HP ProCurve Series 6120 Blade Switches Access Security Guide

Manuals Brands HP Manuals Computer Accessories HP 6120G/XG Ethernet Blade Switch

ProCurve Series 6120 Switches

Access Security Guide

November 2010

Version Z.14.22

Summary of content (606 pages)

PAGE 1

ProCurve Series 6120 Switches Access Security Guide November 2010 Version Z.14.
PAGE 2
PAGE 3

HP ProCurve 6120G/XG Switch 6120XG Switch November 2010 Z.14.
PAGE 4

© Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another lan- gauge without the prior written consent of Hewlett-Packard.
PAGE 5

Contents Product Documentation About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Printed Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Electronic Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Software Feature Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx 1 Security Overview Contents . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 6

2 Configuring Username and Password Security Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 7

Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32 Disabling or Re-Enabling the Password Recovery Process . . . . . . . . 2-32 Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34 3 Web and MAC Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 8

Configuration Commands for MAC Authentication . . . . . . . . . . . . . . 3-51 Configuring the Global MAC Authentication Password . . . . . . . 3-51 Configuring a MAC-based Address Format . . . . . . . . . . . . . . . . . 3-53 Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . 3-55 Client Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-62 4 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 9

5 RADIUS Authentication, Authorization, and Accounting Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 10

Using Vendor Specific Attributes (VSAs) . . . . . . . . . . . . . . . . . . . 5-37 Example Configuration on Cisco Secure ACS for MS Windows 5-39 Example Configuration Using FreeRADIUS . . . . . . . . . . . . . . . . . 5-41 VLAN Assignment in an Authentication Session . . . . . . . . . . . . . . . . 5-43 Tagged and Untagged VLAN Attributes . . . . . . . . . . . . . . . . . . . . . . . . 5-44 Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 11

Contrasting Dynamic (RADIUS-Assigned) and Static ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13 How a RADIUS Server Applies a RADIUS-Assigned ACL to a Switch Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14 General ACL Features, Planning, and Configuration . . . . . . . . . . . . . 6-15 The Packet-filtering Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 12

Configuring the Switch for SSH Operation . . . . . . . . . . . . . . . . . . . . . . 7-9 1. Assigning a Local Login (Operator) and Enable (Manager) Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10 2. Generating the Switch’s Public and Private Key Pair . . . . . . . . . . 7-10 Configuring Key Lengths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13 3. Providing the Switch’s Public Key to Clients . . . . . . . . . . . . . . . . . . 7-13 4.
PAGE 13

3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-17 Using the CLI Interface to Enable SSL . . . . . . . . . . . . . . . . . . . . . 8-19 Using the Web Browser Interface to Enable SSL . . . . . . . . . . . . . 8-19 Common Errors in SSL setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-21 9 IPv4 Access Control Lists (ACLs) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 14

Guidelines for Planning the Structure of an ACL . . . . . . . . . . . . . . . . 9-24 ACL Configuration and Operating Rules . . . . . . . . . . . . . . . . . . . . . . . 9-25 How an ACE Uses a Mask To Screen Packets for Matches . . . . . . . . 9-26 What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs? . . . . . . . . . . . . . . . . . . . . 9-27 Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 15

Editing ACLs and Creating an ACL Offline . . . . . . . . . . . . . . . . . . . . 9-61 Using the CLI To Edit ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-61 General Editing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-62 Deleting Any ACE from an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-62 Working Offline To Create or Edit an ACL . . . . . . . . . . . . . . . . . . . . . 9-64 Creating an ACL Offline . . . . . . . . . . . . . . .
PAGE 16

Verifying the Configuration of Dynamic ARP Protection . . . . . . . . 10-21 Displaying ARP Packet Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-22 Monitoring Dynamic ARP Protection . . . . . . . . . . . . . . . . . . . . . . . . . 10-23 Dynamic IP Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23 Protection Against IP Source Address Spoofing . . . . . . . . . . . . . . . . 10-24 Prerequisite: DHCP Snooping . . . . . . . . . . . . . . . . . .
PAGE 17

Viewing a Named Source-Port Filter . . . . . . . . . . . . . . . . . . . . . . . 11-8 Using Named Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . 11-9 Configuring Traffic/Security Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15 Configuring a Source-Port Traffic Filter . . . . . . . . . . . . . . . . . . . . . . 11-16 Example of Creating a Source-Port Filter . . . . . . . . . . . . . . . . . . 11-17 Configuring a Filter on a Port Trunk . . . . . . . . . . . . . . . . .
PAGE 18

B. Specify User-Based Authentication or Return to Port-Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-21 Example: Configuring User-Based 802.1X Authentication . . . . 12-22 Example: Configuring Port-Based 802.1X Authentication . . . . 12-22 2. Reconfigure Settings for Port-Access . . . . . . . . . . . . . . . . . . . . . . . 12-22 3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . 12-25 4. Enter the RADIUS Host IP Address(es) . . . . . . . . .
PAGE 19

How RADIUS/802.1X Authentication Affects VLAN Operation . 12-68 VLAN Assignment on a Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-69 Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-69 Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-71 Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions . . . . . .
PAGE 20

How the Intrusion Log Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-33 Keeping the Intrusion Log Current by Resetting Alert Flags . . . . . . 13-34 Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-35 CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 21

Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-10 Configuring One Station Per Authorized Manager IP Entry . . . . . . 14-10 Configuring Multiple Stations Per Authorized Manager IP Entry . . 14-11 Additional Examples for Authorizing Multiple Stations . . . . . . . . . 14-13 Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 22

xx
PAGE 23

Product Documentation About Your Switch Manual Set Note For the latest version of switch documentation, please visit any of the follow ing websites: www.hp.com/networking/support www.hp.com/go/bladesystem/documentation h18004.www1.hp.com/products/blades/components/c-class-tech-installing.html Printed Publications The publication listed below is printed and shipped with your switch. The latest version is also available in PDF format, as described in the Note at the top of this page.
PAGE 24

Software Feature Index This feature index indicates which manual to consult for information on a given software feature. Note This Index does not cover IPv6 capable software features. For information on IPv6 protocol operations and features (such as DHCPv6, DNS for IPv6, and Ping6), refer to the IPv6 Configuration Guide. Intelligent Edge Software Features. These features are automatically included on all switches. Premium License Software Features.
PAGE 25

Intelligent Edge Software Features Manual Management Advanced and Traffic Configuration Management Authorized Manager List (Web, Telnet, TFTP) Access Security Guide X Auto MDIX Configuration X BOOTP X CEE (Converged Enhanced Ethernet) (6120XG only) X Config File X Console Access X Copy Command X CoS (Class of Service) X Debug X DHCP Configuration X DHCP Option 82 DHCP/Bootp Operation Multicast and Routing X X DHCP Snooping X Diagnostic Tools X Downloading Software X Dynamic AR
PAGE 26

Intelligent Edge Software Features Manual Management Advanced and Traffic Configuration Management IGMP Access Security Guide X Interface Access (Telnet, Console/Serial, Web) X IP Addressing X IP Routing X Jumbo Packets X LACP X LLDP X LLDP-MED X Loop Protection MAC Address Management Multicast and Routing X X MAC Lockdown X MAC Lockout X MAC-based Authentication X Monitoring and Analysis X Network Management Applications (SNMP) X Passwords and Password Clear Protection X P
PAGE 27

Intelligent Edge Software Features Manual Management Advanced and Traffic Configuration Management Multicast and Routing Access Security Guide RADIUS Authentication and Accounting X RADIUS-Based Configuration X RMON 1,2,3,9 X Routing - IP static X Secure Copy X sFlow X SFTP X SNMPv3 X Software Downloads (SCP/SFTP, TFPT, Xmodem) X Source-Port Filters X Spanning Tree (STP, RSTP, MSTP) X SSHv2 (Secure Shell) Encryption X SSL (Secure Socket Layer) X Syslog X System Information X
PAGE 28

Intelligent Edge Software Features Web UI xxiv Manual Management Advanced and Traffic Configuration Management X Multicast and Routing Access Security Guide
PAGE 29

Security Overview Contents 1 Security Overview Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 30

Security Overview Introduction Introduction This chapter provides an overview of the security features included on your switch. Table 1-1 on page 1-3 outlines the access security and authentication features, while Table 1-2 on page 1-7 highlights the additional features designed to help secure and protect your network. For detailed information on individual features, see the references provided.
PAGE 31

Security Overview Access Security Features Access Security Features This section provides an overview of the switch’s access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter and page references are to this Access Security Guide unless a different manual name is indicated).
PAGE 32

Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details Telnet and Web-browser access enabled The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL (see below for details) should be used for remote access.
PAGE 33

Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details SSL disabled Secure Socket Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser access to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication.
PAGE 34

Security Overview Access Security Features Feature Default Setting Security Guidelines 802.1X Access Control none This feature provides port-based or user-based Chapter 13 “Configuring authentication through a RADIUS server to protect the Port-Based and User-Based switch from unauthorized access and to enable the use Access Control (802.1X)” of RADIUS-based user profiles to control client access to network services.
PAGE 35

Security Overview Network Security Features Network Security Features This section outlines features and defence mechanisms for protecting access through the switch to the network. For more detailed information, see the indicated chapters. Table 1-2.
PAGE 36

Security Overview Network Security Features Feature Default Setting Security Guidelines ConnectionRate Filtering based on Virus-Throttling Technology none This feature helps protect the network from attack and Chapter 3, “Virus Throttling (Connection-Rate Filtering)” is recommended for use on the network edge. It is primarily focused on the class of worm-like malicious code that tries to replicate itself by taking advantage of weaknesses in network applications behind unsecured ports.
PAGE 37

Security Overview Getting Started with Access Security Getting Started with Access Security ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types.
PAGE 38

Security Overview Getting Started with Access Security Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following: ■ Disable or re-enable the password-clearing function of the Clear button. ■ Configure the Clear button to reboot the switch after clearing any local usernames and passwords.
PAGE 39

Security Overview Getting Started with Access Security The welcome banner appears and the first setup option is displayed (Operator password). As you advance through the wizard, each setup option displays the current value in brackets [ ] as shown in Figure 1-1. Welcome to the Management Interface Setup Wizard This wizard will help you with the initial setup of the various management interfaces. The current values are shown in brackets[]. Type in a new value, or press to keep the current value.
PAGE 40

Security Overview Getting Started with Access Security 2. When you enter the wizard, you have the following options: • To update a setting, type in a new value, or press [Enter] to keep the current value. • To quit the wizard without saving any changes, press [CTRL-C] at any time. • To access online Help for any option, press [?].
PAGE 41

Security Overview Getting Started with Access Security The Welcome window appears. Figure 1-2. Management Interface Wizard: Welcome Window This page allows you to choose between two setup types: 3. • Typical—provides a multiple page, step-by-step method to configure security settings, with on-screen instructions for each option. • Advanced—provides a single summary screen in which to configure all security settings at once. To enter the wizard, choose a setup option and then click Continue.
PAGE 42

Security Overview Getting Started with Access Security 4. The summary setup screen displays the current configuration settings for all setup options (see Figure 1-3). Figure 1-3. Management Interface Wizard: Summary Setup From this screen, you have the following options: • To change any setting that is shown, type in a new value or make a different selection. • To apply the settings permanently, click Apply. • To quit the Setup screen without saving any changes, click Exit.
PAGE 43

Security Overview Getting Started with Access Security SNMP Security Guidelines In the default configuration, the switch is open to access by management stations running SNMP (Simple Network Management Protocol) management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
PAGE 44

Security Overview Getting Started with Access Security If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions when downloading and booting from the software: ■ If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is not desirable for your network, then immediately after downloading and booting from the software for the first time, use the following command to disable this feature: s
PAGE 45

Security Overview Precedence of Security Options Precedence of Security Options This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch. Precedence of Port-Based Security Options Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest.
PAGE 46

Security Overview Precedence of Security Options value applied to a client session is determined in the following order (from highest to lowest priority) in which a value configured with a higher priority overrides a value configured with a lower priority: 1. Attribute profiles applied through the Network Immunity network-man agement application using SNMP (see “Network Immunity Manager”) 2. 802.1X authentication parameters (RADIUS-assigned) 3.
PAGE 47

Security Overview Precedence of Security Options The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile MIB, which serves as the configuration interface for Network Immunity Manager. A client profile consists of NIM-configured, RADIUS-assigned, and statically configured parameters. Using show commands for 802.
PAGE 48

Security Overview Precedence of Security Options Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
PAGE 49

Security Overview ProCurve Identity-Driven Manager (IDM) ProCurve Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.
PAGE 50

Security Overview ProCurve Identity-Driven Manager (IDM) 1-22
PAGE 51

2 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-8 Web: Setting Passwords and Usernames . . . . . . . .
PAGE 52

Configuring Username and Password Security Contents Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation . . . . . . . . . . . . . . . . . . 2-30 Changing the Operation of the Reset+Clear Combination . . . . . 2-31 Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32 Disabling or Re-Enabling the Password Recovery Process . . . . . . . . 2-32 Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 53

Configuring Username and Password Security Overview Overview Feature Default Menu Set Usernames none — Set a Password none page 2-6 page 2-8 page 2-9 Delete Password Protection n/a page 2-7 page 2-8 page 2-9 show front-panel-security n/a — page 1-13 — — page 1-13 — front-panel-security CLI Web — page 2-9 password-clear enabled — page 1-13 — reset-on-clear disabled — page 1-14 — factory-reset enabled — page 1-15 — password-recovery enabled — page 1-15 — Console
PAGE 54

Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface. Operator: Access to the Statusand Counters menu, the Event Log, and the CLI*, but no Configuration capabilities.
PAGE 55

Configuring Username and Password Security Overview Notes The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
PAGE 56

Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Console Passwords Figure 2-1. 2. The Set Password Screen To set a new password: a. Select Set Manager Password or Set Operator Password. You will then be prompted with Enter new password. b.
PAGE 57

Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and pass words (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
PAGE 58

Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below. Configuring Manager and Operator Passwords. Note You can configure manager and operator passwords in one step. See “Saving Security Credentials in a Config File” on page 2-10 of this guide.
PAGE 59

Configuring Username and Password Security Configuring Local Password Security If you want to remove both operator and manager password protection, use the no password all command. Web: Setting Passwords and Usernames In the web browser interface you can enter passwords and (optional) usernames. To Configure (or Remove) Usernames and Passwords in the Web Browser Interface. 1. Click on the Security tab. Click on [Device Passwords]. 2. 3.
PAGE 60

Configuring Username and Password Security Saving Security Credentials in a Config File Saving Security Credentials in a Config File You can store and view the following security settings in internal flash memory by entering the include-credentials command: ■ Local manager and operator passwords and (optional) user names that control access to a management session on the switch through the CLI, menu interface, or web browser interface ■ SNMP security credentials used by network management stations to ac
PAGE 61

Configuring Username and Password Security Saving Security Credentials in a Config File ■ The chapter on “Switch Memory and Configuration” in the Management and Configuration Guide. ■ “Configuring Local Password Security” on page 2-6 in this guide. Enabling the Storage and Display of Security Credentials To enable the security settings, enter the include-credentials command.
PAGE 62

Configuring Username and Password Security Saving Security Credentials in a Config File Local Manager and Operator Passwords The information saved to the running-config file when the include-credentials command is entered includes: password manager [user-name ] password operator [user-name ] where is an alphanumeric string for the user name assigned to the manager or operator.
PAGE 63

Configuring Username and Password Security Saving Security Credentials in a Config File user-name : the optional text string of the user name associated with the password. : specifies the type of algorithm (if any) used to hash the password. Valid values are plaintext or sha-1 : the clear ASCII text string or SHA-1 hash of the password. You can enter a manager, operator, or 802.1X port-access password in clear ASCII text or hashed format.
PAGE 64

Configuring Username and Password Security Saving Security Credentials in a Config File [priv ] is the (optional) hashed privacy password used by a privacy protocol to encrypt SNMPv3 messages between the switch and the station.
PAGE 65

Configuring Username and Password Security Saving Security Credentials in a Config File The password port-access values are configured separately from the manager and operator passwords configured with the password manager and password operator commands and used for management access to the switch. For information on the new password command syntax, see “Password Command Options” on page 2-12. After you enter the complete password port-access command syntax, the password is set.
PAGE 66

Configuring Username and Password Security Saving Security Credentials in a Config File during authentication sessions. Both the switch and the server have a copy of the key; the key is never transmitted across the network. For more information, refer to “3. Configure the Switch To Access a RADIUS Server” on page 5-14 in this guide.
PAGE 67

Configuring Username and Password Security Saving Security Credentials in a Config File “keystring”: a legal SSHv2 (RSA or DSA) public key. The text string for the public key must be a single quoted token. If the keystring contains double-quotes, it can be quoted with single quotes ('keystring'). The following restrictions for a keystring apply: Note ■ A keystring cannot contain both single and double quotes. ■ A keystring cannot have extra characters, such as a blank space or a new line.
PAGE 68

