access security guide hp procurve series 4100gl switches www.hp.
HP Procurve Series 4100GL Switches Software Release G.07.
© Copyright 2001-2002 Hewlett-Packard Company All Rights Reserved. This document contains information which is protected by copyright. Reproduction, adaptation, or translation without prior permission is prohibited, except as allowed under the copyright laws. Publication Number 5990-3032 December 2002 Edition 2 Disclaimer The information contained in this document is subject to change without notice.
Contents Getting Started Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . xii Command Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Simulating Display Output . . . . . . . . . . . . . . . .
2 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 2-4 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 General Authentication Setup Procedure . . . . . . . . . . . . .
Outline of the Steps for Configuring RADIUS Authentication . . . . . . 3-6 1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 2. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 3-10 3. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 3-12 Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1. Assigning a Local Login (Operator) and Enable (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9 2. Generating the Switch’s Public and Private Key Pair . . . . . . . . . . 4-10 3. Providing the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . 4-12 4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15 5. Configuring the Switch for SSH Authentication . . . . . . .
6 Configuring Port-Based Access Control (802.1x) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Why Use Port-Based Access Control? . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 How 802.1x Operates . .
How RADIUS/802.1x Authentication Affects VLAN Operation . . 6-43 Static VLAN Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-43 Messages Related to 802.1x Operation . . . . . . . . . . . . . . . . . . . . . . . . 6-47 7 Configuring and Monitoring Port Security Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . . 8-4 Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4 Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . . 8-5 CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . . 8-6 Listing the Switch’s Current Authorized IP Manager(s) . . . . . . . . 8-6 Configuring IP Authorized Managers for the Switch . . . . . . . . . .
Getting Started Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . xii Command Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Simulating Display Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Command Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Getting Started Introduction Introduction This Access Security Guide is intended for use with the following switches: ■ HP Procurve Switch 4104GL ■ HP Procurve Switch 4108GL Together, these two devices are termed the HP Procurve Series 4100GL Switches. Overview of Access Security Features ■ Local Manager and Operator passwords (page 1-1) Control access and privileges for the CLI, menu, and web browser interface.
Getting Started Overview of Access Security Features Allows access to the switch by a networked device having an IP address previously configured in the switch as "authorized". HP recommends that you use local passwords together with the switch’s other security features to provide a more comprehensive security fabric than if you use only the local password option. Table 1 lists these features with the security coverage they provide. Table 1.
Getting Started Command Syntax Conventions Command Syntax Conventions This guide uses the following conventions for command syntax and displays. Syntax: aaa port-access authenticator < port-list > [ control < authorized | auto | unauthorized >] ■ Vertical bars ( | ) separate alternative, mutually exclusive elements. ■ Square brackets ( [ ] ) indicate optional elements. ■ Braces ( < > ) enclose required elements.
Getting Started Related Publications Screen Simulations Figures containing simulated screen text and command output look like this: Figure 1. Example of a Figure Showing a Simulated Screen In some cases, brief command-output sequences appear without figure iden tification. For example: HPswitch(config)# clear public-key HPswitch(config)# show ip client-public-key show_client_public_key: cannot stat keyfile Related Publications Product Notes and Software Update Information.
Getting Started Related Publications HP provides a PDF version of this guide on the Product Documentation CDROM shipped with the switch. You can also download the latest copy from the HP Procurve website. (See “Getting Documentation From the Web” on page xvii.) Command Line Interface Reference Guide. This guide, available in a PDF file on the HP Procurve website, provides a summary of the CLI com mands generally available for HP Procurve switches.
Getting Started Getting Documentation From the Web Getting Documentation From the Web 1. Go to the HP Procurve website at http://www.hp.com/go/hpprocurve 2. Click on technical support. 3. Click on manuals. 4. Click on the product for which you want to view or download a manual.
Getting Started Sources for More Information Sources for More Information ■ If you need information on specific parameters in the menu interface, refer to the online help provided in the interface. Online Help for Menu ■ If you need information on a specific command in the CLI, type the command name followed by “help”.
Getting Started Need Only a Quick Start? Need Only a Quick Start? IP Addressing. If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using VLANs, HP recommends that you use the Switch Setup screen to quickly configure IP addressing. To do so, do one of the following: ■ Enter setup at the CLI Manager level prompt. HPswitch# setup ■ In the Main Menu of the Menu interface, select 8.
1 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 1-5 Web: Setting Passwords and Usernames . . . . . . . .
Configuring Username and Password Security Overview Overview Feature Default Menu Set Usernames no user names set Set a Password no passwords set page 1-4 page 1-5 page 1-6 Delete Password Protection n/a page 1-4 page 1-6 page 1-6 — CLI Web — page 1-6 Console access includes both the menu interface and the CLI. There are two levels of console access: Manager and Operator. For security, you can set a password pair (username and password) on each of these levels.
Configuring Username and Password Security Overview If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password. Assuming you have protected both the Manager and Operator levels, the level of access to the console interface will be determined by which password is entered in response to the prompt. If you set a Manager password, you may also want to configure the Inactivity Time parameter.
Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Console Passwords Figure 1-1. The Set Password Screen 2. To set a new password: a. Select Set Manager Password or Set Operator Password. You will then be prompted with Enter new password. b.
Configuring Username and Password Security Configuring Local Password Security If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter. If you do not have physical access to the switch, you will need Manager-Level access: 1. Enter the console at the Manager level. 2. Go to the Set Passwords screen as described above. 3.
Configuring Username and Password Security Configuring Local Password Security To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.
2 TACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 2-4 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 2-6 Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . .
TACACS+ Authentication Overview Overview Feature Default Menu CLI Web view the switch’s authentication configuration n/a — page 2-10 — view the switch’s TACACS+ server contact configuration n/a — page 2-10 — configure the switch’s authentication methods disabled — page 2-11 — configure the switch to contact TACACS+ server(s) disabled — page 2-15 — TACACS+ authentication enables you to use a central server to allow or deny access to the Series 4100GL switches (and other TACACS-aware
TACACS+ Authentication Overview server and (2) local passwords configured on the switch. That is, with TACACS+ configured, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/write) privilege level access.
