.

Overview

The spread of malicious agents in the form of worms has severe implications for network performance. Damage can be as minimal as slowing down a network with excessive, unwanted traffic, or as serious as putting attacker-defined code on a system to cause any type of malicious damage.
5. Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code or legitimate use is the cause of the behavior. 6. Hosts demonstrating high, but legitimate connection rates, such as heavily used servers, can trigger a connection-rate filter. Configure connection rate ACLs to create policy exceptions for trusted hosts.
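A simulation of the connection-rate filtering decision described in this chapter, added here as an example (not HP code): the Table 4 sensitivity thresholds, the notify-only / throttle / block responses, the rule that a blocked source stays blocked on every port until an administrator clears it, and a connection-rate ACL of ignore/filter entries, used the way the sample network exempts the server at 15.45.50.17. Assumptions not taken from the guide: distinct destinations seen in a sliding window stand in for the switch's "mean number of new destination hosts", the penalty length is the upper bound of each Table 4 range, a source matched by no ACE is screened, and all traffic and addresses (other than 15.45.50.17) are constructed.

```python
"""Connection-rate filtering simulation. Added example, not HP code.
See the lead-in for the assumptions that are not from the guide."""
from collections import deque
from ipaddress import ip_address, ip_network

# sensitivity -> (frequency window in seconds, new-destination threshold,
# penalty seconds); values from Table 4, penalty = upper bound of the range
SENSITIVITY = {
    "low": (0.1, 54, 30.0),
    "medium": (1.0, 37, 60.0),
    "high": (1.0, 22, 90.0),
}


class ConnectionRateFilter:
    def __init__(self, sensitivity, action, acl=()):
        if action not in ("notify-only", "throttle", "block"):
            raise ValueError(action)
        self.window, self.threshold, self.penalty = SENSITIVITY[sensitivity]
        self.action = action
        # ACL entries are (policy, prefix); first match wins, like ACEs in order
        self.acl = [(policy, ip_network(net, strict=False)) for policy, net in acl]
        self.recent = {}           # src -> deque of (time, dst) inside the window
        self.throttled_until = {}  # src -> time the penalty period ends
        self.blocked = set()       # persists until unblock(); it does not age out
        self.events = []           # (time, src, action), Event Log style records

    def _policy(self, src):
        addr = ip_address(src)
        for policy, net in self.acl:
            if addr in net:
                return policy
        return "filter"            # assumption: no ACE match -> screened

    def observe(self, t, src, dst):
        """Decide 'forward' or 'drop' for one new connection request."""
        if src in self.blocked:
            return "drop"
        until = self.throttled_until.get(src)
        if until is not None:
            if t < until:
                return "drop"
            del self.throttled_until[src]  # penalty period is over
        if self._policy(src) == "ignore":
            return "forward"               # trusted host, no rate screening
        q = self.recent.setdefault(src, deque())
        while q and t - q[0][0] >= self.window:
            q.popleft()                    # forget requests outside the window
        q.append((t, dst))
        if len({d for _, d in q}) <= self.threshold:
            return "forward"
        self.events.append((t, src, self.action))
        if self.action == "block":
            self.blocked.add(src)
            return "drop"
        if self.action == "throttle":
            self.throttled_until[src] = t + self.penalty
            q.clear()
            return "drop"
        return "forward"                   # notify-only: log, keep forwarding

    def unblock(self, src):
        """Administrative unblock, the only way a blocked host is released."""
        self.blocked.discard(src)
        self.recent.pop(src, None)


def replay(flt, src, count, step):
    """Feed `count` requests from src to distinct constructed destinations."""
    return [flt.observe(i * step, src, f"10.20.0.{i}") for i in range(count)]


if __name__ == "__main__":
    # Constructed version of the sample network: blocking at high sensitivity
    # and the busy server 15.45.50.17 tripping the filter on its burst.
    strict = ConnectionRateFilter("high", "block")
    print(replay(strict, "15.45.50.17", 30, 0.01).count("drop"), "dropped")
    # With an ignore ACE for the server, the same burst is forwarded untouched.
    excepted = ConnectionRateFilter("high", "block", acl=[("ignore", "15.45.50.17")])
    print(replay(excepted, "15.45.50.17", 30, 0.01).count("drop"), "dropped")
```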
3 Web-based and MAC authentication

Configuring MAC authentication on the switch

Prerequisites for web-based or MAC authentication

Before you configure web-based/MAC authentication, follow these guidelines.
1. Configure a local username and password on the switch for both the operator (login) and manager (enable) access levels. HP recommends that you use a local user name and password pair to protect the switch configuration from unauthorized access.
2.
3. Determine whether any VLAN assignments are needed for authenticated clients. a. If you configure the RADIUS server to assign a VLAN for an authenticated client, this assignment overrides any VLAN assignments configured on the switch while the authenticated client session remains active. The VLAN must be statically configured on the switch. b. If there is no RADIUS-assigned VLAN, the port can join an “Authorized VLAN” for the duration of the client session.
Configuring a global MAC authentication password
MAC authentication normally places a single entry in the user database in which both the username and the password are the device's MAC address. This creates an opportunity for malicious device spoofing. The global password option configures a common MAC authentication password to use for all MAC authentications sent to the RADIUS server. This makes spoofing more difficult.
Specifies the MAC address format used in the RADIUS request message. This format must match the format used to store the MAC addresses in the RADIUS server. Default: no-delimiter
no-delimiter: specifies an aabbccddeeff format.
single-dash: specifies an aabbcc-ddeeff format.
multi-dash: specifies an aa-bb-cc-dd-ee-ff format.
multi-colon: specifies an aa:bb:cc:dd:ee:ff format.
no-delimiter-uppercase: specifies an AABBCCDDEEFF format.
Specifying the VLAN for an authorized client
Syntax: aaa port-access mac-based [e] port-list [auth-vid vid]
no aaa port-access mac-based [e] port-list [auth-vid]
Specifies the VLAN to use for an authorized client. The RADIUS server can override the value (when the accept response includes a VLAN ID). If auth-vid is 0, no VLAN changes occur unless the RADIUS server supplies one. Use the no form of the command to set the auth-vid to 0.
Forcing re-authentication of clients
Syntax: [no] aaa port-access mac-based [e] port-list [reauthenticate]
Forces a re-authentication of all attached clients on the port.
Specifying the period to wait for a server response to an authentication request
Syntax: [no] aaa port-access mac-based [e] port-list [server-timeout <1-300>]
Specifies the period, in seconds, the switch waits for a server response to an authentication request.
Figure 40 Configuring an access denied message on the switch
Figure 41 Output showing the custom access denied message
Figure 42 Access denied message when radius-response is configured
Unauthenticated clients can be assigned to a specific static, untagged VLAN (unauth-vid) to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients, the port is blocked and no network access is available.
Figure 44 Running configuration output displaying access denied message
Figure 45 Running configuration output when RADIUS response is configured
Configuring MAC authentication on the switch 79
Redirecting HTTP when MAC address not found
When a client’s MAC address is checked by the RADIUS server against the known list of MAC addresses, and the MAC address is not found, the client needs a way to quickly become registered through a web registration process. The HTTP Redirect feature provides a way for a client who has failed MAC authentication to become registered through a web/registration server. Only a web browser is required for this authentication process.
1. When the redirect feature is enabled, a client that fails MAC authentication is moved into the unauthorized MAC authentication redirection state.
2. A client in the redirect state (having failed MAC authentication) with a web browser open sends a DHCP request.
3. The switch responds with a DHCP lease for an address in the switch-configurable DHCP address range. Additionally, the switch IP address becomes the client’s default gateway.
Figure 46 Diagram of registration process
Using the restrictive-filter option
The restrictive-filter option allows the switch to reply to all HTTP requests to the switch IP address with an HTTP redirect containing the URL of the registration server. It is used when there is no registration process and only a warning or informational page is displayed to the client. If SSL is not configured, the switch verifies that the MAC address and interface port parameters are present.
Figure 47 Show command displaying HTTP redirect configuration
Reauthenticating a MAC authenticated client using SNMP
The MIB variable hpicfUsrAuthMacAuthClientReauthenticateEntry in the hpicfUsrAuthMIB provides the capability to reauthenticate a specific MAC client on a port. The MAC address and port are required for SNMP reauthentication.
4. Ping the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support web-based authentication on the switch.
5. Configure the switch with the correct IP address and encryption key to access the RADIUS server.
6. (Optional) To use SSL encryption for web-based authentication login, configure and enable SSL on the switch.
7. Enable web-based authentication on the switch ports you want to use.
Prerequisites
As implemented in 802.1X authentication, the disabling of incoming traffic and transmission of outgoing traffic on a web-based authenticated egress port in an unauthenticated state (using the aaa port-access controlled-directions in command) is supported only if:
• The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.
Use the [no] form of the command to set the auth-vid to 0. (Default: 0.)
Clearing statistics
Syntax aaa port-access web-based [clear-statistics]
Clears (resets to 0) all counters used to monitor the CEI, HTTP, and web-based authentication control traffic generated in a web-based authentication session. (To display Web-Auth traffic statistics, enter the show port-access web-based statistics command.)
is also used for other purposes, you may wish to group the HTML files in their own directory, for example in “/EWA/”.)
Figure 48 Adding web servers with the aaa port-access web-based ews-server command
Figure 49 Removing a web server with the aaa port-access web-based ews-server command
Specifying the logoff period
Syntax aaa port-access web-based [logoff-period <60-9999999>]
Specifies the period, in seconds, that the switch enforces for an implicit logoff.
Specifying the re-authentication period
Syntax aaa port-access web-based [reauth-period <0-9999999>]
Specifies the time period, in seconds, the switch enforces on a client to re-authenticate. When set to 0, reauthentication is disabled. (Default: 300 seconds)
Specifying a forced reauthentication
Syntax aaa port-access web-based [reauthenticate]
Forces a re-authentication of all attached clients on the port.
◦ AABBCCDDEEFF
◦ AABBCC-DDEEFF
◦ AA-BB-CC-DD-EE-FF
◦ AA:BB:CC:DD:EE:FF
If the device is a switch or other VLAN-capable device, use the base MAC address assigned to the device, and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch. The switch applies a single MAC address to all VLANs configured in the switch. Thus, for a given switch, the MAC address is the same for all VLANs configured on the switch.
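As an added illustration of why the addr-format setting and the layout of the entries in the RADIUS user database must agree (example code, not HP's or the switch's own), the following Python renders a client MAC in each of the five addr-format layouts described for the mac-based RADIUS request and checks whether a stored database entry would be matched. Only the five option names from the text are modelled; the helper names are assumptions.

```python
"""Render a client MAC the way the switch's addr-format options do (added example, not HP code)."""
import re
from typing import Optional, Tuple

# The five addr-format options from the text: (delimiter, hex digits per group, uppercase?).
ADDR_FORMATS = {
    "no-delimiter": ("", 12, False),           # aabbccddeeff (default)
    "single-dash": ("-", 6, False),            # aabbcc-ddeeff
    "multi-dash": ("-", 2, False),             # aa-bb-cc-dd-ee-ff
    "multi-colon": (":", 2, False),            # aa:bb:cc:dd:ee:ff
    "no-delimiter-uppercase": ("", 12, True),  # AABBCCDDEEFF
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize(mac: str) -> str:
    """Strip ':' and '-' delimiters and return 12 lowercase hex digits, or raise ValueError."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def render(mac: str, delimiter: str, group: int, upper: bool) -> str:
    """Lay the address out with the given delimiter and group size."""
    digits = normalize(mac)
    if upper:
        digits = digits.upper()
    return delimiter.join(digits[i:i + group] for i in range(0, 12, group))


def format_for_radius(mac: str, addr_format: str = "no-delimiter") -> str:
    """The username/password string the switch would send for the configured addr-format."""
    return render(mac, *ADDR_FORMATS[addr_format])


def matching_addr_format(stored_entry: str) -> Optional[str]:
    """Which addr-format option reproduces the layout of an existing database entry (None if no option can)."""
    try:
        for name, layout in ADDR_FORMATS.items():
            if render(stored_entry, *layout) == stored_entry:
                return name
    except ValueError:
        pass
    return None


def lookup_would_match(stored_entry: str, request_value: str) -> bool:
    """A RADIUS user lookup compares strings exactly: the same device in a different layout does not match."""
    return stored_entry == request_value


if __name__ == "__main__":
    mac = "00:1b:44:11:3a:b7"  # constructed sample address
    for name in ADDR_FORMATS:
        print(f"{name:24} {format_for_radius(mac, name)}")
    print("database entry 001B44113AB7 needs addr-format:", matching_addr_format("001B44113AB7"))
```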
Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key, above. The tilde (~) character is allowed in the string. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
Implementing customized web-based authentication pages
To implement enhanced web-based authentication pages, you need to:
• Configure and start a web server on your local network.
• Customize the HTML template files and make them accessible to the web server.
• Configure the switch to display the customized files by using the aaa port-access web-based ewa-server command to specify the server's IP address or host name and the path to the customized HTML files on the server.
Information on ports not enabled for web authentication is not displayed.
Figure 51 Example of show port-access web-based command output
Viewing session details for Web-Auth clients
Syntax: show port-access web-based clients [port-list]
Displays the session status, name, and address for each web-based authenticated client on the switch. The IP address displayed is taken from the DHCP binding table, learned through the DHCP snooping feature.
Figure 53 Example of show port-access web-based clients detailed command output
Viewing web-based authentication settings for ports
Syntax: show port-access web-based config [port-list]
Displays the currently configured web-based authentication settings for all switch ports or specified ports, including:
• Temporary DHCP base address and mask.
• Support for RADIUS-assigned dynamic VLANs (Yes or No).
• Controlled directions setting for transmitting Wake-on-LAN traffic on egress ports.
Displays more detailed information on the currently configured web-based authentication settings for specified ports.
Displays the status of all ports or specified ports that are enabled for MAC authentication. The information displayed for each port includes:
• Number of authorized and unauthorized clients.
• VLAN ID number of the untagged VLAN used. If the switch supports MAC-based (untagged) VLANs, MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions.
• If tagged VLANs (statically configured or RADIUS-assigned) are used (Yes or No).
Figure 58 Show port-access MAC-based clients command output
Viewing detail on status of MAC authenticated client sessions
Syntax: show port-access mac-based clients port-list detailed
Displays detailed information on the status of MAC authenticated client sessions on specified ports. Shows session status, name, and address for each MAC authenticated client on the switch. The IP address displayed is taken from the DHCP binding table, learned through DHCP snooping.
Displays the currently configured MAC authentication settings for all switch ports or specified ports, including:
• MAC address format.
• Support for RADIUS-assigned dynamic VLANs (Yes or No).
• Controlled directions setting for transmitting Wake-on-LAN traffic on egress ports.
• Authorized and unauthorized VLAN IDs. If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS-assigned value.
Displays the currently configured web authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as:
• Timeout waiting period.
• Number of timeouts supported before authentication login fails.
• Length of time (quiet period) supported between authentication login attempts.
The RADIUS server uses the device MAC address as the username and password, and grants or denies network access in the same way that it does for clients capable of interactive logons. The process does not use either a client device configuration or a logon session. MAC authentication is well-suited for clients not capable of providing interactive logons, such as telephones, printers, and wireless access points.
You configure access to an optional, unauthorized VLAN when you configure web-based and MAC authentication on a port.
RADIUS-based authentication
In web-based and MAC authentication, you use a RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client. When a RADIUS server authenticates a client, the switch-port membership during the client's connection is determined according to the following hierarchy:
1. A RADIUS-assigned VLAN.
2.
The switch passes the supplied username and password to the RADIUS server for authentication and displays the following progress message:
Figure 64 Progress message during authentication
If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.
Clientless Endpoint Integrity
Clientless Endpoint Integrity (CEI) allows a switch to validate the security software that a client is running before allowing the client to connect to the network. By using the CEI feature on a switch deployed at the edge of the network, there is no need to require a client to install special software to perform the endpoint integrity check. CEI verifies that a client is running the necessary security patches, service packs, and virus definitions, and checks the last scan date.
If your LAN does use multiple VLANs, then some of the following factors can apply to your use of web-based authentication and MAC authentication.
• Web-based authentication and MAC authentication operate only with port-based VLANs. Operation with protocol VLANs is not supported, and clients do not have access to protocol VLANs during web-based authentication and MAC authentication sessions.
• A port can belong to one untagged VLAN during any client session.
looped back to an edge port will not be processed because they have a different broadcast/multicast MAC address from the client-authenticated MAC address. To ensure that client-authenticated edge ports get blocked when loops occur, you should enable loop protection on those ports. See "Multiple Instance Spanning-Tree Operation" in the Advanced Traffic Management Guide for your switch.
Figure 66 HTML code for user login page template
Filename: accept.html
The accept.html file is the web page used to confirm a valid client login. This web page is displayed after a valid username and password are entered and accepted.
Figure 67 Access granted page
The client device is then granted access to the network. To configure the VLAN used by authorized clients, specify a VLAN ID with the aaa port-access web-based auth-vid command parameter when you enable web-based authentication. The accept.
Figure 68 Filename: accept.html
Filename: authen.html
The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified.
Figure 69 Authenticating page
Figure 70 HTML code for authentication page template
Invalid credentials page
The reject_unauthvlan.html file is the web page used to display login failures in which an unauthenticated client is assigned to the VLAN configured for unauthorized client sessions.
Figure 71 Invalid credentials
The getwauthredirecttime ESI inserts the value for the waiting time used by the switch to redirect an unauthenticated client while the client renews its IP address and gains access to the VLAN for unauthorized clients. This ESI should not be modified.
Figure 72 HTML code for invalid credentials page template
Filename: timeout.html
The timeout.html file is the web page used to return an error message if the RADIUS server is not reachable.
Filename: retry_login.html
The retry_login.html file is the web page displayed to a client that has entered an invalid username and/or password, and is given another opportunity to log in.
Figure 75 Invalid credentials page
The getwauthretriesleft ESI displays the number of login retries that remain for a client that entered invalid login credentials.
The getwauthsslsrv ESI inserts the URL that redirects a client to an SSL-enabled port on an EWA server to verify the client's username and password. This ESI should not be modified.
Figure 78 HTML code for SSL redirect page template
Filename: reject_novlan.html
The reject_novlan file is the web page displayed after a client login fails and no VLAN is configured for unauthorized clients.
Configuring a DNS Server for Enhanced web authentication
If you use a host name to configure access to a web server on which customized login web pages are stored, you must first configure a Domain Name System (DNS) server to resolve the web server's host name into a target IP address. (If you specify an IP address to configure a web server, it is not necessary to configure a DNS server.)
Figure 82 HTML code for User Login page template
Access Granted page (accept.html)
Figure 83 Access Granted page
The accept.html file is the web page used to confirm a valid client login. This web page is displayed after a valid username and password are entered and accepted. The client device is then granted access to the network. To configure the VLAN used by authorized clients, specify a VLAN ID with the aaa port-access web-based auth-vid command parameter when you enable web authentication.
Figure 84 HTML code for Access Granted page template
Authenticating page (authen.html)
Figure 85 Authenticating page
The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified.
Figure 86 HTML code for Authenticating page template
Invalid Credentials page (reject_unauthvlan.html)
Figure 87 Invalid Credentials page
The reject_unauthvlan.
The GETWAUTHREDIRECTTIME ESI inserts the value for the waiting time used by the switch to redirect an unauthenticated client while the client renews its IP address and gains access to the VLAN for unauthorized clients. This ESI should not be modified.
Figure 88 HTML code for Invalid Credentials page template
Timeout page (timeout.html)
Figure 89 Timeout page
The timeout.html file is the web page used to return an error message if the RADIUS server is not reachable.
The GETWAUTHRETRIESLEFT ESI displays the number of login retries that remain for a client that entered invalid login credentials. You can configure the number of times that a client can enter their user name and password before authentication fails with the aaa port-access web-based max-retries command when you enable web authentication. This ESI should not be modified.
Figure 92 HTML code for Retry Login page template
SSL Redirect page (sslredirect.
Access Denied page (reject_novlan.html)
Figure 95 Access Denied page
The reject_novlan file is the web page displayed after a client login fails and no VLAN is configured for unauthorized clients. The GETWAUTHQUIETTIME ESI inserts the time period used to block an unauthorized client from attempting another login.
Reported Status: rejected-no vlan
Available Network Connection: No network access
Possible Explanations:
• Invalid credentials supplied.
• RADIUS Server difficulties. See log file.
• If unauth-vid is specified, it cannot be successfully applied to the port. An authorized client on the port has precedence.
Reported Status: rejected-unauth vlan
Available Network Connection: Unauthorized VLAN only
Possible Explanations:
• Invalid credentials supplied.
• RADIUS Server difficulties. See log file.
Reported Status: timed out-no vlan
Available Network Connection: No network access
Possible Explanations: RADIUS request timed out.
4 Local MAC Authentication
Possible scenarios for deployment
The following are examples of possible scenarios where LMA can be deployed.
1. In the following scenario, multiple clients are connected to a hub that is tagged to VLAN "A" and untagged to VLAN "B". The hub is attached to a switch port that is tagged to VLAN "A" and untagged to VLAN "B". LMA authenticates clients and, upon authentication, places them in the appropriate VLANs.
2.
• Show LMA configuration
HP-Switch# show port-access local-mac config
HP-Switch# show port-access local-mac config detailed [Note: per port]
• Show LMA enabled ports
HP-Switch# show port-access local-mac
HP-Switch# show port-access local-mac [Note: per port]
• Show per-port local MAC client details
HP-Switch# show port-access local-mac client [detailed]
• Show mac-entry and mac-group association
HP-Switch# show port-access local-mac association
Configuration
HP-Switch(config)# aaa port-access local-mac 1 auth-vid 10
• Configure UnauthVid
HP-Switch(config)# aaa port-access local-mac 1 unauth-vid 12
• Configure address limit on a port
HP-Switch(config)# aaa port-access local-mac 1 addr-limit 2
• Re-authenticate clients on a port
HP-Switch(config)# aaa port-access local-mac 1 reauthenticate
• Un-configure LMA on a port
HP-Switch(config)# no aaa port-access local-mac 1
Configuration examples
Configuration example 1
• In this example, a PC is directly connect
aaa port-access local-mac profile “corp-phone-prof” vlan tagged 5 (for corporate IP phones)
aaa port-access local-mac profile “wlan-ap-prof” vlan untagged 10 tagged 12-14 (for WLAN APs)
(for the rest of the PCs)
aaa port-access local-mac profile “corp-phone-prof” vlan tagged 5 (for phones)
5 TACACS+ Authentication
Getting ready for TACACS+ authentication
To use TACACS+ authentication, you need the following:
• A TACACS+ server application installed and configured on one or more servers or management stations in your network. There are several TACACS+ software packages available.
• A switch configured for TACACS+ authentication, with access to one or more TACACS+ servers.
NOTE: The effectiveness of TACACS+ security depends on correctly using your TACACS+ server application.
• The username/password pairs you want the TACACS+ server to use for controlling access to the switch.
• The privilege level you want for each username/password pair administered by the TACACS+ server for controlling access to the switch.
• The username/password pairs you want to use for local authentication (one pair each for operator and manager levels).
3. Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for Telnet access (login and enable) to the switch.
Configuring TACACS+ on the switch
Before you begin
If you are new to TACACS+ authentication, HP recommends that you first read “Getting ready for TACACS+ authentication” (page 122) and configure your TACACS+ servers before configuring authentication on the switch. The switch offers three command areas for TACACS+ operation:
• show authentication and show tacacs: Displays the switch TACACS+ configuration and status.
5. Check the Privilege level box and set the privilege level to 15 to allow "root" privileges. This allows you to use the single login option.
Figure 98 The shell section of the TACACS+ server user setup
As shown in “Configuring the switch TACACS+ Server Access” (page 125), login and enable access is always available locally through a direct terminal connection to the switch console port.
Configures an optional global encryption key. Keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers that the switch will attempt to use for authentication.
[no] tacacs-server key
Removes the optional global encryption key. This does not affect any server-specific encryption key assignments.
tacacs-server timeout <1-255>
Changes the wait period for a TACACS+ server response. Default: 5 seconds.
1. When there are no TACACS+ servers configured, entering a server IP address makes that server the first-choice TACACS+ server.
2. When there is one TACACS+ server already configured, entering another server IP address makes that server the second-choice (backup) TACACS+ server.
3. When there are two TACACS+ servers already configured, entering another server IP address makes that server the third-choice (backup) TACACS+ server.
The above position assignments are fixed.
Specifies how long the switch waits for a TACACS+ server to respond to an authentication request. If the switch does not detect a response within the timeout period, it initiates a new request to the next TACACS+ server in the list. If all TACACS+ servers in the list fail to respond within the timeout period, the switch uses either local authentication (if configured) or denies access (if none configured for local authentication).
Configuring the Timeout period
The timeout period specifies how long the switch waits for a response to an authentication request from a TACACS+ server before either sending a new request to the next server in the switch Server IP Address list or using the local authentication option.
NOTE: Encryption keys configured in the switch must exactly match the encryption keys configured in TACACS+ servers the switch will attempt to use for authentication. If you configure a global encryption key, the switch uses it only with servers for which you have not also configured a server-specific key. Thus, a global key is more useful where the TACACS+ servers you are using all have an identical key, and server-specific keys are necessary where different TACACS+ servers have different keys.
Figure 101 Example of the switch TACACS+ configuration listing
Viewing key information
Use the show running-config command to display the key information.
<login [privilege-mode]>
The server grants privileges at the operator privilege level. If the privilege-mode option is entered, TACACS+ is enabled for a single login. The authorized privilege level (operator or manager) is returned to the switch by the TACACS+ server. Default: Single login disabled.
<local | tacacs | radius>
Selects the type of security access:
local: Authenticates with the manager and operator password you configure in the switch.
Figure 104 Example of the switch after assigning a different "first-choice" server
To remove the 10.28.227.15 device as a TACACS+ server, you would use this command:
HPswitch(config)# no tacacs-server host 10.28.227.
the two servers in the previous example, you will need to assign a server-specific key in the switch that applies only to the designated server:
HPswitch(config)# tacacs-server host 10.28.227.87 key south10campus
With both of the above keys configured in the switch, the south10campus key overrides the north40campus key only when the switch tries to access the TACACS+ server having the 10.28.227.87 address.
Messages related to TACACS+ operation
The switch generates the CLI messages listed below.
Figure 105 Example of TACACS+ operation
TACACS+ in the switches covered in this guide manages authentication of logon attempts through either the Console port or Telnet. TACACS+ uses an authentication hierarchy consisting of both:
• remote passwords assigned in a TACACS+ server
• local passwords configured on the switch.
Figure 106 Using a TACACS+ Server for Authentication
Using Figure 106 (page 136), after either switch detects an operator's logon request from a remote or directly connected terminal, the following events occur:
1. The switch queries the first-choice TACACS+ server for authentication of the request.
• If the switch does not receive a response from the first-choice TACACS+ server, it attempts to query a secondary server.
can configure using the CLI password command, the WebAgent, or the menu interface, which enables only local password configuration).
• If the operator at the requesting terminal correctly enters the username/password pair for either access level, access is granted.
• If the username/password pair entered at the requesting terminal does not match either username/password pair previously configured locally in the switch, access is denied.
Table 6 AAA Authentication Parameters (continued)
Note: If you do not specify this parameter in the command line, the switch automatically assigns the secondary method as follows:
• If the primary method is tacacs, the only secondary method is local.
• If the primary method is local, the default secondary method is none.
CAUTION: Regarding the use of local for login primary access: During local authentication (which uses passwords configured in the switch instead of in a TACACS+ server), the switch grants read-only access if you enter the operator password, and read-write access if you enter the manager password.
Messages related to RADIUS Operation
Table 8 Messages related to RADIUS operation
Message: Connecting to TACACS server
Meaning: The switch is attempting to contact the TACACS+ server identified in the switch’s tacacs-server configuration as the first-choice (or only) TACACS+ server.
6 RADIUS Authentication, Authorization, and Accounting
Preparation procedures for RADIUS
1. Configure one to fifteen RADIUS servers to support the switch. See the documentation provided with the RADIUS server application.
2. Before configuring the switch, collect the following information:
a. Determine the access methods (console, Telnet, Port-Access (802.1X), WebAgent and/or SSH) for which you want RADIUS as the primary authentication method. Consider both operator (login) and manager (enable) levels, as well as which secondary authentication methods to use (local or none) if the RADIUS authentication fails or does not respond.
Figure 107 Possible RADIUS access assignments
Configuring the switch for RADIUS authentication
Configure RADIUS authentication for controlling access through one or more of the following:
• Serial port
• Telnet
• SSH
• Port-Access (802.1X)
• WebAgent
1. RADIUS authentication on the switch must be enabled to override the default authentication operation, which is to automatically assign an authenticated client to the operator privilege level.
3. Configure the global RADIUS parameters.
• Server key: This key must match the encryption key used on the RADIUS servers the switch contacts for authentication and accounting services unless you configure one or more per-server keys. Default: null.
• Timeout period: The timeout period the switch waits for a RADIUS server to reply. Default: 5 seconds; range: 1 to 15 seconds.
• Retransmit attempts: The number of retries when there is no server response to a RADIUS authentication request.
The default primary <enable | login> authentication is local.
[<local | none | authorized>]
Provides options for secondary authentication. For console access, secondary authentication must be local if primary access is not local. This prevents you from being locked out of the switch in the event of a failure in other access methods.
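The primary/secondary fallback described for the TACACS+ and RADIUS server lists, as an added model in Python (not HP code): servers are tried in their configured order, a server that answers is treated as final, and only when every server stays silent does the secondary method decide. The data class, function names, the local user store and the assumption that retransmit attempts apply per server are mine.

```python
"""Model of the switch's primary/secondary authentication fallback (added example, not HP code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A simulated server answers "accept" or "reject", or returns None when it does not
# respond within the timeout. Assumption: an answer is final; only silence falls through.
ServerFn = Callable[[str, str], Optional[str]]


@dataclass
class AaaConfig:
    primary: str                                    # "local", "tacacs" or "radius"
    secondary: str                                  # "local", "none" or "authorized"
    servers: List[Tuple[str, ServerFn]] = field(default_factory=list)  # first-choice first
    retransmit: int = 0                             # extra attempts per server on no response
    local_users: Dict[str, str] = field(default_factory=dict)  # hypothetical local store


def default_secondary(primary: str) -> str:
    """Secondary method the switch assigns when none is given: tacacs -> local, local -> none."""
    return "local" if primary == "tacacs" else "none"


def validate(cfg: AaaConfig, access_method: str) -> List[str]:
    """Configuration checks drawn from the text: console must fall back to local; 'authorized' fails open."""
    problems = []
    if access_method == "console" and cfg.primary != "local" and cfg.secondary != "local":
        problems.append("console secondary must be local to avoid being locked out")
    if cfg.secondary == "authorized":
        problems.append("secondary 'authorized' grants access without authentication when servers are unreachable")
    return problems


def local_check(cfg: AaaConfig, username: str, password: str) -> Tuple[bool, str]:
    ok = cfg.local_users.get(username) == password
    return ok, "local password " + ("accepted" if ok else "rejected")


def authenticate(cfg: AaaConfig, username: str, password: str) -> Tuple[bool, str]:
    """Return (access granted?, reason) following the primary-then-secondary hierarchy."""
    if cfg.primary == "local":
        return local_check(cfg, username, password)
    for name, ask in cfg.servers:                   # first-choice, then backups, in order
        for _attempt in range(cfg.retransmit + 1):
            reply = ask(username, password)
            if reply is not None:
                return reply == "accept", f"{name} replied {reply}"
    # every server timed out: the secondary method decides
    if cfg.secondary == "local":
        return local_check(cfg, username, password)
    if cfg.secondary == "authorized":
        return True, "all servers unreachable; 'authorized' allows access without authentication"
    return False, "all servers unreachable; 'none' denies access"


if __name__ == "__main__":
    silent: ServerFn = lambda u, p: None            # constructed server that never answers
    cfg = AaaConfig("radius", "none", [("srv1", silent)])
    print(authenticate(cfg, "alice", "pw"))         # denied: nothing answered, secondary none
    cfg.secondary = "authorized"
    print(authenticate(cfg, "alice", "pw"), validate(cfg, "telnet"))
```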
Figure 108 Example of AAA authentication using Authorized for the secondary authentication method
Example
Suppose you already configured local passwords on the switch, but want RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (the switch local passwords):
Figure 109 Example configuration for RADIUS authentication
NOTE: If you configure the Login Primary method as local instead of radius (and local passwords are configured on the switch), then clients
that client. Thus, an authenticated user authorized for the manager privilege level must authenticate again to change privilege levels. Using the optional login privilege-mode command overrides this default behavior for clients with enable access. That is, with privilege-mode enabled, the switch immediately allows enable (manager) access to a client for whom the RADIUS server specifies this access level.
For switches that have a separate out-of-band management port, the oobm parameter specifies that the RADIUS traffic will go through the out-of-band management (OOBM) port.
[auth-port <port-number>]
Optional. Changes the UDP destination port for authentication requests to the specified RADIUS server (host). If you do not use this option with the radius-server host command, the switch automatically assigns the default authentication port number. The auth-port number must match its server counterpart.
The time window, in seconds, within which received dynamic authorization requests are considered current and accepted for processing. A zero value means there is no time limit. A non-zero value indicates that the event-timestamp attribute is expected as part of all Change of Authorization and Disconnect request messages. If the timestamp attribute is not present, the message is dropped. Default: 300 seconds.
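An added example (not HP code) of applying that time window to an incoming request: it parses the RADIUS attribute list, looks for Event-Timestamp (attribute type 55, RFC 2869) in CoA (code 43) and Disconnect (code 40) requests, and accepts or drops the message the way the text describes. The constructed sample packets, the symmetric +/- window interpretation and the zeroed authenticator are assumptions.

```python
"""Dynamic-authorization time-window check on CoA / Disconnect requests (added example, not HP code)."""
import struct
import time
from typing import List, Optional, Tuple, Union

COA_REQUEST, DISCONNECT_REQUEST = 43, 40   # RADIUS packet codes from RFC 5176
EVENT_TIMESTAMP = 55                        # attribute type from RFC 2869; value is 4-byte seconds since epoch
HEADER_LEN = 20                             # code, identifier, length, 16-byte authenticator


def parse_attributes(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk the type/length/value attribute list; reject anything that would overrun the packet."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def check_time_window(packet: bytes, window: int, now: Optional[int] = None) -> Tuple[bool, str]:
    """Apply the window rule: 0 means no limit; otherwise Event-Timestamp must be present
    and within +/- window seconds of now (assumed symmetric)."""
    now = int(time.time()) if now is None else now
    if len(packet) < HEADER_LEN:
        return False, "dropped: short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "dropped: length field does not match packet size"
    if code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False, f"dropped: code {code} is not a CoA or Disconnect request"
    try:
        attrs = parse_attributes(packet[HEADER_LEN:])
    except ValueError as exc:
        return False, f"dropped: {exc}"
    if window == 0:
        return True, "accepted: no time limit configured"
    stamps = [v for t, v in attrs if t == EVENT_TIMESTAMP]
    if not stamps:
        return False, "dropped: Event-Timestamp attribute missing"
    if len(stamps[0]) != 4:
        return False, "dropped: malformed Event-Timestamp"
    (stamp,) = struct.unpack("!I", stamps[0])
    skew = now - stamp
    if abs(skew) > window:
        return False, f"dropped: timestamp is {skew}s from now, outside the {window}s window"
    return True, f"accepted: timestamp within window (skew {skew}s)"


def build_request(code: int, ident: int, attrs: List[Tuple[int, Union[bytes, int]]]) -> bytes:
    """Construct a sample request. Integer values are encoded as 4-byte big-endian (Event-Timestamp style).
    The 16-byte authenticator is zeroed: this sample does not model the packet's integrity check."""
    body = b""
    for atype, value in attrs:
        raw = struct.pack("!I", value) if isinstance(value, int) else value
        body += bytes([atype, 2 + len(raw)]) + raw
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body


if __name__ == "__main__":
    NOW = 1_700_000_000   # constructed reference time so the sample is deterministic
    req = build_request(COA_REQUEST, 7, [(1, b"alice"), (EVENT_TIMESTAMP, NOW - 60)])
    print(check_time_window(req, 300, NOW))   # accepted: 60 s skew inside a 300 s window
    print(check_time_window(req, 30, NOW))    # dropped: 60 s skew outside a 30 s window
    print(check_time_window(build_request(DISCONNECT_REQUEST, 8, [(1, b"alice")]), 300, NOW))
```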
Configuring the switch global RADIUS parameters
Configure the switch for the following global RADIUS parameters:
• Number of login attempts: In a given session, this specifies how many tries at entering the correct username and password pair are allowed before access is denied and the session terminated. This is a general aaa authentication parameter and is not specific to RADIUS.
dyn-autz-port <1024-49151>
Specifies the UDP port number that listens for Change of Authorization or Disconnect messages. The range of ports is 1024-49151. Default: 3799
radius-server timeout <1-15>
Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure.
Figure 113 Listings of global RADIUS parameters configured in Figure 112 (page 151)
Connecting a RADIUS server with a server group
Syntax [no] radius-server host
Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can configure up to fifteen RADIUS server addresses. The switch uses the first server it successfully accesses.
Configuring the primary password authentication method for console, Telnet, SSH and WebAgent The following commands have the server-group option. If no server-group is specified, the default RADIUS group is used. The server group must already be configured. NOTE: The last RADIUS server in a server group cannot be deleted if any authentication or accounting method is using the server group.
Configures local, chap-radius (MD5), or eap-radius as the primary password authentication method for port-access. Default primary authentication: local.
[ none | authorized | server-group ]
none: No backup authentication method is used.
authorized: Allow access without authentication.
server-group: Specifies the server group to use with RADIUS.
Example 3 Configuring with FreeRADIUS
Below are the procedures necessary to create a dictionary file.
1.
Example 4 Configuring a Cisco secure ACS for MS Windows It is necessary to create a dictionary file that defines the VSAs so that the RADIUS server application can determine which VSAs to add to its user interface. The VSAs will appear below the standard attributes that can be configured in the application. The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps. 1. Create a dictionary file (for example, hp.
6. Right click and then select New > key. Add the vendor Id number that you determined in step 4 (100 in the example).
7. Restart all Cisco services.
8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry. In the Authenticate Using field choose RADIUS(HP) as an option for the type of security control protocol.
9. Select Submit + Restart to effect the change.
Configuring RADIUS accounting NOTE: This procedure assumes: • RADIUS authentication is configured on the switch for one or more access methods • One or more RADIUS servers is configured to support the switch If you have not already done so, see “RADIUS Authentication, Authorization, and Accounting” (page 141). 1. Configure the switch for accessing a RADIUS server. You can configure up to three RADIUS servers (one primary, two backup).
Configuring a switch to access a RADIUS server
Before you configure the actual accounting parameters, configure the switch to use a RADIUS server. This process is outlined in “Configuring the switch to access a RADIUS server” (page 147). Repeat this now only if one of the following applies:
• The switch is not yet configured to use a RADIUS server
• Your server data has changed
• You need to specify a non-default UDP destination port for accounting requests.
Figure 115 Example of configuring for a RADIUS Server with a non-default accounting UDP port number The radius-server command as shown in Figure 115 (page 159) above, configures the switch to use a RADIUS server at IP address 10.33.18.151, with a non-default UDP accounting port of 1750, and a server-specific key of "source0151".
Configures the RADIUS accounting service type and how data will be sent to the RADIUS server.
< exec | network | system | command > Specifies an accounting service type to configure. See “Accounting service types” (page 185).
start-stop Applies to the exec, network, and system accounting service types.
stop-only Applies to all accounting service types.
radius Uses RADIUS as the accounting protocol.
syslog Uses syslog as the accounting protocol.
interim-update Applies to the commands accounting service type.
Accounting Controls
These options are enabled separately, and define how the switch will send accounting data to a RADIUS server:
• Start-Stop Applies to the exec, network, and system accounting service types:
  • Send a "start record accounting" notice at the beginning of the accounting session and a "stop record notice" at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type.
  • Do not wait for an acknowledgement.
record when the switch boots up and an "Accounting-Off" record when the switch reboots or reloads. (Assume that Acct-Session-Id is configured for common.) Figure 118 Example of accounting session operation with "start-stop" enabled Configuring session blocking and interim updating options (Optional) These optional parameters give you additional control over accounting data.
Figure 119 Example of optional accounting update period and accounting suppression on unknown user
Configuring commands authorization on a RADIUS server
Using Vendor Specific Attributes (VSAs)
Some RADIUS-based features implemented on HP switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access-Accept packets sent to the switch may contain the vendor-specific information. The list of commands that the user is permitted (or denied) to execute is expressed as regular expressions.
and 249 characters in length. Multiple instances of this attribute may be present in Access-Accept packets. (A single instance may be present in Accounting-Request packets.) • HP-Command-Exception: A flag that specifies whether the commands indicated by the HP-Command-String attribute are permitted or denied to the user. A zero (0) means permit all listed commands and deny all others; a one (1) means deny all listed commands and permit all others.
If the VSA client limit decreases the switch-configured client limit, all clients except the client that is overriding the settings are deauthenticated. Only one client session at a time can override the port-access settings on a port. When the client session is deauthenticated, the port resets itself to the configured settings. This port reset causes the deauthentication of all clients for the port-access authentication types that had their settings changed dynamically.
Primary authentication method. Default: local
Use either the local switch user/password database or a RADIUS server for authentication.
> Specifies the server group to use
[local | none | authorized] Provides options for secondary authentication (default: none). Note that for console access, secondary authentication must be local if primary access is not local.
Viewing
Viewing RADIUS server group information
Syntax: show server-group radius
Displays the same information as the show radius command, but displays the servers in their server groups.
NOTE: For the 3800, 5400zl, and 8200zl switches, when the switch is in enhanced secure mode, you are prompted about displaying sensitive information before the command is executed. See “Secure Mode (3800, 5400zl, and 8200zl Switches)” (page 498).
Figure 121 Example of output from show authentication command Figure 122 Example of output from show accounting command Viewing and changing the SNMP access configuration Syntax: snmp-server mib hpswitchauthmib < excluded | included > included Enables manager-level SNMP read/write access to the switch authentication configuration (hpSwitchAuth) MIB. excluded Disables manager-level SNMP read/write access to the switch authentication configuration (hpSwitchAuth) MIB.
Example To disable SNMP access to the switch authentication MIB and then display the result in the Excluded MIB field, execute the following two commands. Figure 123 Disabling SNMP access to the authentication MIB and displaying the result An alternate method of determining the current Authentication MIB access state is to use the show run command.
Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed. Figure 125 Example of show authorization command Viewing RADIUS Statistics Syntax: show radius [host< ip-addr>] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host.
Table 11 Values for show radius host output
Term             Definition
Round Trip Time  The time interval between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server.
Pending Requests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response. This variable is incremented when an Accounting-Request is sent and decremented on receipt of an Accounting-Response, a timeout or a retransmission.
Figure 128 Example of login attempt and primary/secondary authentication information from the show authentication command Figure 129 Example of RADIUS authentication information from a specific server Viewing port-access information The show port-access summary command displays the dynamically changed client limit settings. Syntax: show port-access summary [radius-overridden] Displays summary configuration information for all ports, including the ports that have client limits set by RADIUS VSAs.
To display the configuration information for just those ports that are dynamically overridden by RADIUS attributes, use the show port-access summary radius-overridden command. Figure 131 Example of output for client-limit values that are RADIUS overridden Viewing RADIUS accounting statistics Syntax: show accounting Lists configured accounting interval, "Empty User" suppression status, session ID, accounting types, methods, and modes.
Using
Using multiple RADIUS server groups
The authentication and accounting features on the switch can use up to fifteen RADIUS servers and these servers can be put into groups. Up to 5 groups of 3 RADIUS servers each can be configured. The authentication and accounting features can choose which RADIUS server group to communicate with. End-user authentication methods (802.
< secondary-method> Allows reauthentications to succeed when the RADIUS server is unavailable. Users already authenticated retain their currently-assigned session attributes. The primary methods for port-access authentication are local, chap-radius, or eap-radius. The primary method for web-based or mac-based authentication is chap-radius. The secondary methods can be none, authorized, or cached-reauth. Default secondary authentication for all types of port access: none.
Example 6 To enable the RADIUS protocol as the authorization method:
HP Switch(config)# aaa authorization commands radius
When the NAS sends the RADIUS server a valid username and password, the RADIUS server sends an Access-Accept packet that contains two attributes: the command list and the command exception flag.
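The policy evaluation described above and under "Using Vendor Specific Attributes (VSAs)", as an added illustration rather than switch software: an Access-Accept carrying several HP-Command-String instances and one HP-Command-Exception flag is reduced to a list of regular expressions plus a 0/1 flag, and each entered CLI command is then permitted or denied accordingly. The Access-Accept contents, the use of attribute names as keys (in place of the numeric VSA ids, which this part of the guide does not list), anchored whole-line regex matching, and the default of 0 when the flag is absent are all assumptions of the example.

```python
import re
from typing import Iterable, List, Sequence, Tuple

# Attribute names stand in for the numeric HP VSA ids (assumption: the ids
# are not given in this part of the guide).
HP_COMMAND_STRING = "HP-Command-String"
HP_COMMAND_EXCEPTION = "HP-Command-Exception"
MAX_COMMAND_STRING_LEN = 249  # upper length bound stated for HP-Command-String

PERMIT_LISTED = 0  # exception flag 0: permit listed commands, deny all others
DENY_LISTED = 1    # exception flag 1: deny listed commands, permit all others


def extract_command_policy(avps: Iterable[Tuple[str, str]]) -> Tuple[List[str], int]:
    """Collect the command regexes and the exception flag from an Access-Accept.

    `avps` is a constructed list of (attribute-name, value) pairs in packet
    order. Several HP-Command-String instances may be present; each is one
    regular expression. A missing flag defaults to 0 (assumption).
    """
    patterns: List[str] = []
    exception = PERMIT_LISTED
    for name, value in avps:
        if name == HP_COMMAND_STRING:
            if not 1 <= len(value) <= MAX_COMMAND_STRING_LEN:
                raise ValueError(
                    f"{HP_COMMAND_STRING} must be 1-{MAX_COMMAND_STRING_LEN} characters")
            patterns.append(value)
        elif name == HP_COMMAND_EXCEPTION:
            flag = int(value)
            if flag not in (PERMIT_LISTED, DENY_LISTED):
                raise ValueError(f"{HP_COMMAND_EXCEPTION} must be 0 or 1, got {flag}")
            exception = flag
    return patterns, exception


def command_authorized(command: str, patterns: Sequence[str], exception: int) -> bool:
    """Decide whether one CLI command line may run under the returned policy.

    Matching is anchored to the whole command line (assumption: the guide
    says the entries are regular expressions but not how they are anchored).
    """
    cmd = " ".join(command.split())  # normalise whitespace between words
    listed = any(re.fullmatch(p, cmd) for p in patterns)
    return listed if exception == PERMIT_LISTED else not listed


# Constructed Access-Accept contents: an operator allowed only show and ping.
SAMPLE_ACCESS_ACCEPT = [
    (HP_COMMAND_STRING, r"show .*"),
    (HP_COMMAND_STRING, r"ping .*"),
    (HP_COMMAND_EXCEPTION, "0"),
]

if __name__ == "__main__":
    patterns, flag = extract_command_policy(SAMPLE_ACCESS_ACCEPT)
    for line in ("show running-config", "ping 10.10.10.1", "configure", "show  vlan  1"):
        verdict = "permit" if command_authorized(line, patterns, flag) else "deny"
        print(f"{line!r}: {verdict}")
```

With the flag at 1 the same two patterns become a deny list, so "configure" is permitted and every show or ping command is refused; whichever mode is used, the unlisted side of the policy is decided entirely by the flag.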
Syntax: [no] aaa authorization group group-name <1-2147483647> match-command command-string [log]
Create a local authorization group with the specified name. The name is case-sensitive and may not contain spaces. Duplicate names are not allowed. You can create a maximum of 16 groups. The name of the group can have a maximum of 16 characters.
<1-2147483647> The evaluation order for the match commands.
match-command The CLI command to match.
Figure 138 Configuring authorized commands for a group in the correct order Some commands cause the switch CLI to enter a special context, such as test mode, and the input is not processed by the normal CLI. Keyboard input is not checked against the command authorization group. If these special contexts are permitted, the user can proceed outside the control and logging of the command group configuration.
Syntax: show authorization group [group-name] Displays information about users and command authorization for command groups. Figure 140 Showing command information for all groups Specifying the group parameter without any group names displays information for all configured groups. Changing RADIUS-server access order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. NOTE: list.
To exchange the positions of the addresses so that the server at 10.10.10.3 is the first choice and the server at 10.10.10.1 is the last, perform the following:
1. Delete 10.10.10.3 from the list. This opens the third (lowest) position in the list.
2. Delete 10.10.10.1 from the list. This opens the first (highest) position in the list.
3. Re-enter 10.10.10.3. Because the switch places a newly entered address in the highest-available position, this address becomes first in the list.
4. Re-enter 10.10.10.1.
NOTE: All usernames, passwords, and keys configured in the hpSwitchAuth MIB are not returned via SNMP, and the response to SNMP queries for such information is a null string. However, SNMP sets can be used to configure username, password, and key MIB objects. To help prevent unauthorized access to the switch authentication MIB, HP recommends reviewing “Viewing and changing the SNMP access configuration” (page 168).
Example 7
1. A cached-reauth-period is set to 900 seconds (15 minutes) and the reauth period is 180 seconds.
2. A client is successfully authenticated or reauthenticated.
3. The RADIUS server becomes unavailable. In 180 seconds from the authentication in step 1, 802.1X or web-based/MAC authentication initiates reauthentication.
4. In X seconds after the initiation of authentication in step 3 (1 to 30 seconds if default values for 802.1X or web-based/MAC authentication are used), 802.
then you can still get access to either the operator or manager level of the switch by entering the correct username/password pair for the level you want to enter. • If the username/password pair entered at the requesting terminal does not match either local username/password pair previously configured in the switch, access is denied. In this case, the terminal is again prompted to enter a username/password pair. In the default configuration, the switch allows up to three attempts.
If a switch port is configured to accept multiple 802.1X and/or web-based or MAC authentication client sessions, all authenticated clients must use the same port-based, untagged VLAN membership assigned for the earliest, currently active client session. On a port where one or more authenticated client sessions are already running, all clients are on the same untagged VLAN.
diagnose network operational problems and generate reports on terminated sessions. This attribute provides extended information on the statistics provided by the acct-terminate-cause attribute. • Change-of-Authorization (CoA) (RFC 3576 Dynamic Authorization Extensions to RADIUS): A mechanism that allows a RADIUS server to dynamically disconnect messages (DM) or change the authorization parameters (such as VLAN assignment) used in an active client session on the switch.
Table 13 Client records provided under port-based access control (continued)
• Acct-Terminate-Cause
• Nas-Port
• NAS-Identifier
• Acct-Authentic
• Acct-Output-Octets
• Calling-Station-Id
• Acct-Delay-Time
• Acct-Session-Time
• HP-acct-terminate-cause
• Acct-Input-Packets
• User-Name
• MS-RAS-Vendor
Exec accounting Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch:
• Acct-Session-Id
• Acct-Delay-Time
• NAS-IP-Address
• A
The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server. For more information on this aspect of RADIUS accounting, see the documentation provided with your RADIUS server.
Figure 145 Accounting in the (default) unique mode Common Acct-Session-ID operation In this case, all service types running in a given management session operate as subprocesses of the same parent process, and the same Acct-Session-ID is used for accounting of all service types, including successive CLI commands.
Figure 146 Accounting in common mode (same session ID throughout) Dynamic removal of authentication limits Overview In some situations, it is desirable to configure RADIUS attributes for downstream supplicant devices that allow dynamic removal of the 802.1X, MAC, and web-based authentication limits on the associated port of the authenticator switch. This eliminates the need to manually reconfigure ports associated with downstream 802.
Authentication with RADIUS allows for a unique password for each user, instead of the need to maintain and distribute switch-specific passwords to all users. RADIUS verifies identity for the following types of primary password access to the HP switch: • Serial port (console) • Telnet • SSH • SFTP/SCP • WebAgent (8212zl, 5400zl, 4200vl, 2800s as of software version I.08.60, and 2600s as of software version H.08.58 switches) • Port-Access (802.
Executive accounting Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch:
• Acct-Session-ID
• Acct-Delay-Time
• NAS-IP-Address
• Acct-Status-Type
• Acct-Session-Time
• NAS-Identifier
• Acct-Terminate-Cause
• User-Name
• Calling-Station-Id
• Acct-Authentic
• Service-Type
• MS-RAS-Vendor
System accounting Provides records containing the information listed below when system events occur on the switch, including system reset, system boot, and enabling or disab
The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server. For more information on this aspect of RADIUS accounting, see the documentation provided with your RADIUS server. Operating rules for RADIUS accounting • You can configure up to four types of accounting to run simultaneously: exec, system, network, and command. • RADIUS servers used for accounting are also used for authentication.
Figure 147 Accounting in the (default) unique mode
Common Acct-Session-ID operation
In this case, all service types running in a given management session operate as subprocesses of the same parent process, and the same Acct-Session-ID is used for accounting of all service types, including successive CLI commands.
Figure 148 Accounting in common mode (with same session ID throughout)
Radius-administered CoS and rate-limiting
The switches covered in this guide take advantage of vendor-specific attributes (VSAs) applied in a RADIUS server to support these optional, RADIUS-assigned attributes: • 802.
access ports by creating new RADIUS HP vendor-specific attributes (VSAs) that will dynamically override the authentication limits. The changes are always applied to the port on the authenticator switch associated with the supplicant being authenticated. NOTE: All the changes requested by the VSAs must be valid for the switch configuration. For example, if either MAC or web-based port access is configured while 802.1X port access is in client mode, a RADIUS client with a VSA to change the 802.
HP Switches take advantage of vendor-specific attributes (VSAs) applied in a RADIUS server to support the following optional, RADIUS-assigned attributes: • 802.1p (CoS) priority assignment to inbound traffic on specified ports (port-access authentication only) • Per-Port Rate-Limiting on a port with an active link to an authenticated client (port-access authentication only) Commands authorization on HTTPS overview The RADIUS protocol combines user authentication and authorization steps into one phase.
well, for example, the Configuration Report. The Wizard utility is not accessible in the Navigation pane if the setup command is not allowed. If the user is not authorized to use the WebAgent, the WebAgent displays a blank window with a message that states “You are not authorized to access Web UI”. In some cases, there may be authorization to configure a subset of options or values.
Message Meaning
you also see the message Can’t reach RADIUS server < x.x.x.x >, try the suggestions listed for that message.
Not legal combination of authentication methods. Indicates an attempt to configure local as both the primary and secondary authentication methods. If local is the primary method, then none must be the secondary method.
7 RADIUS server support for switch services
Configuring
Configuring the switch to support RADIUS-assigned ACLs
An ACL configured in a RADIUS server is identified by the authentication credentials of the client or group of clients the ACL is designed to support. When a client authenticates with credentials associated with a particular ACL, the switch applies that ACL to the switch port the client is using.
3. Configure an authentication method. Options include 802.1X, web-based authentication, and MAC authentication. You can configure 802.1X, web-based authentication, and/or MAC authentication to operate simultaneously on the same ports. 802.1X Option: Syntax: aaa port-access authenticator aaa authentication port-access chap-radius aaa port-access authenticator active These commands configure 802.1X port-based access control on the switch, and activates this feature on the specified ports.
Table 14 Application of RADIUS-Assigned Values
Dynamic RADIUS assignment options: 802.1p Priority (CoS)
Static per-port setting options: qos priority <0 - 7>
Application of dynamic RADIUS assignment: Applies per-client; that is, only to the client whose authentication triggered the assignment. (Up to 32 clients supported per-port.
"X" authenticates with web-based authentication on port 4 with a RADIUS server that assigns a priority of 3, an inbound rate-limit of 10,000 kbps, and an outbound rate-limit of 50,000 kbps, then: • The inbound traffic from client "X" will be subject to a priority of 3 and inbound rate-limit of 10,000 kbps. Traffic from other clients using the port will not be affected by these values.
These commands show the CLI-configured rate-limiting and port priority for the selected ports. They also include indications of RADIUS-assigned rate-limiting and client traffic priority settings for any clients that may be authenticated on the same ports.
Figure 152 Switch identity information for a freeRADIUS application 3. For a given client username/password pair or MAC address, create an ACL by entering one or more ACEs in the FreeRADIUS "users" file. Remember that every ACL created automatically includes an implicit deny in ip from any to any ACE.
1. Enter the following in the FreeRADIUS dictionary.hp file: • HP vendor-specific ID • ACL VSA for IPv6 ACLs (63) • HP-Nas-Rules-IPv6 VALUE setting to specify both IPv4 and IPv6 (1) Figure 154 Configuring the VSA for RADIUS-assigned IPv6 and IPv4 ACLs in a FreeRADIUS server 2. Enter the switch IPv4 address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.
3. For a given client username/password pair, create an ACL by entering one or more IPv6 and IPv4 ACEs in the FreeRADIUS "users" file. Remember that the ACL created to filter both IPv4 and IPv6 traffic automatically includes an implicit deny in ip from any to any ACE at the end of the ACL in order to drop any IPv4 and IPv6 traffic that is not explicitly permitted or denied by the ACL. For example, to create ACL support for a client having a username of "Admin01" and a password of "myAuth9".
2. Enter the switch IPv4 address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file: Figure 158 Switch identity information for a freeRADIUS application 3. For a given client username/password pair, create an ACL by entering one or more IPv4 ACEs in the FreeRADIUS "users" file.
Note: If there are no ACLs currently assigned to any port in , executing this command returns only the system prompt. If a client authenticates but the server does not return a RADIUS-assigned ACL to the client port, then the server does not have a valid ACL configured and assigned to that client's authentication credentials.
MAC Address During an authenticated session, shows the MAC address of the authenticated client. • Access Policy Details: COS Map Indicates the 802.1p priority assigned by the RADIUS server for traffic inbound on the port from an authenticated client. The field shows an eight-digit value where all digits show the same, assigned 802.1p number. For example, if the assigned 802.1p value is 5, then this field shows 55555555. If an 802.
Table 15 ICMP type numbers and keywords
IPv4 ICMP                          IPv6 ICMP
#   Keyword                        #    Keyword
0   echo reply                     1    destination unreachable
3   destination unreachable        2    packet too big
4   source quench                  3    time exceeded
5   redirect                       4    parameter problem
8   echo request                   128  echo request
9   router advertisement           129  echo reply
10  router solicitation            130  multicast listener query
11  time-to-live exceeded          131  multicast listener reply
12  IP header bad                  132  multicast listener done
13  timestamp request              1
Table 16 RADIUS services supported on the switch (continued)
Service | Application | Standard RADIUS attribute (1) | HP vendor-specific attribute (VSA) (2)
IPv6 and/or IPv4 ACEs (NAS-Filter-Rule) | per-user | 92 | 61
NAS-Rules-IPv6 (sets IP mode to IPv4-only or IPv4 and IPv6) | per-user | — | 63
(1) HP recommends using the Standard RADIUS attribute if available.
Table 17 CoS and rate-limiting services (continued) Service Control method and operating notes Assigns a RADIUS-configured bandwidth limit to the inbound packets received from a specific client authenticated on a port. VSA: 46 Note: Beginning with software release K.14.01, this attribute is assigned per-authenticated-user instead of per-port. To assign a per-port inbound rate limit, use the rate-limit all in CLI command instead of this option.
Table 18 RADIUS-assigned rate-limit increments
RADIUS-assigned bits-per-second rate limit   Applied rate-limiting increment
1 - 10,999,999                               100 Kbps
11,000,000 - 100,999,999                     1 Mbps
101,000,000 - 999,999,999                    10 Mbps
1,000,000,000 - 10 Gbps                      100 Mbps
For example, some of the following RADIUS-assigned rates fall between their respective incremental values, resulting in applied rates lower than the RADIUS-assigned rates.
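The rounding behind Table 18, as an added worked example that is not part of the guide: a RADIUS-assigned bits-per-second value is looked up in its band and rounded down to that band's increment, which is what makes an in-between value end up lower than assigned. The sample rates are constructed, and the rejection of values below the first 100 Kbps increment is an assumption, since the table does not say how those are applied.

```python
from typing import List, Tuple

# Table 18, as (lowest bps, highest bps, increment bps) per band.
RATE_LIMIT_INCREMENTS: Tuple[Tuple[int, int, int], ...] = (
    (1, 10_999_999, 100_000),                      # 100 Kbps steps
    (11_000_000, 100_999_999, 1_000_000),          # 1 Mbps steps
    (101_000_000, 999_999_999, 10_000_000),        # 10 Mbps steps
    (1_000_000_000, 10_000_000_000, 100_000_000),  # 100 Mbps steps, up to 10 Gbps
)


def applied_rate_limit(radius_bps: int) -> int:
    """Return the rate the switch applies for a RADIUS-assigned bps value.

    The value is rounded down to the increment of its band; a value that is
    already a multiple of the increment is applied unchanged.
    """
    for low, high, step in RATE_LIMIT_INCREMENTS:
        if low <= radius_bps <= high:
            applied = (radius_bps // step) * step
            if applied == 0:
                # Assumption: Table 18 does not say how a value below the
                # smallest 100 Kbps increment is applied, so refuse it here.
                raise ValueError(f"{radius_bps} bps is below the smallest increment")
            return applied
    raise ValueError(f"{radius_bps} bps is outside the 1 bps - 10 Gbps range of Table 18")


def rate_limit_report(rates: List[int]) -> List[Tuple[int, int, bool]]:
    """(assigned bps, applied bps, reduced?) for each assigned rate."""
    report = []
    for assigned in rates:
        applied = applied_rate_limit(assigned)
        report.append((assigned, applied, applied < assigned))
    return report


# Constructed sample of RADIUS-assigned rates, one per band plus edge values.
SAMPLE_RATES = [5_000_000, 10_999_999, 11_000_000, 155_500_000, 1_234_567_890]

if __name__ == "__main__":
    for assigned, applied, reduced in rate_limit_report(SAMPLE_RATES):
        note = "reduced" if reduced else "applied as assigned"
        print(f"{assigned:>14,} bps -> {applied:>14,} bps ({note})")
```

Note the discontinuity at a band boundary: 10,999,999 bps is applied as 10,900,000 bps, while 11,000,000 bps is applied exactly, so a server-side value chosen just under a boundary loses more than one chosen just above it.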
Rate-limit assignment method | Outbound rate-limit actions and restrictions
VSA 46 | up to the port's physical capacity, unless the available bandwidth on the port has been reduced by a CLI-assigned per-port bandwidth limit.
CLI egress rate-limit per-port | Determines the maximum egress bandwidth available on the port, unless there is also a RADIUS-assigned per-port rate limit on the port.
A RADIUS-assigned ACL filters IP traffic entering the switch from the client whose authentication caused the ACL assignment. Filter criteria is based on: • Destination address • IPv4 or IPv6 traffic type (such as TCP and UDP traffic) Implementing the feature requires: • RADIUS authentication using the 802.
Depending on the ACL configuration in the RADIUS server, the ACLs described in this section filter either IPv4 traffic only or both IPv4 and IPv6 traffic. These ACLs do not filter non-IP traffic such as AppleTalk and IPX. Contrasting RADIUS-assigned and static ACLs Table 21 (page 216) highlights several key differences between the static ACLs configurable on switch VLANs and ports, and the dynamic ACLs that can be assigned by a RADIUS server to filter IP traffic from individual clients.
Table 21 Contrasting dynamic (RADIUS-assigned) and static ACLs (continued)
RADIUS-assigned ACLs: Requires client authentication by a RADIUS server configured to dynamically assign an ACL to a client on a switch port, based on client credentials.
Static port and VLAN ACLs: A VACL can be applied on a VLAN to filter either IPv4 or IPv6 traffic entering the switch through a port on that VLAN. A static port ACL can be applied on a port to filter either IPv4 or IPv6 traffic entering the switch through that port.
NOTE: Implicit Deny Every RADIUS-assigned ACL ends with an implicit deny in ACE for both IPv4 and IPv6 traffic. This implicit ACE denies any IP traffic that is not specifically permitted. To override this default, configure an explicit permit in ip from any to any as the ACL's last explicit ACE.
The packet-filtering process Packet-filtering in an applied ACL is sequential, from the first ACE in the ACL to the implicit deny any any following the last explicit ACE. This operation is the same regardless of whether the ACL is applied dynamically from a RADIUS server or statically in the switch configuration. CAUTION: ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security.
be applied for each authenticated client. Inbound IP traffic from any client whose authentication does not result in a RADIUS-assigned ACL will be blocked and the client will be deauthenticated. Also, if 802.1X port-based access is configured on the port, only one client can be authenticated on the port at any given time. In this case, no other inbound client traffic is allowed.
Table 22 Nas-Filter-Rule Attribute Options (continued)
Service | Control method and operating notes
one instance of this VSA must be included in the ACL. Note that this attribute supports either of the following IP modes for Nas-filter-Rule ACEs:
• both IPv6 and IPv4 traffic
• only IPv4 traffic
HP vendor-specific ID: 11
VSA: 63 (string=HP-Nas-Rules-IPv6)
• IPv6 and IPv4 ACLs: integer = 1 (Using this option causes the ACL to filter both IPv4 and IPv6 traffic.
Table 22 Nas-Filter-Rule Attribute Options (continued) Service Control method and operating notes Assigns a RADIUS-configured IPv4 ACL to filter inbound IPv4 packets received from a specific client authenticated on a switch port. This attribute is maintained for legacy purposes (for configurations predating software release K.14.01) to support ACEs in RADIUS-assigned ACLs capable of filtering only IPv4 traffic.
Specifies whether to forward or drop the identified IP traffic type from the authenticated client. (For information on explicitly permitting or denying all inbound IP traffic from an authenticated client, or for implicitly denying all such IP traffic not already permitted or denied, see “Configuration notes” (page 224).) in Required keyword specifying that the ACL applies only to the traffic inbound from the authenticated client. Options for specifying the type of traffic to filter.
For example, the any destinations in the following ACL apply to both IPv4 and IPv6 traffic: HP-Nas-Rules-IPv6=1Nas-filter-Rule="permit in tcp from any to any 23" Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24" Nas-filter-Rule+="permit in ip from any to fe80::d1:1/120" Nas-filter-Rule+="deny in ip from any to any" host Specifies a single destination IPv4 address. Specifies a series of contiguous destination addresses or all destination addresses in a subnet.
Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=1 See Table 22 (page 220) for information on the above attributes. Explicitly permit only the IPv4 traffic from an authenticated client Any of the following three options for ending a RADIUS-assigned ACL explicitly permit all of the client's inbound IPv4 traffic not previously permitted or denied. These options also deny any of the client's IPv6 traffic not previously permitted or denied.
Causes of client deauthentication immediately after authenticating
• ACE formatted incorrectly in the RADIUS server
  • from, any, or to keyword missing.
  • An IPv4 or IPv6 protocol number in the ACE exceeds 255.
  • An optional UDP or TCP port number is invalid, or a UDP/TCP port number is specified when the protocol is neither UDP nor TCP.
• A RADIUS-assigned ACL limit has been exceeded.
  • An ACE in the ACL for a given authenticated client exceeds 80 characters.
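A checker that applies the deauthentication causes listed above to Nas-filter-Rule ACEs before they are loaded into the server, as an added example that is not HP's code. The ACE grammar it accepts (permit|deny in <protocol> from any to <any|host addr|addr/prefix> [port]) is taken from the examples shown in this chapter; the set of accepted protocol names, the rule that a port is only allowed with the names tcp and udp, and the sample ACL are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_ACE_LEN = 80  # an ACE longer than this deauthenticates the client
# Protocol names seen in this chapter's examples plus icmp (assumption:
# the switch may accept further names).
NAMED_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_PROTOCOLS = {"tcp", "udp"}  # only these may carry a trailing port


class AceError(ValueError):
    """An ACE the switch would reject, causing client deauthentication."""


@dataclass
class Ace:
    action: str          # permit or deny
    protocol: str        # ip, tcp, udp, icmp or a number 0-255
    destination: str     # any, host <addr>, or <addr>/<prefix-length>
    port: Optional[int]  # present only for tcp/udp


def parse_ace(text: str) -> Ace:
    """Parse one Nas-filter-Rule value, raising AceError for each listed cause."""
    if len(text) > MAX_ACE_LEN:
        raise AceError(f"ACE exceeds {MAX_ACE_LEN} characters ({len(text)})")
    tokens = text.split()
    if len(tokens) < 7:
        raise AceError("ACE too short: expected '<permit|deny> in <proto> from any to <dest>'")
    action, direction, protocol, kw_from, source, kw_to = tokens[:6]
    rest = tokens[6:]
    if action not in ("permit", "deny"):
        raise AceError(f"unknown action {action!r}")
    if direction != "in":
        raise AceError("'in' keyword missing")
    if kw_from != "from":
        raise AceError("'from' keyword missing")
    if source != "any":
        raise AceError("'any' source keyword missing")
    if kw_to != "to":
        raise AceError("'to' keyword missing")
    if protocol.isdigit():
        if int(protocol) > 255:
            raise AceError(f"protocol number {protocol} exceeds 255")
    elif protocol not in NAMED_PROTOCOLS:
        raise AceError(f"unknown protocol {protocol!r}")
    # Destination: any | host <address> | <address>/<prefix-length>
    if rest[0] == "any":
        destination, rest = "any", rest[1:]
    elif rest[0] == "host":
        if len(rest) < 2:
            raise AceError("'host' keyword without an address")
        ipaddress.ip_address(rest[1])  # ValueError if malformed
        destination, rest = f"host {rest[1]}", rest[2:]
    else:
        ipaddress.ip_network(rest[0], strict=False)  # ValueError if malformed
        destination, rest = rest[0], rest[1:]
    port = None
    if rest:
        if protocol not in PORT_PROTOCOLS:
            raise AceError(f"port given but protocol {protocol!r} is neither TCP nor UDP")
        if len(rest) != 1 or not rest[0].isdigit() or not 1 <= int(rest[0]) <= 65535:
            raise AceError(f"invalid TCP/UDP port {' '.join(rest)!r}")
        port = int(rest[0])
    return Ace(action, protocol, destination, port)


def check_acl(aces: List[str]) -> List[str]:
    """One message per ACE the switch would reject; an empty list means usable.

    The implicit 'deny in ip from any to any' that follows the last ACE is
    appended by the switch and needs no checking here.
    """
    problems = []
    for index, text in enumerate(aces, start=1):
        try:
            parse_ace(text)
        except ValueError as exc:  # AceError or an ipaddress parsing error
            problems.append(f"ACE {index} {text!r}: {exc}")
    return problems


# Constructed ACL following the Nas-filter-Rule examples in this chapter.
SAMPLE_ACL = [
    "permit in tcp from any to any 23",
    "permit in ip from any to 10.10.10.1/24",
    "permit in ip from any to fe80::d1:1/120",
    "deny in ip from any to any",
]

if __name__ == "__main__":
    print("sample ACL problems:", check_acl(SAMPLE_ACL) or "none")
    print(check_acl(["permit in 300 from any to any", "permit in ip from any to any 23"]))
```

Running the checker over the users file entries before a client tests against them turns a silent deauthentication on the switch into a readable message naming the ACE and the rule it breaks.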
8 Secure Shell (SSH) Configuring Steps for configuring and using SSH for switch and client authentication For two-way authentication between the switch and an SSH client, you must use the login level.
5. Configure the primary and secondary authentication methods for the switch to use. In all cases, the switch will use its host public key to authenticate itself when initiating an SSH session with a client.
• SSH Login (operator) options:
  • Option A: Primary: Local, TACACS+, or RADIUS password. Secondary: Local password or none. If the primary option is local, the secondary option must be none.
to the switch. Some SSH client applications automatically add the switch public key to a "known hosts" file. Other SSH applications require you to manually create a known hosts file and place the switch public key in the file. See the documentation for your SSH client application for more details. Note: The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.
[fingerprint] Displays fingerprints of the switch public key in hexadecimal format; see “Displaying the Public Key” (page 232).

Example

To generate and display a new key:

Figure 163 Example of generating a public/private host key pair for the switch

To compare the switch key to the key stored in your client's known-hosts file, note that the formatting and comments need not match.

NOTE: "Zeroizing" the switch key automatically disables SSH (sets ip ssh to no).
Figure 164 A public key generated by the switch

NOTE: The generated public key on the switch is always 896 bits.

With a direct serial connection from a management station to the switch:
a. Use a terminal application such as HyperTerminal to display the switch public key with the show crypto host public-key command; see Figure 163 (page 230).
b. Bring up the SSH client's "known host" file in a text editor such as Notepad as straight ASCII text, and copy the switch public key into the file.
c.
Displaying the Public Key

The switch provides three options for displaying its public key. This is helpful if you need to visually verify that the public key the switch is using for authenticating itself to a client matches the copy of this key in the client's "known hosts" file:
• Non-encoded ASCII numeric string: Requires that the client can display the keys in the "known hosts" file in ASCII format. This method is tedious and error-prone due to the length of the keys. See Figure 165 (page 231).
4. Enable SSH on the switch and anticipate SSH client contact behavior. The ip ssh command enables or disables SSH on the switch, and modifies parameters the switch uses for transactions with clients. After you enable SSH, the switch can authenticate itself to SSH clients. NOTE: Before enabling SSH on the switch you must generate the switch public/private key pair. If not yet done, see Step 2. When configured for SSH, the switch uses its host public key to authenticate itself to SSH clients.
• aes192-cbc
• aes256-cbc
• aes128-ctr
• aes192-ctr
• aes256-ctr
Default: All cipher types are available.
NOTE: For the 3800, 5400zl, and 8200zl switches, when the switch is in enhanced secure mode, there are fewer cipher options; the cipher 3des-cbc is not available. See “Secure Mode (3800, 5400zl, and 8200zl Switches)” (page 498).
Use the no form of the command to disable a cipher type.
[filetransfer] Enable/disable secure file transfer capability.
[ listen ] The listen parameter is available only on switches that have a separate out-of-band management port. Values for this parameter are:
• oobm: inbound SSH access is enabled only on the out-of-band management port.
• data: inbound SSH access is enabled only on the data ports.
• both: inbound SSH access is enabled on both the out-of-band management port and on the data ports. This is the default value.
5. Configure the switch for SSH authentication. Note that all methods in this section result in authentication of the switch public key by an SSH client. However only Option B below results in the switch also authenticating the client's public key. Also, for a more detailed discussion of the topics in this section, see “SSH client public-key authentication notes” (page 243). NOTE: HP recommends that you always assign a manager-level (enable) password to the switch.
Configures the switch to authenticate a client public key at the login level with an optional secondary password method. Default: none

Syntax: aaa authentication ssh enable
Configures a password method for the primary and secondary enable (manager) access. If you do not specify an optional secondary method, it defaults to none. If the primary access method is local, you can only specify none for a secondary access method.
Figure 170 SSH configuration and client public-key listing from figure

6. Use an SSH client to access the switch. Test the SSH configuration on the switch to ensure that you have the level of SSH operation needed for the switch. If you have problems, see "RADIUS-Related Problems" in the Management and Configuration Guide for your switch.

Disable Username Prompt For Management Interface Authentication in the Quick Base system

Authentication bypass for the username when logging onto the switch.
event log message (warning) will be logged that relates to this command. The event log message will be similar to the following:
W 05/22/13 21:02:06 00419 auth: Bypassing the username for Operator and Manager access level is enabled
NOTE: The protocols SFTP and SCP, which are based on SSH, exhibit the same behavior as SSH. There are no changes required for PCM and IDM.
Figure 171 User login screen

Switch behavior with SSH

There is no username prompt in SSH (for example: ssh any_username@IP-address). The following configuration examples are related to SSH:

SSH configuration example 1

In the following configuration, the password is entered without the username. Once the enable command is entered, the username prompt will be bypassed.
SSH configuration example 4

Operator password: Set
Operator username: Not set
Manager password: Set
Manager username: Not set
Both Operator and Manager passwords are the same.
• Entering the password logs onto the switch in manager mode.

Figure 172 SSH configuration screen

Switch behavior with WebUI

The user is prompted for both username and password. Any entry in the username field, including a blank entry, is allowed. This holds for all of the configurations below.
WebUI configuration example 3

Operator password: Set
Operator username: Not set
Manager password: Set
Manager username: Not set
• Logging in using the operator password logs onto the switch in operator mode.
• Entering only the manager password logs onto the switch in manager mode.
About configuring SSH Prerequisite for using SSH Before using the switch as an SSH server, install a publicly or commercially available SSH client application on the computers to be used for management access to the switch. For client public-key authentication the client program must have the capability to generate or import keys, see “Client Public-Key authentication (login/operator level) with user password authentication (enable/manager level)” (page 254) for more details.
NOTE: Without using client public-key authentication you can still require authentication from whoever attempts to access the switch from an SSH client, by employing the local username/password, TACACS+, or RADIUS features. See Step 5.

If you enable client public-key authentication, the following events occur when a client tries to access the switch using SSH:
1. The client sends its public key to the switch with a request for authentication.
2.
• The private key should be passphrase protected for highest security; the user is prompted to enter the passphrase. • The private key can be configured by copying it to the SSH client switch, using the copy command. • If the public-key authentication fails or the client has not been configured with a key pair, the "password" method of authentication is used and the user is prompted for a password. • Successful TACACS or RADIUS logins will give the user either operator or manager privileges.
Message / Meaning

... command, the switch displays this message while it is generating the key.

Host RSA key file corrupt or not found. Use 'generate ssh [dsa] [rsa]' to create new host key. / The switch key is missing or corrupt. Use the generate ssh [dsa] [rsa] command to generate a new key for the switch.
If no username is configured, the username of the current login is used. There will be a prompt for a password if needed.
hostname: Hostname of the remote system.
IPv4: IPv4 address of the remote system.
IPv6: IPv6 address of the remote system.
[port <1-65535>]: The TCP port running the SSH server on the remote system. If no port number is specified, the default port 22 is used.
NOTE: Comments in public-key files may appear in an SSH client application's generated public key. While such comments may help to distinguish one key from another, they do not pose any restriction on the use of a key by multiple clients and/or users. Public key illustrations such as the key shown in Figure 176 (page 247) usually include line breaks as a method for showing the whole key. However, in practice, line breaks in a public key will cause errors resulting in authentication failure.
1.
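Two points from this chapter are easy to get wrong when keys are moved by hand: a key compared by fingerprint must be compared on the decoded key material, so that comments and formatting "need not match" (see the fingerprint discussion under generating the host key), and a key pasted with a line break in it will not authenticate. The following script is an added example, not HP or OpenSSH code, that decodes an OpenSSH-style public-key line, computes the hexadecimal (MD5) and SHA256 fingerprints, compares a switch key with a plain known_hosts entry, and rejects a line-wrapped key. The sample key is constructed from tiny made-up numbers purely to exercise the encoding and is not a usable RSA key; the hostname 10.10.10.5 and the comments are likewise made up.

```python
"""Fingerprint an SSH host public key and compare it with a known_hosts entry.
Added example, not HP or OpenSSH code. It decodes the key blob so that, as the
page says, comments and formatting need not match, and it refuses a key that
was pasted with a line break in it. The sample key is built from small made-up
numbers to exercise the encoding only; it is not a usable RSA key."""
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """SSH mpint for a positive integer: shortest big-endian form with a leading
    zero byte whenever the top bit would otherwise be set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_public_key_line(e, n, comment=""):
    """Assemble an OpenSSH-style 'ssh-rsa <base64 blob> [comment]' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def parse_public_key_line(line):
    """Return (key_type, blob) for one public-key line; the comment is dropped."""
    body = line.strip()
    if "\n" in body or "\r" in body:
        # The page notes that line breaks inside a public key cause authentication failure.
        raise ValueError("public key contains a line break; it must be a single line")
    parts = body.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode("ascii")
    if embedded != key_type:   # the blob names its own type; the text label must agree
        raise ValueError(f"label {key_type!r} does not match key type {embedded!r} in blob")
    return key_type, blob


def fingerprint_hex(blob):
    """MD5 fingerprint as colon-separated hex pairs (the older OpenSSH display,
    comparable to the hexadecimal fingerprint the page says the switch shows)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob):
    """SHA256 fingerprint in the newer OpenSSH display form, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")


def host_key_matches(switch_key_line, known_hosts_entry):
    """Compare the key the switch displays with a plain known_hosts entry
    ('<hostname> <type> <blob> [comment]') by decoded blob, so differing
    comments or spacing do not matter. Hashed (|1|...) entries are not handled."""
    fields = known_hosts_entry.split(maxsplit=1)
    if len(fields) != 2:
        raise ValueError("known_hosts entry must be '<hostname> <type> <blob> [comment]'")
    _, switch_blob = parse_public_key_line(switch_key_line)
    _, known_blob = parse_public_key_line(fields[1])
    return switch_blob == known_blob


# Constructed sample values (not a real key pair): a tiny modulus, public exponent 65537.
SAMPLE_E, SAMPLE_N = 65537, 0xC0FFEE1234567890ABCDEF0123456789
SWITCH_KEY = build_rsa_public_key_line(SAMPLE_E, SAMPLE_N, "HP Switch host key")
KNOWN_HOSTS_ENTRY = "10.10.10.5 " + build_rsa_public_key_line(SAMPLE_E, SAMPLE_N, "pasted by admin")

if __name__ == "__main__":
    _, blob = parse_public_key_line(SWITCH_KEY)
    print(fingerprint_hex(blob))
    print(fingerprint_sha256(blob))
    print("known_hosts matches:", host_key_matches(SWITCH_KEY, KNOWN_HOSTS_ENTRY))
```

When verifying a real switch, paste the output of show crypto host public-key as the switch line and the matching line from ~/.ssh/known_hosts as the entry; a mismatch means the client has a stale or wrong key for that address and should not be silently overwritten.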
Syntax: copy pub-key-file [ ]
Copies a public-key file from a TFTP server into flash memory in the switch.
The append option adds the keys for operator access.
The manager option replaces the keys for manager access; follow with the 'append' option to add the keys.
The operator option replaces the keys for operator access (default); follow with the 'append' option to add the keys.
Figure 177 Copying and displaying a client public-key file containing two different client public keys for the same client Replacing or clearing the Public-Key file The client public-key file remains in the switch flash memory even if you erase the startup-config file, reset the switch, or reboot the switch. Remove the existing client public-key file or specific keys by executing the clear crypto public-key command. This clears the public keys from both management modules.
3. Use copy ftp to copy the client public-key file into the switch. Note that the switch can hold 10 keys. The new key is appended to the client public-key file.
Use the aaa authentication ssh command to enable client public-key authentication.

Copying client key files

Only one SSH client key for authenticating the manager is allowed on a switch. The copy command allows you to copy the client key files using sftp, tftp, usb, or xmodem, allowing encryption and authentication through SSH.
If no username is specified, the client's current username is used. There will be a prompt for a password if needed.
hostname: Specifies the hostname of the TFTP server.
IPv4: Specifies the TFTP server's IPv4 address.
IPv6: Specifies the TFTP server's IPv6 address.
The remote filename containing the key.

Copying the Host public key

The following copy commands can be used to manage public keys in a known hosts file.
Syntax: crypto key zeroize ssh-client-known-hosts
Deletes the SSH client known hosts file. You are prompted with a message:
Warning: The SSH client known hosts file will be deleted, continue [y/n] ?

Displaying open sessions

Syntax: show session-list
Displays the active incoming and outgoing sessions.
Figure 179 Client public-key authentication model

Overview
9 Secure web management

Configuration summary
1. Assign a login (operator) and enable (manager) password on the switch.
2. Install a web certificate on the switch.
3. Enable SSL on the switch.

Assigning a local login (operator) and enabling (manager) password

At a minimum, HP recommends that you always assign at least a manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
Table 25 Self-signed certificate browser compatibility (continued)

Browsers / Operating System: Firefox 1.5; Netscape 7.1; Mozilla 1.4; Safari on Mac OS X 10.5; Opera 9.0+; Konqueror 3.5
Products: Mozilla-based products on NSS 3.8+; products based on OpenSSL 0.9.8+; products based on Java 1.4.2+

NOTE: sha256withRSAEncryption is not compatible with certain operating system and browser combinations. It is supported in Google Chrome on Windows Vista and later operating systems only.
To enable SSL on the switch:
1. Install a web certificate if you have not already done so.
2. Execute the web-management ssl command.
To disable SSL on the switch, do either of the following:
• Execute no web-management ssl.
• Remove the switch's host certificate or certificate key.

Overview

HP switches use SSLv3 and TLS v1.0, v1.1 and v1.2 to provide secure web access. SSLv3 has since been prohibited (RFC 7568) and TLS 1.0 and 1.1 deprecated (RFC 8996); where the switch software and your browsers allow it, restrict the web UI to TLS 1.2.
10 IPv4 Access Control Lists (ACLs)

Configuring

Configuring named, standard ACLs

For a match to occur with an ACE in an extended ACL, a packet must have the source and destination address criteria specified by the ACE, as well as any IPv4 protocol-specific criteria included in the command.
Defines the source IPv4 address (SA) a packet must carry for a match with the ACE.
• any: Allows IPv4 packets from any SA.
• host < SA >: Specifies only packets having < SA > as the source. Use this criterion when you want to match the IPv4 packets from a single source address.
• SA/mask-length or SA < mask >: Specifies packets received from either a subnet or a group of IPv4 addresses. The mask format can be in either dotted-decimal format or CIDR format (number of significant bits).
Figure 182 Screen output listing the sample-list ACL content

Deleting an ACE
1. Enter the ACL context. To view the sequence numbers of the ACEs in a list, use:
Syntax: show access-list < identifier > config
2. Delete the sequence number for the unwanted ACE.

Creating or adding to a standard, numbered ACL

Use the following steps when creating or adding to a numbered, standard ACL:
1. Create a numbered, standard ACL by entering the first ACE in the list.
2.
create a standard access list with an alphanumeric name (name-str) instead of a number, see “Configuring named, standard ACLs” (page 259).
< deny | permit >: Specifies whether the ACE denies or permits a packet matching the criteria in the ACE, as described next.
< any | host < SA > | SA/mask-length >: Defines the source IPv4 address (SA) a packet must carry for a match with the ACE.
• any: Allows IPv4 packets from any SA.
• host < SA >: Specifies only packets having < SA > as the source.
Figure 183 Standard, numbered ACL with the same ACEs as the standard, named ACL in Figure 181 (page 260)

Configuring extended ACLs

Standard ACLs use only source IPv4 addresses as filtering criteria; extended ACLs use multiple filtering criteria. This enables you to define your IPv4 packet filtering more precisely.
1. Create and/or enter the context of a named, extended ACL.
2. Enter the first ACE in a new, extended ACL or append an ACE to the end of an existing, extended ACL.

The following command is a prerequisite to entering or editing ACEs in a named, extended ACL.
Syntax: ip access-list extended < name-str >
Places the CLI in the "Named ACL" (nacl) context specified by the alphanumeric identifier. This enables entry of individual ACEs in the specified ACL.
Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following:
• ip: any IPv4 packet.
• ip-protocol: any one of the following IPv4 protocol names: ip-in-ip, ipv6-in-ip, gre, esp, ah, ospf, pim, vrrp, sctp, tcp*, udp*, icmp*, igmp*
• ip-protocol-nbr: the protocol number of an IPv4 packet type, such as 8 for Exterior Gateway Protocol or 121 for Simple Message Protocol.
This is the second instance of IPv4 addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match with the ACE.
• any: Allows routed IPv4 packets to any DA.
• host < DA >: Specifies only packets having < DA > as the destination address. Use this criterion when you want to match only the IPv4 packets for a single DA.
This option can be used after the DA to generate an Event Log message if:
• The action is deny. Not applicable to permit.
• There is a match.
• ACL logging is enabled. See “Enabling ACL logging on the switch” (page 294).

Including options for TCP and UDP traffic in extended ACLs

An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both.
• neq < tcp/udp-port-nbr >: "Not Equal"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must not be equal to < tcp/udp-port-nbr >.
• range < start-port-nbr > < end-port-nbr >: For a match with the ACE entry, the TCP or UDP source-port number in a packet must be in the range < start-port-nbr > to < end-port-nbr >.
Port number or well-known port name: Use the TCP or UDP port number required by your application.
For more on using TCP control bits, see RFC 793. Controlling ICMP traffic in extended ACLs Where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic use this option. An ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE.
• general-parameter-problem
• host-isolated
• host-precedence-unreachable
• host-redirect
• host-tos-redirect
• host-tos-unreachable
• host-unknown
• host-unreachable
• information-reply
• information-request
• mask-reply
• mask-request
• mobile-redirect
• net-redirect
• port-unreachable
• precedence-unreachable
• protocol-unreachable
• reassembly-timeout
• redirect
• router-advertisement
• router-solicitation
• source-quench
• source-route-failed
• time-exceeded
• timestamp-reply
• timestamp-request
• traceroute
• ttl-ex
1. Permit Telnet traffic from 10.10.10.44 to 10.10.20.78, deny all other IPv4 traffic from network 10.10.10.0 (VLAN 10) to 10.10.20.0 (VLAN 20), and permit all other IPv4 traffic from any source to any destination. (See "A" in “An extended ACL” (page 271), below.)
2. Permit FTP traffic from 10.10.20.100 (on VLAN 20) to 10.10.30.55 (on VLAN 30). Deny FTP traffic from other hosts on network 10.10.20.0 to any destination, but permit all other IPv4 traffic.
NOTE: To insert a new ACE between two existing ACEs in an extended, numbered ACL:
1. Use ip access-list extended < 100 - 199 > to open the ACL as a named ACL.
2. Enter the desired sequence number along with the ACE statement you want.

For a match to occur, a packet must have the source and destination addressing criteria specified in the ACE, as well as:
• The protocol-specific criteria configured in the ACE, including any included, optional elements (described later in this section).
In an extended ACL, this parameter defines the source address (SA) that a packet must carry in order to have a match with the ACE. • any Specifies all inbound IPv4 packets. • host < SA > Specifies only inbound IPv4 packets from a single address. Use this option when you want to match only the IPv4 packets from a single source address. • SA/mask-length or SA < mask > Specifies packets received from an SA, where the SA is either a subnet or a group of IPv4 addresses.
Syntax [ precedence < 0 - 7 | precedence-name > ] This option causes the ACE to match packets with the specified IP precedence value.
This source-port and destination-port TCP/UDP criteria is identical to the criteria described for TCP/UDP use in named, extended ACLs. See “Including options for TCP and UDP traffic in extended ACLs” (page 267). Controlling ICMP traffic flow This command is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic.
switch suspends the timer and resets itself to send a message as soon as a new "deny" match occurs.
• default: Sets the wait period timer to 300 seconds.
• <30-300>: Sets the wait period timer to the specified number of seconds.

Viewing

Viewing an ACL summary

This command lists the configured IPv4 and IPv6 ACLs, regardless of whether they are assigned to any VLANs.
Syntax: show access-list
Lists a summary table of the name, type, and application status of IPv4 and IPv6 ACLs configured on the switch.
NOTE: Notice that you can use the output from this command for input to an offline text file in which you can edit, add, or delete ACL commands. See “Enabling ACL logging on the switch” (page 294). This information also appears in the show running display. If you executed write memory after configuring an ACL, it appears in the show config display.
Figure 188 Listing the ACL assignments for a VLAN Viewing static port (and trunk) ACL assignments This command lists the identification and types of current static port ACL assignments to individual switch ports and trunks, as configured in the running-config file. The switch allows one static port ACL assignment per port. Syntax: show access-list ports < all | port-list> Lists the current static port ACL assignments for ports and trunks in the running config file.
NOTE: This information also appears in the show running display. If you execute write memory after configuring an ACL, it also appears in the show config display. For information on IPv4 ACL operation, see the latest version of the Access Security Guide for your switch. Syntax: show access-list [ config] Displays detailed information on the content of a specific ACL configured in the running-config file.
Figure 191 Listing an IPv4 extended ACL

The show access-list < identifier > config command shows the same ACL data as show access-list < identifier > but in the format used by the show < run | config > commands to list the switch configuration. For example:

Figure 192 An ACL listed with the "Config" option

Table 26 Descriptions of data types included in show access-list < acl-id > output

Field: Description
Name: The ACL identifier. Can be a number from 1 to 199, or a name.
Type: Standard or Extended.
Table 26 Descriptions of data types included in show access-list < acl-id > output (continued)

Field: Description
Address: The source and destination IPv4 addresses to which the corresponding configured masks are applied to determine whether there is a match with a packet.
Mask: The mask configured in an ACE and applied to the corresponding IPv4 address in the ACE to determine whether a packet matches the filtering criteria.
Proto: Used only in extended ACLs to specify the packet protocol type to filter.
Figure 193 Methods for enabling and disabling RACLs

Filtering IPv4 traffic inbound on a VLAN

For a given VLAN interface, you can assign an ACL as a VACL to filter any IPv4 traffic entering the switch on that VLAN. You can also use the same ACL for assignment to multiple VLANs. For limits and operating rules, see “IPv4 ACL configuration and operating rules” (page 320).
Syntax: [no] vlan < vid > ip access-group < identifier > vlan
where: < identifier > = either an ACL name or an ACL ID number.
Assigns an ACL as a static port ACL to a port, port list, or static trunk to filter any IPv4 traffic entering the switch on that interface. You can use either the global configuration level or the interface context level to assign or remove a static port ACL. NOTE: The switch allows you to assign a nonexistent ACL name or number to an interface. In this case, if you subsequently configure an ACL with that name or number, it automatically becomes active on the assigned interface.
Insert an ACE anywhere in a named ACL by specifying a sequence number. For example, if you wanted to insert a new ACE as line 15 between lines 10 and 20 in an existing ACL named "List-2" to deny IPv4 traffic from the device at 10.10.10.77:
HP Switch(config)# ip access-list standard List-2
HP Switch(config-std-nacl)# 15 deny host 10.10.10.77
• Numbered IPv4 ACLs
Add an ACE to the end of a numbered ACL by using the access-list < 1 - 99 | 100 - 199 > command.
perform. The offline method provides an alternative to using the CLI for creating or extensively editing a large ACL. This section describes how to: • move an existing ACL to a TFTP server • use a text (.txt) file format to create a new ACL or edit an existing ACL offline • use TFTP to load an offline ACL into the switch’s running-config For longer ACLs that may be difficult or time-consuming to accurately create or edit in the CLI, you can use the offline method described in this section.
Example Suppose you want to create an extended ACL for an RACL application to fulfill the following requirements (Assume a subnet mask of 255.255.255.0 and a TFTP server at 10.10.10.1.): • ID: "LIST-20-IN" • Deny Telnet access to a server at 10.10.10.100 on VLAN 10 from these three addresses on VLAN 20 with ACL logging: • 10.10.20.17 • 10.10.20.23 • 10.10.20.
NOTE: If a transport error occurs, the switch does not execute the command and the ACL is not configured. Figure 198 Using copy tftp command-file to configure an ACL in the switch 3. In this example, the command to assign the ACL to a VLAN was included in the .txt command file. If this is not done in your applications, the next step is to manually assign the new ACL to the intended VLAN. vlan < vid > ip access-group < identifier > in 4.
Deleting an ACL

Syntax:
no ip access-list standard < name-str | 1-99 >
no ip access-list extended < name-str | 100-199 >
no access-list < 1-99 | 100-199 >
Removes the specified ACL from the switch running-config file.

NOTE: If an ACL name is assigned to an interface before the ACL itself has actually been created, then the switch creates an "empty" version of the ACL in the running configuration and assigns the empty ACL to the interface.
Figure 200 Inserting an ACE in an existing ACL

In the following example, the first two ACEs entered become lines 10 and 20 in the list. The third ACE entered is configured with a sequence number of 15 and is inserted between lines 10 and 20.

Figure 201 Inserting an ACE into an existing sequence

Deleting an ACE from an existing ACL

This action uses ACL sequence numbers to delete ACEs from an ACL.
Figure 202 Deleting an ACE from any ACL

Resequencing the ACEs in an ACL

This action reconfigures the starting sequence number for ACEs in an ACL, and resets the numeric interval between sequence numbers for ACEs configured in the ACL.
Syntax: ip access-list resequence < name-str | 1 - 99 | 100 - 199 > < starting-seq-# > < interval >
Resets the sequence numbers for all ACEs in the ACL.
< starting-seq-# >: Specifies the sequence number for the first ACE in the list.
Figure 203 Viewing and resequencing an ACL

Attaching a remark to an ACE

A remark is numbered in the same way as an ACE, and uses the same sequence number as the ACE to which it refers. This operation requires that the remark for a given ACE be entered prior to entering the ACE itself.
Syntax: access-list < 1 - 99 | 100 - 199 > remark < remark-str >
This syntax appends a remark to the end of a numbered ACL and automatically assigns a sequence number to the remark.
NOTE: After a numbered ACL has been created (using access-list < 1-99 | 100-199 >), it can be managed as either a named or numbered ACL. For example, in an existing ACL with a numeric identifier of "115", either of the following command sets adds an ACE denying IPv4 traffic from any source to a host at 10.10.10.100:
HP Switch(config)# access-list 115 deny ip host 10.10.10.100
HP Switch(config)# ip access-list extended 115
HP Switch(config-ext-nacl)# deny ip any 10.10.10.
Inserting a remark for an ACE that already exists in an ACL If a sequence number is already assigned to an ACE in a list, you cannot insert a remark by assigning it to the same number. (To configure a remark with the same number as a given ACE, the remark must be configured first.) To assign a remark to the same number as an existing ACE: 1. Delete the ACE. 2. Configure the remark with the number you want assigned to the pair. 3. Re-Enter the deleted ACE with the number used to enter the remark.
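The sequence-number rules above (auto-numbering in steps of 10, insertion by explicit number, deletion, resequencing, and a remark that shares its ACE's number but must be entered first) fit in a small model. The following class is an added example, not switch code; the method names are my own, and whether the switch keeps or drops a remark when its ACE is deleted is not stated on the page, so the model leaves the remark in place. The sample reproduces the List-2 example from this chapter.

```python
"""Model of the sequence-numbered ACL editing operations described above
(auto-numbered append, insert by sequence number, delete, resequence, remarks).
Added example, not switch code; it mirrors the CLI behaviour the page states,
including the rule that a remark must be entered before the ACE it numbers."""


class NamedAcl:
    def __init__(self, name, interval=10):
        self.name = name
        self.interval = interval
        self.aces = {}       # seq -> ACE text
        self.remarks = {}    # seq -> remark text

    def _next_seq(self):
        """Next multiple of the interval above the highest ACE (10, 20, ...)."""
        return (max(self.aces, default=0) // self.interval + 1) * self.interval

    def add(self, ace_text, seq=None):
        """Append (seq=None) or insert at an explicit sequence number."""
        seq = self._next_seq() if seq is None else seq
        if seq in self.aces:
            raise ValueError(f"sequence {seq} already holds an ACE")
        self.aces[seq] = ace_text
        return seq

    def remark(self, text, seq=None):
        """A remark shares the number of the ACE it describes and must come first:
        the page says an existing ACE's number cannot be given to a new remark."""
        seq = self._next_seq() if seq is None else seq
        if seq in self.aces:
            raise ValueError(f"ACE {seq} exists; delete it, enter the remark, then re-enter the ACE")
        self.remarks[seq] = text
        return seq

    def delete(self, seq):
        """Delete an ACE by sequence number. The remark, if any, is left in place
        (assumption: the page does not say whether the switch removes it too)."""
        return self.aces.pop(seq)

    def annotate_exist(self, seq, text):
        """The page's three-step procedure for remarking an ACE that already exists."""
        ace_text = self.delete(seq)
        self.remark(text, seq)
        self.add(ace_text, seq)

    def resequence(self, start, interval):
        """Renumber every ACE and remark from `start` in steps of `interval`,
        keeping each remark paired with its ACE."""
        mapping, seq = {}, start
        for old in sorted(set(self.aces) | set(self.remarks)):
            mapping[old], seq = seq, seq + interval
        self.aces = {mapping[s]: t for s, t in self.aces.items()}
        self.remarks = {mapping[s]: t for s, t in self.remarks.items()}
        self.interval = interval
        return mapping

    def show(self):
        """Lines in 'show access-list config' order: a remark precedes its ACE."""
        lines = []
        for seq in sorted(set(self.aces) | set(self.remarks)):
            if seq in self.remarks:
                lines.append(f"{seq} remark {self.remarks[seq]}")
            if seq in self.aces:
                lines.append(f"{seq} {self.aces[seq]}")
        return lines


def demo_list2():
    """The page's List-2 example: two ACEs become 10 and 20, a third entered with
    sequence 15 lands between them; then one ACE is remarked and the list resequenced."""
    acl = NamedAcl("List-2")
    acl.add("permit host 10.10.10.1")
    acl.add("permit host 10.10.10.2")
    acl.add("deny host 10.10.10.77", seq=15)
    before = acl.show()
    acl.annotate_exist(15, "block the lab workstation")   # remark text is made up
    acl.resequence(100, 10)
    return before, acl.show()


if __name__ == "__main__":
    for line in demo_list2()[1]:
        print(line)
```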
(The exact duration of the period depends on how the packets are internally routed.) At the end of the collection period, the switch sends a single-line summary of any additional “deny” or “permit” matches for that ACE (and any other “deny” or “permit” ACEs for which the switch detected a match). If no further log messages are generated in the wait-period, the switch suspends the timer and resets itself to send a message as soon as a new “deny” or “permit” match occurs.
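The wait-period behaviour just described is a small state machine: an immediate message on the first match, one summary line per elapsed period for any further matches, and a suspended timer once a period passes with nothing to report. The following class is an added example, not switch code, that models it; the clock and the output sink are injectable so the timing can be driven deterministically, and the message wording, ACL name and addresses in the simulation are made up.

```python
"""Model of the ACL logging wait period described above. Added example, not
switch code: the first match is reported at once, further matches during the
wait period are collected into one summary line, and when a period ends with
nothing collected the timer is suspended so the next match is reported
immediately again. The clock and sink are injectable for testing."""
import time


class AclLogSummariser:
    def __init__(self, wait_period=300, clock=time.monotonic, sink=print):
        if not 30 <= wait_period <= 300:     # page: configurable 30-300 s, default 300
            raise ValueError("wait period must be 30-300 seconds")
        self.wait = wait_period
        self.clock = clock
        self.sink = sink
        self.period_end = None               # None means the timer is suspended
        self.pending = {}                    # (acl, seq) -> additional matches this period

    def match(self, acl, seq, summary):
        """Record one logged match on a deny (or, where logging covers it, permit) ACE."""
        now = self.clock()
        self.tick(now)
        if self.period_end is None:
            self.sink(f"ACL {acl} ACE {seq} matched {summary}")   # first match: sent immediately
            self.period_end = now + self.wait
        else:
            self.pending[(acl, seq)] = self.pending.get((acl, seq), 0) + 1

    def tick(self, now=None):
        """Close every wait period that has elapsed by `now`."""
        now = self.clock() if now is None else now
        while self.period_end is not None and now >= self.period_end:
            if self.pending:
                parts = ", ".join(f"{acl}/{seq}: {n} more"
                                  for (acl, seq), n in sorted(self.pending.items()))
                self.sink(f"ACL log summary for the last {self.wait}s: {parts}")
                self.pending = {}
                self.period_end += self.wait          # another collection period starts
            else:
                self.period_end = None                # nothing to report: suspend the timer


def simulate(wait_period=30):
    """Drive the summariser with a fake clock: a burst of matches, a quiet period,
    then a later match. Returns the emitted log lines (sample data is constructed)."""
    lines, now = [], [0.0]
    s = AclLogSummariser(wait_period, clock=lambda: now[0], sink=lines.append)
    s.match("Test-1", 20, "10.10.10.5 -> 10.10.20.9 tcp/23")       # reported immediately
    now[0] = 5.0
    for _ in range(3):
        s.match("Test-1", 20, "10.10.10.5 -> 10.10.20.9 tcp/23")   # collected
    now[0] = wait_period + 1.0
    s.tick()                                                      # one summary line: 3 more
    now[0] = 4.0 * wait_period                                    # a period passed empty: timer suspended
    s.match("Test-1", 10, "10.10.10.8 -> 10.10.20.9 udp/53")       # reported immediately again
    return lines


if __name__ == "__main__":
    for line in simulate():
        print(line)
```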
Figure 208 Commands for applying an ACL with logging to Figure 207 (page 294) Monitoring static ACL performance ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface.
Resets ACE hit counters to zero for the specified IPv6 or IPv4 static ACL assignment on a specific interface.
Example 8 ACL performance monitoring

Figure 10-47 shows a sample of performance monitoring output for an IPv6 ACL assigned as a VACL.

Figure 210 IPv6 ACL performance monitoring output

Figure 211 IPv4 ACL assigned as a VACL performance monitoring output

ACE counter operation

For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset.
Example 9 Resetting ACE hit counters to Zero The following example uses the counter activity in figure 10–47 to demonstrate using clear statistics to reset the counters to zero. Figure 212 IPv6 ACL performance monitoring output after zero Using IPv6 counters with multiple interface assignments Where the same IPv6 ACL is assigned to multiple interfaces, the switch maintains a separate instance of each ACE counter in the ACL.
Figure 214 Application to filter traffic inbound on port B2 Using the topology in Figure 214 (page 299), a workstation at FE80::20:117 on port B2 attempting to ping and Telnet to the workstation at FE80::20:2 is filtered through the PACL instance of the "V6-01" ACL assigned to port B2, resulting in the following: Figure 215 Ping and telnet from FE80::20:117 to FE80::20:2 filtered by the assignment of "V6-01" as a PACL on port B2 Figure 216 Resulting ACE hits on ACL "V6-01" NOTE: IPv4 ACE counters assigne
Figure 217 ACL "Test-1" and interface assignment commands Figure 218 Using the same ACL for VACL and RACL applications In the above case: • Matches with ACEs 10 or 20 that originate on VLAN 20 will increment only the counters for the instances of these two ACEs in the Test-1 VACL assignment on VLAN 20. The same counters in the instances of ACL Test-1 assigned to VLANs 50 and 70 will not be incremented. • Any Telnet requests to 10.10.20.
However, using a device at 10.10.30.11 on VLAN 50 for attempts to ping and Telnet to 10.10.20.12 requires routing, and filters the attempts through the RACL instance of the "Test-1" ACL on VLAN 50. Figure 221 Ping and telnet from 10.10.30.11 to 10.10.20.2 filtered by the assignment of "Test-1" as a RACL on VLAN 30 This action has an identical effect on the counters in all RACL instances of the "Test-1" ACL configured and assigned to interfaces on the same switch.
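Both the ACE matching rules given under "Configuring extended ACLs" earlier in this chapter (first match wins, implicit deny after the last ACE, source and destination address criteria, TCP/UDP port operators, ICMP type and code) and the per-instance counters described just above can be checked against a model before an ACL is pushed to a switch. The following evaluator is an added example and is not switch code: it models masks as CIDR prefixes only, supports the eq, neq and range port operators, and treats the implicit deny as not counted (an assumption; the page does not say). The sample ACL is built from requirement "A" of the Telnet example on this page, and the packets and VLAN assignments are constructed.

```python
"""IPv4 ACL evaluator with per-assignment hit counters: an added example (not
switch code) for the ACE matching rules in this chapter (first match wins,
implicit deny, CIDR addresses, TCP/UDP port operators, ICMP type/code) and for
the separate counter instance kept per interface assignment. Masks are modelled
as CIDR prefixes only; the sample ACL is built from the page's Telnet example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"             # "tcp", "udp", "icmp" or another IPv4 protocol name
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches any IPv4 packet
    src: str = "any"              # "any", "host <addr>" or "<addr>/<prefix-len>"
    dst: str = "any"
    sport: Optional[Tuple] = None   # ("eq"|"neq", port) or ("range", lo, hi)
    dport: Optional[Tuple] = None
    icmp: Optional[Tuple] = None    # (type, code); None in either position is a wildcard


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    spec = spec.split()[-1]       # "host 10.1.1.1" -> "10.1.1.1", which is a /32 network
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


_PORT_OPS = {"eq": lambda p, s: p == s[1], "neq": lambda p, s: p != s[1],
             "range": lambda p, s: s[1] <= p <= s[2]}


def _port_matches(spec, port):
    return spec is None or _PORT_OPS[spec[0]](port, spec)


def ace_matches(ace, pkt):
    """Every criterion present in the ACE must hold for the packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
        return False
    if ace.proto in ("tcp", "udp"):
        return _port_matches(ace.sport, pkt.sport) and _port_matches(ace.dport, pkt.dport)
    if ace.proto == "icmp" and ace.icmp is not None:
        want_type, want_code = ace.icmp
        return want_type in (None, pkt.icmp_type) and want_code in (None, pkt.icmp_code)
    return True


class Acl:
    def __init__(self, name, aces):
        self.name, self.aces = name, sorted(aces, key=lambda a: a.seq)

    def evaluate(self, pkt):
        """(action, seq) of the first matching ACE, else the implicit (deny, None)."""
        for ace in self.aces:
            if ace_matches(ace, pkt):
                return ace.action, ace.seq
        return "deny", None


class AclAssignment:
    """One application of an ACL to one interface (VACL, PACL, RACL in or out).
    Each assignment owns its own ACE hit counters, as the page describes."""
    def __init__(self, acl, interface):
        self.acl, self.interface = acl, interface
        self.hits = {ace.seq: 0 for ace in acl.aces}

    def filter(self, pkt):
        action, seq = self.acl.evaluate(pkt)
        if seq is not None:       # assumption: the implicit deny is not counted
            self.hits[seq] += 1
        return action


# Constructed sample: requirement "A" of the page's extended-ACL example.
SAMPLE_ACL = Acl("Test-1", [
    Ace(10, "permit", "tcp", "host 10.10.10.44", "host 10.10.20.78", dport=("eq", 23)),
    Ace(20, "deny", "ip", "10.10.10.0/24", "10.10.20.0/24"),
    Ace(30, "permit", "ip", "any", "any"),
])


def demo_counters():
    """Same ACL as a VACL on VLAN 10 and an inbound RACL on VLAN 50: only the
    instance the traffic actually passes through counts the matches."""
    vacl = AclAssignment(SAMPLE_ACL, "vlan 10")
    racl = AclAssignment(SAMPLE_ACL, "vlan 50")
    results = [
        vacl.filter(Packet("10.10.10.44", "10.10.20.78", "tcp", 40000, 23)),  # Telnet: permit, ACE 10
        vacl.filter(Packet("10.10.10.44", "10.10.20.78", "tcp", 40001, 80)),  # HTTP: deny, ACE 20
        vacl.filter(Packet("10.10.10.7", "10.10.20.9", "icmp", icmp_type=8, icmp_code=0)),  # deny, 20
        vacl.filter(Packet("10.10.30.11", "10.10.20.12", "udp", 5000, 53)),  # permit, ACE 30
        vacl.filter(Packet("172.16.1.1", "10.10.20.12")),                    # permit, ACE 30
    ]
    return results, dict(vacl.hits), dict(racl.hits)
```

The evaluator deliberately returns the sequence number alongside the action, which is what you compare with the per-ACE hit counts from show statistics when an ACL does not behave as expected; a packet landing on ACE 20 instead of ACE 10 in the model usually means a port or address criterion was written more narrowly than intended.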
NOTE: ACLs for IPv4 configuration and operation. Because the switches covered by this guide support IPv4/IPv6 dual-stack operation, simultaneous operation of statically configured IPv4 and IPv6 ACLs is supported in these switches, as well as dynamic (RADIUS-assigned) ACLs capable of filtering both IPv4 and IPv6 traffic from authenticated clients. However:
• IPv4 and IPv6 ACEs cannot be combined in the same static ACL.
• IPv4 and IPv6 static ACLs do not filter each other’s traffic.
Table 27 Interface options: (continued)

Interface | ACL application | Application point | Filter action
VLAN | VACL | entering the switch on the VLAN | inbound IPv4 traffic entering the switch on the VLAN
VLAN | RACL | entering the switch on the VLAN | routed IPv4 traffic entering the switch and any IPv4 traffic with a destination on the switch itself
VLAN | RACL | exiting from the switch on the VLAN | routed IPv4 traffic exiting from the switch

The information provided here describes ACLs statically configured on the switch.
• Monitoring Shared Resources. Applied ACLs share internal switch resources with several other features. The switch provides ample resources for all features. However, if the internal resources become fully subscribed, additional ACLs cannot be applied until the necessary resources are released from other applications. For information on determining current resource availability and usage, see Appendix E, “Monitoring Resources” in the Management and Configuration Guide for your switch.
NOTE: After you assign an IPv4 ACL to an interface, the default action on the interface is to implicitly deny IPv4 traffic that is not specifically permitted by the ACL. (This applies only in the direction of traffic flow filtered by the ACL.)
Options for applying IPv4 ACLs on the switch
To apply IPv4 ACL filtering, assign a configured IPv4 ACL to the interface on which you want traffic filtering to occur. VLAN and routed IPv4 traffic ACLs can be applied statically using the switch configuration.
A standard ACL uses an alphanumeric ID string or a numeric ID of 1 through 99. Specify a single host, a finite group of hosts, or any host.
Named and numbered standard ACL
A named, standard ACL is identified by an alphanumeric string of up to 64 characters and is created by entering the Named ACL (nacl) context. A numbered, standard ACL is identified by a number in the range of 1 - 99 and is created without having to leave the global config context.
Static port ACL | any inbound IPv4 traffic on that port.
RADIUS-assigned ACL | on a port having an ACL assigned by a RADIUS server to filter an authenticated client's traffic, filters inbound IPv4 and IPv6 traffic from that client
For information on RADIUS-assigned ACLs, see "RADIUS server support for switch services" (page 199).
ACL Mirroring
Beginning with software release K.14.
NOTE: The switch allows one inbound RACL assignment and one outbound RACL assignment configured per VLAN. This is in addition to any other ACL assigned to the VLAN or to any ports on the VLAN. You can use the same RACL or different RACLs to filter inbound and outbound routed traffic on a VLAN. RACLs do not filter IPv4 traffic that remains in the same subnet from source to destination (switched traffic) unless the destination address (DA) or source address (SA) is on the switch itself.
Effect of RADIUS-assigned ACLs when multiple clients are using the same port Some network configurations may allow multiple clients to authenticate through a single port where a RADIUS server assigns a separate, RADIUS-assigned ACL in response to each client's authentication on that port. In such cases, a given client's inbound traffic will be allowed only if the RADIUS authentication response for that client includes a RADIUS-assigned ACL.
filter IPv6 traffic. (ACLs are based on the MAC address of the authenticating client.) See “RADIUS server support for switch services” (page 199). • To support authentication of IPv6 clients: ◦ The VLAN to which the port belongs must be configured with an IPv6 address. ◦ Connection to an IPv6-capable RADIUS server must be supported. ◦ For 802.1X or MAC authentication methods, clients can authenticate regardless of their IP version (IPv4 or IPv6).
NOTE: In cases where an RACL and any type of port or VLAN ACL are filtering traffic entering the switch, the switched traffic explicitly permitted by the port or VLAN ACL is not filtered by the RACL, except where the traffic has a destination on the switch itself. However, routed traffic explicitly permitted by the port or VLAN ACL (and any switched traffic having a destination on the switch itself) must also be explicitly permitted by the RACL, or it is dropped.
Exception for Connection-Rate filtering Connection-rate filtering can be configured along with one or more other ACL applications on the same interface. In this case, a connection-rate match for a filter action is carried out according to the configured policy, regardless of whether any other ACLs on the interface have a match for a deny action. Also, if a connection-rate filter permits (ignore action) a packet, it can still be denied by another ACL on the interface.
General steps for planning and configuring ACLs 1. Identify the ACL action to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv4 traffic at the edge of the network instead of in the core. Also, on the switch itself, you can improve performance by filtering unwanted IPv4 traffic where it is inbound to the switch instead of outbound.
For more details on ACL planning considerations, see "Configuring named, standard ACLs" (page 259).
CAUTION: Regarding the Use of Source Routing
Source routing is enabled by default on the switch and can be used to override ACLs. For this reason, if you are using ACLs to enhance network security, the recommended action is to use the no ip source-route command to disable source routing on the switch.
entry (permit or drop the packet) and no further comparisons of the packet are made with the remaining ACEs in the list. This means that when an ACE whose criteria matches a packet is found, the action configured for that ACE is invoked, and any remaining ACEs in the ACL are ignored. Because of this sequential processing, successfully implementing an ACL depends in part on configuring ACEs in the correct order for the overall policy you want the ACL to enforce.
Figure 230 How an ACL filters packets
It is important to remember that all IPv4 ACLs configurable on the switch include an implicit deny ip any. That is, IPv4 packets that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped instead of forwarded on the interface. If you want to preempt the implicit deny so that IPv4 packets not explicitly denied by other ACEs in the ACL will be permitted, insert an explicit "permit any" as the last ACE in the ACL.
NOTE: All IPv4 traffic entering the switch on a given interface is filtered by all ACLs configured for inbound traffic on that interface. For this reason, an inbound IPv4 packet will be denied (dropped) if it has a match with either an implicit or explicit deny in any of the inbound ACLs applied to the interface. This does not apply to traffic leaving the switch, because only one type of ACL (an RACL) can be applied outbound, and only to routed IPv4 traffic.
• Blocking access to or from the internet • Blocking access to sensitive data storage or restricted equipment • Preventing specific IPv4, TCP, UDP, IGMP, and ICMP traffic types, including unauthorized access using functions such as Telnet, SSH, and web browser You can also enhance switch management security by using ACLs to block IPv4 traffic that has the switch itself as the destination address (DA).
a number in the range of 1 - 99 and is created without having to leave the global config context. Note that the CLI command syntax for creating a named ACL differs from the command syntax for creating a numbered ACL. For example, the first pair of entries below illustrate how to create (or enter) a named, standard ACL and enter an ACE. The next entry illustrates creating a numbered, standard ACL with the same ACE.
Sequence numbering in ACLs The ACEs in any ACL are sequentially numbered. In the default state, the sequence number of the first ACE in a list is "10" and subsequent ACEs are numbered in increments of 10.
VACLs and switched or routed IPv4 traffic
A VACL filters traffic entering the switch on the VLANs to which it is assigned.
Static port ACLs
A static port ACL filters traffic entering the switch on the ports or trunks to which it is assigned.
Per switch ACL limits for all ACL types
At a minimum, an ACL must have one explicit "permit" or "deny" Access Control Entry. You can configure up to 2048 ACLs each for IPv4 and IPv6.
VACLs and RACLs operate on static VLANs You can assign an ACL to any VLAN that is statically configured on the switch. ACLs do not operate with dynamic VLANs. A VACL or RACL affects all physical ports in a static VLAN A VACL or RACL assigned to a VLAN applies to all physical ports on the switch belonging to that VLAN, including ports that have dynamically joined the VLAN.
Rules for defining a match between a packet and an access control entry (ACE)
• For a given ACE, when the switch compares an IPv4 address and corresponding mask in the ACE to an IPv4 address carried in a packet:
  ◦ A mask-bit setting of 0 ("off") requires that the corresponding bits in the packet's address and in the ACE's address must be the same. Thus, if a bit in the ACE's address is set to 1 ("on"), the same bit in the packet's address must also be 1.
Syntax
access-list 1 permit host 10.28.100.15
Produces this policy in an ACL listing:
Address | Mask
10.28.100.15 | 0.0.0.0
This policy states that every bit in every octet of a packet's SA must be the same as the corresponding bit in the SA defined in the ACE.
• A group of IPv4 addresses fits the matching criteria
In this case you provide both the address and the mask. For example:
Syntax
access-list 1 permit 10.28.32.1 0.0.0.31
Address | Mask
10.28.32.1 | 0.0.0.
Example 10 Example of allowing only one IPv4 address ("host" option) Suppose, for example, that you have configured the ACL in Figure 236 (page 325) to filter inbound packets on VLAN 20. Because the mask is all zeros, the ACE policy dictates that a match occurs only when the source address on such packets is identical to the address configured in the ACE.
Example 11 Examples allowing multiple IPv4 addresses
The following table provides examples of how to apply masks to meet various filtering requirements.
Table 31 Using an IP Address and Inverse Mask in an Access Control Entry
Address in the ACE | Mask | Policy for a match between a packet and the ACE | Allowed addresses
A: 10.38.252.195 | 0.0.0.255 | Exact match in first three octets only. |
B: 10.38.252.195 | 0.0.7.255 | Exact match in the first two | 10.38.< 248-255 > .
Table 33 Examples of CIDR notation for masks
Address used in an ACL with CIDR notation | Resulting ACL mask | Meaning
10.38.240.125/15 | 0.1.255.255 | The leftmost 15 bits must match; the remaining bits are wildcards.
10.38.240.125/20 | 0.0.15.255 | The leftmost 20 bits must match; the remaining bits are wildcards.
10.38.240.125/21 | 0.0.7.255 | The leftmost 21 bits must match; the remaining bits are wildcards.
10.38.240.125/24 | 0.0.0.255 | The leftmost 24 bits must match; the remaining bits are wildcards.
18.
• Any IGMP traffic (only) or IGMP traffic of a specific type • Any of the above with specific precedence and/or ToS settings For an extended ACL ID, use either a unique number in the range of 100-199 or a unique name string of up to 64 alphanumeric characters. Carefully plan ACL applications before configuring specific ACLs. For more on this topic, see “Configuring named, standard ACLs” (page 259).
For example, the figure shows how to interpret the entries in a standard ACL.
Figure 240 Displayed extended ACL configuration
ACL configuration factors
The sequence of entries in an ACL is significant
When the switch uses an ACL to determine whether to permit or deny a packet, it compares the packet to the criteria specified in the individual ACEs in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found. When a match is found, the switch applies the indicated action (permit or deny) to the packet.
Table 34 Effect of the above ACL on inbound IPv4 traffic in the assigned VLAN (continued)
Line # | Action
30 | A TCP packet from SA 10.28.18.100 with a DA of 10.28.237.1 will be permitted (forwarded). Since no earlier ACEs in the list have filtered TCP packets from 10.28.18.100 and destined for 10.28.237.1, the switch will use this ACE to evaluate such packets. Any packets that meet this criteria will be forwarded.
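The matching rules, the inverse-mask and CIDR tables (Tables 31 and 33), and the first-match-wins evaluation with the implicit "deny ip any" described above can be checked with the following Python model. It is an added example, not HP switch code; the ACL it evaluates is constructed for illustration and the ACE/Packet classes are hypothetical names.

```python
# Added example (not HP code): a model of the IPv4 ACL matching and
# evaluation rules this guide describes: inverse masks, CIDR shorthand,
# "host"/"any" keywords, first-match-wins ordering and the implicit
# "deny ip any" at the end of every ACL.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def cidr_to_inverse_mask(prefix_len: int) -> str:
    """Table 33: the leftmost prefix_len bits must match and the rest are
    wildcards, so the inverse mask is prefix_len zero bits followed by ones."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip(ALL_ONES >> prefix_len)

def address_matches(ace_addr: str, inverse_mask: str, packet_addr: str) -> bool:
    """Mask bit 0 ("off"): the packet bit must equal the ACE bit.
    Mask bit 1 ("on"): the packet bit is ignored (wildcard)."""
    fixed_bits = ALL_ONES ^ ip_to_int(inverse_mask)
    return (ip_to_int(ace_addr) ^ ip_to_int(packet_addr)) & fixed_bits == 0

def match_range(ace_addr: str, inverse_mask: str) -> Tuple[str, str]:
    """Lowest and highest address an ACE address/mask pair can match
    (10.38.252.195 with 0.0.7.255 -> 10.38.248.0 .. 10.38.255.255)."""
    a, m = ip_to_int(ace_addr), ip_to_int(inverse_mask)
    return int_to_ip(a & (ALL_ONES ^ m)), int_to_ip(a | m)

def parse_address(spec: str) -> Tuple[str, str]:
    """Accepts the forms used in the CLI examples above: 'any',
    'host 10.28.100.15', '10.38.240.125/20' and '10.28.32.1 0.0.0.31'."""
    parts = spec.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "0.0.0.0"
    if len(parts) == 1 and "/" in parts[0]:
        addr, plen = parts[0].split("/")
        return addr, cidr_to_inverse_mask(int(plen))
    if len(parts) == 2:
        return parts[0], parts[1]
    raise ValueError(f"unrecognised address spec: {spec!r}")

@dataclass
class ACE:
    seq: int        # sequence number; default numbering is 10, 20, 30, ...
    action: str     # "permit" or "deny"
    protocol: str   # "ip" matches any IPv4 protocol; otherwise "tcp", "udp", ...
    src: str        # source address spec, as typed in the CLI
    dst: str = "any"

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str

def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Compare the packet with each ACE in sequence order and stop at the
    first match. Returns (action, matching seq); a packet that matches no
    ACE hits the implicit 'deny ip any', reported here with seq None."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            continue
        s_addr, s_mask = parse_address(ace.src)
        d_addr, d_mask = parse_address(ace.dst)
        if address_matches(s_addr, s_mask, pkt.src) and \
                address_matches(d_addr, d_mask, pkt.dst):
            return ace.action, ace.seq
    return "deny", None

# Constructed sample ACL (not from the guide). There is no trailing
# "permit any", so anything not listed falls through to the implicit deny.
SAMPLE_ACL = [
    ACE(10, "permit", "tcp", "host 10.28.18.100", "host 10.28.237.1"),
    ACE(20, "deny", "ip", "10.28.18.0 0.0.0.255"),
    ACE(30, "permit", "ip", "10.38.240.125/20"),
]

if __name__ == "__main__":
    for p in (Packet("tcp", "10.28.18.100", "10.28.237.1"),  # permit, ACE 10
              Packet("udp", "10.28.18.100", "10.28.237.1"),  # ACE 10 is TCP-only: deny, ACE 20
              Packet("tcp", "10.38.250.7", "192.0.2.1"),     # inside 10.38.240.0/20: permit, ACE 30
              Packet("tcp", "10.38.239.1", "192.0.2.1")):    # no match: implicit deny
        print(p, "->", evaluate(SAMPLE_ACL, p))
```

Appending ACE(40, "permit", "ip", "any") to SAMPLE_ACL turns the last packet's implicit deny into a permit, which is the "permit any" preemption the guide describes.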
Enabling ACL "Deny" logging ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit "deny" action.
aclv6 acl-name-str vlan vid vlan Displays the current match (hit) count per ACE for the specified IPv4 or IPv6 static ACL assignment on a specific interface.
Example 12 Example of ACL Performance Monitoring The following figure shows a sample of performance monitoring output for an IPv6 ACL assigned as a VACL. The following figure shows a sample of performance monitoring output for an IPv4 ACL assigned as a VACL. IPv6 Counter Operation with Multiple Interface Assignments NOTE: The examples of counters in this section use small values to help illustrate counter operation.
Figure 244 Application to filter traffic inbound on port B2
Using the topology in Figure 244 (page 335), a workstation at FE80::20:117 on port B2 attempting to ping and Telnet to the workstation at FE80::20:2 is filtered through the PACL instance of the "V6-01" ACL assigned to port B2, resulting in the following:
Figure 245 Ping and telnet from FE80::20:117 to FE80::20:2 filtered by the assignment of "V6-01" as a PACL on port B2
Figure 246 Resulting ACE hits on ACL "V6-01"
IPv4 Counter Operation with Mul
Figure 247 ACL "Test-1" and interface assignment commands
Figure 248 Using the same ACL for VACL and RACL applications
In the above case:
• Matches with ACEs 10 or 20 that originate on VLAN 20 will increment only the counters for the instances of these two ACEs in the Test-1 VACL assignment on VLAN 20. The same counters in the instances of ACL Test-1 assigned to VLANs 50 and 70 will not be incremented.
• Any Telnet requests to 10.10.20.
NOTE: Any port VLAN-ID changes made on 802.1X-aware ports during an 802.1X-authenticated session do not take effect until the session ends. With GVRP enabled, a temporary, untagged static VLAN assignment created on a port by 802.1X authentication is advertised as an existing VLAN. If this temporary VLAN assignment causes the switch to disable a configured (untagged) static VLAN assignment on the port, then the disabled VLAN assignment is not advertised. When the 802.
802.1X User-based access control
802.1X operation with access control on a per-user basis provides client-level security that allows LAN access to individual 802.1X clients (up to 32 per port), where each client gains access to the LAN by entering valid user credentials. This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated.
Accounting The switches covered in this guide also provide RADIUS Network accounting for 802.1X access. See “RADIUS Authentication, Authorization, and Accounting” (page 141). General 802.1X authenticator operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.
3. 3rd Priority: If the port does not have an Authorized-Client VLAN configured, but does have a static, untagged VLAN membership in its configuration, then the switch assigns the port to this VLAN. A port assigned to a VLAN by an Authorized-Client VLAN configuration (or a RADIUS server) will be an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN.
• Using port-based 802.1X authentication when a port on the switch is configured as an authenticator, one authenticated client opens the port. Other clients not running an 802.1X supplicant application can have access to the switch and network through the opened port. If another client uses an 802.1X supplicant application to access the opened port, re-authentication occurs using the RADIUS configuration response for the latest client to authenticate.
Unauthenticated (guest) VLAN access When a PC is connected through an IP phone to a switch port that has been authorized using 802.1X or Web/MAC authentication, the IP phone is authenticated using client-based 802.1X or Web/MAC authentication and has access to secure, tagged VLANs on the port. If the PC is unauthenticated, it needs to have access to the insecure guest VLAN (unauthenticated VLAN) that has been configured for 802.1X or Web/MAC authentication. 802.
The 802.1X Open VLAN mode solves this problem by temporarily suspending the port's static VLAN memberships and placing the port in a designated Unauthorized-Client VLAN (sometimes termed a guest VLAN). In this state the client can proceed with initialization services, such as acquiring IP addressing and 802.1X client software, and starting the authentication process. NOTE: On ports configured to allow multiple sessions using 802.1X user-based access control, all clients must use the same untagged VLAN.
configured, it will always be untagged and will block the port from using a statically configured, untagged membership in another VLAN. After client authentication, the port returns to membership in any tagged VLANs for which it is configured.
Table 35 802.1X Open VLAN mode options
802.1X per-port configuration | Port response
No Open VLAN mode: | The port automatically blocks a client that cannot initiate an authentication session.
Table 35 802.1X Open VLAN mode options (continued)
802.1X per-port configuration | Port response
Unauthorized-Client VLAN configured: | Port response should include only what a client needs to enable an authentication session. If the port is statically configured as an untagged member of another VLAN, the switch temporarily removes the port from membership in this other VLAN while membership in the Unauthorized-Client VLAN exists.
Condition | Rule
Temporary VLAN membership during a client session | • Port membership in a VLAN assigned to operate as the Unauthorized-Client VLAN is temporary, and ends when the client receives authentication or the client disconnects from the port, whichever is first. In the case of the multiple clients allowed on switches covered in this guide, the first client to authenticate determines the untagged VLAN membership for the port until all clients have disconnected.
Condition | Rule
(continued) | disconnects from the port. (If there is no Unauthorized-Client VLAN configured on the authenticator port, the port simply blocks access for any unauthorized client.)
Effect of RADIUS-assigned VLAN | The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN.
IP addressing for a client connected to a port configured for 802.
Figure 251 Showing ports configured for open VLAN mode
In the output shown in Figure 251 (page 348):
• When the Auth VLAN ID is configured and matches the Current VLAN ID, an authenticated client is connected to the port. This assumes the port is not a statically configured member of the VLAN you are using for Auth VLAN.
• When the Unauth VLAN ID is configured and matches the Current VLAN ID, an unauthenticated client is connected to the port.
Status indicator | Meaning
 | No unauthorized VLAN has been configured for the indicated port.
Authorized VLAN ID < vlan-id > | Lists the VID of the static VLAN configured as the authorized VLAN for the indicated port.
0 | No authorized VLAN has been configured for the indicated port.
Output for determining Open VLAN mode status: Figure 251 (page 348).
Status indicator | Meaning
Status Closed | Either no client is connected or the connected client has not received authorization through 802.1X authentication.
• If the only authenticated client on a port loses authentication during a session in 802.1X Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN. If there is no Unauthorized-Client VLAN configured, then the client loses access to the port until it can reauthenticate itself. If there are multiple clients authenticated on the port, if one client loses access and attempts to re-authenticate, that client will be handled as a new client on the port.
Thus, if the supplicant's link to the authenticator fails, the supplicant retains the transaction statistics it most recently received until one of the above events occurs. If moving a link with an authenticator from one supplicant port to another without clearing the statistics data from the first port, the authenticator's MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X authentication affects VLAN operation Static VLAN requirement RADIUS authentication for an 802.
Operating notes • During client authentication, a port assigned to a VLAN by a RADIUS server or an authorized-client VLAN configuration is an untagged member of the VLAN for the duration of the authenticated session. This applies even if the port is also configured in the switch as a tagged member of the same VLAN. The following restrictions apply: • If the port is assigned as a member of an untagged static VLAN, the VLAN must already be configured on the switch.
port-based, untagged VLAN membership assigned for the earliest, currently active client session. Therefore, on a port where one or more authenticated client sessions are already running, all such clients are on the same untagged VLAN. If a RADIUS server subsequently authenticates a new client, but attempts to re-assign the port to a different, untagged VLAN than the one already in use for the previously existing, authenticated client sessions, the connection for the new client will fail.
Example 14 Example of untagged VLAN assignment in a RADIUS-based authentication session The following example shows how an untagged static VLAN is temporarily assigned to a port for use during an 802.1X authentication session. In the example, an 802.1X-aware client on port A2 has been authenticated by a RADIUS server for access to VLAN 22. However, port A2 is not configured as a member of VLAN 22 but as a member of untagged VLAN 33 as shown in Figure 253 (page 355).
Example 15 Suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2:
Figure 253 An active VLAN configuration
In Figure 253 (page 355), if RADIUS authorizes an 802.1X client on port A2 with the requirement that the client use VLAN 22, then:
• VLAN 22 becomes available as Untagged on port A2 for the duration of the session.
When the 802.1X client's session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is "permanently" configured as untagged on the port becomes available again. Therefore, when the RADIUS-authenticated 802.1X session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored as shown in Figure 256 (page 356). Figure 256 The active configuration for VLAN 33 restores port A2 after the 802.
11 Port Security
Configuring
Planning port security
Plan your port security configuration and monitoring according to the following:
1. On which ports do you want port security?
2. Which devices (MAC addresses) are authorized on each port?
3. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmitting to the network.
Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces. For more information on the mac-age-time command see "Interface Access and System Information" in the Management and Configuration Guide for your switch.
configured | Must specify which MAC addresses are allowed for this port. Range is 1 (default) to 64 and addresses are not ageable. Addresses are saved across reboots.
limited-continuous | Also known as MAC Secure, or "limited" mode. The limited parameter sets a finite limit to the number of learned addresses allowed per port. (You can set the range from 1, the default, to a maximum of 32 MAC addresses which may be learned by each port.
Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port.
none | Prevents an SNMP trap from being sent. none is the default value.
send-alarm | Sends an intrusion alarm. Causes the switch to send an SNMP trap to a network management station.
send-disable | Sends alarm and disables the port.
    }
    MAX-ACCESS read-write
    STATUS current
    DESCRIPTION
        "If enabled on a switch, outbound unknown unicast packets will not be forwarded out this port. If enabled on a repeater, outbound unknown unicast packets for this port will be scrambled."
    ::= { hpSecurePortEntry 5 }
Blocked unauthorized traffic
Unless you configure the switch to disable a port on which a security violation is detected, the switch security measures block unauthorized traffic without disabling the port.
Configuring Additional Validation Checks on ARP Packets Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp-protect validate command at the global configuration level.
Figure 260 Setting Trusted Ports
DHCP server packets are forwarded only if received on a trusted port; DHCP server packets received on an untrusted port are dropped. Use the no form of the command to remove the trusted configuration from a port.
Configuring authorized server addresses
If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the authorized server list in order to be considered valid.
NOTE: A port configured with MAC Lockdown does not accept Multicast MAC addresses; such a port does accept unicast MAC addresses. MAC Lockdown, also known as "static addressing," permanently assigns a given MAC address and VLAN to a specific port on the switch. Use MAC Lockdown to prevent station movement and MAC address hijacking and to control address learning on the switch. Locking down a MAC address on a port and a specific VLAN only restricts the MAC address on that VLAN.
[login-failures] The count of failed CLI login attempts or SNMP management authentication failures per hour. (Default threshold setting when enabled: 10 med) [mac-address-count] The number of MAC addresses learned in the forwarding table. You must enter a specific value in order to enable this feature. (Default threshold setting when enabled: 1000 med) [mac-moves] The average number of MAC address moves per minute from one port to another.
To enable monitoring of learn discards with the default medium threshold value:
HP Switch(config)# instrumentation monitor learndiscards
To disable monitoring of learn discards:
HP Switch(config)# no instrumentation monitor learndiscards
To enable or disable SNMP trap generation:
HP Switch(config)# [no] instrumentation monitor trap
Viewing
Displaying port security settings
Syntax:
show port-security
show port-security port number
show port-security [port number] [port number] . . .
Displaying ARP Packet Statistics
To display statistics about forwarded ARP packets, dropped ARP packets, MAC validation failures, and IP validation failures, enter the show arp-protect statistics command:
Figure 264 Show arp-protect statistics Command
Monitoring Dynamic ARP Protection
When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp-protect command.
vlan | Lists the authorized MAC addresses detected on ports belonging to the specified VLAN.
Figure 266 Show mac-address outputs
Viewing the current instrumentation monitor configuration
The show instrumentation monitor configuration command displays the configured thresholds for monitored parameters.
An alternate method of determining the current Instrumentation Monitor configuration is to use the show run command. However, the show run command output does not display the threshold values for each limit set.
Using Port Security
Enabling port security eavesdrop-prevention
Syntax:
[no] port-security port-list eavesdrop-prevention
With port security enabled, the port is prevented from transmitting packets that have unknown destination addresses.
Syntax
[no] dhcp-snooping [authorized-server | database | option | trust | verify | vlan]
authorized-server | Enter the IP address of a trusted DHCP server. If no authorized servers are configured, all DHCP server addresses are considered valid. Maximum: 20 authorized servers.
database | To configure a location for the lease database, enter a URL in the format tftp://ip-addr/ascii-string. The maximum number of characters for the URL is 63.
Figure 270 Show DHCP snooping statistics
Enabling DHCP snooping on VLANs
DHCP snooping on VLANs is disabled by default. To enable DHCP snooping on a VLAN or range of VLANs enter this command:
HP Switch(config)# dhcp-snooping vlan
You can also use this command in the vlan context, in which case you cannot enter a range of VLANs for snooping. Below is an example of DHCP snooping enabled on VLAN 4.
remote-id | Set the value used for the remote-id field of the relay information option.
mac | The switch MAC address is used for the remote-id. This is the default.
subnet-ip | The IP address of the VLAN the packet was received on is used for the remote-id. If subnet-ip is specified but the value is not set, the MAC address is used.
mgmt-ip | The management VLAN IP address is used as the remote-id. If mgmt-ip is specified but the value is not set, the MAC address is used.
Figure 273 Showing the DHCP snooping verify MAC setting
DHCP binding database
DHCP snooping maintains a database of up to 8192 DHCP bindings on untrusted ports. Each binding consists of:
• Client MAC address
• Port number
• VLAN identifier
• Leased IP address
• Lease time
The switch can be configured to store the bindings at a specific URL so they will not be lost if the switch is rebooted. If the switch is rebooted, it will read its binding database from the specified location.
NOTE: If a lease database is configured, the switch drops all DHCP packets until the lease database is read. This only occurs when the switch reboots and is completed quickly. If the switch is unable to read the lease database from the tftp server, it waits until that operation times out and then begins forwarding DHCP packets. DHCPv4 Snooping Max Binding DHCP snooping max-binding prevents binding entries from getting exhausted. This feature is on a per-port basis.
[Per-port DHCP snooping table for ports 10 through 24, with a Yes/No setting per port; the remaining columns did not survive extraction.]
Syntax
(config)# show dhcp-snooping stats
Shows the dhcp-snooping statistics.
Enabling Dynamic IP Lockdown
To enable dynamic IP lockdown on all ports or specified ports, enter the ip source-lockdown command at the global configuration level. Use the no form of the command to disable dynamic IP lockdown.
Syntax
[no] ip source-lockdown
Enables dynamic IP lockdown globally on all ports or on specified ports on the routing switch.
Figure 275 Two authorized addresses on port A1
The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1:
HP Switch(config)# port-security a1 address-limit 1
HP Switch(config)# no port-security a1 mac-address 0c0090-123456
The above command sequence results in the following configuration for port A1:
Figure 276 Port A1 after removing one MAC address
Example 16 Specifying MAC Address and intrusion responses
This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port. The default device limit is 1. It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port.
Removes the specified MAC address from the specified VLAN:

HP Switch(config)# clear mac-address vlan 2 mac 0001e6-b197a8

To view the results from clearing a MAC address, use the show mac-address command with the appropriate option.

Figure 277 A MAC Address cleared from the MAC Address Table

Deploying MAC Lockdown

When deploying MAC Lockdown, it is crucial to consider its use in your network topology to ensure security.
Syntax
[no] ip source-binding <vlan-id> <ip-address> <mac-address> <port-number>
mac-address: Specifies a MAC address to bind with a VLAN and IP address on the specified port in the DHCP binding database.
vlan-id: Specifies a VLAN ID number to bind with the specified MAC and IP addresses on the specified port in the DHCP binding database.
ip-address: Specifies an IP address to bind with a VLAN and MAC address on the specified port in the DHCP binding database.
In the show ip source-lockdown bindings command output, the "Not in HW" column specifies whether or not (YES or NO) a statically configured IP-to-MAC and VLAN binding on a specified port has been combined into the lease database maintained by the DHCP Snooping feature.

Debugging dynamic IP lockdown

To enable the debugging of packets dropped by dynamic IP lockdown, enter the debug dynamic-ip-lockdown command.
Figure 280 show ip source-lockdown status command output

Adding a MAC Address to a port

To simply add a device (MAC address) to a port's existing Authorized Addresses list, enter the port number with the mac-address parameter and the device's MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value).
Figure 282 Adding a second authorized device to a port The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode.
show port-security intrusion-log
Lists intrusion log content.
clear intrusion-flags
Clears intrusion flags on all ports.
port-security [e] <port-list> clear-intrusion-flag
Clears the intrusion flag on one or more specific ports.

Example
In the following example, executing show interfaces brief lists the switch port status, indicating an intrusion alert on port A1.
HP Switch(config)# port-security a1 clear-intrusion-flag
HP Switch(config)# show interfaces brief

Figure 286 Port status screen after alert flags reset

For more on clearing intrusions, see "Keeping the intrusion log current by resetting alert flags" (page 409).

Checking for intrusions, listing intrusion alerts, and resetting alert flags (Menu)

The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen. 1.
This example shows two intrusions for port A3 and one intrusion for port A1. In this case, only the most recent intrusion at port A3 has not been acknowledged (reset). This is indicated by the following:
• Because the Port Status screen "Port status screen with intrusion alert on port A3" (page 385) does not indicate an intrusion for port A1, the alert flag for the intrusion on port A1 has already been reset.
Example
Figure 289 Log listing with and without detected security violations

For more Event Log information, see "Using the Event Log To Identify Problem Sources" in the Management and Configuration Guide for your switch.

Using the event log to find intrusion alerts (Menu)

In the Main Menu, click on 4. Event Log and use Next page and Prev page to review the Event Log contents.
Instrumentation monitor: Protects your network from a variety of other common attacks besides DHCP and ARP attacks, including: • Attempts at a port scan to expose a vulnerability in the switch, indicated by an excessive number of packets sent to closed TCP/UDP ports. • Attempts to fill all IP address entries in the switch’s forwarding table and cause legitimate traffic to be dropped, indicated by an increased number of learned IP destination addresses.
DHCP Operational Notes • DHCP is not configurable from the WebAgent or menu interface. • If packets are received at too high a rate, some may be dropped and need to be re-transmitted. • HP recommends running a time synchronization protocol such as SNTP in order to track lease times accurately. • A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot.
If you have already enabled DHCP snooping on a switch, you may also want to add static IP-to-MAC address bindings to the DHCP snooping database so that ARP packets from devices that have been assigned static IP addresses are also verified. • Supports additional checks to verify source MAC address, destination MAC address, and IP address. ARP packets that contain invalid IP addresses or MAC addresses in their body that do not match the addresses in the Ethernet header are dropped.
address is not contained in the DHCP binding database. As a result, dynamic IP lockdown will not allow inbound traffic from the client. • It is recommended that you enable DHCP snooping a week before you enable dynamic IP lockdown to allow the DHCP binding database to learn clients’ leased IP addresses. You must also ensure that the lease time for the information in the DHCP binding database lasts more than a week. Alternatively, you can configure a DHCP server to re-allocate IP addresses to DHCP clients.
Figure 290 Internal Statements used by Dynamic IP Lockdown NOTE: The deny any statement is applied only to VLANs for which DHCP snooping is enabled. The permit any statement is applied only to all other VLANs. Operational notes • Dynamic IP lockdown is enabled at the port configuration level and applies to all bridged or routed IP packets entering the switch. The only IP packets that are exempt from dynamic IP lockdown are broadcast DHCP request packets, which are handled by DHCP snooping.
Dynamic IP lockdown is activated on the port only after you make the following configuration changes: ◦ Enable DHCP snooping on the switch. ◦ Configure the port as a member of a VLAN that has DHCP snooping enabled. ◦ Remove the trusted-port configuration. • You can configure dynamic IP lockdown only from the CLI; this feature cannot be configured from the WebAgent or menu interface. • If you enable dynamic IP lockdown on a port, you cannot add the port to a trunk.
When dynamic IP lockdown is enabled globally or on ports, the bindings associated with the ports are written to hardware. This occurs during these events:
• Switch initialization
• Hot swap
• A dynamic IP lockdown-enabled port is moved to a DHCP snooping-enabled VLAN
• DHCP snooping or dynamic IP lockdown characteristics are changed such that dynamic IP lockdown is enabled on the ports.
Table 40 Parameters for monitoring (continued)

port-auth-failures/min: The count of times a client has been unsuccessful logging into the network.
system-delay: The response time, in seconds, of the CPU to new network events such as BPDU packets or packets for other network protocols. Some DoS attacks can cause the CPU to take too long to respond to new network events, which can lead to a breakdown of Spanning Tree or other features.
30 minutes, then for 1 hour, 2 hours, 4 hours, 8 hours, and after that the persisting condition is reported once a day. As with other event log entries, these alerts can be sent to a server. • Known Limitations: The instrumentation monitor runs once every five minutes. The current implementation does not track information such as the port, MAC, and IP address from which an attack is received.
Figure 293 Trusted Ports for Dynamic ARP Protection Take into account the following configuration guidelines when you use dynamic ARP protection in your network: • You should configure ports connected to other switches in the network as trusted ports. In this way, all network switches can exchange ARP packets and update their ARP caches with valid information. • Switches that do not support dynamic ARP protection should be separated by a router in their own Layer 2 domain.
• Learn-Mode: Specify how the port acquires authorized addresses.
◦ Limited-Continuous: Sets a finite limit (1 - 32) to the number of learned addresses allowed per port.
◦ Continuous: Allows the port to learn addresses from inbound traffic from any connected device. This is the default setting.
◦ Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses.
Table 41 Learn mode and effect

Static: When Eavesdrop Prevention is disabled, the port transmits packets that have unknown destination addresses. The port is secured and only a limited number of static MAC addresses are learned. A device must generate traffic before the MAC address is learned and traffic is forwarded to it.
Continuous: The default. The Eavesdrop Prevention option does not apply because port security is disabled.
configured MAC age time. For information on the mac-age-time command, see "Interface Access and System Information" in the Management and Configuration Guide for your switch.
Adding an Authorized Device to a Port To simply add a device (MAC address) to a port’s existing Authorized Addresses list, enter the port number with the mac-address parameter and the device’s MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value).
Figure 297 Port Security on Port A1 with an Address Limit of "1"

To add a second authorized device to port A1, execute a port-security command for port A1 that raises the address limit to 2 and specifies the additional device's MAC address. For example:

HP Switch(config)# port-security a1 mac-address 0c0090-456456 address-limit 2

Removing a Device From the "Authorized" List for a Port

This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list.
The following command sequence serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1:

HP Switch(config)# port-security a1 address-limit 1
HP Switch(config)# no port-security a1 mac-address 0c0090-123456

The above command sequence results in the following configuration for port A1:

Figure 299 Port A1 After Removing One MAC Address

How MAC Lockdown works

When a device's MAC address is locked down to a port (typically in a pair with a VLAN) all information sent to that MAC address must go
NOTE: If the device moves to a distant part of the network where data sent to its MAC address never goes through the locked-down switch, it may be possible for the device to have full two-way communication. For full and complete lockdown network-wide, all switches must be configured appropriately. • Once you lock down a MAC address/VLAN pair on one port that pair cannot be locked down on a different port. • You cannot perform MAC Lockdown and 802.
Port security maintains a list of allowed MAC addresses on a per-port basis. An address can exist on multiple ports of a switch. Port security deals with MAC addresses only while MAC Lockdown specifies both a MAC address and a VLAN for lockdown. MAC Lockdown, on the other hand, is not a "list." It is a global parameter on the switch that takes precedence over any other security mechanism. The MAC Address will only be allowed to communicate using one specific port on the switch.
Basic MAC Lockdown deployment. In the Model Network Topology shown above, the switches that are connected to the edge of the network each have one and only one connection to the core network. This means each switch has only one path by which data can travel to Server A. You can use MAC Lockdown to specify that all traffic intended for Server A's MAC Address must go through the one port on the edge switches.
Figure 301 Connectivity problems using MAC lockdown with multiple paths The resultant connectivity issues would prevent you from locking down Server A to Switch 1. And when you remove the MAC Lockdown from Switch 1 (to prevent broadcast storms or other connectivity issues), you then open the network to security problems. The use of MAC Lockdown as shown in the above figure would defeat the purpose of using MSTP or having an alternate path.
VLANs configured 257-1024: 16 MAC lockout addresses; 16,384 total MAC addresses
VLANs configured 1025-2048: 8 MAC lockout addresses; 16,384 total MAC addresses

There are limits for the number of VLANs, Multicast Filters, and Lockout MACs that can be configured concurrently, as all use MAC table entries. The limits are shown below.
When a security violation occurs on a port configured for Port Security, the switch responds in the following ways to notify you:
• The switch sets an alert flag for that port. This flag remains set until:
◦ You use either the CLI, menu interface, or WebAgent to reset the flag.
◦ The switch is reset to its factory default configuration.
NOTE: On a given port, if the intrusion action is to send an SNMP trap and then disable the port (send-disable), and an intruder is detected on the port, then the switch sends an SNMP trap, sets the port's alert flag, and disables the port. If you re-enable the port without resetting the port's alert flag, then the port operates as follows: • The port comes up and will block traffic from unauthorized devices it detects.
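The port security behaviour described above (learn modes, the address limit, the alert flag that stays set until explicitly cleared, and the send-disable action) can be followed more easily in code. The model below is an added example written for this page, not HP switch software; the port name, MAC addresses and the Example 16 style scenario are constructed, and the exception stands in for the CLI's "Inconsistent value" message.

```python
# Added example (not HP switch code): a model of Port Security on one port.


class PortSecurityError(Exception):
    """Raised where the switch CLI would print 'Inconsistent value'."""


class SecuredPort:
    LEARN_MODES = ("continuous", "static", "limited-continuous")
    ACTIONS = ("none", "send-alarm", "send-disable")

    def __init__(self, name, learn_mode="continuous", address_limit=1, action="none"):
        if learn_mode not in self.LEARN_MODES or action not in self.ACTIONS:
            raise PortSecurityError("Inconsistent value")
        self.name = name
        self.learn_mode = learn_mode
        self.address_limit = address_limit
        self.action = action
        self.authorized = []        # Authorized Addresses list (ordered)
        self.alert_flag = False     # set on intrusion, cleared only explicitly
        self.enabled = True
        self.intrusion_log = []     # source MAC of each detected intrusion

    def set_address_limit(self, limit):
        """port-security <port> address-limit <n>; 1-32 in limited-continuous mode."""
        if self.learn_mode == "limited-continuous" and not 1 <= limit <= 32:
            raise PortSecurityError("Inconsistent value")
        self.address_limit = limit

    def add_address(self, mac):
        """port-security <port> mac-address <mac>: static mode, list not full, not a duplicate."""
        if mac in self.authorized or len(self.authorized) >= self.address_limit:
            raise PortSecurityError("Inconsistent value")
        self.authorized.append(mac)

    def remove_address(self, mac):
        """no port-security <port> mac-address <mac>."""
        self.authorized.remove(mac)

    def inbound(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if blocked."""
        if not self.enabled:
            return False
        if self.learn_mode == "continuous":
            return True                      # no port security: learn anything
        if src_mac in self.authorized:
            return True
        if len(self.authorized) < self.address_limit:
            self.authorized.append(src_mac)  # learn the first devices up to the limit
            return True
        self._intrusion(src_mac)
        return False

    def _intrusion(self, src_mac):
        self.intrusion_log.append(src_mac)
        self.alert_flag = True               # stays set until clear-intrusion-flag
        if self.action == "send-disable":    # send-alarm/send-disable also raise an SNMP trap
            self.enabled = False

    def clear_intrusion_flag(self):
        """port-security <port> clear-intrusion-flag."""
        self.alert_flag = False

    def re_enable(self):
        """Re-enable the port after a send-disable action (interface <port> enable)."""
        self.enabled = True


def example_16_scenario():
    """Port A1: static, limit 1, send-disable. First device learned, intruder disables the port,
    then the port is re-enabled without resetting the alert flag."""
    a1 = SecuredPort("A1", learn_mode="static", address_limit=1, action="send-disable")
    first = a1.inbound("0c0090-123456")     # learned as the only authorized device
    intruder = a1.inbound("0c0090-456456")  # intrusion: flag set, port disabled
    disabled = a1.enabled
    a1.re_enable()
    after = (a1.inbound("0c0090-123456"), a1.inbound("0c0090-456456"), a1.alert_flag)
    return a1, first, intruder, disabled, after
```

The second call to inbound for the intruder after re-enabling shows the point of the note: an unauthorized device is still blocked and the alert flag is still set, so the intrusion log has to be reviewed and the flag cleared deliberately rather than by bouncing the port.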
To restore LACP to the port, you must remove port security and re-enable LACP active or passive.

Log Messages

Server packet received on untrusted port <port> dropped.
Indicates a DHCP server on an untrusted port is attempting to transmit a packet. This event is recognized by the reception of a DHCP server packet on a port that is configured as untrusted.
Attempt to release address leased to port <port 1> detected on port <port 2> dropped.
Indicates an attempt by a client to release an address when a DHCPRELEASE or DHCPDECLINE packet is received on a port different from the port the address was leased to.

Ceasing bad release logs for %s.
More than one bad DHCP client release packet was dropped. To avoid filling the log file with repeated bad release dropped packets, bad releases will not be logged for .
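The DHCP snooping rules in the operational notes above (bindings learned only for untrusted ports, static bindings added with ip source-binding, dynamic IP lockdown permitting only traffic that matches a binding, and the deny-any/permit-any split between snooped and other VLANs) together with the two log messages just listed are modelled below. This is an added example written for this page, not HP switch software; the ports, VLAN, MAC addresses and leases are constructed, and what the switch does once the 8192-binding database is full is an assumption marked in the code.

```python
from collections import namedtuple

# Added example (not HP switch code): DHCP snooping binding database plus the
# dynamic IP lockdown check and the two log messages derived from it.

Binding = namedtuple("Binding", "mac port vlan ip lease_time static")

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
RELEASE_MSGS = {"RELEASE", "DECLINE"}


class DhcpSnooping:
    MAX_BINDINGS = 8192     # database size stated in the guide

    def __init__(self, trusted_ports, snooping_vlans):
        self.trusted = set(trusted_ports)
        self.vlans = set(snooping_vlans)
        self.bindings = {}          # (client MAC, VLAN) -> Binding
        self.pending = {}           # (client MAC, VLAN) -> untrusted port awaiting an ACK
        self.lockdown_ports = set() # ports with ip source-lockdown applied
        self.log = []

    def add_static_binding(self, vlan, ip, mac, port):
        """ip source-binding <vlan-id> <ip-address> <mac-address> <port>."""
        self.bindings[(mac, vlan)] = Binding(mac, port, vlan, ip, None, True)

    def enable_lockdown(self, port):
        """ip source-lockdown <port>."""
        self.lockdown_ports.add(port)

    def process_dhcp(self, pkt):
        """Return True if the DHCP packet is forwarded, False if dropped."""
        port, vlan, mac, kind = pkt["port"], pkt["vlan"], pkt["mac"], pkt["type"]
        if vlan not in self.vlans:
            return True                              # snooping not enabled on this VLAN
        trusted = port in self.trusted
        if kind in SERVER_MSGS:
            if not trusted:
                self.log.append(f"Server packet received on untrusted port {port} dropped.")
                return False
            if kind == "ACK" and (mac, vlan) in self.pending:
                if len(self.bindings) >= self.MAX_BINDINGS:
                    return True                      # assumed: forwarded but not recorded
                client_port = self.pending.pop((mac, vlan))
                self.bindings[(mac, vlan)] = Binding(mac, client_port, vlan,
                                                     pkt["ip"], pkt["lease"], False)
            return True
        if kind in RELEASE_MSGS:
            b = self.bindings.get((mac, vlan))
            if b is not None and b.port != port:
                self.log.append(f"Attempt to release address leased to port {b.port} "
                                f"detected on port {port} dropped.")
                return False
            if b is not None and not b.static:
                del self.bindings[(mac, vlan)]       # lease given up
            return True
        if not trusted:                              # DISCOVER/REQUEST from a client
            self.pending[(mac, vlan)] = port
        return True

    def ip_packet_allowed(self, port, vlan, src_ip, src_mac, dhcp_broadcast_request=False):
        """Dynamic IP lockdown decision for an IP packet entering `port`."""
        if port not in self.lockdown_ports or port in self.trusted:
            return True                              # lockdown not active on this port
        if vlan not in self.vlans:
            return True                              # internal 'permit any' for other VLANs
        if dhcp_broadcast_request:
            return True                              # exempt; DHCP snooping handles it
        b = self.bindings.get((src_mac, vlan))       # otherwise a binding must match...
        return b is not None and b.ip == src_ip and b.port == port  # ...else 'deny any'


def run_scenario():
    """Constructed: DHCP server behind trusted uplink A24, VLAN 10 snooped, lockdown on A1/A2."""
    s = DhcpSnooping(trusted_ports={"A24"}, snooping_vlans={10})
    s.enable_lockdown("A1")
    s.enable_lockdown("A2")
    client = "001122-334455"
    s.process_dhcp({"type": "DISCOVER", "port": "A1", "vlan": 10, "mac": client})
    s.process_dhcp({"type": "ACK", "port": "A24", "vlan": 10, "mac": client,
                    "ip": "10.0.10.20", "lease": 86400})
    r = {
        "leased_ok": s.ip_packet_allowed("A1", 10, "10.0.10.20", client),
        "spoofed_ip": s.ip_packet_allowed("A1", 10, "10.0.10.99", client),
        "moved_port": s.ip_packet_allowed("A2", 10, "10.0.10.20", client),
        "rogue_offer": s.process_dhcp({"type": "OFFER", "port": "A2", "vlan": 10,
                                       "mac": client, "ip": "10.0.10.50", "lease": 3600}),
        "bad_release": s.process_dhcp({"type": "RELEASE", "port": "A2", "vlan": 10, "mac": client}),
        # static host on A2: blocked until an ip source-binding entry exists for it
        "static_before": s.ip_packet_allowed("A2", 10, "10.0.10.5", "00aabb-ccddee"),
    }
    s.add_static_binding(10, "10.0.10.5", "00aabb-ccddee", "A2")
    r["static_after"] = s.ip_packet_allowed("A2", 10, "10.0.10.5", "00aabb-ccddee")
    return s, r
```

The static_before/static_after pair is the failure mode called out in the notes: a host with a statically assigned address on a lockdown port is silently blocked until an ip source-binding entry is added, which is also why the guide recommends enabling DHCP snooping well before dynamic IP lockdown so that leased clients are already in the database.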
12 Authorized IP Managers

Configuring

Viewing and configuring IP Authorized Managers (Menu)

Only IPv4 is supported when using the menu to set the management access method. From the console Main Menu, select:
2. Switch Configuration …
6. IP Authorized Managers

Figure 303 How to add an authorized manager entry
Figure 304 Edit menu for authorized IP managers

To authorize manager access
This command authorizes manager-level access for any station with an IP address of 10.28.227.0 through 10.28.227.
To edit an existing manager access entry
To change the mask or access level for an existing entry, use the entry's IP address and enter the new value(s). (Notice that any parameters not included in the command will be set to their default.):

HP Switch(config)# ip authorized-managers 10.28.227.101 255.255.255.0 access operator

The above command replaces the existing mask and access level for IP address 10.28.227.101 with 255.255.255.0 and operator.
HP Switch(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager

If you omit the <mask-bits> when adding a new authorized manager, the switch automatically uses 255.255.255.255. If you do not specify either Manager or Operator access, the switch assigns Manager access.

To Edit an Existing Manager Access Entry. To change the mask or access level for an existing entry, use the entry's IP address and enter the new value(s).
Web Proxy Servers If you use the WebAgent to access the switch from an authorized IP manager station, it is highly recommended that you avoid using a web proxy server in the path between the station and the switch. This is because switch access through a web proxy server requires that you first add the web proxy server to the Authorized Manager IP list. This reduces security by opening switch access to anyone who uses the web proxy server.
Building IP Masks: Configuring one station per Authorized Manager IP entry The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network. This is the easiest way to apply a mask. If you have ten or fewer management and/or operator stations, you can configure them by adding the address of each to the Authorized Manager IP list with 255.255.255.255 for the corresponding mask.
Table 44 Analysis of IP Mask for Single-Station Entries (continued)
Columns: 1st Octet, 2nd Octet, 3rd Octet, 4th Octet, Manager-Level or Operator-Level Device Access. (Table rows not recoverable from the extraction.)

… authorized IP address settings for the fixed bits is allowed for the purposes of IP management station access to the switch. Thus, any management station having an IP address of 10.28.227.121, 123, 125, or 127 can access the switch.
When configured in the switch, the Authorized IP Managers feature takes precedence over local passwords, TACACS+, and RADIUS. This means that the IP address of a networked management device must be authorized before the switch will attempt to authenticate the device by invoking any other access security features. If the Authorized IP Managers feature disallows access to the device, then access is denied.
NOTE: When no Authorized IP manager rules are configured, the access method feature is disabled, that is, access is not denied. Options You can configure: • Up to 100 authorized manager addresses, where each address applies to either a single management station or a group of stations • Manager or Operator access privileges CAUTION: Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port.
addresses. For example, a mask of 255.255.255.0 and any value for the Authorized Manager IP parameter allows a range of 0 through 255 in the 4th octet of the authorized IP address, which enables a block of up to 254 IP addresses for IP management access (excluding 0 for the network and 255 for broadcasts). A mask of 255.255.255.252 uses the 4th octet of a given Authorized Manager IP address to authorize four IP addresses for management station access.
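The mask arithmetic described in this section and in Table 44 is easy to get wrong by hand, so here it is worked through in code: which stations an Authorized Manager IP plus mask admits, and the precedence rule that the feature is consulted before any password, TACACS+ or RADIUS check and is disabled when no entries exist. This is an added example, not HP switch software; the entry list is constructed, and the choice of the first matching entry's access level when several entries match a station is an assumption.

```python
import ipaddress

# Added example (not HP switch code): applying Authorized IP Manager masks.

AUTH_MANAGERS = [
    # (Authorized Manager IP, IP Mask, access level); constructed entries
    ("10.28.227.125", "255.255.255.249", "manager"),   # admits .121, .123, .125, .127
    ("10.28.227.101", "255.255.255.252", "manager"),   # admits .100 through .103
    ("10.28.200.0",   "255.255.255.0",   "operator"),  # admits the whole /24
]


def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))


def entry_matches(station, auth_ip, mask):
    """Bits set to 1 in the mask must agree between station and entry; 0 bits are 'don't care'."""
    m = _u32(mask)
    return (_u32(station) & m) == (_u32(auth_ip) & m)


def access_level(station, entries=AUTH_MANAGERS):
    """'manager', 'operator', None (denied before any password/TACACS+/RADIUS check),
    or 'unrestricted' when no rules exist, because the feature is then disabled.
    Assumption: with several matching entries the first one wins."""
    if not entries:
        return "unrestricted"
    for auth_ip, mask, level in entries:
        if entry_matches(station, auth_ip, mask):
            return level
    return None


def addresses_authorized_by(auth_ip, mask, limit=4096):
    """Enumerate every station address an entry admits (the 'Building IP Masks' tables)."""
    m = _u32(mask)
    base = _u32(auth_ip) & m
    free_bits = [bit for bit in range(32) if not (m >> bit) & 1]
    if 2 ** len(free_bits) > limit:
        raise ValueError("mask admits too many addresses to enumerate")
    addrs = []
    for combo in range(2 ** len(free_bits)):
        value = base
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                value |= 1 << bit
        addrs.append(str(ipaddress.IPv4Address(value)))
    return sorted(addrs, key=_u32)
```

Note that the enumeration for a 255.255.255.0 mask returns all 256 values of the last octet; the guide's count of 254 usable stations excludes the network and broadcast addresses, which no management station would carry. A mask with zero bits outside the last octet (for example 255.255.0.0) admits a correspondingly larger block, which is usually more than intended.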
If it is necessary to use the WebAgent and your browser access is through a web proxy server, perform these steps: 1. Enter the web proxy server’s MAC address in the port’s Authorized Addresses list. 2. Enter the web proxy server’s IP address in the switch’s IP Authorized Managers list. You must perform both of these steps or the switch only detects the proxy server’s MAC address and IP address instead of your workstation addresses, and your connection is considered unauthorized.
13 Key Management System Configuring key chain management KMS has three configuration steps: 1. Create a key chain entry. 2. Assign a time-independent key or set of time-dependent keys to the Key Chain entry. The choice of key type is based on the level of security required for the protocol to which the key entry will be assigned. 3. Assign the key chain to a KMS-enabled protocol. This procedure is protocol-dependent.
Generates or deletes a key in the key chain entry <chain_name>. Using the optional no form of the command deletes the key. The <key_id> is any number from 0-255.
[key-string <key_str>]
This option lets you specify the key value for the protocol using the key. The <key_str> can be any string of up to 14 characters in length.
[accept-lifetime infinite] [send-lifetime infinite]
accept-lifetime infinite: Allows packets with this key to be accepted at any time from boot-up until the key is removed.
Specifies the start date and time of the valid period in which the switch can transmit this key as authentication for outbound packets. duration < mm/dd/yy [ yy ] hh:mm:ss | seconds > Specifies the time period during which the switch can use this key to authenticate outbound packets. Duration is either an end date and time or the number of seconds to allow after the start date and time ( which is the accept-lifetime setting).
Figure 313 Status of keys in key chain entry "HPSwitch2" The "HPSwitch1" key chain entry is a time-independent key and will not expire. "HPSwitch2" uses time-dependent keys, which result in this data: Expired=1 Key 1 has expired because its lifetime ended at 8:10 on 01/18/03, the previous day. Active=2 Key 2 and 3 are both active for 10 minutes from 8:00 to 8:10 on 1/19/03. Keys 4 and 5 are either not yet active or expired. The total number of keys is 5.
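To make the key lifetime rules concrete, the following added example (not HP switch software) evaluates a key chain at a given time: each key carries an accept lifetime and a send lifetime, each either infinite or a start plus a duration given as an end time or a number of seconds, and the chain summary reproduces the Expired/Active counts discussed for "HPSwitch2". The chain below is constructed to match that discussion; key strings are placeholders, and the choice of the lowest-numbered active key for sending is an assumption, as the guide does not state how the switch picks among several active send keys.

```python
from datetime import datetime, timedelta

# Added example (not HP switch code): KMS key lifetime evaluation.


class Lifetime:
    def __init__(self, start=None, duration=None):
        self.start = start          # datetime, or None for 'infinite'
        self.duration = duration    # datetime end, int seconds, or None (no end)

    def end(self):
        if self.start is None or self.duration is None:
            return None
        if isinstance(self.duration, int):
            return self.start + timedelta(seconds=self.duration)
        return self.duration

    def state(self, now):
        """'active', 'pending' (not yet active) or 'expired' at time `now`."""
        if self.start is None:
            return "active"
        if now < self.start:
            return "pending"
        end = self.end()
        return "expired" if end is not None and now >= end else "active"


class Key:
    def __init__(self, key_id, key_string, accept, send):
        if not 0 <= key_id <= 255 or len(key_string) > 14:
            raise ValueError("key-id must be 0-255 and key-string at most 14 characters")
        self.key_id, self.key_string, self.accept, self.send = key_id, key_string, accept, send


def chain_status(keys, now):
    """Counts as in the key chain status display: Expired, Active, Pending and Total, by accept lifetime."""
    counts = {"expired": 0, "active": 0, "pending": 0}
    for k in keys:
        counts[k.accept.state(now)] += 1
    counts["total"] = len(keys)
    return counts


def send_key(keys, now):
    """Key used for outbound authentication: assumed to be the lowest-numbered active send key."""
    active = [k for k in keys if k.send.state(now) == "active"]
    return min(active, key=lambda k: k.key_id) if active else None


def accepts(keys, now, key_id, key_string):
    """Is an inbound packet carrying (key_id, key_string) accepted at time `now`?"""
    return any(k.key_id == key_id and k.key_string == key_string
               and k.accept.state(now) == "active" for k in keys)


def ten_minutes(start):
    return Lifetime(start, 600)


# Constructed to match the "HPSwitch2" discussion: key 1 expired at 08:10 on 01/18/03,
# keys 2 and 3 active 08:00-08:10 on 01/19/03, keys 4 and 5 not yet active.
HPSWITCH2 = [
    Key(1, "k1-secret", ten_minutes(datetime(2003, 1, 18, 8, 0)), ten_minutes(datetime(2003, 1, 18, 8, 0))),
    Key(2, "k2-secret", ten_minutes(datetime(2003, 1, 19, 8, 0)), ten_minutes(datetime(2003, 1, 19, 8, 0))),
    Key(3, "k3-secret", ten_minutes(datetime(2003, 1, 19, 8, 0)), ten_minutes(datetime(2003, 1, 19, 8, 0))),
    Key(4, "k4-secret", ten_minutes(datetime(2003, 1, 19, 8, 10)), ten_minutes(datetime(2003, 1, 19, 8, 10))),
    Key(5, "k5-secret", Lifetime(datetime(2003, 1, 20, 8, 0), datetime(2003, 1, 20, 8, 10)),
        Lifetime(datetime(2003, 1, 20, 8, 0), datetime(2003, 1, 20, 8, 10))),
]

NOW_EXAMPLE = datetime(2003, 1, 19, 8, 5)   # the moment the status above was taken
```

Evaluating the chain at a time other than NOW_EXAMPLE (say 08:10 on 01/19/03) shows the rollover hazard the guide alludes to: keys 2 and 3 expire at the same instant key 4 starts, so accept lifetimes should overlap generously with the neighbouring send lifetimes, and the clocks on both peers need to agree for the handover to work.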
14 Traffic/Security Features and Monitors Configuring traffic/security Configuring security settings using the CLI wizard To configure the security settings using the CLI wizard, follow the steps below: 1. At the command prompt, type setup mgmt-interfaces. The welcome banner appears and the first setup option is displayed (Operator password). As you advance through the wizard, each setup option displays the current value in brackets [ ] as shown in Figure 314 (page 427).
3. When the message appears asking if you want to save these changes, you have the following options: • To save your changes, press Enter. • To cancel any changes without saving, type [n] and then press Enter. After pressing Enter, the wizard exits to the command line prompt. Defining and configuring named source-port filters The named source-port filter command operates from the global configuration level.
To configure a named source-port filter to prevent inbound traffic from being forwarded to specific destination switch ports or port trunks, the drop option is used.
Figure 318 Showing Traffic Filtered on Specific Ports

The same command, using IDX 26, shows how traffic from the Internet is handled.

Figure 319 Source Port Filtering with Internet Traffic

As the company grows, more resources are required in accounting. Two additional accounting workstations are added and attached to ports 12 and 13. A second server is added, attached to port 8.
Figure 321 Showing Network Traffic Management with Source Port Filters We next apply the updated named source-port filters to the appropriate switch ports. As a port can only have one source-port filter (named or not named), before applying the new named source-port filters we first remove the existing source-port filters on the port. Figure 322 No filter source-port The named source-port filters now manage traffic on the switch ports as shown below, using the show filter source-port command.
NOTE: If multiple VLANs are configured, the source-port and the destination port(s) must be in the same VLAN unless routing is enabled. Similarly, if a VLAN containing both the source and destination is multinetted, the source and destination ports and/or trunks must be in the same subnet unless routing is enabled. Syntax [drop][forward ] Configures the filter to drop traffic for the ports and/or trunks in the designated < destination-port-list >.
explicitly configure the filter on the port trunk. If you use the show filter < index > command for a filter created before the related source port was added to a trunk, the port number appears between asterisks ( * ), indicating that the filter action has been suspended for that filter.
Example 19 Example Suppose you wanted to configure the filters in table 12-3 on a switch. (For more on source-port filters, see “Configuring a source-port traffic filter” (page 431).
Using HP switch security features HP switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types. When preparing the switch for network operation, therefore, HP strongly recommends that you enforce a security policy to help ensure that the ease in getting started is not used by unauthorized persons as an opportunity for access and possible malicious actions.
Using the Management Interface wizard The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation.
SNMPv3 security options include: • Configuring device communities as a means for excluding management access by unauthorized stations • Configuring for access authentication and privacy • Reporting events to the switch CLI and to SNMP trap receivers • Restricting non-SNMPv3 agents to either read-only access or no access • Co-existing with SNMPv1 and v2c if necessary. SNMP access to the authentication configuration MIB Beginning with software release K.12.
3. MAC lockdown
4. Port security
5. Authorized IP Managers
6. Application features at higher levels in the OSI model, such as SSH.

The above list does not address the mutually exclusive relationship that exists among some security features.

Precedence of Client-based authentication: Dynamic Configuration Arbiter

Starting in software release K.13.xx, the Dynamic Configuration Arbiter (DCA) is implemented to determine the client-specific parameters that are assigned in an authentication session.
NIM also allows you to configure and apply client-specific profiles on ports that are not configured to authenticate clients (unauthorized clients), provided that a client's MAC address is known in the switch forwarding database. The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile MIB, which serves as the configuration interface for NIM. A client profile consists of NIM-configured, RADIUS-assigned, and statically configured parameters.
newly authenticating client conflicts with the rate-limiting values assigned to previous clients, by using Network Immunity you can configure the switch to apply any of the following attributes: • Apply only the latest rate-limiting value assigned to all clients. • Apply a client-specific rate-limiting configuration to the appropriate client session (overwrites any rate-limit previously configured for other client sessions on the port).
Table 47 Access Security and Switch Authentication Features Feature Default setting Security guidelines More information and configuration details Manager password no password Configuring a local Manager password is a fundamental step in reducing the possibility of unauthorized access through the switch's WebAgent and console (CLI and Menu) interfaces.
Table 47 Access Security and Switch Authentication Features (continued) Feature Default setting Security guidelines More information and configuration details SSH disabled SSH provides Telnet-like functions “Using the Management Interface through encrypted, authenticated wizard” (page 436) transactions of the following types: “Secure Shell (SSH)” (page 227) • client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch.
Table 47 Access Security and Switch Authentication Features (continued) Feature Default setting Security guidelines More information and configuration details preventing unauthorized SNMP access should be a key element of your network security strategy.
Table 47 Access Security and Switch Authentication Features (continued) Feature Default setting 802.1X Access Control none Security guidelines More information and configuration details This feature provides port-based or user-based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services.
Network security features This section outlines features and defence mechanisms for protecting access through the switch to the network.
Table 48 Network Security—Default Settings and Security Guidelines (continued) Feature Default setting Security guidelines More information and configuration details WebAgent, and SNMP) for transactions between specific source and destination IP addresses.) • Application Access Security: Eliminating unwanted IP, TCP, or UDP traffic by filtering packets where they enter or leave the switch on specific interfaces.
Table 48 Network Security—Default Settings and Security Guidelines (continued) Feature Default setting Security guidelines More information and configuration details protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.) KMS provides specific instances of routing protocols with one or more Send or Accept keys that must be active at the time of a request.
Table 48 Network Security—Default Settings and Security Guidelines (continued) Feature Default setting Security guidelines More information and configuration details spoofing and repeated address requests. • Dynamic ARP Protection: Protects your network from ARP cache poisoning. • Dynamic IP Lockdown: Prevents IP source address spoofing on a per-port and per-VLAN basis. • Instrumentation Monitor: Helps identify a variety of malicious attacks by generating alerts for detected anomalies on the switch.
Displaying traffic/security filters

This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters.

Syntax
show filter [<index>]
Lists all filters and their corresponding filter index (IDX) numbers.
IDX: An automatically assigned index number used to identify the filter for a detailed information listing. A filter retains its assigned IDX number for as long as the filter exists in the switch.
configure a traffic filter to either forward or drop all network traffic moving to outbound (destination) ports and trunks (if any) on the switch.

Applicable switch models

As of June 2010, Traffic/Security filters are available on these current HP switch models:

Table 49 Switch model filter availability
Model: Source-Port Filters / Protocol Filters / Multicast Filters
8200zl Switches: Yes / Yes / Yes
6600 Switches: Yes / Yes / Yes
8400cl Switches: Yes / No / No
5400zl Switches: Yes / Yes / Yes
4200vl Switches: Ye
Table 50 Filter types and criteria

Source-port: Inbound traffic from a designated, physical source port will be forwarded or dropped on a per-port (destination) basis.
Multicast: Inbound traffic having a specified multicast MAC address will be forwarded to outbound ports (the default) or dropped on a per-port (destination) basis.
Protocol: Inbound traffic having the selected frame (protocol) type will be forwarded or dropped on a per-port (destination) basis.
configure to drop traffic. (Destination ports that comprise a trunk are listed collectively by the trunk name— such as Trk1— instead of by individual port name.) • Packets allowed for forwarding by a source-port filter are subject to the same operation as inbound packets on a port that is not configured for source-port filtering.
Operating rules for named source—port filters • A port or port trunk may only have one source-port filter, named or not named. • A named source-port filter can be applied to multiple ports or port trunks. • Once a named source-port filter is defined, subsequent changes only modify its action, they don’t replace it. • To change the named source-port filter used on a port or port trunk, the current filter must first be removed, using the no filter source-port named-filter command.
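The operating rules above (forward by default, drop for listed destinations, one filter per source port, redefining a named filter modifies rather than replaces it, and the IDX a filter keeps while it exists) are captured in the following added example, which is not HP switch software. The accounting scenario it builds is constructed after the one in this chapter: workstations on ports 10-13 may reach only the server on port 8 and the uplink on port 26.

```python
# Added example (not HP switch code): named source-port filters and their rules.


class FilterError(Exception):
    pass


class NamedSourcePortFilter:
    def __init__(self, name, idx):
        self.name, self.idx = name, idx
        self.dropped = set()        # destination ports/trunks with action 'drop'

    def drop(self, *destinations):
        """filter source-port named-filter <name> drop <destination-list>."""
        self.dropped.update(destinations)

    def forward(self, *destinations):
        """filter source-port named-filter <name> forward <destination-list>."""
        self.dropped.difference_update(destinations)

    def action(self, destination):
        return "drop" if destination in self.dropped else "forward"


class SourcePortFilterTable:
    def __init__(self):
        self.filters = {}      # name -> NamedSourcePortFilter
        self.applied = {}      # source port -> filter name
        self._next_idx = 1

    def define(self, name):
        """Defining an existing name only modifies it; the filter and its IDX are kept."""
        if name not in self.filters:
            self.filters[name] = NamedSourcePortFilter(name, self._next_idx)
            self._next_idx += 1
        return self.filters[name]

    def apply(self, name, *source_ports):
        """filter source-port <port-list> named-filter <name>; one filter per source port."""
        for port in source_ports:
            if port in self.applied:
                raise FilterError(f"port {port} already has filter {self.applied[port]}; remove it first")
            self.applied[port] = name

    def remove(self, *source_ports):
        """no filter source-port <port-list>."""
        for port in source_ports:
            self.applied.pop(port, None)

    def forwards(self, source_port, destination):
        """Is inbound traffic on source_port forwarded to destination?"""
        name = self.applied.get(source_port)
        if name is None:
            return True
        return self.filters[name].action(destination) == "forward"

    def show(self, source_port):
        """Rows like 'show filter source-port': (destination, action) for each dropped destination."""
        name = self.applied.get(source_port)
        if name is None:
            return []
        return sorted((d, "drop") for d in self.filters[name].dropped)


def build_example():
    """Constructed: accounting workstations on 10-13 may reach only server port 8 and uplink 26."""
    t = SourcePortFilterTable()
    acct = t.define("accounting")
    acct.drop(*(str(p) for p in range(1, 27) if p not in (8, 10, 11, 12, 13, 26)))
    t.apply("accounting", "10", "11", "12", "13")
    return t
```

Because a filter is defined once and applied to many ports, a later define("accounting").forward(...) changes what every accounting port may reach at once; that is convenient for growth but also means a change intended for one workstation has to be made in a separate named filter.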
Protocol filters This filter type enables the switch to forward or drop, on the basis of protocol type, traffic to a specific set of destination ports on the switch. Filtered protocol types include: • Appletalk • ARP • IPX • NetBEUI • SNA Only one filter for a particular protocol type can be configured at any one time. For example, a separate protocol filter can be configured for each of the protocol types listed above, but only one of those can be an IP filter.
15 Port-Based and User-Based Access Control (802.1X) Configuring Port-Based Access Why Use Port-Based or User-Based Access Control? Local Area Networks are often deployed in a way that allows unauthorized clients to attach to network devices, or allows unauthorized users to get access to unattended clients on a network. Also, the use of DHCP services and zero configuration make access to networking services easily available. This exposes the network to unauthorized use and malicious attacks.
configured on the port, provided the client is configured to use the available, tagged VLAN memberships. • If the first client authenticates and opens the port, and then one or more other clients connect without trying to authenticate, then the port configuration as determined by the original RADIUS response remains unchanged and all such clients will have the same access as the authenticated client.
Operator password (text string) used only for local authentication of 802.1X clients. This value is different from the local operator password configured with the password command for management access.
Example 22 How to configure a local operator password for 802.1X access:
HP Switch(config)# password port-access user-name Jim secret3
You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command.
Configuring Switch Ports as 802.1X Authenticators This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, see the following: • “802.1X User-based access control” (page 338) • “802.1X Port-based access control” (page 338) • “Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches” (page 478) Enable 802.1X user-based or port-based authentication on the individual ports you want to serve as authenticators.
NOTE: If you enable 802.1X authentication on a port, the switch automatically disables LACP on that port. However, if the port is already operating in an LACP trunk, you must remove the port from the trunk before you can configure it for 802.1X authentication.
• Enable the Selected Ports as Authenticators and Enable the (Default) Port-Based Authentication
Syntax [no] aaa port-access authenticator < port-list >
Enables specified ports to operate as 802.1X authenticators and enables port-based authentication.
Example 23 This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication.
HP Switch(config)# aaa port-access authenticator a10-a12
HP Switch(config)# aaa port-access authenticator a10-a12 client-limit 4
Example 24 This example enables ports A13-A15 to operate as authenticators, and then configures the ports for port-based authentication.
will not start another session until a client tries a new access attempt. If you are using RADIUS authentication with two or three host servers, the switch will open a session with each server, in turn, until authentication occurs or there are no more servers to try. During the quietperiod (previous page), if any, you cannot reconfigure this parameter. (Default: 2) [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated.
Example 25 To enable the switch to perform 802.1X authentication using one or more EAP-capable RADIUS servers: Figure 333 802.1X (Port-Access) Authentication Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication. The following syntax shows the basic commands.
Enable 802.1X Authentication on the Switch
After configuring 802.1X authentication as described in the preceding four sections, activate it with this command:
Syntax aaa port-access authenticator active
Activates 802.1X port-access on ports you have configured as authenticators.
Optional: Reset Authenticator Operation
While 802.1X authentication is operating, you can use the following aaa port-access authenticator commands to reset 802.1X authentication and statistics on specified ports.
aaa port-access controlled-direction
• both (default): Incoming and outgoing traffic is blocked on an 802.1X-aware port before authentication occurs.
• in: Incoming traffic is blocked on an 802.1X-aware port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated 802.1X-aware ports.
Before you configure the 802.1X Open VLAN mode on a port: • Statically configure an “Unauthorized-Client VLAN” in the switch. The only ports that should belong to this VLAN are ports offering services and access you want available to unauthenticated clients. (802.1X authenticator ports do not have to be members of this VLAN.) CAUTION: Do not allow any port memberships or network services on this VLAN that would pose a security risk if exposed to an unauthorized client.
1. Enable 802.1X authentication on the individual ports you want to serve as authenticators. (The switch automatically disables LACP on the ports on which you enable 802.1X.) On the ports you will use as authenticators with VLAN operation, ensure that the port-control parameter is set to auto (the default). (See “Enable 802.1X Authentication on Selected Ports” (page 458).) This setting requires a client to support 802.1X authentication (with 802.
The no form of the command removes the global encryption key. 4. Activate authentication on the switch. Syntax aaa port-access authenticator active Activates 802.1X port-access on ports you have configured as authenticators. 5. Test both the authorized and unauthorized access to your system to ensure that the 802.1X authentication works properly on the ports you have configured for port-access.
HP Switch(config)# aaa port-access authenticator e a10-a20 auth-vid 81 Configures ports A10 - A20 to use VLAN 81 as the Authorized-Client VLAN. HP Switch(config)# aaa port-access authenticator active Activates 802.1X port-access on ports you have configured as authenticators. Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, see “Viewing 802.1X Open VLAN Mode Status” (page 471).
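The Open VLAN mode procedure above, worked through end to end. This is an added configuration example and not one of the guide's own examples; it uses only commands whose syntax this chapter gives, while the VLAN IDs (81 and 82), the service ports A1-A2, the authenticator ports A10-A20, and the RADIUS server addresses and key are assumptions chosen for illustration.

```text
HP Switch(config)# vlan 82
HP Switch(vlan-82)# untagged a1-a2
HP Switch(vlan-82)# exit
  Unauthorized-Client VLAN. Only the ports offering services to unauthenticated
  clients (A1-A2, assumed) are members; the authenticator ports are not.
HP Switch(config)# vlan 81
HP Switch(vlan-81)# exit
  Authorized-Client VLAN, created statically before any port refers to it.
HP Switch(config)# radius-server host 10.10.10.5 key Radius-Key-1
HP Switch(config)# radius-server host 10.10.10.6 key Radius-Key-1
HP Switch(config)# aaa authentication port-access eap-radius
  Up to three servers are tried in turn. In enhanced secure mode the key is
  prompted for instead of being typed inline.
HP Switch(config)# aaa port-access authenticator a10-a20
  Enables the ports as authenticators (LACP is disabled on them); the
  port-control parameter stays at its default of auto.
HP Switch(config)# aaa port-access authenticator a10-a20 unauth-vid 82
HP Switch(config)# aaa port-access authenticator a10-a20 auth-vid 81
HP Switch(config)# aaa port-access authenticator active
HP Switch(config)# show port-access authenticator vlan a10-a20
  Verify: Unauth VLAN ID 82 and Auth VLAN ID 81 on each port. The Current
  VLAN ID column shows which of the two a connected client actually landed in.
```

For the test step, connect one host without a supplicant and confirm its port shows Current VLAN ID 82 and reaches only the servers on A1-A2, then connect a host that authenticates and confirm the port moves to VLAN 81 and drops membership in 82. Remember the per-port rule from the operating notes that follow: a non-supplicant client cannot be placed in the Unauthorized-Client VLAN if an authenticated client is already using the port.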
Table 52 Field table (continued) Field Description Server Timeout Period of time (in seconds) that the switch waits for a server response to an authentication request. Cntrl Dir Direction in which flow of incoming and outgoing traffic is blocked on 802.1X-aware port that has not yet entered the authenticated state: Both: Incoming and outgoing traffic is blocked on port until authentication occurs. In: Only incoming traffic is blocked on port before authentication occurs.
Figure 336 show port-access authenticator session-counters Command Syntax show port-access authenticator vlan [port-list] Displays the following information on the VLANs configured for use in 802.1X port-access authentication on all switch ports, or specified ports, that are enabled as 802.1X authenticator: • Authentication mode used on each port, configured with the aaa port-access authenticator control command (see page 13-21) • VLAN ID (if any) to be used for traffic from 802.
Figure 338 show port-access authenticator clients Command Output
Syntax show port-access authenticator clients detailed
Displays detailed information on the status of 802.1X-authenticated client sessions on specified ports, including the matches the switch detects for individual ACEs configured with the cnt (counter) option in an ACL assigned to the port by a RADIUS server.
Figure 339 show port-access authenticator clients detailed Command Output Viewing 802.
Figure 340 Showing ports configured for open VLAN Mode Thus, in the output shown in figure 13-18: • When the Auth VLAN ID is configured and matches the Current VLAN ID, an authenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Auth VLAN.) • When the Unauth VLAN ID is configured and matches the Current VLAN ID, an unauthenticated client is connected to the port.
Table 53 Output for Determining Open VLAN Mode Status (Figure 13-18, Lower) (continued)
Status Indicator / Meaning
criteria. (You can still configure console, Telnet, or SSH security on the port.)
Unauthorized: Configures the port for “Force Unauthorized”, which blocks access to any device connected to the port, regardless of whether the device meets 802.1X criteria.
Unauthorized VLAN ID < vlan-id >: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated port.
Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port-list > ports configured on the switch as supplicants. The Supplicant State can include the following:
• Connecting - Starting authentication.
• Authenticated - Authentication completed (regardless of whether the attempt was successful).
• Acquired - The port received a request for identification from an authenticator.
• Authenticating - Authentication is in progress.
• Held - Authenticator sent notice of failure.
authenticate clients, you can provide port-level security protection from unauthorized network access for the following authentication methods: • 802.1X: Port-based or client-based access control to open a port for client access after authenticating valid user credentials. • MAC address: Authenticates a device’s MAC address to grant access to the network • WebAgent: Authenticates clients for network access using a web page for user login. NOTE: You can use 802.
Figure 342 Active VLAN Configuration In Figure 342 (page 476), if RADIUS authorizes an 802.1X client on port A2 with the requirement that the client use VLAN 22, then: VLAN 22 becomes available as Untagged on port A2 for the duration of the session. VLAN 33 becomes unavailable to port A2 for the duration of the session (because there can be only one untagged VLAN on any port).
Figure 344 The Active Configuration for VLAN 33 Temporarily Drops Port 22 for the 802.1X Session When the 802.1X client’s session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the port becomes available again. Therefore, when the RADIUS-authenticated 802.1X session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored as shown in Figure 345 (page 477).
Alternative Syntax no aaa port-access authenticator < port-list> client-limit Configures port-based 802.1X authentication on the specified ports, which opens the port. (See “User Authentication Methods” (page 455).) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches A switch port can operate as a supplicant in a connection to a port on another 802.1X-aware switch to provide security on links between 802.1X-aware switches.
Supplicant Port Configuration Enabling a Switch Port as a Supplicant. You can configure a switch port as a supplicant for a point-to-point link to an 802.1X-aware port on another switch. Configure the port as a supplicant before configuring any supplicant- related parameters. Syntax [no] aaa port-access supplicant [ethernet] < port-list > Configures a port as a supplicant with either the default supplicant settings or any previously configured supplicant settings, whichever is most recent.
[auth-timeout < 1 - 300 >] Sets the delay period the port waits to receive a challenge from the authenticator. If the request times out, the port sends another request, up to the number of attempts specified by the max-start parameter. (Default: 30 seconds). [max-start < 1 - 10 >] Defines the maximum number of times the supplicant port requests authentication. See step 1 on page 13-50 for a description of how the port reacts to the authenticator response. (Default: 3).
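As an added example (not taken from the guide), the supplicant side of a switch-to-switch link: port A24 on this switch authenticates to an authenticator port on the neighbouring switch. The port number, the identity string, the timer values and the wording of the secret prompts are assumptions; the identity must exist on the RADIUS server behind the neighbouring authenticator.

```text
HP Switch(config)# aaa port-access supplicant a24
  Makes A24 a supplicant with the default settings. Do this first; the
  supplicant parameters below are only accepted on a port already enabled.
HP Switch(config)# aaa port-access supplicant a24 identity sw-access-1
  Identity (username) the port presents in its EAP response. Assumed value.
HP Switch(config)# aaa port-access supplicant a24 secret
Enter secret: ********
Repeat secret: ********
  The secret is prompted for (prompt text assumed) and is never shown by
  show port-access supplicant. Enhanced secure mode prompts the same way.
HP Switch(config)# aaa port-access supplicant a24 auth-timeout 60
HP Switch(config)# aaa port-access supplicant a24 max-start 5
  Wait 60 seconds for each challenge and give up after five start attempts
  (the defaults are 30 seconds and 3).
HP Switch(config)# show port-access supplicant a24
  Expect the state to progress Connecting / Acquired / Authenticating /
  Authenticated; Held means the authenticator reported a failure.
```

The neighbouring switch needs the matching authenticator configuration on its end of the link (aaa port-access authenticator on that port, plus RADIUS), as described in the authenticator sections above; a port is either a supplicant or an authenticator, not both.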
3. The switch responds in one of the following ways: a. If 802.1X on the switch is configured for RADIUS authentication, the switch then forwards the request to a RADIUS server. i. The server responds with an access challenge which the switch forwards to the client. ii. The client then provides identifying credentials (such as a user certificate), which the switch forwards to the RADIUS server. iii. The RADIUS server then checks the credentials provided by the client. iv.
NOTE: On the switches covered in this guide, using the same port for both RADIUS-assigned clients and clients using a configured, Authorized-Client VLAN is not recommended. This is because doing so can result in authenticated clients with mutually exclusive VLAN priorities, which means that some authenticated clients can be denied access to the port. See Figure 347 (page 482). Figure 347 Priority of VLAN Assignment for an Authenticated Client Viewing Displaying 802.
If you enter the show port-access authenticator command without an optional value, the following configuration information is displayed for all switch ports, or specified ports, that are enabled for 802.1X port-access authentication: • Port-access authenticator activated: Are any switch ports configured to operate as 802.
Figure 348 show port-access authenticator Command The information displayed with the show port-access authenticator command for individual (config | statistics | session-counters | vlan | clients) options is described below. Syntax show port-access authenticator config [port-list] Displays 802.1X port-access authenticator configuration settings, including: • Whether port-access authentication is enabled • Whether RADIUS-assigned dynamic VLANs are supported • 802.
NOTE: 1. If a port is assigned as a member of an untagged dynamic VLAN, the dynamic VLAN configuration must exist at the time of authentication and GVRP for port-access authentication must be enabled on the switch. If the dynamic VLAN does not exist or if you have not enabled the use of a dynamic VLAN for authentication sessions on the switch, the authentication fails. 2.
◦ Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication. ◦ Supplicant implementation using CHAP authentication and independent user credentials on each port. • The local operator password configured with the password command for management access to the switch is no longer accepted as an 802.
NOTE: On ports configured to allow multiple sessions using 802.1X user-based access control, all clients must use the same untagged VLAN (unless MAC-based VLANs are enabled. See “MAC-based VLANs” (page 197)). On a given port where there are no currently active, authenticated clients, the first authenticated client determines the untagged VLAN in which the port will operate for all subsequent, overlapping client sessions.
Table 54 802.1x per-port configuration 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN • When the port detects a client without 802.1X supplicant capability, it automatically becomes an untagged member of this VLAN.
Table 54 802.1x per-port configuration (continued) 802.1X Per-Port Configuration Port Response Authorized-Client VLAN • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN. NOTE: If the client is running an 802.
Table 54 802.1x per-port configuration (continued)
802.1X Per-Port Configuration / Port Response
Open VLAN Mode with Only an Authorized-Client VLAN Configured: The port automatically blocks a client that cannot initiate an authentication session. If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.
Operating Rules for Authorized-Client and Unauthorized-Client VLANs Table 55 Condition for authorized client and unauthorized client VLANs Condition Rule Static VLANs used as Authorized- Client or Unauthorized-Client VLANs These must be configured on the switch before you configure an 802.1X authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.
Table 55 Condition for authorized client and unauthorized client VLANs (continued) Condition Rule VLAN (also untagged). While the Authorized-Client VLAN is in use, the port does not have access to the statically configured, untagged VLAN. When the authenticated client disconnects, the switch removes the port from the Authorized-Client VLAN and moves it back to the untagged membership in the statically configured VLAN.
Table 55 Condition for authorized client and unauthorized client VLANs (continued)
Condition / Rule
previously-existing client session, and the new client must operate in this same VLAN, regardless of other factors. (This means that a client without 802.1X client authentication software cannot access a configured Unauthorized-Client VLAN if another, authenticated client is already using the port.)
Note: Limitation on Using an Unauthorized-Client VLAN on an 802.
a re-authentication occurs using the RADIUS configuration response for the latest client to authenticate. To control access by all clients, use the user-based method. • Where a switch port is configured with user-based authentication to accept multiple 802.1X (and/or Web- or MAC-Authentication) client sessions, all authenticated clients must use the same port-based, untagged VLAN membership assigned for the earliest, currently active client session.
Operating Notes • Using the aaa port-access controlled-direction in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features ◦ 802.
• Guests cannot be authorized on any tagged VLANs. • Guests can use the same bandwidth, rate limits and QoS settings that may be assigned for authenticated clients on the port (via RADIUS attributes). • When no authenticated clients are authorized on the untagged authenticated VLAN, the port becomes an untagged member of the guest VLAN for as long as no untagged packets are received from any authenticated clients on the port.
VLAN configured on the port (as described in the preceding bullet and in “Example of untagged VLAN assignment in a RADIUS-based authentication session” (page 354), the disabled VLAN assignment is not advertised. When the authentication session ends, the switch: ◦ Removes the temporary untagged VLAN assignment and stops advertising it. ◦ Re-activates and resumes advertising the temporarily disabled, untagged VLAN assignment. • If you modify a VLAN ID configuration on a port during an 802.
16 Secure Mode (3800, 5400zl, and 8200zl Switches)
Configuring secure mode
When using enhanced secure mode, several commands have differences from standard secure mode in their options or output. To transition from one security mode to the other, enter this command from a serial terminal connected to the switch.
Syntax secure-mode [standard | enhanced]
Enables the selected secure mode. This command must be executed from a serial terminal.
standard Use standard security. This is the default.
If “y/Y” is entered, the normal output of the command is displayed. If any other key is pressed, the command is not executed and there is no output. The default is “n/N” when interactive mode is disabled. Show flash and show version command output When using enhanced secure mode, the output from the show flash and show version commands is slightly different.
Password commands
When the switch is in enhanced secure mode, a plaintext password cannot be entered inline; it is prompted for interactively twice, for example, for an operator password:
New password for operator: *****
Please retype new password for operator: *****
Additional password command option
There is an additional password command option that allows the setting of a password for the ROM console.
Additional password commands
Table 58 Password Commands Affected by Enhanced Secure Mode
Command in standard secure mode / Command in enhanced secure mode / Location
• snmpv3 user auth [md5 | sha] [priv [des | aes]] / snmpv3 user auth [md5 | sha] [priv] / Management and Configuration Guide
• aaa port-access supplicant identity secret / aaa port-access supplicant identity secret (the secret is prompted for rather than entered inline)
• aaa port-access mac-based password
SSH changes
There are fewer options available for the ip ssh cipher command in enhanced secure mode. The following options are unavailable:
• 3des-cbc
• rijndael-cbc@lysator.liu.se
The only option available for the ip ssh mac command in enhanced secure mode is hmac-sha1. See “About configuring SSH” (page 243) for more information about SSH.
SSL changes
When operating in enhanced secure mode, the SSL server will not allow protocol versions lower than TLS 1.0. (These are the floors enhanced secure mode enforces as of this release; TLS 1.0 and HMAC-SHA1 have since been deprecated and should be treated as minimums, not as a recommended configuration.)
Operating notes for passwords in enhanced secure mode The following rules are in effect when enhanced secure mode is enabled or the system is transitioning to enhanced secure mode. • Switching access levels, for example, from manager to operator, requires going through the appropriate authentication process for that access level. • Passwords must be at least 8 characters. • The password for operator, manager, or ROM cannot be disabled. See “Secure Mode (3800, 5400zl, and 8200zl Switches)” (page 498).
Error messages
Error messages that may occur when executing secure-mode:
Initial check failure message:
• This command can only be run on a serial terminal
Possible pre-check failure messages:
• The default boot image is not set.
• The default boot image must be the same image that is running
• Standby Management Module is not responding
• Active and Standby Management Modules are not in sync
• The current software image was downloaded with an older software version and does not have its signature.
17 Certificate manager
Certificate Manager enables Public Key Infrastructure (PKI) capability on the switch, providing authentication of network entities. This feature enables configuration and management of digital certificates on HP Networking switches, a key component of establishing digital identity in PKI. Each entity in the PKI has its identity validated by a CA/RA. The CA issues a digital certificate as part of enrolling each entity into the PKI.
optional. The user can enter both subject information and one or more IP addresses when creating an Identity Profile. Neither the subject nor the IP addresses is individually required, and they are not mutually exclusive, but at least one of them must be present.
Options
key-size [1024|2048] The length of the RSA key; the default is 1024 bits. (Prefer 2048: a 1024-bit RSA key is below the minimum current guidance accepts for a TLS server key.)
Definitions
certificate-name Name of the certificate.
ta-profile The Trust Anchor Profile associated with the certificate. A profile named ‘default’ is updateable from the web UI.
ta-profile-name Specify the Switch Id TA profile name.
usage [] Intended application for the certificate; the default is web.
valid-start Certificate validity start date (MM/DD/YY).
valid-end Certificate validity end date (MM/DD/YY).
KFzmffQJXRXOnH6rfQSNYBXndg0azhc8saORrOqrTn3Yw3psYSNMbA== -----END CERTIFICATE REQUEST----- Local certificate enrollment — manual mode You must manually copy the certificate signing request (CSR) created with the “create-csr” command (above) and have it signed by a CA. The local certificate status is updated to “pending” after the CSR is created. A pending certificate request is not persistent across a power cycle or reboot.
To enroll a Local certificate in self-signed mode, the user must specify the subject information and key-size. The details specific to the certificate “subject” are obtained from the identity profile if not specified here.
Options
key-size [1024|2048] The length of the key; default is 1024 bits.
fields [address] Subject fields of the certificate; the default values are specified in the identity profile.
usage [] Intended application for the certificate; the default is web.
subject [field] Subject fields of the certificate; the default values are specified in the identity profile.
usage [] Intended application for the certificate; the default is web.
valid-start <date> Start date of the certificate.
valid-end <date> End date of the certificate.
Subject Fields
The following prompts appear if these required fields are not given as arguments.
Local enrollment is implemented in the web UI, and the Security — SSL page is updated for the web UI SSL server application. The web UI does not provide general PKI configurability for all applications, nor creation or management of other device certificates.
Removal of certificates/CSRs
To remove the certificates/CSRs, use the following command:
Syntax (config)# crypto pki clear certificate-name [Cert-Name]
Clears the CSR or certificate and its related private key.
Syntax Definitions ta-certificate Copy a Trust Anchor certificate to the device. ta-profile-name The Trust Anchor Profile associated with the certificate. ip-addr IP address of the server. file-name Name of the certificate file. ipv6-addr Specify TFTP server IPv6 address. host-name-str Specify hostname of the SFTP server. user Specify the username on the remote system. username@ip-str Specify the username along with remote system information (hostname, IPv4 or IPv6 address.
ta-profile-name The Trust Anchor Profile associated with the certificate. local certificate Local Certificate to be copied. ip-addr IP address of the server. file-name Name of the certificate file. ipv6–addr Specify TFTP server IPv6 address. host-name-str Specify hostname of the SFTP server. user Specify the username on the remote system. username@ip-str Specify the username along with remote system information (hostname, IPv4 or IPv6 address.) port TCP port of the SSH server on the remote system.
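An end-to-end manual-mode enrollment, written out as an added example; it is not an example from the guide. The profile and certificate names, the TFTP server address and the file names are assumptions. The command keywords are those this chapter documents; the spelling of the subject keywords (common-name, org, org-unit, locality, state, country, mirroring the CN/OU/O/L/ST/C prompts listed at the end of the chapter) is an assumption to confirm with the CLI's ? help before use.

```text
HP Switch(config)# crypto pki identity-profile switch-id subject common-name sw1.example.net org "Example Corp" country US
  Identity profile: supplies the default subject fields for every CSR or
  self-signed certificate created later. Names and values are assumed.
HP Switch(config)# crypto pki ta-profile CorpCA
HP Switch(config)# copy tftp ta-certificate CorpCA 10.10.10.20 corp-ca.pem
  Trust Anchor profile plus the CA certificate (PEM) that will sign the
  switch's certificate. The TA profile must exist before the CSR is created.
HP Switch(config)# crypto pki create-csr certificate-name web-cert ta-profile CorpCA usage web key-size 2048
  Generates the key pair and prints the PEM-encoded CSR; the certificate
  status becomes "pending". 2048 is chosen over the 1024-bit default.
  A pending CSR is not kept across a reboot or power cycle, so finish
  the signing before any maintenance.
HP Switch(config)# show crypto pki local-certificate web-cert
  Confirms the pending request. Copy the CSR from the create-csr output to
  the CA and have it signed; the CA's reply is copied back below.
HP Switch(config)# copy tftp local-certificate web-cert 10.10.10.20 web-cert-signed.pem
  Installs the signed certificate against the pending request.
HP Switch(config)# show crypto pki local-certificate summary
  web-cert should now list usage Web with an expiration date instead of CSR.
HP Switch(config)# crypto pki clear certificate-name web-cert
  Only when decommissioning: removes the certificate (or a pending CSR)
  together with its private key.
```

If the switch will also be verified by clients, the chain the CA returns must terminate at the certificate installed in the CorpCA profile; any intermediates appear under that anchor in the summary output, as the show output later in this chapter illustrates.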
Name                 Usage      Expiration     Parent / Profile
-------------------- ---------- -------------- ----------------------
SSL_Certificate      Web        CSR            Customer Secondary PKI
Openflow_Cert        Openflow   2030/06/11     Intermediate01
Intermediate01       Inter      2014/01/01     Customer Primary PKI
Default_cert         All        2030/06/11     Intermediate02
Intermediate02       Inter      2014/01/01     Intermediate01
Summary mode lists all certificates below a TA profile, including both local certificates and installed intermediates.
X509v3 Key Usage: Critical Digital signature, Key encipherment, Key agreement The detail form of the certificate specific show command is available from the web UI. The web UI allows display of those configured certificates related to the web server only. This includes the SSL server certificate, trust anchor certificate and any other certificates configured as part of the certificate chain. All the certificates in the trust chain are also displayed.
The output format for the TA certificate is the same as the format for “Certificate details” provided above. The “Status” field lists the total number of certificates, including both intermediates and local, that reference this trust anchor. Intermediate certificates are shown with the local (leaf) certificates, as the certificates “under” an anchor form a tree rather than a list. NOTE: This command is not available on the web UI. Certificate details Show the configured switch identity.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10B7D4E3 00010000 0086…
        Issuer: emailAddress=myca@aabbcc.net, C=CN, ST=Country A, L=City X, O=abc, OU=bjs, CN=new-ca
        Validity
            Not Before: Jan 13 08:57:21 2004 GMT
            Not After : Jan 20 09:07:21 2005 GMT
        Subject: C=CN, ST=Country B, L=City Y, CN=PKI test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit): 00D41D1F …
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS: hyf.xxyyzz.
Note that this sample output shows a 512-bit RSA key and an expired validity period; it illustrates the display format only. The switch itself generates only 1024- or 2048-bit keys (see the key-size option), and a 512-bit RSA key must not be trusted.
SSL screen
The following figure, Figure 352 (page 518), shows the results if the user clicks Security — SSL. Details about each panel/window in the SSL page are given below.
Figure 352 SSL Screen
Panel hierarchy
The SSL panel displays Certificate Management features.
TA certificates panel
The Trust Anchor (TA) Certificates Panel displays information and status for TA profiles. The Install and Remove buttons install new TA profiles or remove existing ones.
A default TA profile is automatically created when the conditions explained in section “TA certificates panel” (page 518) have been satisfied. The install option is not available if: 1. Both TA profiles are used and neither is named “default”. 2. The current certificate with ‘usage=web’ is linked to a TA profile whose name is not “default” Switch identity profile panel Switch Identity Profile displays the details of switch identity profile, if already configured with the CLI.
Figure 357 Certificate requests panel
When you select either the Create Self-Signed Certificate or the Create CSR link, an edit request form providing fields for creation of the certificate appears.
NOTE: The default TA Profile is called Default.
Figure 358 Certificate requests form
The Certificate Request fields have the following constraints: Common Name (CN) must be present, with a maximum length of 64. Common Name should be preset with the value from the Switch ID profile if one exists.
Figure 359 Certificate request form Once the certificate request is approved, the request status changes and the certificate can be installed, see XXXXX. Paste the reply from the CA in the Certificate request reply box and select the Install link. Figure 360 Certificate request pending Select Cancel Request to cancel at any time. Error messages Table 60 Error messages Error Message Explanation A self-signed certificate requires a TA profile.
Table 60 Error messages (continued)
Error Message / Explanation
• Certificate name is too long. The maximum length is 20. : The certificate name exceeds the maximum length allowed.
• Certificate name “%s” already exists. : The certificate name already exists.
• Certificate subject does not match the existing certificate associated with Trust Anchor profile . : Overwriting a configured TA certificate.
• File format not recognized or file is corrupted. : There is a problem with the file, such as corruption.
Table 60 Error messages (continued)
Error Message / Explanation
• The existing certificate for this TA profile [%s] will be replaced. Continue (y/n)? : The mentioned TA profile certificate already exists and the user attempts to install a new certificate over the existing one.
• Enter Common Name(CN) :
  Enter Org Unit(OU) :
  Enter Org Name(O) :
  Enter Locality(L) :
  Enter State(ST) :
  Enter Country(C) :
  : These prompts appear if the required fields are not given as arguments.
Index port-based:untagged VLAN membership;802.1X access control:VLAN:untagged, 343 port-based:with Web/MAC authentication, 338 port-security use, 338 PVID, 349 RADIUS:effect on VLAN operation, 351 rules of operation, 340 security credentials saved to configuration file, 31, 48 supplicant statistics, note, 350 supplicant:client not using, 345 troubleshooting, gvrp, 351, 352 trunked port blocked;802.
extended:configure, 271 extended:numbered, configure, 271 mask:CIDR, 69 ACL, IPv4 802.1X client limit, 309 802.1X, effect on;802.1X:ACL, effect on;ACL, IPv4:user-based 802.1X;ACL, IPv4:port-based 802.1X, 309 ACE, order in list, 318 ACE:after match not used, 318, 330 ACE:insert in list;ACL, IPv4:sequence number:use to insert ACE, 288 ACE:limit, 321 ACE:not used, 315 application methods, 317 application points, 313, 317 applications, 305, 313, 327 assign nonexistent i.d.
permit: any forwarding, 318 planning; ACL, IPv4:policies, 316 planning;ACL, IPv4:configuration planning, 313 policy application points, 302 policy type, 328 port ACL operation defined, 307 port;ACL, IPv4:trunk;ACL, IPv4:port added to trunk;ACL, IPv4:port removed from trunk;trunk:port added or removed, ACL, 321 ports affected, 322 precedence, 274 precedence, numbers and names, 266 precedence;ACL, IPv4:ToS: setting, 313 purpose, 302 RACL:defined;RACL defined, 305 RACL:operation defined, 306 RACL:RACL applicat
Authority-signed certificate, 257 authorized addresses for IP management security, 420 for port security, 398 authorized IP managers access-method, 414 building IP masks, 417 configuring in console, 413 definitions of single and multiple, 420 effect of duplicate IP addresses;duplicate IP address:effect on authorized IP managers, 421 IP mask for single station, 417 IP mask operation, 420 manager, operator;, 414 operating notes, 421 overview, 413 troubleshooting, 421 authorized, option for authentication, 145
interfaces brief, 383 IP Access List, 58 ip access list, 275 ip access-group, 62, 281, 282, 307, 308 ip access-list, 59, 259, 264, 267, 269, 271, 274, 275, 276, 277, 278, 279, 288, 289, 290, 291, 323, 324 ip authorized managers, 416 ip authorized-managers, 414 ip source-binding, 380 ip source-lockdown, 376, 381 ip source-lockdown, 380 ip ssh, 29, 233 ip statistics ACL, 295 ip-protocol-nbr, 264 ipv6 authorized managers, 414 key, 127, 462 key chain, 423, 424, 425 keysize, 230 lockout-mac, 364 log, 386 log-off
udp, 274 unauth-redirect, 80 unauth-vid, 77 authentication request, 127 verify signature flash, 503 vlan, 277, 473 web-based, 86, 87, 88, 91, 92, 93, 94, 145, 174, 200, 201, 252 web-based config, 94 web-management ssl, 257 config file, 26 configuration access method, 131 password security, 20 saving security credentials in multiple files, 51 username and password security, 20 username security, 20 configuring connection-rate ACL, 59 connection-rate ACLs, 58 connection-rate filtering, 53, 70, 71 local passwor
fingerprint, 230 currently-blocked hosts listing, 57 customizing HTML templates, 91 user login web pages, 90 D default configuration and security, 428 default settings 802.
F time-independent key; KMS: generating a time-independent key; KMS:assigning a time-independent key, 423 Framed-IP-Address, 186 RADIUS, 186 G L general password rules, 24 GVRP static VLAN not advertised;VLAN:not advertised for GVRP, 337 LACP 802.
authorized IP managers, 421 connection-rate ACL, 68 port security, 410 operator password, 20, 21, 22 saving to configuration file, 46 P password 802.1X port access, 31 802.
manager access privilege, service type value;RADIUS:service type value, 142 manager access privilege;RADIUS:login-privilege mode, 146 MD5, 195 messages, 140 MS-RAS-Vendor attribute, 184 multiple ACL application types in use, 218 multiple server groups, 174 NAS-Prompt-User service-type value, 147 network accounting, 185 operating rules, switch, 195 override, precedence, multiple clients, 202 rate-limiting configuration, 200 security note, 195 server access order, 192 server access order, changing, 179 server
show, 93 SNMP password and username configuration, 20 SNMPv3 saving security credentials to configuration file, 46, 47 security credentials not supported in downloaded file, 31 SSH authentication, client public key;SSH:authentication, user password, 254 caution, security, 235 CLI commands, 228 client behavior, 233 client public key, clearing, 250 client public key, displaying, 249 client public-key authentication, 236 client public-key, creating file, 247 client: copy client-known-hosts file, 251 client: co
port-based access control, 337 see also 802.1X access control U unblocking currently-blocked hosts, 58 user name cleared, 22 SNMP configuration, 20 using ACL, 62 configuring, 83 configuring commands, 84 MAC authentication, 72 preparation, 83 prerequisites, 72 V vendor-specific attribute, 211 configuring, 211 configuring support for HP VSAs, 164 defining, 155 viewing authentication configuration, 130 key information, 131 virus throttling, 53 VLAN 802.