Configuring Username and Password Security Saving Security Credentials in a Config File To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command. The following example shows the SSH public keys configured for manager access, along with the hashed content of each SSH client public-key, that are stored in a configuration file: ...
PAGE 69

Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes Caution ■ When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file. You are prompted by a warning message to perform a write memory operation to save the security credentials to the startup configuration.
PAGE 70

Configuring Username and Password Security Saving Security Credentials in a Config File • copy config config : Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot. • copy config tftp: Uploads a configuration file from the switch to a TFTP server. • copy tftp config: Downloads a configuration file from a TFTP server to the switch.
PAGE 71

Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command: ■ The private keys of an SSH host cannot be stored in the running configuration. Only the public keys used to authenticate SSH clients can be stored. An SSH host’s private key is only stored internally, for example, on the switch or on an SSH client device.
PAGE 72

Configuring Username and Password Security Saving Security Credentials in a Config File the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command. Note that the password port-access values are configured separately from local operator username and passwords configured with the password operator command and used for management access to the switch.
PAGE 73

Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together). The ability to disable Password Recovery is also provided for situations which require a higher level of switch security.
PAGE 74

Configuring Username and Password Security Front-Panel Security As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions This section describes the functionality of the Clear and Reset buttons located on the front panel of the switch. Reset Button Clear Button Figure 2-6.
PAGE 75

Configuring Username and Password Security Front-Panel Security Clear Button Pressing the Clear button alone for five seconds resets the password(s) configured on the switch. Clear Reset Figure 2-8. Press the Clear Button for Five Seconds To Reset the Password(s) Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Clear Reset Figure 2-9.
PAGE 76

Configuring Username and Password Security Front-Panel Security 2. While holding the Reset button, press and hold the Clear button for five seconds. Clear 3. Release the Reset button. Clear 4. Reset Reset If the Clear button is held for greater then 2.5 seconds, configuration will be cleared, and the switch will reboot. It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch config uration to the factory default settings. .
PAGE 77

Configuring Username and Password Security Front-Panel Security Configuring Front-Panel Security Using the front-panel-security command from the global configuration context in the CLI you can: • Disable or re-enable the password-clearing function of the Clear button. Disabling the Clear button means that pressing it does not remove local password protection from the switch.
PAGE 78

Configuring Username and Password Security Front-Panel Security Reset-on-clear: Shows the status of the reset-on-clear option (Enabled or Disabled). When reset-on-clear is disabled and Clear Password is enabled, then pressing the Clear button erases the local usernames and passwords from the switch. When reset-on-clear is enabled, pressing the Clear button erases the local usernames and passwords from the switch and reboots the switch. (Enabling reset-on-clear automatically enables clear-password.
PAGE 79

Configuring Username and Password Security Front-Panel Security Disabling the Clear Password Function of the Clear Button Syntax: no front-panel-security password-clear In the factory-default configuration, pressing the Clear button on the switch’s front panel erases any local usernames and passwords configured on the switch. This command disables the password clear function of the Clear button, so that pressing it has no effect on any local usernames and passwords. (Default: Enabled.
PAGE 80

Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. • Specifies whether the switch reboots if the Clear button is pressed.
PAGE 81

Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on clear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-12.
PAGE 82

Configuring Username and Password Security Password Recovery The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. Completes the command to disable the factory reset option. Displays the current front panel-security configuration, with Factory Reset disabled. Figure 2-13.
PAGE 83

Configuring Username and Password Security Password Recovery factory-default configuration. This can disrupt network operation and make it necessary to temporarily disconnect the switch from the network to prevent unauthorized access and other problems while it is being reconfigured. Also, with factory-reset enabled, unauthorized users can use the Reset+Clear button combination to reset the switch to factory-default configuration and gain management access to the switch.
PAGE 84

Configuring Username and Password Security Password Recovery Figure 2-14. Example of the Steps for Disabling Password-Recovery Password Recovery Process If you have lost the switch’s manager username/password, but passwordrecovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by ProCurve.
PAGE 85

3 Web and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 Concurrent Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . 3-4 Authorized and Unauthorized Client VLANs . . . . . . . . .
PAGE 86

Web and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-50 Configuration Commands for MAC Authentication . . . . . . . . . . . . . . 3-51 Configuring the Global MAC Authentication Password . . . . . . . 3-51 Configuring a MAC-based Address Format . . . . . . . . . . . . . . . . . 3-53 Show Commands for MAC-Based Authentication . . . . . . . . . . . . . . . 3-55 Client Status . . . . . . . . . . . . . . . . . . . . .
PAGE 87

Web and MAC Authentication Overview Overview Feature Default Menu CLI Web Configure Web Authentication n/a — 3-20 — Configure MAC Authentication n/a — 3-50 — Display Web Authentication Status and Configuration n/a — 3-28 — Display MAC Authentication Status and Configuration n/a — 3-55 — Web and MAC authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and a switch from unauthorized access.
PAGE 88

Web and MAC Authentication Overview ■ In the login page, a client enters a username and password, which the switch forwards to a RADIUS server for authentication. After authen ticating a client, the switch grants access to the secured network. Besides a web browser, the client needs no special supplicant soft ware. MAC Authentication The MAC Authentication (MAC-Auth) method grants access to a secure network by authenticating devices for access to the network.
PAGE 89

Web and MAC Authentication Overview ■ Each new Web/MAC Auth client always initiates a MAC authentica tion attempt. This same client can also initiate Web authentication at any time before the MAC authentication succeeds. If either authenti cation succeeds then the other authentication (if in progress) is ended. No further Web/MAC authentication attempts are allowed until the client is deauthenticated.
PAGE 90

Web and MAC Authentication How Web and MAC Authentication Operate clients by using an “unauthorized” VLAN for each session. The unauthorized VLAN ID assignment can be the same for all ports, or different, depending on the services and access you plan to allow for unauthenticated clients. You configure access to an optional, unauthorized VLAN when you configure Web and MAC authentication on a port.
PAGE 91

Web and MAC Authentication How Web and MAC Authentication Operate Web-based Authentication When a client connects to a Web-Auth enabled port, communication is redi rected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username and password. The default User Login screen is shown in Figure 3-1. Figure 3-1.
PAGE 92

Web and MAC Authentication How Web and MAC Authentication Operate If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. After a successful login, a client may be redirected to a URL if you specify a URL value (redirect-url) when you configure web authentication. Figure 3-3. Authentication Completed The assigned VLAN is determined, in order of priority, as follows: 1.
PAGE 93

Web and MAC Authentication How Web and MAC Authentication Operate A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The max-retries parameter specifies how many times a client may enter their credentials before authentication fails. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out.
PAGE 94

Web and MAC Authentication How Web and MAC Authentication Operate The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period). In addition, a session ends if the link on the port is lost, requiring reauthenti cation of all clients.
PAGE 95

Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN. Authentication Server: The entity providing an authentication service to the switch.
PAGE 96

Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ ■ P o r t A cc e s s M a na g e m e nt • Web and/or MAC Authentication (with or without 802.1X) • MAC lockdown • MAC lockout • Port-Security Order of Precedence for Port Access Management (highest to lowest): a. MAC lockout b. MAC lockdown or Port Security c. Port-based Access Control (802.
PAGE 97

Web and MAC Authentication Operating Rules and Notes 1. 2. 3. 4. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships.
PAGE 98

Web and MAC Authentication Setup Procedure for Web/MAC Authentication We b / M A C Authentication and LACP Web or MAC authentication and LACP are not supported at the same time on a port. The switch automatically disables LACP on ports configured for Web or MAC authentication. ■ Use the show port-access web-based commands to display session status, port-access configuration settings, and statistics for Web-Auth sessions. ■ When spanning tree is enabled on a switch that uses 802.
PAGE 99

Web and MAC Authentication Setup Procedure for Web/MAC Authentication ProCurve (config)# show port-access config Port Access Status Summary Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes Port ---1 2 3 4 5 6 7 8 9 10 11 12 ...
PAGE 100

Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify the VLAN. 3-16 4. Determine whether to use the optional “Unauthorized VLAN” mode for clients that the RADIUS server does not authenticate.
PAGE 101

Web and MAC Authentication Setup Procedure for Web/MAC Authentication Configuring the RADIUS Server To Support MAC Authentication On the RADIUS server, configure the client device authentication in the same way that you would any other client, except: ■ Configure the client device’s (hexadecimal) MAC address as both username and password. Be careful to configure the switch to use the same format that the RADIUS server uses. Otherwise, the server will deny access.
PAGE 102

Web and MAC Authentication Setup Procedure for Web/MAC Authentication Syntax: [no] radius-server [host < ip-address >] [oobm] Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can config ure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (Refer to “RADIUS Authentication, Authorization, and Account ing” on page 5-1.
PAGE 103

Web and MAC Authentication Setup Procedure for Web/MAC Authentication For example, to configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server specific shared secret key of ‘1A7rd’ Figure 3-5.
PAGE 104

Web and MAC Authentication Configuring Web Authentication Configuring Web Authentication Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authentication. If a redirect URL is not specified, web browser behavior following authentication may not be acceptable. 3.
PAGE 105

Web and MAC Authentication Configuring Web Authentication • You can block only incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web authentication. For example, Wake-on-LAN traffic is transmitted on a web-authenti cated egress port that has not yet transitioned to the authenticated state; 10.
PAGE 106

Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access controlled-directions After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-direc tions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state. both (default): Incoming and outgoing traffic is blocked on a port configured for web authentication before authentication occurs.
PAGE 107

Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access controlled-directions — Continued — Notes: ■ For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, “Multiple Instance Spanning-Tree Operation” in the Advanced Traffic Management Guide.
PAGE 108

Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based Enables web-based authentication on the specified ports. Use the no form of the command to disable webbased authentication on the specified ports. Syntax: aaa port-access web-based [auth-vid ]] no aaa port-access web-based [auth-vid] Specifies the VLAN to use for an authorized client. The Radius server can override the value (accept-response includes a vid).
PAGE 109

Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based [dhcp-addr ] Specifies the base address/mask for the temporary IP pool used by DHCP. The base address can be any valid ip address (not a multicast address). Valid mask range value is <255.255.240.0 - 255.255.255.0>. (Default: 192.168.0.0/255.255.255.
PAGE 110

Web and MAC Authentication Configuring Web Authentication ProCurve Switch (config)# no aaa port-access web-based 47 ewa-server 10.0.12.181 ProCurve Switch (config)# Figure 3-7. Removing a Web Server with the aaa port-access web-based ews-server Command Syntax: aaa port-access web-based [logoff-period] <60-9999999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense.
PAGE 111

Web and MAC Authentication Configuring Web Authentication Specifies the time period, in seconds, the switch enforces on a client to re-authenticate. When set to 0, reauthentication is disabled. (Default: 300 seconds) Syntax: aaa port-access web-based [reauthenticate] Forces a reauthentication of all attached clients on the port.
PAGE 112

Web and MAC Authentication Configuring Web Authentication Show Commands for Web Authentication Command Page show port-access web-based [port-list] 3-28 show port-access web-based clients [port-list] 3-29 show port-access web-based clients detailed 3-30 show port-access web-based config [port-list] 3-31 show port-access web-based config detailed 3-32 show port-access web-based config [port-list] auth-server 3-33 show port-access web-based config [port-list] web-server
PAGE 113

Web and MAC Authentication Configuring Web Authentication ProCurve (config)# show port-access web-based Port Access Web-Based Status Port ----1 2 3 Auth Clients -------1 2 4 Unauth Clients -------1 0 0 Untagged VLAN -------4006 MACbased 1 Tagged VLANs -----Yes No Yes Port COS -------70000000 Yes No Cntrl Dir ------ Figure 3-8.
PAGE 114

Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based clients detailed Displays detailed information on the status of webauthenticated client sessions on specified switch ports.
PAGE 115

Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config [port-list] Displays the currently configured Web Authentication settings for all switch ports or specified ports, including: • Temporary DHCP base address and mask • Support for RADIUS-assigned dynamic VLANs (Yes or No) • Controlled directions setting for transmitting Wake-onLAN traffic on egress ports • Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0, the default
PAGE 116

Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config detailed Displays more detailed information on the currently config ured Web Authentication settings for specified ports.
PAGE 117

Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config [port-list] auth-server Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts ProCurve (config)# show port-access web-based config auth-
PAGE 118

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Customizing Web Authentication HTML Files (Optional) The Web Authentication process displays a series of web pages and status messages to the user during login. The web pages that are displayed can be: ■ Generic, default pages generated directly by the switch software ■ Customized pages hosted on a local web server.
PAGE 119

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) ■ To configure a web server on your network, follow the instructions in the documentation provided with the server. ■ Before you enable custom Web Authentication pages, you should: • Determine the IP address or host name of the web server(s) that will host your custom pages. • Determine the path on the server(s) where the HTML files (including all graphics) used for the login pages are stored.
PAGE 120

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Customizable HTML Templates The sample HTML files described in the following sections are customizable templates. To help you create your own set HTML files, a set of the templates can be found on the download page for ‘K’ software. File Name Page index.html 3-36 accept.html 3-38 authen.html 3-40 reject_unauthvlan.html 3-41 timout.html 3-43 retry_login.html 3-44 sslredirect.html 3-46 rejectnovlan.
PAGE 121

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) User Login
User Login

In order to access this network, you must first log in.
PAGE 122

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Access Granted Page (accept.html). Figure 3-16. Access Granted Page The accept.html file is the web page used to confirm a valid client login. This web page is displayed after a valid username and password are entered and accepted. The client device is then granted access to the network.
PAGE 123

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Access Granted
Access Granted
PAGE 124

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Authenticating Page (authen.html). Figure 3-18. Authenticating Page The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified.
PAGE 125

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Invalid Credentials Page (reject_unauthvlan.html). Figure 3-20. Invalid Credentials Page The reject_unauthvlan.html file is the web page used to display login failures in which an unauthenticated client is assigned to the VLAN configured for unauthorized client sessions. You can configure the VLAN used by unauthor ized clients with the aaa port-access web-based unauth-vid command when you enable Web Authentication.
PAGE 126

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Invalid Credentials
Invalid Credentials

Your credentials were not accepted. However, you have been granted gues account status.
PAGE 127

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Timeout Page (timeout.html). Figure 3-22. Timeout Page The timeout.html file is the web page used to return an error message if the RADIUS server is not reachable. You can configure the time period (in seconds) that the switch waits for a response from the RADIUS server used to verify client credentials with the aaa port-access web-based server-timeout command when you enable Web Authentication.
PAGE 128

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Retry Login Page (retry_login.html). Figure 3-24. Retry Login Page The retry_login.html file is the web page displayed to a client that has entered an invalid username and/or password, and is given another opportunity to log in. The WAUTHRETRIESLEFTGET ESI displays the number of login retries that remain for a client that entered invalid login credentials.
PAGE 129

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Invalid Credentials
Invalid Credentials

Your credentials were not accepted. You have retries left. Please try again.
PAGE 130

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) SSL Redirect Page (sslredirect.html). Figure 3-26. SSL Redirect Page The sslredirect file is the web page displayed when a client is redirected to an SSL server to enter credentials for Web Authentication. If you have enabled SSL on the switch, you can enable secure SSL-based Web Authentication by entering the aaa port-access web-based ssl-login command when you enable Web Authentication.
PAGE 131

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) User Login SSL Redirect
User Login SSL Redirect

In order to access this network, you must first log in.
PAGE 132

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Access Denied Page (reject_novlan.html). Figure 3-28. Access Denied Page The reject_novlan file is the web page displayed after a client login fails and no VLAN is configured for unauthorized clients. The WAUTHQUIETTIMEGET ESI inserts the time period used to block an unauthorized client from attempting another login.
PAGE 133

Web and MAC Authentication Customizing Web Authentication HTML Files (Optional) Access Denied
Access Denied

Your credentials were not accepted. Please wait seconds to retry.
PAGE 134

Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made. 3.
PAGE 135

Web and MAC Authentication Configuring MAC Authentication on the Switch Configuration Commands for MAC Authentication Command Page Configuration Level aaa port-access mac-based password 3-51 aaa port-access mac-based addr-format 3-51 [no] aaa port-access mac-based [e] < port-list > 3-53 [addr-limit] 3-53 [addr-moves] 3-54 [auth-vid] 3-54 [logoff-period] 3-54 [max-requests] 3-54 [quiet-period] 3-54 [reauth-period] 3-55 [reauthenticate] 3-55 [server-timeout] 3-55 [u
PAGE 136