TACACS+ Authentication Terminology Used in TACACS Applications: Terminology Used in TACACS Applications: ■ NAS (Network Access Server): This is an industry term for a TACACS-aware device that communicates with a TACACS server for authentication services. Some other terms you may see in literature describing TACACS operation are communication server, remote access server, or terminal server.
TACACS+ Authentication General System Requirements • TACACS+ Authentication: This method enables you to use a TACACS+ server in your network to assign a unique password, user name, and privilege level to each individual or group who needs access to one or more switches or other TACACS-aware devices. This allows you to administer primary authentication from a central server, and to do so with more options than you have when using only local authentication.
TACACS+ Authentication General Authentication Setup Procedure Notes The effectiveness of TACACS+ security depends on correctly using your TACACS+ server application. For this reason, HP recommends that you thoroughly test all TACACS+ configurations used in your network. TACACS-aware HP switches include the capability of configuring multiple backup TACACS+ servers. HP recommends that you use a TACACS+ server application that supports a redundant backup installation.
TACACS+ Authentication General Authentication Setup Procedure 2. Determine the following: • The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first-choice for authentication services. • The encryption key, if any, for allowing the switch to communicate with the server. You can use either a global key or a server-specific key, depending on the encryption configuration in the TACACS+ server(s).
TACACS+ Authentication General Authentication Setup Procedure Caution 2-8 You should ensure that the switch has a local Manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, then unauthorized access will be available through the console port or Telnet. 5. Using a terminal device connected to the switch’s console port, configure the switch for TACACS+ authentication only for telnet login access and telnet enable access.
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring TACACS+ on the Switch Before You Begin If you are new to TACACS+ authentication, HP recommends that you read the “General Authentication Setup Procedure” on page 2-6 and configure your TACACS+ server(s) before configuring authentication on the switch. The switch offers three command areas for TACACS+ operation: ■ show authentication and show tacacs: Displays the switch’s TACACS+ configuration and status.
TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access. Syntax: show authentication This example shows the default authentication configuration. Configuration for login and enable access to the switch through the switch console port.
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied).
TACACS+ Authentication Configuring TACACS+ on the Switch Table 2-1. AAA Authentication Parameters Name Default Range Function console - or telnet n/a n/a Specifies whether the command is configuring authentication for the console port or Telnet access method for the switch. enable - or login n/a n/a Specifies the privilege level for the access method being configured.
TACACS+ Authentication Configuring TACACS+ on the Switch Table 2-2. Primary/Secondary Authentication Table Access Method and Privilege Level Authentication Options Console — Login Console — Enable Telnet — Login Telnet — Enable Effect on Access Attempts Primary Secondary local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. local none* Local username/password access only.
TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. HPswitch (config)# aaa authentication console login tacacs local Console Login (Operator or Read-Only Access) Primary Secondary Console Enable (Manager or Read/Write Access: Primary using TACACS+ server. Secondary using Local.
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these parameters: Note ■ The host IP address(es) for up to three TACACS+ servers; one first choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server. ■ An optional encryption key.
TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [key < key-string >] Adds a TACACS+ server and optionally assigns a server-specific encryption key. [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its server specific encryption key, if any). tacacs-server key Enters the optional global encryption key. [no] tacacs-server key Removes the optional global encryption key.
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host [key none n/a Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key” on page 2-23 and the documentation provided with your TACACS+ server application.
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range Name Default Range key none (null) n/a Specifies the optional, global "encryption key" that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any "per-server" encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a "per-server" key.
TACACS+ Authentication Configuring TACACS+ on the Switch The "10" server is now the "first-choice" TACACS+ authentication device. Figure 2-5. Example of the Switch After Assigning a Different "First-Choice" Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: HPswitch(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.
TACACS+ Authentication How Authentication Operates To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: HPswitch(config)# tacacs-server host 10.28.227.104 Note The show tacacs command lists the global encryption key, if configured.
TACACS+ Authentication How Authentication Operates Using figure 2-6, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: 1. The switch queries the first-choice TACACS+ server for authentication of the request. • If the switch does not receive a response from the first-choice TACACS+ server, it attempts to query a secondary server.
TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists: ■ "Local" is the authentication option for the access method being used. ■ TACACS+ is the primary authentication mode for the access method being used.
TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed "key", "secret key", or "secret") helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.
TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.
TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application.
TACACS+ Authentication Operating Notes ■ 2-26 When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not accessible— setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthorized persons.
3 RADIUS Authentication and Accounting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RADIUS Authentication and Accounting Overview Overview Feature Default Menu CLI Web Configuring RADIUS Authentication None n/a 3-6 n/a Configuring RADIUS Accounting None n/a 3-16 n/a n/a n/a 3-23 n/a Viewing RADIUS Statistics RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server employed.
RADIUS Authentication and Accounting Terminology Terminology CHAP (Challenge-Handshake Authentication Protocol): A challengeresponse authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a challenge from a RADIUS server. EAP(Extensible Authentication Protocol): A general PPP authentication protocol that supports multiple authentication mechanisms.
RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Switch Operating Rules for RADIUS 3-4 ■ You must have at least one RADIUS server accessible to the switch. ■ The switch supports authentication and accounting using up to three RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius ( page 3-23). If the first server does not respond, the switch tries the next one, and so-on.
RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: Table 3-1. 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring the switch, collect the information outlined below.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Configuring the Switch for RADIUS Authentication RADIUS Authentication Commands aaa authentication < console | telnet | ssh > < enable | login > radius < local | none > [no] radius-server host < IP-address > Page 3-8 3-8 3-8 3-10 [auth-port < port-number >] 3-10 [acct-port < port-number >] 3-10, 3-19 [key < server-specific key-string >] 3-10 [no] radius-server key < global key-string > 3-12 radius-server timeout
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note This step assumes you have already configured the RADIUS server(s) to support the switch. Refer to the documentation provided with the RADIUS server documentation.) 3.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 1. Configure Authentication for the Access Methods You Want RADIUS To Protect This section describes how to configure the switch for RADIUS authentication through the following access methods: ■ Console: Either direct serial-port connection or modem connection. ■ Telnet: Inbound Telnet must be enabled (the default). ■ SSH: To employ RADIUS for SSH access, you must first configure the switch for SSH operation.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s local passwords): The switch now allows Telnet and SSH authentication only through Figure 3-2.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 3-16: “Configuring RADIUS Accounting” instead of continuing here.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in figure 3-3 and you now need to make the following changes: 1. Change the encryption key for the server at 10.33.18.127 to "source0127". 2. Add a RADIUS server with an IP address of 10.33.18.119 and a server specific encryption key of "source0119". Figure 3-3.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch’s Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: ■ Number of login attempts: In a given session, specifies how many tries at entering the correct username and password pair are allowed before access is denied and the session terminated. (This is a general aaa authentication parameter and is not specific to RADIUS.
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server timeout < 1 .. 15 > Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure. (Default: 3 seconds; Range: 1 - 15 seconds) radius-server retransmit < 1 .. 5 > If a RADIUS server fails to respond to an authentication request, specifies how many retries to attempt before closing the session.
RADIUS Authentication and Accounting Local Authentication Process After two attempts failing due to username or password entry errors, the switch will terminate the session. Global RADIUS parameters from figure 3-5. Server-specific encryption key for the RADIUS server that will not use the global encryption key. These two servers will use the global encryption key. Figure 3-6.
RADIUS Authentication and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication For local authentication, the switch uses the Operator-level and Manager-level username/password set(s) previously configured locally on the switch. (These are the usernames and passwords you can configure using the CLI password command, the web browser interface, or the menu interface—which enables only local password configuration).
RADIUS Authentication and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Commands Page [no] radius-server host < ip-address > 3-19 [ acct-port < port-number >] 3-19 [key < key-string >] Note 3-19 [no] aaa accounting < exec | network | system > < start-stop | stop-only> radius 3-21 [no] aaa accounting update periodic < 1 ..
RADIUS Authentication and Accounting Configuring RADIUS Accounting (For 802.1x information for the switch, refer to “Configuring Port-Based Access Control (802.1x)” on page 6-1.
RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ If access to a RADIUS server fails during a session, but after the client has been authenticated, the switch continues to assume the server is available to receive accounting data. Thus, if server access fails during a session, it will not receive accounting data transmitted from the switch. Steps for Configuring RADIUS Accounting 1. Configure the switch for accessing a RADIUS server.
RADIUS Authentication and Accounting Configuring RADIUS Accounting 1. Configure the Switch To Access a RADIUS Server Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 3-10. You need to repeat this step here only if you have not yet configured the switch to use a RADIUS server, your server data has changed, or you need to specify a non-default UDP destination port for accounting requests.
RADIUS Authentication and Accounting Configuring RADIUS Accounting Because the radius-server command includes an acct-port element with a non default 1750, the switch assigns this value to the accounting port UDP port numbers. Because auth-port was not included in the command, the authentication UDP port is set to the default 1812. Figure 3-7.
RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Start-Stop: • Send a start record accounting notice at the beginning of the accounting session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (Network, Exec, or System). • Do not wait for an acknowledgement.
RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additional control over accounting data. ■ Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server. ■ Suppress:The switch can suppress accounting for an unknown user having no username.
RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [ host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which. requires prior use of the radius-server host command. (See “Configuring RADIUS Accounting” on page 3-16.) Figure 3-10.
RADIUS Authentication and Accounting Viewing RADIUS Statistics Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the AccountingRequest that matched it from this RADIUS accounting server. PendingRequests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Syntax: show authentication Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1x), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session. show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, "Empty User" supression status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) configured in the switch (using the radius-server host command). show accounting sessions Lists the accounting sessions currently active on the switch. Figure 3-14.
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 3-16. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: 1. Delete 10.10.10.003 from the list. This opens the third (lowest) position in the list. 2. Delete 10.10.10.001 from the list. This opens the first (highest) position in the list. 3. Re-enter 10.10.10.003.
RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is accessible, then verify that the switch is using the correct encryption key and that the server is correctly configured to receive an authentication request from the switch.
4 Configuring Secure Shell (SSH) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Secure Shell (SSH) Overview Overview Feature Generating a public/private key pair on the switch Using the switch’s public key Default Menu CLI Web No n/a page 4-10 n/a n/a n/a page 4-12 n/a Enabling SSH Disabled n/a page 4-15 n/a Enabling client public-key authentication Disabled n/a pages 4-19, 4-22 n/a Enabling user authentication Disabled n/a page 4-18 n/a The Series 4100GL switches use Secure Shell version 1 or 2 (SSHv1 or SSHv2) to provide remote access to manag
Configuring Secure Shell (SSH) Terminology Note SSH in the HP Procurve Series 4100GL switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http:// www.openssh.com. Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication show in figure 4-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.
Configuring Secure Shell (SSH) Prerequisite for Using SSH ■ PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted client public-key that has been encoded for portability and efficiency. SSHv2 client public-keys are typically stored in the PEM format. See figures 4-3 and 4-4 for examples of PEM-encoded ASCII and non encoded ASCII keys. ■ Private Key: An internally generated key used in the authentication process. A private key generated by the switch is not accessible for viewing or copying.
Configuring Secure Shell (SSH) Public Key Formats Public Key Formats Any client application you use for client public-key authentication with the switch must have the capability export public keys. The switch can accept keys in the PEM-Encoded ASCII Format or in the Non-Encoded ASCII format. Beginning of actual SSHv2 public key in PEM-Encoded Comment describing public Figure 4-3. Example of Public Key in PEM-Encoded ASCII Format Common for SSHv2 Clients Bit Size Exponent Modulus Figure 4-4.