Web and MAC Authentication Configuring MAC Authentication on the Switch ProCurve(config)# aaa port-access mac-based password secretMAC1 ProCurve(config)# show port-access mac-based config Port Access MAC-Based Configuration MAC Address Format : no-delimiter Password : secretMAC1 Unauth Redirect Configuration URL : Unauth Redirect Client Timeout (sec) : 1800 Unauth Redirect Restrictive Filter : Disabled Total Unauth Redirect Client Count : 0 Port ----1 2 3 4 5 6 7 8 Enabled -------No No No No No No No No
PAGE 137

Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring a MAC-based Address Format Syntax: aaa port-access mac-based addr-format Specifies the MAC address format to be used in the RADIUS request message. This format must match the format used to store the MAC addresses in the RADIUS server.
PAGE 138

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: [no] aaa port-access mac-based [e] < port-list > [addr-moves] Allows client moves between the specified ports under MAC Auth control. When enabled, the switch allows addresses to move without requiring a re-authentica tion. When disabled, the switch does not allow moves and when one does occur, the user will be forced to reauthenticate. At least two ports (from port(s) and to port(s)) must be specified.
PAGE 139

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [reauth-period <0 - 9999999>] Specifies the time period (in seconds) that the switch enforces on a client to re-authenticate. The client remains authenticated while the reauthentication occurs. When set to 0, reauthentication is disabled.
PAGE 140

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based [port-list] Displays the status of all ports or specified ports that are enabled for MAC authentication. The information displayed for each port includes: • Number of authorized and unauthorized clients • VLAN ID number of the untagged VLAN used. If the switch supports MAC-based (untagged) VLANs, MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions.
PAGE 141

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based clients [port-list] Displays the session status, name, and address for each MAC-authenticated client on the switch. The IP address displayed is taken from the DHCP binding table (learned through the DHCP Snooping feature). If DHCP snooping is not enabled on the switch, n/a (not available) is displayed for a client’s IP address.
PAGE 142

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based clients detailed Displays detailed information on the status of MACauthenticated client sessions on specified ports.
PAGE 143

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config [port-list] Displays the currently configured MAC Authentication settings for all switch ports or specified ports, including: • MAC address format • Support for RADIUS-assigned dynamic VLANs (Yes or No) • Controlled directions setting for transmitting Wake-onLAN traffic on egress ports • Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0, the default VLAN
PAGE 144

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config detailed Displays more detailed information on the currently config ured MAC Authentication settings for specified ports.
PAGE 145

Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config [port-list] auth-server Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts ProCurve (config)# show port-access mac-base
PAGE 146

Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. 3-62 Reported Status Available Network Connection Possible Explanations authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires. authenticating Switch only Pending RADIUS request.
PAGE 147

4 TACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 4-3 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 4-5 Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 148

TACACS+ Authentication Overview Overview Feature Default Menu CLI Web view the switch’s authentication configuration n/a — page 4-9 — view the switch’s TACACS+ server contact configuration n/a — page 4-10 — configure the switch’s authentication methods disabled — page 4-11 — configure the switch to contact TACACS+ server(s) disabled — page 4-18 — TACACS+ authentication enables you to use a central server to allow or deny access to the switches covered in this guide (and other TACACS
PAGE 149

TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/ write) privilege level access. TACACS+ does not affect web browser interface access.
PAGE 150

TACACS+ Authentication Terminology Used in TACACS Applications: face. (Using the menu interface you can assign a local password, but not a username.) Because this method assigns passwords to the switch instead of to individuals who access the switch, you must distribute the password information on each switch to everyone who needs to access the switch, and you must configure and manage password protection on a per-switch basis.
PAGE 151

TACACS+ Authentication General System Requirements General System Requirements To use TACACS+ authentication, you need the following: Notes ■ A TACACS+ server application installed and configured on one or more servers or management stations in your network. (There are several TACACS+ software packages available.) ■ A switch configured for TACACS+ authentication, with access to one or more TACACS+ servers.
PAGE 152

TACACS+ Authentication General Authentication Setup Procedure other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Trouble shooting chapter of the Management and Configuration Guide for your switch. 1.
PAGE 153

TACACS+ Authentication General Authentication Setup Procedure Note on Privil ege Levels When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of “15” as authorization for the Manager (read/write) privilege level access. Privilege level codes of 14 and lower result in Operator (read-only) access.
PAGE 154

TACACS+ Authentication Configuring TACACS+ on the Switch configuration in your TACACS+ server application for mis-configura tions or missing data that could affect the server’s interoperation with the switch. 8. After your testing shows that Telnet access using the TACACS+ server is working properly, configure your TACACS+ server application for console access. Then test the console access.
PAGE 155

TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication 4-9 show tacacs 4-10 aaa authentication 4-11 through 4-17 console Telnet num-attempts <1-10 > tacacs-server 4-18 host < ip-addr > 4-18 key 4-22 timeout < 1-255 > 4-23 Viewing the Switch’s Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configu
PAGE 156

TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact.
PAGE 157

TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures access control for the following access methods: ■ Console ■ Telnet ■ SSH ■ Web ■ Port-access (802.1X) However, TACACS+ authentication is only used with the console, Telnet, or SSH access methods.
PAGE 158

TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: aaa authentication < console | telnet | ssh | web | port-access > Selects the access method for configuration. < enable> The server grants privileges at the Manager privilege level. The server grants privileges at the Operator privilege level. If the privilege-mode option is entered, TACACS+ is enabled for a single login.
PAGE 159

TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range Function enable n/a n/a Specifies the Manager (read/write) privilege level for the access method being configured. login privilege-mode disabled n/a login: Specifies the Operator (read-only) privilege level for the access method being configured. The privilege-mode option enables TACACS+ for a single login.
PAGE 160

TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-4. Advanced TACACS+ Settings Section of the TACACS+ Server User Setup Then scroll down to the section that begins with “Shell” (See Figure 4-5). Check the Shell box. Check the Privilege level box and set the privilege level to 15 to allow “root” privileges. This allows you to use the single login option.
PAGE 161

TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-5. The Shell Section of the TACACS+ Server User Setup As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch’s console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.
PAGE 162

TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Privilege Level Authentication Options Console — Login Console — Enable Telnet — Login Telnet — Enable Caution Regarding the Use of Local for Login Primary Access 4-16 Effect on Access Attempts Primary Secondary local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access.
PAGE 163

TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server. Secondary using Local.
PAGE 164

TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these parameters: Note 4-18 ■ The host IP address(es) for up to three TACACS+ servers; one firstchoice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server. ■ An optional encryption key.
PAGE 165

TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [oobm] [key < key-string >] Adds a TACACS+ server and optionally assigns a server-specific encryption key. The oobm parameter specifies that the operation will go out from the out-of-band management interface. If this parameter is not specified, the operation goes out from the data interface.
PAGE 166

TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key” on page 4-27 and the documentation provided with your TACACS+ server application.
PAGE 167

TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server” key. (See the host [key entry at the beginning of this table.
PAGE 168

TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-7. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.
PAGE 169

TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs-server host 10.28.227.
PAGE 170

TACACS+ Authentication How Authentication Operates How Authentication Operates General Authentication Process Using a TACACS+ Server Authentication through a TACACS+ server operates generally as described below. For specific operating details, refer to the documentation you received with your TACACS+ server application.
PAGE 171

TACACS+ Authentication How Authentication Operates 4. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs: • If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.
PAGE 172

TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authenti cation only if one of these two conditions exists: ■ “Local” is the authentication option for the access method being used. ■ TACACS+ is the primary authentication mode for the access method being used.
PAGE 173

TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”) helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.
PAGE 174

TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to configure a global encryp tion key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.
PAGE 175

TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For informa tion on such messages, refer to the documentation you received with the application.
PAGE 176

TACACS+ Authentication Operating Notes 4-30 ■ When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not accessible— setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthor ized persons.
PAGE 177

5 RADIUS Authentication, Authorization, and Accounting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . .
PAGE 178

RADIUS Authentication, Authorization, and Accounting Contents Controlling Web Browser Interface Access . . . . . . . . . . . . . . . . . . . . 5-34 Commands Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-35 Enabling Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-36 Displaying Authorization Information . . . . . . . . . . . . . . . . . . . . . . . . . 5-37 Configuring Commands Authorization on a RADIUS Server . . . . . .
PAGE 179

RADIUS Authentication, Authorization, and Accounting Overview Overview Feature Default Menu CLI Web Configuring RADIUS Authentication None n/a 5-8 n/a Configuring RADIUS Accounting None n/a 5-47 n/a Configuring RADIUS Authorization None n/a 5-35 n/a n/a n/a 5-56 n/a Viewing RADIUS Statistics RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for ea
PAGE 180

RADIUS Authentication, Authorization, and Accounting Overview Note The switch does not support RADIUS security for SNMP (network manage ment) access. For information on blocking access through the web browser interface, refer to “Controlling Web Browser Interface Access” on page 5-34. Accounting Services RADIUS accounting on the switch collects resource consumption data and forwards it to the RADIUS server.
PAGE 181

RADIUS Authentication, Authorization, and Accounting Terminology Terminology AAA: Authentication, Authorization, and Accounting groups of services pro vided by the carrying protocol. CHAP (Challenge-Handshake Authentication Protocol): A challengeresponse authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a challenge from a RADIUS server. CoS (Class of Service): Support for priority handling of packets traversing the switch, based on the IEEE 802.
PAGE 182

RADIUS Authentication, Authorization, and Accounting Switch Operating Rules for RADIUS Vendor-Specific Attribute: A vendor-defined value configured in a RADIUS server to specific an optional switch feature assigned by the server during an authenticated client session. Switch Operating Rules for RADIUS ■ ■ ■ ■ ■ ■ ■ 5-6 You must have at least one RADIUS server accessible to the switch. The switch supports authentication and accounting using up to three RADIUS servers.
PAGE 183

RADIUS Authentication, Authorization, and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring the switch, collect the information outlined below. Table 5-1.
PAGE 184

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to trycontacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.) • Determine whether you want to bypass aRADIUS server that fails to respond to requests for service.
PAGE 185

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following • Serial port • Telnet • SSH • Port-Access (802.1X) • Web browser interface 2.
PAGE 186

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication • Timeout Period: The timeout period the switch waits for a RADIUS server to reply. (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS authentication request. (Default: 3; range of 1 to 5.
PAGE 187

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication ure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail.
PAGE 188

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Figure 5-2 shows an example of the show authentication command displaying authorized as the secondary authentication method for port-access, Web-auth access, and MAC-auth access. Since the configuration of authorized means no authentication will be performed and the client has unconditional access to the network, the “Enable Primary” and “Enable Secondary” fields are not applicable (N/A).
PAGE 189

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in this guide. The switch now allows Telnet and SSH authentication only through RADIUS. Figure 5-3.
PAGE 190

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication this default behavior for clients with Enable (manager) access. That is, with privilege-mode enabled, the switch immediately allows Enable (Manager) access to a client for whom the RADIUS server specifies this access level. Syntax: [no] aaa authentication login privilege-mode When enabled, the switch reads the Service-Type field in the client authentication received from a RADIUS server.
PAGE 191

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Note If you want to configure RADIUS accounting on the switch, go to page 5-47: “Configuring RADIUS Accounting” instead of continuing here. Syntax: [no] radius-server host < ip-address > [oobm] Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can configure up to three RADIUS server addresses. You can configure up to 15 RADIUS server addresses.
PAGE 192

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication [dyn-authorization] Enables or disables the processing of Disconnect and Change of Authorization messages from this host. When enabled, the RADIUS server can dynamically terminate or change the authorization parameters (such as VLAN assignment) used in an active client session on the switch.
PAGE 193

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication 2. Add a RADIUS server with an IP address of 10.33.18.119 and a serverspecific encryption key of “source0119”. Figure 5-4. Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 5-4, you would do the following: Changes the key for the existing server to “source0127” (step 1, above).
PAGE 194

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication ■ Number of login attempts: In a given session, specifies how many tries at entering the correct username and password pair are allowed before access is denied and the session terminated. (This is a general aaa authentication parameter and is not specific to RADIUS.
PAGE 195

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication dead-time < 1 - 1440 > Optional. Specifies the time in minutes during which the switch will not attempt to use a RADIUS server that has not responded to an earlier authentication attempt. (Default: 0; Range: 1 - 1440 minutes) dyn-autz-port <1024-49151> Specifies the UDP port number that listens for Change of Authorization or Disconnect messages. The range of ports is 1024-49151.
PAGE 196

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication ■ Allow three seconds for request timeouts. ■ Allow two retries following a request that did not receive a response. Figure 5-6. Example of Global Configuration Exercise for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in this guide.
PAGE 197

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Using Multiple RADIUS Server Groups The authentication and accounting features on the switch can use up to fifteen RADIUS servers. This option allows the RADIUS servers to be put into groups. Up to 5 groups of 3 RADIUS servers each can be configured. The authentica tion and accounting features can choose which RADIUS server group to communicate with. End-user authentication methods (802.
PAGE 198

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa server-group radius host no aaa server-group radius host Associates a RADIUS server with a server group. Each group can contain up to 3 RADIUS servers. The default group (called ‘radius’) can only contain the first three RADIUS servers. The default group cannot be edited.
PAGE 199

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication [ local | none | authorized ]: Provides options for secondary authentication (default: none). Note that for console access, secondary authentication must be local if primary access is not local. This prevents you from being locked out of the switch in the event of a failure in other access methods.
PAGE 200

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication Displaying the RADIUS Server Group Information The show server-group radius command displays the same information as the show radius command, but displays the servers in their server groups.
PAGE 201

RADIUS Authentication, Authorization, and Accounting Configuring the Switch for RADIUS Authentication ProCurve(config)# show authentication Status and Counters - Authentication Information Login Attempts : 3 Respect Privilege : Disabled Access Task ----------Console Telnet Port-Access Webui SSH Web-Auth MAC-Auth | | + | | | | | | | Login Primary ---------Local Local Local Local Local ChapRadius ChapRadius Login Server Group -----------radius radius Access Task ----------Console Telnet Webui SSH | | +
PAGE 202

RADIUS Authentication, Authorization, and Accounting Cached Reauthentication Cached Reauthentication Cached reauthentication allows 802.1X, web, or MAC reauthentications to succeed when the RADIUS server is unavailable. Users already authenticated retain their currently-assigned RADIUS attributes. Uninterrupted service is provided for authenticated users with RADIUS-assigned VLANS if the RADIUS server becomes temporarily unavailable during periodic reauthentications.
PAGE 203

RADIUS Authentication, Authorization, and Accounting Cached Reauthentication Syntax: [no] aaa authentication < secondary-method> Allows reauthentications to succeed when the RADIUS server is unavailable. Users already authenticated retain their currently-assigned session attributes. The primary methods for port-access authentication are local, chap-radius, or eap-radius. The primary method for web-based or mac-based authentica tion is chap-radius.
PAGE 204

RADIUS Authentication, Authorization, and Accounting Cached Reauthentication authentication have been changed from their default values. The period of time represented by X is how long 802.1X or Web MAC authentication will wait for a RADIUS response. For example: 1. A cached-reauth-period is set to 900 seconds (15 minutes) and the reauth period is 180 seconds. 2. A client is successfully authenticated or reauthenticated. 3. The RADIUS server becomes unavailable.
PAGE 205

RADIUS Authentication, Authorization, and Accounting Cached Reauthentication Note 4. The time between step 8 and step 9 is X seconds. 5. The total time is 180 + X + 900 + 180 + X, which equals 900 +2(180+X) seconds. The period of 1 to 30 seconds, represented by X, is not a firm time period; the time can vary depending on other 802.1X and Web/MAC auth parameters.
PAGE 206

RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features Using SNMP To View and Configure Switch Authentication Features SNMP MIB object access is available for switch authentication configuration (hpSwitchAuth) features.
PAGE 207

RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features Changing and Viewing the SNMP Access Configuration Syntax: snmp-server mib hpswitchauthmib < excluded | included > included: Enables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB. excluded: Disables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB.
PAGE 208

RADIUS Authentication, Authorization, and Accounting Using SNMP To View and Configure Switch Authentication Features An alternate method of determining the current Authentication MIB access state is to use the show run command. ProCurve(config)# show run Running configuration: ; 498358-B21 Configuration Editor; Created on release #Z.14.XX hostname "ProCurve" snmp-server mib hpSwitchAuthMIB excluded ip default-gateway 10.10.24.
PAGE 209

RADIUS Authentication, Authorization, and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: ■ Local is the authentication option for the access method being used. ■ The switch has been configured to query one or more RADIUS servers for a primary authentication request, but has not received a response, and Local is the configured secondary option.
PAGE 210