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Switch Access Level Manager (Enable) Level Primary SSH Authentication Authenticate Switch Public Key to SSH Clients? Authenticate Client Public Key to the Switch? Primary Switch Password Authentication Secondary Switch Password Authentication ssh enable local Yes No Yes local or none ssh enable tacacs Yes No Yes local or none ssh enable radius Yes No Yes local or none 1 For ssh login
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 4-9). 2. Generate a public/private key pair on the switch (page 4-10). You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. (You can remove or replace this key pair, if necessary.) 3.
Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes 4-8 ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 keys client key pairs. ■ The switch’s own public/private key pair and the (optional) client public key file are stored in the switch’s flash memory and are not affected by reboots or the erase startup-config command.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 4-17 show crypto client-public-key [keylist-str] [< babble | fingerprint >] 4-25 show crypto host-public-key [< babble | fingerprint >] 4-14 show authentication 4-21 crypto key < generate | zeroize > ssh [rsa] 4-11 ip ssh 4-16 key-size < 512 | 768 | 1024 > 4-16 port < 1 - 65535|default > 4-16 timeout < 5 ..
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: password < manager | operator | all > Figure 4-6. Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be "permanent"; that is, avoid re-generating the key pair without a compelling reason.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch Version 1 and Version 2 views of same host public key Figure 4-7. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key' displays it in two different formats because your client may store it in either of these formats after learning the key.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Inserted IP Address Bit Size Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Exponent Modulus Figure 4-10. Example of a Switch Public Key Edited To Include the Switch’s IP Address For more on this topic, refer to the documentation provided with your SSH client application.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 4-11. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 4-11 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s "known host" file. The switch has only one RSA host key.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Refer to “5. Configuring the Switch for SSH Authentication” on page 4-18. SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client, your client’s first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 4-17. [timeout < 5 - 120 >] The SSH login timeout value (default: 120 seconds). [version <1 | 2 | 1-or-2 > The version of SSH to accept connections from. (default: 1-or-2) The ip ssh key-size command affects only a per-session, internal server key the switch creates, uses, and discards.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH does not protect the switch from unauthorized access via the web interface, Telnet, SNMP, or the serial port. While web and Telnet access can be restricted by the use of passwords local to the switch, if you are unsure of the security this provides, you may want to disable web-based and/or Telnet access (no web-management and no telnet). If you need to increase SNMP security, you should use SNMP version 3 only.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configures a password method for the primary and secondary enable (Manager) access. If you do not spec ify an optional secondary method, it defaults to none. Option B: Configuring the Switch for Client Public-Key SSH Authentication. If configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public-key for the switch to authenticate.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none > Configures a password method for the primary and secondary enable (Manager) access. If you do not spec ify an optional secondary method, it defaults to none. For example, assume that you have a client public-key file named ClientKeys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch.
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 4-14 shows how to check the results of the above commands. Lists the current SSH authentication configuration. Client Key Index Number Shows the contents of the public key file downloaded with the copy tftp command in figure 4-13. In this example, the file contains two client Figure 4-14. SSH Configuration and Client-Public-Key Listing From Figure 4-13 6.
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Configuring the Switch for SSH Authentication” on page 4-18 lists the steps for configuring SSH authentication on the switch. However, if you are new to SSH or need more details on client public-key authentication, this section may be helpful.
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 3. If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. 4. If there is a match, the switch: a. Generates a random sequence of bytes. b. Uses the client’s public key to encrypt this sequence. c. Send these encrypted bytes to the client. 5.
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Notes Comments in public key files, such as smith@support.cairns.com in figure 4-15, may appear in a SSH client application’s generated public key. While such comments may help to distinguish one key from another, they do not pose any restriction on the use of a key by multiple clients and/or users.
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Note on Public K e ys The actual content of a public key entry in a public key file is determined by the SSH client application generating the key. (Although you can manually add or edit any comments the client application adds to the end of the key, such as the smith@fellow at the end of the key in figure 4-15 on page 4-23.
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: clear crypto public-key Deletes the client-public-key file from the switch. Syntax: clear crypto public-key 3 Deletes the entry with an index of 3 from the client public-key file on the switch. Enabling Client Public-Key Authentication.
Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicates an error in communicating with the tftp server or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • Incorrect IP address in the command • Case (upper/lower) error in the filename used in the command • Incorrect configuration on the TFTP server • The file is not in the expected location.
Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning Error: Requested keyfile does not exist. The client key does not exist in the switch. Use copy tftp to download the key from a TFTP server. Generating new RSA host key. If the cache is depleted, this could take up to two minutes. After you execute the crypto key generate ssh [rsa] command, the switch displays this message while it is generating the key. Host RSA key file corrupt or not found.
5 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Steps for Configuring and Using SSL for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Secure Socket Layer (SSL) Overview Overview Feature Default Menu CLI Web Generating a Self Signed Certificate on the switch No n/a page 5-9 page 5-13 Generating a Certificate Request on the switch No n/a n/a page 5-15 Disabled n/a page 5-17 page 5-19 Enabling SSL The Series 4100GL switches use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security(TLSv1) to provide remote web access to the switches via encrypted paths between the switch and management
Configuring Secure Socket Layer (SSL) Terminology 1. Switch-to-Client SSL Cert. HP Switch 2. User-to-Switch (login password and enable password authentication) options: – Local – TACACS+ – RADIUS (SSL Server) SSL Client Browser Figure 5-1.
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL ■ CA-Signed Certificate: A certificate verified by a third party certificate authority (CA). Authenticity of CA-Signed certificates can be verified by an audit trail leading to a trusted root certificate. ■ Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-Signed Certificates) and used later on to verify that authenticity of those signed certificates.
Configuring Secure Socket Layer (SSL) Steps for Configuring and Using SSL for Switch and Client Authentication 1. Note: Install an SSL capable browser application on a management station you want to use for access to the switch. (Refer to the documentation provided with your browser.) The latest versions of Microsoft Internet Explorer and Netscape web browser support SSL and TLS functionality. See browser documentation for additional details B. Switch Preparation 1.
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes 5-6 ■ Once you generate a certificate on the switch you should avoid regenerating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all management stations (clients) you previously set up for SSL access to the switch. In some situations this can temporarily allow security breaches.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl page 5-19 show config page 5-19 show crypto host-cert page 5-12 crypto key generate cert [rsa] <512 | 768 |1024> page 5-10 zeroize cert page 5-10 crypto host-cert generate self-signed [arg-list] page 5-10 zeroize page 5-10 1.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface see the Series 4100GL switches Management and Configuration guide Chapter titled "Using the HP Web Browser Interface". Security Tab Password Button Figure 5-2. Example of Configuring Local Passwords 1.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’s Server Host Certificate You must generate a server certificate on the switch before enableing SSL. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the CLI Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate automatically disables SSL. CLI commands used to generate a Server Host Certificate.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on certificate fields. There are a number arguments used in the generation of a server certificate. table 9-1, “Certificate Field Descriptions” describes these arguments. Field Name Description Valid Start Date This should be the date you desire to begin using the SSL functionality.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Notes "Zeroizing" the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation. CLI Command to view host certificates.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a Self-Signed Host Certificate with the Web browser interface You can configure SSL from the web browser interface. For more information on how to access the web browser interface see the Series 4100GL switches Management and Configuration guide Chapter titled "Using the HP Web Browser Interface". To generate a self signed host certificate from the web browser interface: i.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers interface: Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Argument Figure 5-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface: 5-14 1. Proceed to the Security tab 2.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 5-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web browser interface To install a CA-Signed server host certificate from the web browser interface.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMB
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generating the Switch’s Server Host Certificate” on page 5-9.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443). Important: See “Note on Port Number” on page 5-20. show config Shows status of the SSL server. When enabled web management ssl will be present in the config list. To enable SSL on the switch 1.
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and port number Selection Figure 5-8. Using the web browser interface to enable SSL and select TCP port number Note on Port Num b er HP recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to specify any TCP port for SSL connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http).
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key (“CLI commands used to generate a Server Host Certificate” on page 5-10) Enabling SSL on the CLI or Web browser interface You have not generated a host certificate (“Generate a SelfSigned Host Certificate with the Web browser interface” on page 5-13) You may be using a reserved TCP port (“Note on Port Number”
6 Configuring Port-Based Access Control (802.1x) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 How 802.1x Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-5 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7 General Operating Rules and Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring Port-Based Access Control (802.1x) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1x Authenticators Disabled n/a page 6-14 n/a Configuring 802.1x Open VLAN Mode Disabled n/a page 6-20 n/a Configuring Switch Ports to Operate as 802.1x Supplicants Disabled n/a page 6-33 n/a n/a n/a page 6-37 n/a n/a n/a page 6-43 n/a Displaying 802.1x Configuration, Statistics, and Counters How 802.
Configuring Port-Based Access Control (802.1x) Overview ■ Local authentication of 802.1x clients using the switch’s local username and password (as an alternative to RADIUS authentication). ■ Temporary on-demand change of a port’s VLAN membership status to support a current client’s session. (This does not include ports that are members of a trunk.) ■ Session accounting with a RADIUS server, including the accounting update interval. ■ Use of Show commands to display session counters.
Configuring Port-Based Access Control (802.1x) Overview Authenticating One Switch to Another. 802.1x authentication also enables the switch to operate as a supplicant when connected to a port on another switch running 802.1x authentication. Switch Running 802.1x and Operating as an Authenticator 802.1x-Aware Client (Supplicant) LAN Core Switch Running 802.1x and Connected as a Supplicant RADIUS Server Figure 6-1. Example of an 802.1x Application Accounting .
Configuring Port-Based Access Control (802.1x) How 802.1x Operates How 802.1x Operates Authenticator Operation This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.1x-aware. (If you expect desirable clients that do not have the necessary 802.1x supplicant software, you can provide a path for downloading such software by using the 802.1x Open VLAN mode—refer to “802.1x Open VLAN Mode” on page 6-20.
Configuring Port-Based Access Control (802.1x) How 802.1x Operates Switch-Port Supplicant Operation This operation provides security on links between 802.1x-aware switches. For example, suppose that you want to connect two switches, where: ■ Switch "A" has port A1 configured for 802.1x supplicant operation. ■ You want to connect port A1 on switch "A" to port B5 on switch "B". Switch "B" Port B5 Port A1 Switch "A" Port A1 Configured as an 802.1x Supplicant LAN Core RADIUS Server Figure 6-2.
Configuring Port-Based Access Control (802.1x) Terminology • Note A "failure" response continues the block on port B5 and causes port A1 to wait for the "held-time" period before trying again to achieve authentication through port B5. You can configure a switch port to operate as both a supplicant and an authenticator at the same time. Terminology 802.1x-Aware: Refers to a device that is running either 802.1x authenticator software or 802.
Configuring Port-Based Access Control (802.1x) Terminology EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple authentication methods. EAPOL : Extensible Authentication Protocol Over LAN, as 802.1x standard. defined in the Friendly Client: A client that does not pose a security risk if given access to the switch and your network. MD5: An algorithm for calculating a unique digital signature over a stream of bytes.
Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN. Untagged VLAN Membership: A port can be an untagged member of only one VLAN. (In the factory-default configuration, all ports on the switch are untagged members of the default VLAN.) An untagged VLAN membership is required for a client that does not support 802.
Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes ■ If a client already has access to a switch port when you configure the port for 802.1x authenticator operation, the port will block the client from further network access until it can be authenticated. ■ On a port configured for 802.1x with RADIUS authentication, if the RADIUS server specifies a VLAN for the supplicant and the port is a trunk member, the port will be blocked.
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Do These Steps Before You Configure 802.1x Operation 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Overview: Configuring 802.1x Authentication on the Switch This section outlines the steps for configuring 802.1x on the switch. For detailed information on each step, refer to “Configuring the Switch for RADIUS Authentication” on page 3-6 or “Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches” on page 6-33. 1. Enable 802.