RADIUS Authentication, Authorization, and Accounting Controlling Web Browser Interface Access Controlling Web Browser Interface Access To help prevent unauthorized access through the web browser interface, do one or more of the following: ■ Configure the switch to support RADIUS authentication for web browser interface access.
PAGE 211

RADIUS Authentication, Authorization, and Accounting Commands Authorization Commands Authorization The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information (from the user’s profile) to the Network Access Server (NAS).
PAGE 212

RADIUS Authentication, Authorization, and Accounting Commands Authorization Enabling Authorization To configure authorization for controlling access to the CLI commands, enter this command at the CLI. Syntax: [no] aaa authorization Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed.
PAGE 213

RADIUS Authentication, Authorization, and Accounting Commands Authorization Displaying Authorization Information You can show the authorization information by entering this command: Syntax: show authorization Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed. An example of the output is shown.
PAGE 214

RADIUS Authentication, Authorization, and Accounting Commands Authorization The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below. HP-Command-String HP-Command-Exception Description Not present Not present If command authorization is enabled and the RADIUS server does not provide any authorization attributes in an Access-Accept packet, the user is denied access to the server.
PAGE 215

RADIUS Authentication, Authorization, and Accounting Commands Authorization Example Configuration on Cisco Secure ACS for MS Windows It is necessary to create a dictionary file that defines the VSAs so that the RADIUS server application can determine which VSAs to add to its user interface. The VSAs will appear below the standard attributes that can be configured in the application. The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps. 1.
PAGE 216

RADIUS Authentication, Authorization, and Accounting Commands Authorization Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList 2. Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). 3. From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils> csutil -addudv 0 hp.ini The zero (0) is the slot number.
PAGE 217

RADIUS Authentication, Authorization, and Accounting Commands Authorization 6. Right click and then select New > key. Add the vendor Id number that you determined in step 4 (100 in the example). 7. Restart all Cisco services. 8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry.
PAGE 218

RADIUS Authentication, Authorization, and Accounting Commands Authorization # # # # # # # dictionary.hp As posted to the list by User Version: $Id: dictionary.hp, v 1.0 2006/02/23 17:07:07 VENDOR Hp 11 # HP Extensions ATTRIBUTE ATTRIBUTE Hp-Command-String Hp-Command-Exception 2 3 string integer Hp Hp # Hp-Command-Exception Attribute Values VALUE VALUE Hp-Command-Exception Hp-Command-Exception Permit-List Deny-List 0 1 2.
PAGE 219

RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session VLAN Assignment in an Authentication Session A switch supports concurrent 802.1X and either Web- or MAC-authentication sessions on a port (with up to 32 clients allowed).
PAGE 220

RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session Tagged and Untagged VLAN Attributes When you configure a user profile on a RADIUS server to assign a VLAN to an authenticated client, you can use either the VLAN’s name or VLAN ID (VID) number. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify the VLAN.
PAGE 221

RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session Additional RADIUS Attributes The following attributes are included in Access-Request and Access-Account ing packets sent from the switch to the RADIUS server to advertise switch capabilities, report information on authentication sessions, and dynamically reconfigure authentication parameters: ■ MS-RAS-Vendor (RFC 2548): Allows ProCurve switches to inform a Microsoft RADIUS server that the switches are from P
PAGE 222

RADIUS Authentication, Authorization, and Accounting VLAN Assignment in an Authentication Session ProCurve(config)# show radius dyn-authorization Status and Counters - RADIUS Dynamic Authorization Information NAS Identifier : LAB-8212 Invalid Client Addresses (CoA-Reqs) : 0 Invalid Client Addresses (Disc-Reqs) : 0 Client IP Addr --------------154.34.23.106 154.45.234.
PAGE 223

RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting Note RADIUS Accounting Commands Page [no] radius-server host < ip-address > 5-50 [acct-port < port-number >] 5-50 [key < key-string >] 5-50 [no] aaa accounting < exec | network | system | commands> < start-stop | stop-only> radius 5-54 [no] aaa accounting update periodic < 1 - 525600 > (in minutes) 5-54 [no] aaa accounting suppress null-username 5-54 show accounting 5-59 show a
PAGE 224

RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting ■ Exec accounting: Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch: • • • • ■ Acct-Status-Type Acct-Terminate-Cause Calling-Station-Id MS-RAS-Vendor • • • • NAS-Identifier NAS-IP-Address Service-Type Username Acct-Authentic Acct-Delay-Time Acct-Session-Id Acct-Session-Time • • • • Acct-Terminate-Cause Calling-Station-Id MS-RAS-Vendor NAS-Identifier •
PAGE 225

RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting minute, it sends the accounting request packet to the RADIUS server without the Framed-IP-Address attribute. If the IP address is learned at a later time, it will be included in the next accounting request packet sent. The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server.
PAGE 226

RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting – – 2. 3. Optional—a UDP destination port for authentication requests. Otherwise the switch assigns the default UDP port (1812; recom mended). Optional—if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are desig nating, configure a server-specific key.
PAGE 227

RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. For switches that have a separate out-of-band manage ment port, the oobm parameter specifies that the RADIUS traffic will go through the out-of-band man agement (OOBM) port. [acct-port < port-number >] Optional. Changes the UDP destination port for accounting requests to the specified RADIUS server.
PAGE 228

RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting For example, suppose you want to the switch to use the RADIUS server described below for both authentication and accounting purposes. ■ IP address: 10.33.18.151 ■ A non-default UDP port number of 1750 for accounting.
PAGE 229

RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting Note that there is no time span associated with using the system option. It simply causes the switch to transmit whatever accounting data it currently has when one of the above events occurs. ■ Network: Use Network if you want to collect accounting information on 802.1X port-based-access users connected to the physical ports on the switch to access the network. (See also “Accounting Services” on page 4.
PAGE 230

RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting For example, to configure RADIUS accounting on the switch with start-stop for exec functions and stop-only for system functions: Configures exec and system accounting and controls. Summarizes the switch’s accounting configuration. Exec and System accounting are active. (Assumes the switch is configured to access a reachable Figure 5-19. Example of Configuring Accounting Types 3.
PAGE 231

RADIUS Authentication, Authorization, and Accounting Configuring RADIUS Accounting To continue the example in figure 5-19, suppose that you wanted the switch to: ■ Send updates every 10 minutes on in-progress accounting sessions. ■ Block accounting for unknown users (no username). Update Period Suppress Unknown User Figure 5-20.
PAGE 232

RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which. requires prior use of the radius-server host command. (See “Configuring RADIUS Accounting” on page 5-47.) Figure 5-21.
PAGE 233

RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Figure 5-22. RADIUS Server Information From the Show Radius Host Command Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the AccountingRequest that matched it from this RADIUS accounting server. PendingRequests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
PAGE 234

RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Term Definition Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions. AccessChallenges The number of RADIUS Access-Challenge packets (valid or invalid) received from this server. AccessAccepts The number of RADIUS Access-Accept packets (valid or invalid) received from this server.
PAGE 235

RADIUS Authentication, Authorization, and Accounting Viewing RADIUS Statistics Figure 5-24. Example of RADIUS Authentication Information from a Specific Server RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppres sion status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) config ured in the switch (using the radius-server host command).
PAGE 236

RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order Figure 5-26. Example of RADIUS Accounting Information for a Specific Server Figure 5-27. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command.
PAGE 237

RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order RADIUS server IP addresses listed in the order in which the switch will try to access them. In this case, the server at IP address 1.1.1.1 is first. Note: If the switch successfully accesses the first server, it does not try to access any other servers in the list, even if the client is denied access by the first server. Figure 5-28.
PAGE 238

RADIUS Authentication, Authorization, and Accounting Changing RADIUS-Server Access Order Removes the “003” and “001” addresses from the RADIUS server list. Inserts the “003” address in the first position in the RADIUS server list, and inserts the “001” address in the last position in the list. Shows the new order in which the switch searches for a RADIUS server. Figure 5-29.
PAGE 239

RADIUS Authentication, Authorization, and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch.
PAGE 240

RADIUS Authentication, Authorization, and Accounting Messages Related to RADIUS Operation 5-64
PAGE 241

6 Configuring RADIUS Server Support for Switch Services Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3 RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting . . . . . . . . . . . . . . . 6-4 Applied Rates for RADIUS-Assigned Rate Limits . . . . . . . . . . . . . . . . . 6-5 Viewing the Currently Active Per-Port CoS and Rate-Limiting Configuration Specified by a RADIUS Server . . . . . . . . . . . . .
PAGE 242

Configuring RADIUS Server Support for Switch Services Contents Configuring the Switch To Support RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24 Displaying the Current RADIUS-Assigned ACL Activity on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26 ICMP Type Numbers and Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28 Event Log Messages . . . . .
PAGE 243

Configuring RADIUS Server Support for Switch Services Overview Overview This chapter provides information that applies to setting up a RADIUS server to configure the following switch features on ports supporting RADIUSauthenticated clients: ■ CoS ■ Rate-Limiting ■ ACLS Optional Network Management Applications. Per-port CoS and ratelimiting assignments through a RADIUS server are also supported in the ProCurve Manager (PCM) application.
PAGE 244

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and RateLimiting This section provides general guidelines for configuring a RADIUS server to dynamically apply CoS (Class of Service) and Rate-Limiting for inbound traffic on ports supporting authenticated clients.
PAGE 245

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Service Control Method and Operating Notes: Rate-Limiting on inbound traffic This feature assigns a bandwidth limit to all inbound packets received on a port supporting an authenticated client. Vendor-Specific Attribute configured in the RADIUS server.
PAGE 246

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Table 6-2.
PAGE 247

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Syntax: show port-access authenticator [ port-list ] show rate-limit all show qos port-priority These commands display the CoS and Rate-Limiting settings specified by the RADIUS server used to grant authentication for a given client on a given port.
PAGE 248

Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.
PAGE 249

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuring and Using RADIUS-Assigned Access Control Lists Introduction A RADIUS-assigned ACL is configured on a RADIUS server and dynamically assigned by the server to filter traffic entering the switch through a specific port after the client is authenticated by the server. Note that client authenti cation can be enhanced by using ProCurve Manager with the optional IDM application.
PAGE 250

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists • RADIUS-assigned ACL: dynamic ACL assigned to a port by a RADIUS server to filter inbound traffic from an authenticated client on that port An ACL can be configured on an interface as a static port ACL. (RADIUS assigned ACLs are configured on a RADIUS server.) ACL Mask: Follows a destination IP address listed in an ACE.
PAGE 251

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Permit: An ACE configured with this action allows the switch to forward an inbound packet for which there is a match within an applicable ACL. Permit Any Any: An abbreviated form of permit in ip from any to any, which permits any inbound IP traffic from any source to any destination.
PAGE 252

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Overview of RADIUS-Assigned, Dynamic ACLs RADIUS-assigned ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources and to the switch management interface.
PAGE 253

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note A RADIUS-assigned ACL assignment filters all inbound IP traffic from an authenticated client on a port, regardless of whether the client’s IP traffic is to be switched or routed. RADIUS-assigned ACLs can be used either with or without PCM and IDM support. (Refer to “Optional PCM and IDM Applications” on page 6-3.
PAGE 254

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists RADIUS-assigned ACLs Static Port ACLs Allows one RADIUS-assigned ACL per authenticated client Supports static ACLs on a port. (Each such ACL filters traffic from a different, authenticated client.) Note: The switch provides ample resources for supporting RADIUS-assigned ACLs and other features.
PAGE 255

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists the same username/password pair. Where the client MAC address is the selection criteria, only the client having that MAC address can use the corre sponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client’s credentials to the port.
PAGE 256

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 3. Configure the ACLs on a RADIUS server accessible to the intended clients. 4. Configure the switch to use the desired RADIUS server and to support the desired client authentication scheme. Options include 802.1X, Web authentication, or MAC authentication. (Note that the switch supports the option of simultaneously using 802.1X with either Web or MAC authenti cation.) 5.
PAGE 257

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists through MAC Authentication, then the client MAC address forms the credential set.) For more on this topic, refer to “Configuring an ACL in a RADIUS Server” on page 6-17. ■ Multiple Clients Using the Same Username/Password Pair: Multiple clients using the same username/password pair will use duplicate instances of the same ACL.
PAGE 258

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists ■ ACL configuration, including: • one or more explicit “permit”and/or “deny” ACEs created by the system operator • implicit deny any any ACE automatically active after the last operatorcreated ACE Nas-Filter-Rule-Options Table 6-4.
PAGE 259

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Nas-filter-Rule = : Standard attribute for filtering inbound IPv4 traffic from an authenticated client. Refer also to table 6-4, “Nas-Filter-Rule Attribute Options” on page 6-18. HP-Nas-filter-Rule = : Legacy HP VSA for filtering inbound IPv4 traffic from an authenticated client. Refer also to table 6-4, “Nas-Filter-Rule Attribute Options” on page 6-18. “ . . .
PAGE 260

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists < ipv4-addr >: Specifies a single destination IPv4 address. < ipv4-addr /< mask >: Specifies a series of contiguous destination addresses or all destination addresses in a subnet. The < mask > is CIDR notation for the number of leftmost bits in a packet’s destination IPv4 address that must match the corre sponding bits in the destination IPv4 address listed in the ACE.
PAGE 261

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists client 10.10.10.125 nastype = other secret = 1234 Note: The key configured in the switch and the secret configured in the RADIUS server supporting the switch must be identical. Refer to the chapter titled “RADIUS Authentication and Accounting” in the latest Access Security Guide for your switch. Figure 6-3. Example of Switch Identity Information for a FreeRADIUS Application 3.
PAGE 262

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists VENDOR BEGIN-VENDOR ATTRIBUTE END-VENDOR HP 11 ProCurve (HP) Vendor-Specific ID HP HP-IP-FILTER-RAW 61 STRING HP ProCurve (HP) Vendor-Specific Attribute for RADIUS-assigned ACLs Note that if you were also using the RADIUS server to administer 802.1p (CoS) priority, you would also insert the ATTRIBUTE entries for these functions above the END VENDOR entry. Figure 6-4.
PAGE 263

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note For syntax details on RADIUS-assigned ACLs, refer to the next section, “Format Details for ACEs Configured in a RADIUS-Assigned ACL”. Client’s Username (802.1X or Web Authentication) Client’s Password (802.1X or Web Authentication) mobile011 Auth-Type:= Local, User-Password == run101112 HP-IP-FILTER-RAW = “permit in tcp from any to 10.10.10.
PAGE 264

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuration Notes Explicitly Permitting Any IP Traffic. Entering a permit in ip from any to any (permit any any) ACE in an ACL permits all IP traffic not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect. Explicitly Denying Any IP Traffic.
PAGE 265

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Syntax: aaa accounting network < start-stop | stop-only > radius Note Refer to the documentation provided with your RADIUS server for infor mation on how the server receives and manages network accounting information, and how to perform any configuration steps necessary to enable the server to support network accounting data from the switch. 3. Configure an authentication method.
PAGE 266

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Displaying the Current RADIUS-Assigned ACL Activity on the Switch These commands output data indicating the current ACL activity imposed perport by RADIUS server responses to client authentication.
PAGE 267

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Syntax: show port-access authenticator < port-list > For ports, in < port-list > that are configured for authentication, this command indicates whether there are any RADIUS-assigned features active on the port(s). (Any ports in < port-list > that are not configured for authentication do not appear in this listing.) Port: Port number of port configured for authentication.
PAGE 268

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists ProCurve(config)# show port-access authenticator 2-3 Port Access Authenticator Status Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Port ---2 3 Auth Clients -------1 1 Unauth Clients -------0 0 Untagged Tagged VLAN VLANs Port COS -------- ------ --------1 7 1 5 Kbps In Limit ----------90 50 RADIUS ACL -----No Yes Cntrl Dir ----In In Fi
PAGE 269

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Event Log Messages Message Meaning ACE parsing error, permit/deny keyword < ace-# > client < mac-address > port < port-# >. Notifies of a problem with the permit/deny keyword in the indicated ACE included in the access list for the indicated client on the indicated switch port. Could not add ACL entry. Notifies that the ACE entry could not be added to the internal ACL storage.
PAGE 270

Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Message Meaning Invalid Access-list entry length, client < mac-address > port < port-# >. Notifies that the string configured for an ACE entry on the Radius server exceeds 80 characters. Memory allocation failure for IDM ACL. Notifies of a memory allocation failure for a RADIUS assigned ACL assigned by a RADIUS server performing client authentication.
PAGE 271

7 Configuring Secure Shell (SSH) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 272

Configuring Secure Shell (SSH) Overview Overview Feature Generating a public/private key pair on the switch Using the switch’s public key Default Menu CLI Web No n/a page 7-10 n/a n/a n/a page 7-13 n/a Enabling SSH Disabled n/a page 7-15 n/a Enabling client public-key authentication Disabled n/a pages 7-21, 7-24 n/a Enabling user authentication Disabled n/a page 7-20 n/a The switches covered in this guide use Secure Shell version 2 (SSHv2) to provide remote access to management
PAGE 273

Configuring Secure Shell (SSH) Terminology Note SSH in ProCurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit www.openssh.com. Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication shown in figure 7-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key. As in figure 7-1, the switch authen ticates itself to SSH clients.
PAGE 274

Configuring Secure Shell (SSH) Terminology 7-4 ■ Enable Level: Manager privileges on the switch. ■ Login Level: Operator privileges on the switch. ■ Local password or username: A Manager-level or Operator-level password configured in the switch. ■ SSH Enabled: (1) A public/private key pair has been generated on the switch (generate ssh [dsa | rsa]) and (2) SSH is enabled (ip ssh). (You can generate a key pair without enabling SSH, but you cannot enable SSH without first generating a key pair.
PAGE 275

Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 7-2), then the client program must have the capability to generate or import keys.
PAGE 276

Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 7-1.
PAGE 277

Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 7-10). 2. Generate a public/private key pair on the switch (page 7-10). You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. (You can remove or replace this key pair, if necessary.) 3.
PAGE 278

Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes 7-8 ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 client key pairs. ■ The switch’s own public/private key pair and the (optional) client public key file are stored in the switch’s flash memory and are not affected by reboots or the erase startup-config command.
PAGE 279

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 7-19 show crypto client-public-key [] [keylist-str] [< babble | fingerprint>] 7-27 show crypto host-public-key [< babble | fingerprint >] 7-14 show authentication 7-23 crypto key < generate | zeroize > [autorun-key [rsa] | cert [rsa] | ssh [ dsa | rsa [bits ]] 7-11 ip ssh 7-16 cipher
PAGE 280

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration. To Configure Local Passwords. You can configure both the Operator and Manager password with one command.
PAGE 281

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be “permanent”; that is, avoid re-generating the key pair without a compelling reason.
PAGE 282

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation show crypto host-public-key Displays switch’s public key. Displays the version 1 and version 2 views of the key. [ babble ] Displays hashes of the switch’s public key in phonetic format. (See “Displaying the Public Key” on page 7-14.) [ fingerprint ] Displays fingerprints of the switch’s public key in hexadecimal format. (See “Displaying the Public Key” on page 7-14.
PAGE 283

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes "Zeroizing" the switch’s key automatically disables SSH (sets ip ssh to no). Thus, if you zeroize the key and then generate a new key, you must also reenable SSH with the ip ssh command before the switch can resume SSH operation. Configuring Key Lengths The crypto key generate ssh command allows you to specify the type and length of the generated host key.
PAGE 284

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation (The generated public key on the switch is always 896 bits.) With a direct serial connection from a management station to the switch: 1. Use a terminal application such as HyperTerminal to display the switch’s public key with the show crypto host-public-key command (figure 7-5). 2. Bring up the SSH client’s "known host" file in a text editor such as Notepad as straight ASCII text, and copy the switch’s public key into the file. 3.
PAGE 285

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation ■ Non-encoded ASCII numeric string: Requires a client ability to display the keys in the “known hosts” file in the ASCII format. This method is tedious and error-prone due to the length of the keys. (See figure 7-7 on page 7-14.) ■ Phonetic hash: Outputs the key as a relatively short series of alpha betic character groups. Requires a client ability to convert the key to this format.
PAGE 286

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note Before enabling SSH on the switch you must generate the switch’s public/ private key pair. If you have not already done so, refer to “2. Generating the Switch’s Public and Private Key Pair” on page 7-10. When configured for SSH, the switch uses its host public-key to authenticate itself to SSH clients.
PAGE 287

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation To disable SSH on the switch, do either of the following: ■ Execute no ip ssh. ■ Zeroize the switch’s existing key pair. (page 7-11). Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher ] Specify a cipher type to use for connection. Valid types are: • aes128-cbc • 3des-cbc • aes192-cbc • aes256-cbc • rijndael-cbc@lysator.liu.
PAGE 288

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [mac ] Allows configuration of the set of MACs that can be selected. Valid types are: • hmac-md5 • hmac-sha1 • hmac-sha1-96 • hmac-md5-96 Default: All MAC types are available. Use the no form of the command to disable a MAC type. [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 7-19.
PAGE 289

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note on Port Num b er ProCurve recommends using the default TCP port number (22). However, you can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http). Some other reserved TCP ports on the switch are 49, 80, 1506, and 1513.
PAGE 290

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation access to the serial port (and the Clear button, which removes local password protection), keep physical access to the switch restricted to authorized per sonnel. 5. Configuring the Switch for SSH Authentication Note that all methods in this section result in authentication of the switch’s public key by an SSH client. However, only Option B, below results in the switch also authenticating the client’s public key.
PAGE 291

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option B: Configuring the Switch for Client Public-Key SSH Authentication. If configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public-key for the switch to authenticate. This option requires the additional step of copying a client public-key file from a TFTP server into the switch. This means that before you can use this option, you must: 1.
PAGE 292

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh enable < local | tacacs | radius > < local | none > Configures a password method for the primary and second ary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none. If the primary access method is local, you can only specify none for a secondary access method. Note: The configuration of SSH clients’ public keys is stored in flash memory on the switch.
PAGE 293

Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configures Manager username and password. ProCurve(config)# password manager user-name leader New password for Manager: ******** Please retype new password for Manager: ******** ProCurve(config)# aaa authentication ssh login public-key none ProCurve(config)# aaa authentication ssh enable tacacs local ProCurve(config)# coy tftp pub-key-file 10.33.18.117 ProCurve(config)# write memory Copies a public key file named "Client-Keys.
PAGE 294

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems" in the Troubleshooting chapter of the Manage ment and Configuration Guide for your switch. Further Information on SSH Client Public-Key Authentication The section titled “5.
PAGE 295

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 1. The client sends its public key to the switch with a request for authenti cation. 2. The switch compares the client’s public key to those stored in the switch’s client-public-key file. (As a prerequisite, you must use the switch’s copy tftp command to download this file to flash.) 3.
PAGE 296

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication To Create a Client-Public-Key Text File. These steps describe how to copy client-public-keys into the switch for challenge-response authentication, and require an understanding of how to use your SSH client application. Bit Size Modulus Exponent Comment Figure 7-13. Example of a Client Public Key Notes Comments in public key files, such as smith@support.cairns.
PAGE 297

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 2. Copy the client’s public key into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft® Windows® software. If you want several clients to use client public-key authentica tion, copy a public key for each of these clients (up to ten) into the file. Each key should be separated from the preceding key by a . 3.
PAGE 298

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication The operator option replaces the key(s) for operator access (default); follow with the ‘append’ option to add the key(s). For switches that have a separate out-of-band manage ment port, the oobm parameter specifies that the traffic will go through the out-of-band management interface. If this parameter is not specified, the traffic goes through the data interface.
PAGE 299

Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication For example, if you wanted to copy a client public-key file named clientkeys.txt from a TFTP server at 10.38.252.195 and then display the file contents: Key Index Number Figure 7-14. Example of Copying and Displaying a Client Public-Key File Containing Two Different Client Public Keys for the Same Client Replacing or Clearing the Public Key File.
PAGE 300

Configuring Secure Shell (SSH) Messages Related to SSH Operation Syntax: aaa authentication ssh login public-key none Allows SSH client access only if the switch detects a match between the client’s public key and an entry in the client public-key file most recently copied into the switch. Caution To enable client public-key authentication to block SSH clients whose public keys are not in the client-public-key file copied into the switch, you must configure the Login Secondary as none.
PAGE 301

Configuring Secure Shell (SSH) Messages Related to SSH Operation Meaning Message The client key does not exist in the switch. Use copy Client public key file corrupt or not found. Use 'copy tftp pub-key-file ' to download new file. Download failed: overlength key in key file. Download failed: too many keys in key file. Download failed: one or more keys is not a valid public key.
PAGE 302

Configuring Secure Shell (SSH) Messages Related to SSH Operation Debug Logging To add ssh messages to the debug log output, enter this command: ProCurve# debug ssh LOGLEVEL where LOGLEVEL is one of the following (in order of increasing verbosity): 7-32 • fatal • error • info • verbose • debug • debug2 • debug3
PAGE 303

8 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 Steps for Configuring and Using SSL for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 304

Configuring Secure Socket Layer (SSL) Overview Overview Feature Generating a Self Signed Certificate on the switch Generating a Certificate Request on the switch Enabling SSL Default Menu CLI Web No n/a page 8-8 page 8-12 No n/a n/a page 8-15 Disabled n/a page 8-17 page 8-19 The switches covered in this guide use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security(TLSv1) to provide remote web access to the switches via encrypted paths between the switch and manag
PAGE 305

Configuring Secure Socket Layer (SSL) Terminology 1. Switch-to-Client SSL Cert. ProCurve Switch SSL Client Browser 2. User-to-Switch (login password and enable password authentication) options: – Local – TACACS+ – RADIUS (SSL Server) Figure 8-1.
PAGE 306

Configuring Secure Socket Layer (SSL) Terminology 8-4 ■ Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-Signed Certificates) and used later on to verify that authenticity of those signed certificates. Trusted certificates are distrib uted as an integral part of most popular web clients. (see browser docu mentation for which root certificates are pre-installed). ■ Manager Level: Manager privileges on the switch.
PAGE 307

Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include: A. Client Preparation 1.
PAGE 308

Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes 8-6 ■ Once you generate a certificate on the switch you should avoid re generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all management stations (clients) you previously set up for SSL access to the switch. In some situations this can temporarily allow security breaches.
PAGE 309

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl page 8-19 show config page 8-19 show crypto host-cert page 8-12 crypto key generate cert [rsa] <512 | 768 |1024> page 8-10 zeroize cert page 8-10 crypto host-cert generate self-signed [arg-list] page 8-10 zeroize page 8-10 1.
PAGE 310

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Security Tab Password Button Figure 8-2. Example of Configuring Local Passwords 1. Proceed to the security tab and select device passwords button. 2. Click in the appropriate box in the Device Passwords window and enter user names and passwords. You will be required to repeat the password strings in the confirmation boxes. Both the user names and passwords can be up to 16 printable ASCII characters. 3.
PAGE 311

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.) The server certificate is stored in the switch’s flash memory. The server certificate should be added to your certificate folder on the SSL clients who you want to have access to the switch.
PAGE 312

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI commands used to generate a Server Host Certificate. Syntax: crypto key generate cert [rsa] < 512 | 768 |1024 > Generates a key pair for use in the certificate. crypto key zeroize cert Erases the switch’s certificate key and disables SSL opera tion. crypto host-cert generate self-signed [arg-list] Generates a self signed host certificate for the switch.
PAGE 313

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Table 8-1. Certificate Field Descriptions Field Name Description Valid Start Date This should be the date you desire to begin using the SSL functionality. Valid End Date This can be any future date, however good security practices would suggest a valid duration of about one year between updates of passwords and keys. Common name This should be the IP address or domain name associated with the switch.
PAGE 314

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI Command to view host certificates. Syntax: show crypto host-cert Displays switch’s host certificate To view the current host certificate from the CLI you use the show crypto host cert command. For example, to display the new server host certificate: Show host certificate command Figure 8-4.
PAGE 315

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To generate a self signed host certificate from the web browser interface: i. Proceed to the Security tab then the SSL button. The SSL config uration screen is split up into two halves. The left half is used in creating a new certificate key pair and (self-signed / CA-signed) certificate. The right half displays information on the currently installed certificate. ii. Select the Generate Certificate button. iii.
PAGE 316

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers inter face: Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments Figure 8-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface: 8-14 1. Proceed to the Security tab 2.
PAGE 317

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 8-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web browser interface To install a CA-Signed server host certificate from the web browser interface.
PAGE 318

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.
PAGE 319

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE---- MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEU
PAGE 320

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generating the Switch’s Server Host Certificate” on page 8-8.
PAGE 321

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI Interface to Enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443). Important: See “Note on Port Number” on page 8-20. show config Shows status of the SSL server. When enabled webmanagement ssl will be present in the config list. To enable SSL on the switch 1.
PAGE 322

Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and port number Selection Figure 8-8. Using the web browser interface to enable SSL and select TCP port number Note on Port Number ProCurve recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to specify any TCP port for SSL connec tions except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http).
PAGE 323

Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 8-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host certificate. (Refer to “Generate a SelfSigned Host Certificate with the Web browser interface” on page 8-12.) You may be using a reserved TCP port.
PAGE 324

Configuring Secure Socket Layer (SSL) Common Errors in SSL setup 8-22
PAGE 325

9 IPv4 Access Control Lists (ACLs) Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4 ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4 Optional Network Management Applications . . . . . . . . . . . . . . . . . . . . 9-4 Optional PCM and IDM Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 General Application Options . . . . . . . . . . . . . . . . . . .
PAGE 326

IPv4 Access Control Lists (ACLs) Contents Guidelines for Planning the Structure of an ACL . . . . . . . . . . . . . . . . 9-24 ACL Configuration and Operating Rules . . . . . . . . . . . . . . . . . . . . . . . 9-25 How an ACE Uses a Mask To Screen Packets for Matches . . . . . . . . 9-26 What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs? . . . . . . . . . . . . . . . . . . . . 9-27 Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) . . . . . .
PAGE 327

IPv4 Access Control Lists (ACLs) Contents Editing ACLs and Creating an ACL Offline . . . . . . . . . . . . . . . . . . . . 9-61 Using the CLI To Edit ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-61 General Editing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-62 Deleting Any ACE from an ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-62 Working Offline To Create or Edit an ACL . . . . . . . . . . . . . . . . . . . . .
PAGE 328

IPv4 Access Control Lists (ACLs) Introduction Introduction Feature Default Menu CLI Web Standard ACLs None — 9-40 — Extended ACLs None — 9-45 — Named ACLs — 9-51 — Enable or Disable an ACL — 9-53 — Numbered ACLs Display ACL Data n/a — 9-55 — Delete an ACL n/a — 9-54 — Configure an ACL from a TFTP Server n/a — 9-64 — Enable ACL Logging n/a — 9-69 — Show ACL Resources n/a — 9-20 — Access-List Resources Help n/a — 9-19 — ACL Applications ACLs can filter tr
PAGE 329

IPv4 Access Control Lists (ACLs) Introduction Optional PCM and IDM Applications ProCurve Manager is a Windows-based network management solution for all manageable ProCurve devices. It provides network mapping and polling capabilities, device auto-discovery and topology, tools for device configura tion and management, monitoring network traffic, and alerts and trouble shooting information for ProCurve networks.
PAGE 330

IPv4 Access Control Lists (ACLs) Introduction For ACL filtering to take effect, configure an ACL and then assign it to the inbound traffic on a statically configured port or trunk. Table 9-1.
PAGE 331

IPv4 Access Control Lists (ACLs) Terminology Action Command Page Deleting an ACL from the Switch ProCurve(config)# no ip access-list < standard < name-str | 1-99 >> ProCurve(config)# no ip access-list < extended < name-str | 100 -199 >> Displaying ACL Data ProCurve(config)# show access-list 9-54 9-55 ProCurve(config)# show access-list [ acl-name-string ] ProCurve(config)# show access-list config ProCurve(config)# show access-list ports < port-list > ProCurve(config)# show access-list radius ProCurve
PAGE 332

IPv4 Access Control Lists (ACLs) Terminology ACL ID: A number or alphanumeric string used to identify an ACL. A standard ACL ID can have either a number from 1 to 99 or an alphanumeric string. An extended ACL ID can have either a number from 100 to 199 or an alphanumeric string. ACL Mask: Follows an IP address (source or destination) listed in an ACE to specify either a subnet or a group of devices.
PAGE 333

IPv4 Access Control Lists (ACLs) Terminology the ACL. Doing so permits an inbound packet that is not explicitly permit ted or denied by other ACEs configured sequentially earlier in the ACL. Unless otherwise noted, “implicit deny IP any” refers to the “deny” action enforced by both standard and extended ACLs. Inbound Traffic: For the purpose of defining where the switch applies ACLs to filter traffic, inbound traffic is any IP packet that: • Enters the switch through a physical port.
PAGE 334

IPv4 Access Control Lists (ACLs) Overview Overview Types of IP ACLs Standard ACL: Use a standard ACL when you need to permit or deny traffic based on source IP address. Standard ACLs are also useful when you need to quickly control a performance problem by limiting traffic from a subnet, group of devices, or a single device. (This can block all inbound IP traffic from the configured source, but does not block traffic from other sources within the network.
PAGE 335