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) 7. If you are using Port Security on the switch, configure the switch to allow only 802.1x access on ports configured for 802.1x operation, and (if desired) the action to take if an unauthorized device attempts access through an 802.1x port. See page 6-31. 8. If you want a port on the switch to operate as a supplicant in a connection with a port operating as an 802.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Configuring Switch Ports as 802.1x Authenticators 802.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 1. Enable 802.1x Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1x authenticators for point-to-point links to 802.1x-aware clients or switches. (Actual 802.1x operation does not commence until you perform step 5 on page 6-12 to activate 802.1x authentication on the switch.) Note When you enable 802.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [quiet-period < 0 .. 65535 > ] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt auth orized by the max-requests parameter fails (next page ). (Default: 60 seconds) [ tx-period < 0 ..
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [ unauth-vid < vlan-id >] Configures an exsiting static VLAN to be the UnauthorizedClient VLAN. This enables you to provide a path for clients without supplicant software to download the software and begin an authentication session. Refer to “802.1x Open VLAN Mode” on page 6-20.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 3. Configure the 802.1x Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1x authenticator. Syntax: aaa authentication port-access < local | eap-radius | chap-radius > Determines the type of RADIUS authentication to use.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, refer to “RADIUS Authentication and Accounting” on page 3-1.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Open VLAN Mode 802.1x Authentication Commands page 6-14 802.1x Supplicant Commands page 6-34 802.1x Open VLAN Mode Commands [no] aaa port-access authenticator [ e ] < port-list > page 6-29 [ auth-vid < vlan-id > ] [ unauth-vid < vlan-id > ] 802.1x-Related Show Commands page 6-37 RADIUS server configuration pages 6-19 This section describes how to use the 802.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode ■ 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during authentication. ■ 2nd Priority: If RADIUS authentication does not include assigning a VLAN to the port, then the switch assigns the port to the VLAN entered in the port’s 802.1x configuration as an Authorized-Client VLAN, if configured.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Table 6-1. 802.1x Open VLAN Mode Options 802.1x Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN • When the port detects a client, it automatically becomes an untagged member of this VLAN.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as AuthorizedThese must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1x authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Condition Rule Multiple Authenticator Ports Using the Same Unauthorized-Client and Authorized-Client VLANs You can use the same static VLAN as the Unauthorized-Client VLAN for all 802.1x authenticator ports configured on the switch. Similarly, you can use the same static VLAN as the Authorized-Client VLAN for all 802.1x authenticator ports configured on the switch.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Setting Up and Configuring 802.1x Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 6-1 on page 6-22 for other options. Before you configure the 802.1x Open VLAN mode on a port: ■ Caution Statically configure an "Unauthorized-Client VLAN" in the switch.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges. Also, you must use 802.1x supplicant software that supports the use of local switch passwords.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > Adds a server to the RADIUS configuration. [ key < server-specific key-string > ] Optional. Specifies an encryption key for use with the specified server. This key must match the key used on the RADIUS server.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Configuring 802.1x Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 6-26. Syntax: aaa port-access authenticator [e] < port-list > [ auth-vid < vlan-id > ] Configures an existing, static VLAN to be the AuthorizedClient VLAN.
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Inspecting 802.1x Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1x Open VLAN Mode Status” on page 6-38. 802.1x Open VLAN Operating Notes 6-30 ■ Although you can configure Open VLAN mode the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended.
Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices ■ If an authenticated client loses authentication during a session in 802.1x Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN. Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices If you are using port-security on authenticator ports, you can configure it to learn only the MAC address of the first 802.
Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices Note on If the port’s 802.1x authenticator control mode is configured to authorized (as B l o c k i n g a N o n - shown below, instead of auto), then the first source MAC address from any device, whether 802.1x-aware or not, becomes the only authorized device on 80 2 . 1x D e v i c e the port. aaa port-access authenticator < port-list > control authorized With 802.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 802.1x Authentication Commands page 6-14 802.1x Supplicant Commands [no] aaa port-access < supplicant < [ethernet] < port-list > [ auth-timeout | held-period | start-period | max-start | initialize | identity | secret | clear-statistics ] page 6-34 page 6-35 802.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 1. Note When port A1 on switch "A" is first connected to a port on switch "B", or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch "B". • If, after the supplicant port sends the configured number of start request packets, it does not receive a response, it assumes that switch "B" is not 802.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring a Supplicant Switch Port. Note that you must enable supplicant operation on a port before you can change the supplicant configuration. This means you must execute the supplicant command once without any other parameters, then execute it again with a supplicant parameter you want to configure.
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches aaa port-access supplicant [ ethernet ] < port-list > (Syntax Continued) [ auth-timeout < 1 - 300 > ] Sets the period of time the port waits to receive a challenge from the authenticator. If the request times out, the port sends another authentication request, up to the number of attempts specified by the max-start parameter. (Default: 30 seconds). [ max-start < 1 ..
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Displaying 802.1x Configuration, Statistics, and Counters 802.1x Authentication Commands page 6-14 802.1x Supplicant Commands page 6-33 802.1x Open VLAN Mode Commands page 6-20 802.1x-Related Show Commands show port-access authenticator below show port-access supplicant page 6-42 Details of 802.
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [ [e] < port-list >] Shows: • Whether port-access authenticator is active • The 802.1x configuration of the ports configured as 802.1x authenticators If you do not specify < port-list >, the command lists all ports configured as 802.1x port-access authenticators. Does not display data for a specified port that is not enabled as an authenticator.
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters An Unauth VLAN ID appearing in the Current VLAN ID column for the same port indicates an unauthenticated client is connected to this port. (Assumes that the port is not a statically configured member of VLAN 100.) 1 2 3 Items 1 through 3 indicate that an authenticated client is connected to port B2: 1. Open in the Status column 2. Authorized in the Authenticator State column 3.
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters 25 as an authorized VLAN, then the port’s membership in VLAN 1 will be temporarily suspended whenever an authenticated 802.1x client is attached to the port. Table 6-1. Open VLAN Mode Status Status Indicator Meaning Port Lists the ports configured as 802.1x port-access authenticators. Status Closed: Either no client is connected or the connected client has not received authorization through 802.
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Syntax: show vlan < vlan-id > Displays the port status for the selected VLAN, including an indication of which port memberships have been temporarily overridden by Open VLAN mode. Note that ports B1 and B3 are not in the upper listing, but are included under "Overridden Port VLAN configuration".
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [ [e] < port-list >] [ statistics ] show port-access supplicant [ [e] < port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < portlist > ports configured on the switch as supplicants. The Supplicant State can include the following: Connecting - Starting authentication.
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1x Authentication Affects VLAN Operation RADIUS authentication for an 802.1x client on a given port can include a (static) VLAN requirement. (Refer to the documentation provided with your RADIUS application.
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1x-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1x client requires access to VLAN 22 from port A2. However, access to VLAN 22 is blocked (not untagged or tagged) on port A2 and Figure 6-7.
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1x session. This is to accomodate an 802.1x client’s access , authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22. Note: With the current VLAN configuration (figure 6-7), the only time port A2 appears in this show vlan 22 listing is during an 802.
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation When the 802.1x client’s session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS-authenticated 802.1x session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored. After the 802.
Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation Messages Related to 802.1x Operation Table 6-2. 802.1x Operating Messages Message Meaning Port < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.1x authenticators. Use this command to enable the ports as authenticators: HPswitch(config)# aaa port-access authenticator e 10 Port < port-list > is not a supplicant.
7 Configuring and Monitoring Port Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Basic Operation Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Trunk Group Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 Planning Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring and Monitoring Port Security Overview Overview Feature Default Menu CLI Web Displaying Current Port Security n/a — page 7-9 page 7-15 Configuring Port Security disabled — page 7-10 page 7-15 Intrusion Alerts and Alert Flags n/a page 7-19 page 7-22 page 7-21 Using Port Security, you can configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port.
Configuring and Monitoring Port Security Basic Operation General Operation for Port Security. On a per-port basis, you can configure security measures to block unauthorized devices, and to send notice of security violations.
Configuring and Monitoring Port Security Basic Operation Physical Topology Switch A Port Security Configured Logical Topology for Access to Switch A Switch A PC 1 Port Security Configured Switch B MAC Address Authorized by Switch A PC 1 MAC Address Authorized by Switch A MAC Address Authorized by Switch A PC 2 Switch B MAC Address NOT Authorized by Switch A MAC Address Authorized by Switch A PC 3 Switch C MAC Address NOT Authorized by Switch A MAC Address NOT Authorized by Switch A • PC1 can a
Configuring and Monitoring Port Security Planning Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port (up to 8 per port)? c. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmitting to the network.
Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 7-9 port-security 7-10 < [ethernet] port-list > 7-10 [learn-mode] 7-10 [address-limit] 7-10 [mac-address] 7-10 [action] 7-10 [clear-intrusion-flag] no port-security 7-10 7-10 This section describes the CLI port security command and how the switch acquires and maintains authorized addresses.
Configuring and Monitoring Port Security Port Security Command Options and Operation Table 7-1. Port Security Parameters Parameter Description Port List <[ethernet] port-list> Identifies the port or ports on which to apply a port security command. Learn learn-mode < static | continuous | port-access > Specifies how the port acquires authorized addresses: Mode Continuous (Default): Appears in the factory-default setting or when you execute no port-security.
Configuring and Monitoring Port Security Port Security Command Options and Operation Parameter Description Action action Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port. None (the default): Prevents an SNMP trap from being sent.
Configuring and Monitoring Port Security Port Security Command Options and Operation Assigned/Authorized Addresses. : If you manually assign a MAC address (using port-security address-list ) and then execute write memory, the assigned MAC address remains in memory until you do one of the following: ■ Delete it by using no port-security < port-number > mac-address < mac addr >. ■ Download a configuration file that does not include the unwanted MAC address assignment.
Configuring and Monitoring Port Security Port Security Command Options and Operation With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the specified ports on a switch. The following example lists the full port security configuration for a single port: Figure 7-3.
Configuring and Monitoring Port Security Port Security Command Options and Operation For information on the individual control parameters, see the Port Security Parameter table on page 7-7. Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port. (The default device limit is 1.
Configuring and Monitoring Port Security Port Security Command Options and Operation Although the Address Limit is set to 2, only one device has been authorized for this port. In this case you can add another without having to also increase the Address Limit. The Address Limit has not been reached. Figure 7-4. Example of Adding an Authorized Device to a Port With the above configuration for port A1, the following command adds the 0c0090-456456 MAC address as the second authorized address.
Configuring and Monitoring Port Security Port Security Command Options and Operation If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port’s current Address Limit setting), then you must increase the Address Limit in order to add the device, even if you want to replace one device with another. Using the CLI, you can simultaneously increase the limit and add the MAC address with a single command.
Configuring and Monitoring Port Security Port Security Command Options and Operation Note You can reduce the address limit below the number of currently authorized addresses on a port. This enables you to subsequently remove a device from the “Authorized” list without opening the possibility for an unwanted device to automatically become authorized.
Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security]. 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field. 4. Implement your new data by clicking on [Apply Changes]. To access the web-based Help provided for the switch, click on [?] in the web browser screen.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • • • – The show port-security intrusion-log command displays the Intrusion Log – The log command displays the Event Log In the menu interface: – The Port Status screen includes a per-port intrusion alert – The Event Log includes per-port entries for security violations In the web browser interface: – The Alert Log’s Status | Overview window includes entries for per-port security violations – The Intru
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The Intrusion Alert column shows “Yes” for any port on which a security violation has been detected. Figure 7-10. Example of Port Status Screen with Intrusion Alert on Port A3 2. Type [I] (Intrusion log) to display the Intrusion Log.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags (The intrusion log holds up to 20 intrusion records and deletes an intrusion record only when the log becomes full and a new intrusion is subsequently detected.) Note also that the “prior to” text in the record for the earliest intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset. 3.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Intrusion Alert on port A1. Figure 7-12. Example of an Unacknowledged Intrusion Alert in a Port Status Display If you wanted to see the details of the intrusion, you would then enter the show port-security intrusion-log command.
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Intrusion Alert on port A1 is now cleared. Figure 7-14.