IPv4 Access Control Lists (ACLs) Overview The subnet mask for this example is 255.255.255.0. 2610Switch with IP Routing Enabled Port 1 VLAN B 10.28.20.1 (One Subnet) Port 2 VLAN C 10.28.40.1 10.28.30.1 Port 4 18.28.40.17 Port 3 (Multiple Subnets) 10.28.30.33 Because of multinetting, traffic routed from 10.28.40.17 to 10.28.30.33 remains in VLAN C. To filter inbound traffic from 10.28.40.17, the ACL must configured on port 3. 10.28.20.99 VLAN A 10.28.10.1 (One Subnet) 10.28.10.5 Figure 9-1.
PAGE 336

IPv4 Access Control Lists (ACLs) Overview General Steps for Planning and Configuring ACLs 1. Identify the traffic type to filter. Options include: • Any inbound IP traffic • Inbound TCP traffic only • Inbound UDP traffic only 2. The SA and/or the DA of inbound traffic you want to permit or deny. 3. Determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted traffic at the edge of the network instead of in the core. 4.
PAGE 337

IPv4 Access Control Lists (ACLs) ACL Operation ACL Operation Introduction An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). An ACL applies only to the switch in which it is configured. ACLs operate on assigned ports and static trunks, and filter these traffic types: ■ Traffic entering the switch. (Note that ACLs do not screen traffic at any internal point.
PAGE 338

IPv4 Access Control Lists (ACLs) ACL Operation The Packet-Filtering Process Sequential Comparison and Action. When the switch uses an ACL to fil ter a packet, it sequentially compares each ACE’s filtering criteria to the corresponding data in the packet until it finds a match. For a packet with a source IP address of 10.28.156.3, the switch: 1. Compares the packet to this ACE first. 2.
PAGE 339

IPv4 Access Control Lists (ACLs) ACL Operation Note on Implicit Deny For ACLs configured to filter inbound packets, note that Implicit Deny filters any packets, including those with a DA specifying the switch itself. This operation helps to prevent management access from unauthorized IP sources. 1. If a match is not found with the first ACE in an ACL, the switch proceeds to the next ACE and so on. Test a packet against criteria in first ACE. Is there a match? Yes Perform action (permit or deny).
PAGE 340

IPv4 Access Control Lists (ACLs) ACL Operation 2. Deny only the inbound Telnet traffic sent from IP address 11.11.11.101. 3. Permit only inbound Telnet traffic sent from IP address 11.11.11.33. 4. Deny all other inbound traffic on port 12. The following ACL model, when assigned to inbound filtering on port 12, supports the above case: 1 2 3 4 5 1. Permits IP traffic inbound from source address 11.11.11.42.
PAGE 341

IPv4 Access Control Lists (ACLs) Planning an ACL Application Overriding the Implicit “Deny Any”. If you want an ACL to permit any inbound packets that are not explicitly denied by other entries in the ACL, you can do so by configuring a permit any entry as the last entry in the ACL. Doing so permits any packet not explicitly denied by earlier entries. (On extended ACLs, you must configure permit ip any any.
PAGE 342

IPv4 Access Control Lists (ACLs) Planning an ACL Application Rule Usage ■ There is only one implicit “deny any” entry per device for CLI ACLs, and one implicit “deny any” entry per device for IDM ACLs. ■ The implicit “deny any” entry is created only the first time an ACL is applied to a port. After that the port-map is updated for that “deny any” entry to include or remove additional ports. ■ Each ACE, including the implicit deny any ACE in a standard ACL, uses one rule.
PAGE 343

IPv4 Access Control Lists (ACLs) Planning an ACL Application The following two CLI commands are useful for planning and monitoring rule and mask usage in an ACL configuration. Syntax: access-list resources help Provides a quick reference on how ACLs use rule resources. Includes most of the information in table 9-2, plus an ACL usage summary.
PAGE 344

IPv4 Access Control Lists (ACLs) Planning an ACL Application 3. Determine which of the existing policies you can remove to free up rule resources for the ACL policy you want to implement. Depending on your network topology and configuration, you can free up rule resources by moving some policies to other devices. Another alternative is to inspect the switch’s existing configuration for inefficient applications that could be removed or revised to achieve the desired policies with less resource usage.
PAGE 345

IPv4 Access Control Lists (ACLs) Planning an ACL Application (Assume that ports 1-4 are tagged members of VLAN 22, although tagged/ untagged ports do not affect ACL operation because ACLs examine all inbound traffic, regardless of VLAN membership.) The system administrator wants to: ■ Permit inbound VLAN 1 traffic on all ports ■ Permit inbound VLAN 2 traffic on ports 1 - 4 from hosts 10.10.10.1-30 ■ Deny inbound VLAN 2 traffic on ports 1 - 4 from hosts 10.10.10.
PAGE 346

IPv4 Access Control Lists (ACLs) Planning an ACL Application ProCurve(config)# ProCurve(config)# ProCurve(config)# ProCurve(config)# ProCurve(config)# 4. Permit the hosts in the range of 10.10.11.1 - 30. 5. Allow the implicit deny (automatically present in all ACLs) to deny all other traffic, which will automatically include the hosts in the range 10.10.10.32 - 255. access-list 1 permit 10.10.10.1/24 access-list 1 permit 10.10.12.1/24 access-list 1 deny host 10.10.11.31 access-list 1 permit 10.10.11.
PAGE 347

IPv4 Access Control Lists (ACLs) Traffic Management and Improved Network Performance Traffic Management and Improved Network Performance You can use ACLs to block unnecessary traffic caused by individual hosts, workgroups, or subnets, and to block user access to subnets, devices, and services. Answering the following questions can help you to design and properly position ACLs for optimum network usage.
PAGE 348

IPv4 Access Control Lists (ACLs) Traffic Management and Improved Network Performance ■ Preventing the use of specific TCP or UDP functions (such as Telnet, SSH, web browser) for unauthorized access You can also enhance switch management security by using ACLs to block inbound IP traffic that has the switch itself as the destination address (DA). Caution ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security.
PAGE 349

IPv4 Access Control Lists (ACLs) Traffic Management and Improved Network Performance ACL Configuration and Operating Rules ■ Per-Interface ACL Limits. At a minimum an ACL will have one explicit “deny” Access Control Entry.
PAGE 350

IPv4 Access Control Lists (ACLs) Traffic Management and Improved Network Performance ■ ACLs Operate On Ports and Static Trunk Interfaces: You can assign an ACL to any port and/or any statically configured trunk on the switch. ACLs do not operate with dynamic (LACP) trunks. ■ ACLs Screen Only the Traffic Entering the Switch on a Port or Static Trunk Interface: On a given interface, ACLs can screen inbound traffic at the point where it enters the switch.
PAGE 351

IPv4 Access Control Lists (ACLs) Traffic Management and Improved Network Performance What Is the Difference Between Network (or Subnet) Masks and the Masks Used with ACLs? In common IP addressing, a network (or subnet) mask defines which part of the IP address to use for the network number and which part to use for the hosts on the network. For example: IP Address Mask Network Address 18.38.252.195 255.255.255.0 first three octets Host Address The fourth octet. 18.38.252.195 255.255.248.
PAGE 352

IPv4 Access Control Lists (ACLs) Traffic Management and Improved Network Performance Rules for Defining a Match Between a Packet and an Access Control Entry (ACE) ■ For a given ACE, when the switch compares an IP address and corresponding mask in the ACE to an IP address carried in a packet: • A mask-bit setting of 0 (“off”) requires that the corresponding bit in the packet’s IP address and in the ACE’s IP address must be the same.
PAGE 353

IPv4 Access Control Lists (ACLs) Traffic Management and Improved Network Performance ■ Every IP address and mask pair (source or destination) used in an ACE creates one of the following policies: • Any IP address fits the matching criteria. In this case, the switch automatically enters the IP address and mask in the ACE. For exam ple: access-list 1 deny any produces this policy in an ACL listing: IP Address Mask 0.0.0.0 255.255.255.
PAGE 354

IPv4 Access Control Lists (ACLs) Traffic Management and Improved Network Performance Example of How the Mask Bit Settings Define a Match . Assume an ACE where the second octet of the mask for an SA is 7 (the rightmost three bits are “on”, or “1”) and the second octet of the corresponding SA in the ACE is 31 (the rightmost five bits). In this case, a match occurs when the second octet of the SA in a packet being filtered has a value in the range of 24 to 31. Refer to table 9-3, below. Table 9-3.
PAGE 355

IPv4 Access Control Lists (ACLs) Traffic Management and Improved Network Performance . This ACL (a standard ACL named “Fileserver”) includes an ACE (Access Control Entry) that permits matches only with the packets received from IP address 10.28.252.117 (the SA). Packets from any other source do not match and are denied. ip access-list standard Fileserver permit 10.28.252.117 ACE 0.0.0.
PAGE 356

IPv4 Access Control Lists (ACLs) Traffic Management and Improved Network Performance Table 9-5.
PAGE 357

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Configuring and Assigning an ACL ACL Feature Page Configuring and Assigning a Numbered, Standard ACL 9-40 Configuring and Assigning a Numbered, Extended ACL 9-45 Configuring a Named ACL 9-51 Enabling or Disabling ACL Filtering 9-53 Overview General Steps for Implementing ACLs Caution Regarding the Use of Source Routing 1. Configure at least one ACL. This creates and stores the ACL in the switch configuration. 2. Assign an ACL.
PAGE 358

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL You should carefully plan your ACL application before configuring specific ACLs. For more on this topic, refer to “Planning an ACL Application” on page 9-17. ACL Configuration Structure After you enter an ACL command, you may want to inspect the resulting configuration. This is especially true where you are entering multiple ACEs into an ACL.
PAGE 359

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Standard ACL Structure Individual ACEs in a standard ACL include only a permit/deny “type” state ment, the source IP addressing, and an optional log command (available with “deny” statements). ip access-list < type > "< name-str | 1-99 >" permit host < source-ip-address > deny < source-ip-address > < acl-mask > [log] . . . permit any Figure 9-8.
PAGE 360

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL ip access-list < type > “< name-str | 100-199 >”< permit | deny > ip < source-ip-address > < source-acl-mask > < destination-ip-address > < destination-acl-mask > [log] Note: The optional log function appears only with “deny” aces.
PAGE 361

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL ACL Configuration Factors ACL Resource Consumption Consumption of resources can be a significant factor in switches using exten sive ACL applications. In this case, resource usage takes precedence over other factors when planning and configuring ACLs. For more information on this topic, refer to “Planning an ACL Application” on page 9-17.
PAGE 362

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Table 9-6. Line # Effect of the ACL in Figure 9-12 on Inbound Traffic on the Assigned Port Action 1 Shows list type (extended) and ID (101). 2 A packet from IP source address 10.28.235.10 will be denied (dropped). This line filters out all packets received from 10.28.235.10. As a result, IP traffic from that device will not be routed or switched, and packets from that device will not be compared against any later entries in the list.
PAGE 363

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Using the CLI To Create an ACL Command Page access-list (standard ACLs) 9-40 access-list (extended ACLs) 9-45 ip access-list (named ACLs) 9-51 You can use either the switch CLI or an offline text editor to create an ACL. This section describes the CLI method, which is recommended for creating short ACLs. (To use the offline method, refer to “Editing ACLs and Creating an ACL Offline” on page 9-61.
PAGE 364

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Table 9-7. Examples of CIDR Notation for Masks IP Address Used In an ACL with CIDR Notation Resulting ACL Mask Meaning 18.38.240.125/15 0.1.255.255 The leftmost 15 bits must match; the remaining bits are wildcards. 18.38.240.125/20 0.0.15.255 The leftmost 20bits must match; the remaining bits are wildcards. 18.38.240.125/21 0.0.7.255 The leftmost 21 bits must match; the remaining bits are wildcards. 18.38.240.125/24 0.0.0.
PAGE 365

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Note For a summary of ACL commands, refer to table 9-1, “Comprehensive Com mand Summary”, on page 9-6. Syntax: [no] access-list Creates an ACE in the specified (1-99) access list and indicates the action (deny or permit) to take on a packet if there is a match between the packet and the criterion in the entry. If the ACL does not already exist, this command creates the specified ACL and its first ACE.
PAGE 366

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL • IP-addr / mask-length — Performs the specified action on any IP packet having a source address within the range defined by either < src-ip-addr / cidr-mask-bits > or < src-ip-addr < mask >> Use this criterion to filter packets received from either a subnet or a group of contiguous IP addresses. The mask can be in either dotted-decimal format or CIDR format with the number of significant bits.
PAGE 367

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Example of a Standard ACL. Suppose you wanted to configure a standard ACL and assign it to filter inbound traffic on port 10 in a particular switch: ProCurve(config)# ProCurve(config)# ProCurve(config)# ProCurve(config)# ProCurve(config)# ProCurve(config)# ■ The ID you selected for this ACL is “50”. ■ You want the ACL to deny IP traffic from all hosts except these three: • 10.128.100.10 • 10.128.100.27 • 10.128.100.
PAGE 368

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL In a situation opposite to the above, suppose that you wanted to deny inbound IP traffic received on port 20 from 10. 128.93.17 and 10.130.93.25, but permit all other IP traffic on this VLAN.
PAGE 369

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Configuring and Assigning a Numbered, Extended ACL This section describes how to configure numbered, extended ACLs. To con figure other ACL types, refer to the following table.
PAGE 370

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Syntax: [no] access-list Creates an ACE in the specified (100-199) access list and: • Indicates the action (deny or permit) to take on a packet if there is a match between the packet and the criteria in the complete ACE. • Specifies the packet protocol type (IP, TCP, or UDP). • Specifies the source and destination addressing options described in the remainder of this section.
PAGE 371

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL < any | host < src-ip-addr > | ip-addr/mask -length > In an extended ACL, this parameter defines the source IP address (SA) that a packet must carry in order to have a match with the ACE. • any — Specifies all inbound IP packets. • host < src-ip-addr > — Specifies only inbound packets from a single IP address. Use this option when you want to match only the IP packets from one source IP address (device).
PAGE 372

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Comparison Operator: • eq < tcp/udp-port-nbr > — “Equal To”; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to < tcp/udp-port-nbr >. Port Number or Well-Known Port Name: Use the TCP or UDP port number required by your application.
PAGE 373

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Example of an Extended ACL. Suppose that you want to implement these policies on ports 1, 2, and 3: A. Permit Telnet traffic from 10.10.10.44 inbound on port 1 to 10.10.20.78, deny all other inbound IP traffic from network 10.10.10.0 (VLAN 10) to 10.10.20.0 (VLAN 20), and permit all other IP traffic from any source to any destination. (See “A” in figure 9-15, below.) B. Permit FTP traffic from IP address 10.10.20.100 on port 2 to 10.10.30.
PAGE 374

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL ProCurve(config)# eq telnet ProCurve(config)# ProCurve(config)# ProCurve(config)# ProCurve(config)# eq ftp ProCurve(config)# ProCurve(config)# ProCurve config)# ProCurve(config)# ProCurve(config)# access-list 110 permit tcp host 10.10.10.44 host 10.10.20.78 access-list access-list interface 1 access-list 110 deny ip 10.10.10.1/24 10.10.20.1/24 110 permit ip any any A (Refer to figure 9-15, above.
PAGE 375

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL Configuring a Named ACL You can use the “Named ACL” context to configure a standard or extended ACL with an alphanumeric name instead of a number. Note that the command structure for configuring a named ACL differs from that for a numbered ACL.
PAGE 376

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL < name-str | 1-99 | 100-199 > Consists of an alphanumeric string of up to 64 casesensitive characters. If you include a space in the string, you must also enclose the string with quotes. For example, “ACL # 1". You can also enter numbers in the ranges associated with standard (1-99) and extended (100-199) ACLs.
PAGE 377

IPv4 Access Control Lists (ACLs) Configuring and Assigning an ACL ProCurve ProCurve telnet ProCurve ProCurve ProCurve ProCurve (config)# ip access-list extended 150 (config-ext-nacl)# permit tcp host 10.10.20.200 10.10.10.1/24 eq (config-ext-nacl)# exit Command Entry for (config)# write mem Source IP Address (config)# interface 12 ip access-group 150 in and Mask (config)# show config Startup configuration: ; J9085A Configuration Editor; Created on release #A.14.
PAGE 378

IPv4 Access Control Lists (ACLs) Deleting an ACL from the Switch Enabling an ACL from the Global Configuration Level Enabling an ACL from a interface Context. Disabling an ACL from the Global Configuration Level Disabling an ACL from an Interface Context. Figure 9-18.
PAGE 379

IPv4 Access Control Lists (ACLs) Displaying ACL Data Displaying ACL Data ACL Commands Function Page show access-list View a brief listing of all ACLs on the switch. 9-55 show access-list config Display the ACL lists configured in the switch. 9-56 show access-list ports < all | < interface >> List the name and type of ACLs assigned to all ports on the switch or to a particular port configured on the switch.
PAGE 380

IPv4 Access Control Lists (ACLs) Displaying ACL Data ProCurve(config)# show access-list Access Control Lists Type ---ext ext ext std std Appl ---yes yes yes yes yes Name ----------------------------110 120 150 50 60 Figure 9-19. Example of a Summary Table of Access Lists Term Meaning Type Shows whether the listed ACL is std (Standard; source-address only) or ext (Extended; protocol, source, and destination data). Appl Shows whether the listed ACL has been applied to an interface (yes/no).
PAGE 381

IPv4 Access Control Lists (ACLs) Displaying ACL Data Note Notice that you can use the output from this command for input to an offline text file in which you can edit, add, or delete ACL commands. Refer to “Editing ACLs and Creating an ACL Offline” on page 9-61. This information also appears in the show running display. If you executed write memory after configuring an ACL, it appears in the show config display.
PAGE 382

IPv4 Access Control Lists (ACLs) Displaying ACL Data Note This information also appears in the show running display. If you executed write memory after configuring an ACL, it appears in the show config display. For example, if you assigned a standard ACL with an ACL-ID of “1” to filter inbound traffic on port 10, you could quickly verify this assignment as follows: Indicates that a standard ACL with the ID of “2” is assigned to filter inbound traffic on port 7.
PAGE 383

IPv4 Access Control Lists (ACLs) Displaying ACL Data For example, suppose you configured the following ACL in the switch: ACL ID ACL Type Desired Action 2 Standard • Deny IP traffic from 18.28.236.77 and 18.29.140.107. • Permit IP traffic from all other sources. Inspect the ACL as follows: ProCurve Switch(config)# show access-list 2 Access Control Lists Name: 2 Type: Standard Applied: Yes Indicates whether the ACL is assigned to an interface.
PAGE 384

IPv4 Access Control Lists (ACLs) Displaying ACL Data Table 9-8. Descriptions of Data Types Included in Show Access-List < interface > Output Field Description Name The ACL identifier. Can be a number from 1 to 199, or a name. Type Standard or Extended. The former uses only source IP addressing. The latter uses both source and destination IP addressing and also allows TCP or UDP port specifiers. Applied “Yes” means the ACL has been applied to an interface.
PAGE 385

IPv4 Access Control Lists (ACLs) Editing ACLs and Creating an ACL Offline ProCurve(config)# show access-list resources Policy Engine Resource Usage Rules Rules Group Group Allocated Used Number ------------------------+------------+------------+------------+ QoS | 0 | 0 | 1 | CLI-ACL | 0 | 0 | 2 | IDM-ACL | 256 | 126 | 3 | Free | 128 | Figure 9-23.
PAGE 386

IPv4 Access Control Lists (ACLs) Editing ACLs and Creating an ACL Offline Note Before editing an assigned ACL, you must use the no interface < interface > ip access-group < acl-# > in command to remove the ACL from all interfaces to which it is assigned. Using the CLI To Edit a Short ACL. To insert a new ACE between exist ing ACEs in a short ACL, you may want to delete the ACL and then re-configure it by entering your updated list of ACEs in the correct order. Using the CLI to Edit a Longer ACL.
PAGE 387

IPv4 Access Control Lists (ACLs) Editing ACLs and Creating an ACL Offline no access-list < name-str | 100-199 > < permit | deny > < ip | tcp | udp > < src-addr: any | host | ip-addr/mask-length > [operator < src-port-num >] < dest-addr: any | host | ip-addr-mask-length > [operator < dest-port-num> [log] Deletes an ACE from an extended ACL. All variable param eters in the command must be an exact match with their counterparts in the ACE you want to delete.
PAGE 388

IPv4 Access Control Lists (ACLs) Editing ACLs and Creating an ACL Offline ACL 103 Before Removing the Second “deny” ACE. Use no access-list to remove this line from ACL 103. Use no access-list to remove this line from ACL 103. ACL 103 After Removing the Second “deny” ACE. Figure 9-25. Example of Deleting an ACE from an Extended ACL Working Offline To Create or Edit an ACL Note When creating an ACL offline, ensure that there are sufficient rules available for the ACEs you plan to apply to the ACL.
PAGE 389

IPv4 Access Control Lists (ACLs) Editing ACLs and Creating an ACL Offline • To create a new ACL, just open a text file in the appropriate directory on a TFTP server accessible to the switch. 2. Use the text editor to create or edit the ACL(s). 3. Use copy tftp command-file to download the file as a list of commands to the switch. Creating an ACL Offline Use a text editor that allows you to create an ASCII text file (.txt).
PAGE 390

IPv4 Access Control Lists (ACLs) Editing ACLs and Creating an ACL Offline ■ Permit internet access to the following two IP addresses through port 24, but deny access to all other addresses through this port (without ACL logging). • 10.10.20.98 • 10.10.20.21 ■ Deny all traffic from port 3 to the server at 10.10.10.100 (without ACL logging). ■ Deny all traffic from port 5 to the server at 10.10.10.100 (without ACL logging), but allow any other traffic from port 5. 1.
PAGE 391

IPv4 Access Control Lists (ACLs) Editing ACLs and Creating an ACL Offline 2. After you copy the above .txt file to a TFTP server the switch can access, you would then execute the following command to download the file to the switch’s startup-config file: Figure 9-28. Example of Using “copy tftp command-file” To Configure an ACL in the Switch Note If a transport error occurs, the switch does not execute the command and the ACL is not configured. 3.
PAGE 392

IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging 6. If the configuration appears satisfactory, save it to the startup-config file: ProCurve(config)# write memory Enable ACL “Deny” Logging ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” action.
PAGE 393

IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging ACL Logging Operation When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination. The first time a packet matches an ACE with deny and log configured, the message is sent immediately to the destination and the switch starts a wait-period of approximately five minutes.
PAGE 394

IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging ■ On port 10, configure an extended ACL with an ACL-ID of 143 to deny Telnet traffic from IP address 10.38.100.127. ■ Configure the switch to send an ACL log message to the console and to a Syslog server at IP address 10.38.110.54 on port 11 if the switch detects a match denying Telnet access from 10.38.100.127. Syslog Server Console 10.38.110.
PAGE 395

IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Figure 9-32. Commands for Applying an ACL with Logging to Figure 9-31 Operating Notes for ACL Logging ■ The ACL logging feature generates a message only when packets are explicitly denied as the result of a match, and not when explicitly permitted or implicitly denied. To help test ACL logging, configure an ACL with an explicit deny any and log statements at the end of the list, and apply the ACL to an appropriate interface.
PAGE 396

IPv4 Access Control Lists (ACLs) General ACL Operating Notes General ACL Operating Notes ACLs do not provide DNS hostname support. Protocol Support: ACL criteria includes IP, TCP, and UDP. ACLs do not use these protocols: ■ TOS (Type-of-Service) ■ Precedence ■ MAC information ■ QoS ACLs do not affect switch serial port access. ACLs filter both Layer 2 and Layer 3 on a port. There is no performance degradation with ACLs enabled; traffic is at line rate.
PAGE 397

IPv4 Access Control Lists (ACLs) General ACL Operating Notes < acl-list-# >: Unable to apply access control list. The indicated ACL cannot be applied to an interface because an ACL is already assigned to the interface. The command fails for all included interfaces, including any that do not already have an ACL assigned. Duplicate access control entry. The switch detects an attempt to create a duplicate ACE in the same ACL.
PAGE 398

IPv4 Access Control Lists (ACLs) General ACL Operating Notes 9-74
PAGE 399

10 Configuring Advanced Threat Protection Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Enabling DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 400

Configuring Advanced Threat Protection Contents Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-26 Adding an IP-to-MAC Binding to the DHCP Binding Database . . . . 10-28 Potential Issues with Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-28 Adding a Static Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29 Verifying the Dynamic IP Lockdown Configuration . . . . . . . . . . . . .
PAGE 401

Configuring Advanced Threat Protection Introduction Introduction As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (such as partners, temporary employees, and visitors), additional protection from attacks launched from both inside and outside your internal network is often neces sary. Advanced threat protection can detect port scans and hackers who try to access a port or the switch itself.
PAGE 402

Configuring Advanced Threat Protection DHCP Snooping • Attempts to exhaust system resources so that sufficient resources are not available to transmit legitimate traffic, indicated by an unusually high use of specific system resources • Attempts to attack the switch’s CPU and introduce delay in system response time to new network events • Attempts by hackers to access the switch, indicated by an excessive number of failed logins or port authentication failures • Attempts to deny switch service by fi
PAGE 403

Configuring Advanced Threat Protection DHCP Snooping DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded. Packets from untrusted sources are dropped. Conditions for dropping packets are shown below.
PAGE 404

Configuring Advanced Threat Protection DHCP Snooping option: Add relay information option (Option 82) to DHCP client packets that are being forwarded out trusted ports. The default is yes, add relay information. trust: Configure trusted ports. Only server packets received on trusted ports are forwarded. Default: untrusted. verify: Enables DHCP packet validation.
PAGE 405

Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# show dhcp-snooping stats Packet type ----------server client server server client client client client Action ------forward forward drop drop drop drop drop drop Reason Count ---------------------------- --------from trusted port 8 to trusted port 8 received on untrusted port 2 unauthorized server 0 destination on untrusted port 0 untrusted option 82 field 0 bad DHCP release request 0 failed verify MAC check 0 Figure 10-2.
PAGE 406

Configuring Advanced Threat Protection DHCP Snooping Configuring DHCP Snooping Trusted Ports By default, all ports are untrusted. To configure a port or range of ports as trusted, enter this command: ProCurve(config)# dhcp-snooping trust You can also use this command in the interface context, in which case you are not able to enter a list of ports.
PAGE 407

Configuring Advanced Threat Protection DHCP Snooping Configuring Authorized Server Addresses If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the autho rized server list in order to be considered valid. If no authorized servers are configured, all servers are considered valid. You can configure a maximum of 20 authorized servers.
PAGE 408

Configuring Advanced Threat Protection DHCP Snooping Note DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, not on VLANS without snooping enabled. If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.
PAGE 409

Configuring Advanced Threat Protection DHCP Snooping Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address of the switch as the remoteid in Option 82 additions.
PAGE 410

Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# dhcp-snooping verify mac ProCurve(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping : Yes Enabled Vlans : 4 Verify MAC : yes Option 82 untrusted policy : drop Option 82 Insertion : Yes Option 82 remote-id : subnet-ip Figure 10-7. Example Showing the DHCP Snooping Verify MAC Setting The DHCP Binding Database DHCP snooping maintains a database of up to 8192 DHCP bindings on untrusted ports.
PAGE 411

Configuring Advanced Threat Protection DHCP Snooping A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command. Syntax: show dhcp-snooping binding ProCurve(config)# show dhcp-snooping binding MacAddress ------------22.22.22.22.22.22 IP VLAN Interface Time left --------------- ---- --------- --------10.0.0.1 4 B2 1600 Figure 10-8.
PAGE 412

Configuring Advanced Threat Protection DHCP Snooping ■ ProCurve recommends running a time synchronization protocol such as SNTP in order to track lease times accurately. ■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot. Log Messages Server packet received on untrusted port dropped. Indicates a DHCP server on an untrusted port is attempting to transmit a packet.
PAGE 413

Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay information logs for . More than one DHCP client packet received on an untrusted port with a relay information field was dropped. To avoid filling the log file with repeated attempts, untrusted relay information packets will not be logged for the specified . Client address not equal to source MAC detected on port .
PAGE 414

Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings adver tised in the source protocol address and source physical address fields are discarded.
PAGE 415

Configuring Advanced Threat Protection Dynamic ARP Protection • If a binding is valid, the switch updates its local ARP cache and forwards the packet. • If a binding is invalid, the switch drops the packet, preventing other network devices from receiving the invalid IP-to-MAC information. DHCP snooping intercepts and examines DHCP packets received on switch ports before forwarding the packets. DHCP packets are checked against a database of DHCP binding information.
PAGE 416

Configuring Advanced Threat Protection Dynamic ARP Protection Enabling Dynamic ARP Protection To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp-protect vlan command at the global configuration level. Syntax: [no] arp-protect vlan [vlan-range] vlan-range Specifies a VLAN ID or a range of VLAN IDs from one to 4094; for example, 1–200.
PAGE 417

Configuring Advanced Threat Protection Dynamic ARP Protection Figure 10-9. Configuring Trusted Ports for Dynamic ARP Protection Take into account the following configuration guidelines when you use dynamic ARP protection in your network: ■ You should configure ports connected to other switches in the network as trusted ports. In this way, all network switches can exchange ARP packets and update their ARP caches with valid information.
PAGE 418

Configuring Advanced Threat Protection Dynamic ARP Protection Adding an IP-to-MAC Binding to the DHCP Database A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet validation. Both the DHCP snooping and DHCP Option 82 insertion features maintain the lease database by learning the IP-to-MAC bindings on untrusted ports. Each binding consists of the client MAC address, port number, VLAN identifier, leased IP address, and lease time.
PAGE 419

Configuring Advanced Threat Protection Dynamic ARP Protection Configuring Additional Validation Checks on ARP Packets Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp-protect validate command at the global configuration level.
PAGE 420

Configuring Advanced Threat Protection Dynamic ARP Protection ProCurve(config)# show arp-protect ARP Protection Information Enabled Vlans : 1-4094 Validate : dst-mac, src-mac Port ----B1 B2 B3 B4 B5 Trust ----Yes Yes No No No Figure 10-1.
PAGE 421

Configuring Advanced Threat Protection Dynamic IP Lockdown Monitoring Dynamic ARP Protection When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp-protect command. Use this command when you want to debug the following conditions: ■ The switch is dropping valid ARP packets that should be allowed. ■ The switch is allowing invalid ARP packets that should be dropped. ProCurve(config)# debug arp-protect 1.
PAGE 422

Configuring Advanced Threat Protection Dynamic IP Lockdown Protection Against IP Source Address Spoofing Many network attacks occur when an attacker injects packets with forged IP source addresses into the network. Also, some network services use the IP source address as a component in their authentication schemes. For example, the BSD “r” protocols (rlogin, rcp, rsh) rely on the IP source address for packet authentication.
PAGE 423

Configuring Advanced Threat Protection Dynamic IP Lockdown ■ The DHCP binding database allows VLANs enabled for DHCP snooping to be known on ports configured for dynamic IP lockdown. As new IP-to-MAC address and VLAN bindings are learned, a corre sponding permit rule is dynamically created and applied to the port (preceding the final deny any vlan rule as shown in the example in Figure 10-4.
PAGE 424

Configuring Advanced Threat Protection Dynamic IP Lockdown Assuming that DHCP snooping is enabled and that port 5 is untrusted, dynamic IP lockdown applies the following dynamic VLAN filtering on port 5: permit 10.0.8.5 001122-334455 vlan 2 permit 10.0.8.7 001122-334477 vlan 2 permit 10.0.10.3 001122-334433 vlan 5 permit 10.0.10.1 001122-110011 vlan 5 deny any vlan 1-10 permit any Figure 10-4.
PAGE 425

Configuring Advanced Threat Protection Dynamic IP Lockdown • Dynamic IP lockdown only filters packets in VLANs that are enabled for DHCP snooping. In order for Dynamic IP lockdown to work on a port, the port must be configured for at least one VLAN that is enabled for DHCP snooping. To enable DHCP snooping on a VLAN, enter the dhcp-snooping vlan [vlan-id-range] command at the global configuration level or the dhcp-snooping command at the VLAN configuration level.
PAGE 426

Configuring Advanced Threat Protection Dynamic IP Lockdown Adding an IP-to-MAC Binding to the DHCP Binding Database A switch maintains a DHCP binding database, which is used for dynamic IP lockdown as well as for DHCP and ARP packet validation. The DHCP snooping feature maintains the lease database by learning the IP-to-MAC bindings of VLAN traffic on untrusted ports. Each binding consists of the client MAC address, port number, VLAN identifier, leased IP address, and lease time.
PAGE 427

Configuring Advanced Threat Protection Dynamic IP Lockdown Adding a Static Binding To add the static configuration of an IP-to-MAC binding for a port to the lease database, enter the ip source-binding command at the global configuration level. Use the no form of the command to remove the IP-to-MAC binding from the database.
PAGE 428