Configuring and Monitoring Port Security Operating Notes for Port Security From the Menu Interface: In the Main Menu, click on 4. Event Log and use Next page and Prev page to review the Event Log contents. For More Event Log Information. See “Using the Event Log To Identify Problem Sources” in the "Troubleshooting" chapter of the Management and Configuration Guide for your switch. Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags 1.
Configuring and Monitoring Port Security Operating Notes for Port Security Without both of the above configured, the switch detects only the proxy server’s MAC address, and not your PC or workstation MAC address, and interprets your connection as unauthorized. “Prior To” Entries in the Intrusion Log. If you reset the switch (using the Reset button, Device Reset, or Reboot Switch), the Intrusion Log will list the time of all currently logged intrusions as “prior to” the time of the reset.
8 Using Authorized IP Managers Contents Using Authorized IP Managers Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu CLI Web Listing (Showing) Authorized Managers n/a page 8-5 page 8-6 page 8-8 Configuring Authorized IP Managers None page 8-5 page 8-6 page 8-8 Building IP Masks n/a page 8-9 page 8-9 page 8-9 Operating and Troubleshooting Notes n/a page 8-12 page 8-12 page 8-12 The Authorized IP Managers feature enhances security on the switch by using IP addresses and masks to determine which statio
Using Authorized IP Managers Options Options You can configure: Caution ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations ■ Manager or Operator access privileges Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port.
Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations ■ Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authorized Manager IP column, and leave the IP Mask set to 255.255.255.255. This is the easiest way to use the Authorized Managers feature.
Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 8-9. Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch. This mask serves a different purpose than IP subnet masks and is applied in a different manner.
Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See “Building IP Masks”on page 8-9. 4. Use the Space bar to select Manager or Operator access. 5. Press [Enter], then [S] (for Save) to configure the IP Authorized Manager entry. Figure 8-2.
Using Authorized IP Managers Defining Authorized Management Stations The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: IP Mask Authorized Station IP Address: Access Mode: 255.255.255.252 10.28.227.100 through 103 Manager 255.255.255.254 10.28.227.104 through 105 Manager 255.255.255.255 10.28.227.125 Manager 255.255.255.0 10.28.227.
Using Authorized IP Managers Web: Configuring IP Authorized Managers The result of entering the preceeding example is: • Authorized Station IP Address: 10.28.227.105 • IP Mask: 255.255.255.255, which authorizes only the specified station (10.28.227.105 in this case). (See “Configuring Multiple Stations Per Authorized Manager IP Entry” on page 8-10.) • Access Level: Manager To Edit an Existing Manager Access Entry.
Using Authorized IP Managers Building IP Masks For web-based help on how to use the web browser interface screen, click on the [?] button provided on the web browser screen. Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network. Configuring One Station Per Authorized Manager IP Entry This is the easiest way to apply a mask.
Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access.
Using Authorized IP Managers Building IP Masks Figure 8-5. Analysis of IP Mask for Multiple-Station Entries 1st Octet 2nd Octet 3rd Octet 4th Octet Manager-Level or Operator-Level Device Access The “255” in the first three octets of the mask specify that only the exact value in the octet of the corresponding IP address is allowed. However, the zero (0) in the 4th octet of the mask allows any value between 0 and 255 in that octet of the corresponding IP address.
Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Results Manager List IP Mask 255 255 0 Authorized Manager IP 10 IP Mask 255 238 255 250 Authorized Manager IP 10 33 255 248 1 This combination specifies an authorized IP address of 10.33.xxx.1.
Using Authorized IP Managers Operating Notes • • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions” list in the web browser interface you are using on the authorized station.
Index Numerics 3DES … 4-3, 5-3 802.1x See port-based access control. … 6-1 A aaa authentication … 2-9 access levels, authorized IP managers … 8-3 accounting See RADIUS. address authorized for port security … 7-3 authentication SeeTACACS.
inconsistent value … 7-12 O open VLAN mode See port access control OpenSSH … 4-3, 5-2 operating notes authorized IP managers … 8-12 port security … 7-22 operator password … 1-2, 1-4 P password browser/console access … 1-3 case-sensitive … 1-4 caution … 1-3 delete … 1-4 deleting with the Clear button … 1-5 if you lose the password … 1-5 incorrect … 1-3 length … 1-4 operator only, caution … 1-3 pair … 1-2 setting … 1-4 password pair … 1-2 password security … 4-18 port security configuration … 7-2 port secur
supplicant, enabling … 6-34 switch username and password … 6-3 terminology … 6-7 troubleshooting, gvrp … 6-43 used with port-security … 6-31 VLAN operation … 6-43 prior to … 7-19, 7-20, 7-23 Privacy Enhanced Mode (PEM) See SSH.
host key pair … 4-11 key, babble … 4-11 key, fingerprint … 4-11 keys, zeroizing … 4-11 key-size … 4-17 known-host file … 4-13, 4-15 man-in-the-middle spoofing … 4-16 messages, operating … 4-27 OpenSSH … 4-3 operating rules … 4-8 outbound SSH not secure … 4-8 password security … 4-18 password-only authentication … 4-18 passwords, assigning … 4-9 PEM … 4-4 prerequisites … 4-4 public key … 4-5, 4-13 public key, displaying … 4-14 reserved IP port numbers … 4-17 security … 4-17 SSHv1 … 4-2 SSHv2 … 4-2 steps for
overview … 1-xii precautions … 2-6 preparing to configure … 2-9 preventing switch lockout … 2-15 privilege level code … 2-7 server access … 2-15 server priority … 2-18 setup, general … 2-6 show authentication … 2-9 supported features … 2-3 system requirements … 2-5 TACACS+ server … 2-4 testing … 2-6 timeout … 2-15 troubleshooting … 2-6 unauthorized access, preventing … 2-8 web access, controlling … 2-24 web access, no effect on … 2-6 tacacs-server … 2-9 TCP reserved port numbers … 5-20 Telnet … 2-15 test …
6 – Index
Technical information in this document is subject to change without notice. ©Copyright Hewlett-Packard Company 2000, 2002. All right reserved. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws.