Configuring Advanced Threat Protection Dynamic IP Lockdown An example of the show ip source-lockdown status command output is shown in Figure 10-5. Note that the operational status of all switch ports is displayed. This information indicates whether or not dynamic IP lockdown is supported on a port.
PAGE 429

Configuring Advanced Threat Protection Dynamic IP Lockdown ProCurve(config)# show ip source-lockdown bindings Dynamic IP Lockdown (DIPLD) Bindings Mac Address ----------001122-334455 005544-332211 . . . . . . . . IP Address VLAN Port -----------------10.10.10.1 1111 X11 10.10.10.2 2222 Trk11 . . . . . . . . . . . . . . . . Not in HW --------YES . . . Figure 10-6.
PAGE 430

Configuring Advanced Threat Protection Dynamic IP Lockdown ProCurve(config)# debug dynamic-ip-lockdown DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT DIPLD (PORT 01/01/90 00:01:25 4) -> 192.168.2.1 01/01/90 00:06:25 4) -> 192.168.2.1 01/01/90 00:11:25 4) -> 192.168.2.1 01/01/90 00:16:25 4) -> 192.168.2.1 01/01/90 00:21:25 4) -> 192.168.2.1 01/01/90 00:26:25 4) -> 192.168.2.1 01/01/90 00:31:25 4) -> 192.168.2.1 01/01/90 00:36:25 4) -> 192.168.2.
PAGE 431

Configuring Advanced Threat Protection Using the Instrumentation Monitor Using the Instrumentation Monitor The instrumentation monitor can be used to detect anomalies caused by security attacks or other irregular operations on the switch.
PAGE 432

Configuring Advanced Threat Protection Using the Instrumentation Monitor Operating Notes Standard Date/Time Prefix for Event Log Messages ■ To generate alerts for monitored events, you must enable the instru mentation monitoring log and/or SNMP trap. The threshold for each monitored parameter can be adjusted to minimize false alarms (see “Configuring Instrumentation Monitor” on page 10-35).
PAGE 433

Configuring Advanced Threat Protection Using the Instrumentation Monitor Configuring Instrumentation Monitor The following commands and parameters are used to configure the opera tional thresholds that are monitored on the switch. By default, the instrumen tation monitor is disabled.
PAGE 434

Configuring Advanced Threat Protection Using the Instrumentation Monitor To enable instrumentation monitor using the default parameters and thresh olds, enter the general instrumentation monitor command. To adjust specific settings, enter the name of the parameter that you wish to modify, and revise the threshold limits as needed.
PAGE 435

Configuring Advanced Threat Protection Using the Instrumentation Monitor Viewing the Current Instrumentation Monitor Configuration The show instrumentation monitor configuration command displays the config ured thresholds for monitored parameters.
PAGE 436

Configuring Advanced Threat Protection Using the Instrumentation Monitor 10-38
PAGE 437

11 Traffic/Security Filters and Monitors Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Using Port Trunks with Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 438

Traffic/Security Filters and Monitors Overview Overview Source-port filters are available on the HP ProCurve switch models covered in this guide. Introduction Feature configure source-port filters display filter data Default Menu CLI Web none n/a page 11-18 n/a n/a n/a page 11-20 n/a You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic.
PAGE 439

Traffic/Security Filters and Monitors Filter Types and Operation Filter Types and Operation Table 11-1. Filter Types and Criteria Static Filter Selection Criteria Type Source-Port Inbound traffic from a designated, physical source-port will be forwarded or dropped on a per-port (destination) basis.
PAGE 440

Traffic/Security Filters and Monitors Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports.
PAGE 441

Traffic/Security Filters and Monitors Filter Types and Operation ■ When you create a source port filter, all ports and port trunks (if any) on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or trunks, the switch automatically forwards traffic to the outbound ports and/or trunks you do not specifically configure to drop traffic.
PAGE 442

Traffic/Security Filters and Monitors Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to destination port 7 (server "A"). Notice that the filter allows traffic to move from source port 5 to all other destination ports. Figure 11-3. The Filter for the Actions Shown in Figure 11-2 Named Source-Port Filters You can specify named source-port filters that may be used on multiple ports and port trunks.
PAGE 443

Traffic/Security Filters and Monitors Filter Types and Operation ■ A named source-port filter can only be deleted when it is not applied to any ports. Defining and Configuring Named Source-Port Filters The named source-port filter command operates from the global configuration level. Syntax: [no] filter source-port named-filter Defines or deletes a named source-port filter.
PAGE 444

Traffic/Security Filters and Monitors Filter Types and Operation A named source-port filter must first be defined and configured before it can be applied. In the following example two named source-port filters are defined, web-only and accounting. ProCurve(config)# filter source-port named-filter webonly ProCurve(config)# filter source-port named-filter accounting By default, these two named source-port filters forward traffic to all ports and port trunks.
PAGE 445

Traffic/Security Filters and Monitors Filter Types and Operation Using Named Source-Port Filters A company wants to manage traffic to the Internet and its accounting server on a 26-port switch. Their network is pictured in Figure 11-4. Switch port 1 connects to a router that provides connectivity to a WAN and the Internet. Switch port 7 connects to the accounting server. Two workstations in accounting are connected to switch ports 10 and 11. Network Design 1.
PAGE 446

Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# filter source-port named-filter web-only drop 2-26 ProCurve(config)# filter source-port named-filter accounting drop 1-6,8,9,12-26 ProCurve(config)# filter source-port named-filter no-incoming-web drop 7,10,11 ProCurve(config)# show filter source-port Traffic/Security Filters Ports and port trunks using the filter. When NOT USED is displayed the named source-port filter may be deleted.
PAGE 447

Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter Traffic/Security Filters IDX Filter Type --- -----------1 Source Port 2 Source Port 3 Source Port 4 Source Port 5 Source Port 6 Source Port 7 Source Port 8 Source Port 20 21 22 23 24 25 26 Source Source Source Source Source Source Source Port Port Port Port Port Port Port | + | | | | | | | | Value ------------------2 3 4 5 6 8 9 12 | | | | | | | 24 25 26 7 10 11 1 Indicates the port number or port trunk n
PAGE 448

Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 4 Traffic/Security Filters ProCurve(config)# show filter 24 Traffic/Security Filters Filter Type : Source Port Source Port : 5 Filter Type : Source Port Source Port : 10 Dest Port Type | Action --------- --------- + ------1 10/100TX | Forward 2 10/100TX | Drop 3 10/100TX | Drop 4 10/100TX | Drop 5 10/100TX | Drop 6 10/100TX | Drop 7 10/100TX | Drop 8 10/100TX | Drop 9 10/100TX | Drop 10 10/100TX | Drop 11 10/
PAGE 449

Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port Type | Action --------- --------- + -----------------------1 10/100TX | Forward 2 10/100TX | Forward 3 10/100TX | Forward 4 10/100TX | Forward 5 10/100TX | Forward 6 10/100TX | Forward 7 10/100TX | Drop 8 10/100TX | Forward 9 10/100TX | Forward 10 10/100TX | Drop 11 10/100TX | Drop 12 10/100TX | Forward . . . Figure 11-9.
PAGE 450

Traffic/Security Filters and Monitors Filter Types and Operation The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command.
PAGE 451

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters ProCurve(config)# show filter source-port Traffic/Security Filters Filter Name -------------------web-only accounting no-incoming-web | + | | | Port List -------------------2-6,9,14-26 7-8,10-13 1 | + | | | Action -------------------------drop 2-26 drop 1-6,9,14-26 drop 7-8,10-13 ProCurve(config)# Figure 11-12.
PAGE 452

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port < port-number | trunk-name>] Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the sourceport filter for < port-number > and returns the destination ports for that filter to the Forward action. (Default: Forward on all ports.
PAGE 453

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a source-port filter that drops all traffic received on port 5 with a destination of port trunk 1 (Trk1) and any port in the range of port 10 to port 15.
PAGE 454

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following: The *5* shows that port 5 is configured for filtering, but the filtering action has been suspended while the port is a member of a trunk. If you want the trunk to which port 5 belongs to filter traffic, then you must explicitly configure filtering on the trunk.
PAGE 455

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Figure 11-14. Assigning Additional Destination Ports to an Existing Filter For example, suppose you wanted to configure the filters in table 11-2 on a switch. (For more on source-port filters, refer to “Configuring a Source-Port Traffic Filter” on page 11-16.) Table 11-2.
PAGE 456

Traffic/Security Filters and Monitors Configuring Traffic/Security Filters new filter will receive the index number “2” and the second new filter will receive the index number "4". This is because the index number “2” was made vacant by the earlier deletion, and was therefore the lowest index number available for the next new filter.
PAGE 457

12 Configuring Port-Based and User-Based Access Control (802.1X) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . 12-4 General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5 802.1X User-Based Access Control . .
PAGE 458

Configuring Port-Based and User-Based Access Control (802.1X) Contents 3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . 12-25 4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 12-26 5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . 12-26 6. Optional: Reset Authenticator Operation . . . . . . . . . . . . . . . . . . . . 12-27 7. Optional: Configure 802.1X Controlled Directions . . . . . . . . . . . .
PAGE 459

Configuring Port-Based and User-Based Access Control (802.1X) Contents Enabling the Use of GVRP-Learned Dynamic VLANs in Authentication Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-74 Messages Related to 802.1X Operation . . . . . . . . . . . . . . . . . . . . . . .
PAGE 460

Configuring Port-Based and User-Based Access Control (802.1X) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1X Authenticators Disabled n/a page 12-19 n/a Configuring 802.1X Open VLAN Mode Disabled n/a page 12-32 n/a Configuring Switch Ports to Operate as 802.1X Supplicants Disabled n/a page 12-50 n/a n/a n/a page 12-54 n/a n/a n/a page 12-68 n/a Displaying 802.1X Configuration, Statistics, and Counters How 802.
PAGE 461

Configuring Port-Based and User-Based Access Control (802.1X) Overview • Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication. • Supplicant implementation using CHAP authentication and indepen dent user credentials on each port.
PAGE 462

Configuring Port-Based and User-Based Access Control (802.1X) Overview This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated. All sessions must use the same untagged VLAN. Also, an authenticated client can use any tagged VLAN memberships statically configured on the port, provided the client is config ured to use the tagged VLAN memberships available on the port.
PAGE 463

Configuring Port-Based and User-Based Access Control (802.1X) Terminology This operation unblocks the port while an authenticated client session is in progress. In topologies where simultaneous, multiple client access is possible this can allow unauthorized and unauthenticated access by another client while an authenticated client is using the port. If you want to allow only authenticated clients on the port, then user-based access control (page 12-5) should be used instead of port-based access control.
PAGE 464

Configuring Port-Based and User-Based Access Control (802.1X) Terminology a port loses its authenticated client connection, it drops its membership in this VLAN. Note that with multiple clients on a port, all such clients use the same untagged, port-based VLAN membership. Authentication Server: The entity providing an authentication service to the switch when the switch is configured to operate as an authenticator. In the case of a switch running 802.
PAGE 465

Configuring Port-Based and User-Based Access Control (802.1X) Terminology Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan < vid > command or the Menu interface. Supplicant: The entity that must provide the proper credentials to the switch before receiving access to the network. This is usually an end-user work station, but it can be a switch, router, or another device seeking network services.
PAGE 466

Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode” on page 12-32.
PAGE 467

Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation Note The switches covered in this guide can use either 802.1X port-based authen tication or 802.1X user-based authentication. For more information, refer to “User Authentication Methods” on page 12-5. VLAN Membership Priority Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration.
PAGE 468

Configuring Port-Based and User-Based Access Control (802.1X) General 802.
PAGE 469

Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed: • Multicast and broadcast traffic is allowed on the port. • Unicast traffic to authenticated clients on the port is allowed. • All traffic from authenticated clients on the port is allowed.
PAGE 470

Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes ■ If a port on switch “A” is configured as an 802.1X supplicant and is connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection. ■ On a port configured for 802.1X with RADIUS authentication, if the RADIUS server specifies a VLAN for the supplicant and the port is a trunk member, the port will be blocked.
PAGE 471

Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Access Control Do These Steps Before You Configure 802.1X Operation 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.
PAGE 472

Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control ProCurve(config)# password port-access user-name Jim secret3 Figure 12-2. Example of the Password Port-Access Command You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command. For more infor mation, see “Saving Security Credentials in a Config File” on page 2-10. in this guide. 2.
PAGE 473

Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control 3. Determine whether to use user-based access control (page 12-5) or portbased access control (page 12-6). 4. Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for clients that are not running 802.1X supplicant software.
PAGE 474

Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to the following: ■ “802.1X User-Based Access Control” on page 12-5 ■ “802.1X Port-Based Access Control” on page 12-6 ■ “Configuring Switch Ports To Operate As Supplicants for 802.
PAGE 475

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Note If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. 7. If you are using Port Security on the switch, configure the switch to allow only 802.1X access on ports configured for 802.
PAGE 476

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps: A. Enable the selected ports as authenticators. B. Specify either user-based or port-based 802.1X authentication. (Actual 802.
PAGE 477

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User-Based Authentication or Return to Port-Based Authentication User-Based 802.1X Authentication. Syntax: aaa port-access authenticator client-limit < port-list > < 1 - 32 > Used after executing aaa port-access authenticator < port-list > (above) to convert authentication from port-based to userbased. Specifies user-based 802.1X authentication and the maximum number of 802.
PAGE 478

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Example: Configuring User-Based 802.1X Authentication This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication. ProCurve(config)# aaa port-access authenticator a10-A12 ProCurve(config)# aaa port-access authenticator a10-A12 client-limit 4 Figure 12-4. Example of Configuring User-Based 802.
PAGE 479

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page). (Default: 60 seconds) [tx-period < 0 - 65535 >] Sets the period the port waits to retransmit the next EAPOL PDU during an authentication session.
PAGE 480

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid < vlan-id >] Configures an existing static VLAN to be the Unauthor ized-Client VLAN.
PAGE 481

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator You can configure local, chap-radius or eap-radius as the primary password authentication method for the port-access method.
PAGE 482

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, refer to chapter 5, “RADIUS Authen tication, Authorization, and Accounting”.
PAGE 483

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentication is operating, you can use the following aaa portaccess authenticator commands to reset 802.1X authentication and statistics on specified ports. Syntax: aaa port-access authenticator < port-list > [initialize] On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process.
PAGE 484

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators ■ The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.
PAGE 485

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-directions command is applied to all authentication methods configured on the switch. For information about how to configure and use MAC and Web authentication, refer to chapter 3, “Web and MAC Authentication”.
PAGE 486

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators when none of the authenticated clients are authorized on the untagged authen ticated VLAN. Instead of having just one client per port, multiple clients can use the guest VLAN. Authenticated clients always have precedence over guests (unauthenticated clients) if access to a client’s untagged VLAN requires removal of a guest VLAN from the port.
PAGE 487

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Configuring Mixed Port Access Mode Syntax: [no] aaa port-access mixed Enables or disables guests on ports with authenticated clients. Default: Disabled; guests do not have access ProCurve(config)# aaa port-access 6 mixed Figure 12-8.
PAGE 488

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 12-19 802.1X Supplicant Commands page 12-52 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator < port-list > page 12-46 [auth-vid < vlan-id >] [unauth-vid < vlan-id >] 802.1X-Related Show Commands page 12-54 RADIUS server configuration pages 12-26 Introduction This section describes how to use the 802.
PAGE 489

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports configured to allow multiple sessions using 802.1X user-based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, authenticated clients, the first authenticated client determines the untagged VLAN in which the port will operate for all subsequent, overlapping client sessions.
PAGE 490

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port is a tagged member of a VLAN used for 1 or 2 listed above, then it also operates as an untagged member of that VLAN while the client is connected. When the client disconnects, the port reverts to tagged membership in the VLAN. Use Models for 802.1X Open VLAN Modes You can apply the 802.
PAGE 491

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Unauthorized-Client VLAN Port Response • When the port detects a client without 802.1X supplicant capability, it automatically becomes an untagged member of this VLAN. If you previously configured the port as a static, tagged member of the VLAN, membership temporarily changes to untagged while the client remains unauthenticated.
PAGE 492

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Authorized-Client VLAN Port Response • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN. Notes: If the client is running an 802.
PAGE 493

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
PAGE 494

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.
PAGE 495

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule These must be configured on the switch before you configure an Static VLANs used as AuthorizedClient or Unauthorized-Client VLANs 802.1X authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.
PAGE 496

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN session on untagged port VLAN membership • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged). (While the Unauthorized-Client VLAN is in use, the port does not access any other VLANs.
PAGE 497

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of RADIUS-assigned VLAN The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN. IP Addressing for a Client Connected A client can either acquire an IP address from a DHCP server or use to a Port Configured for 802.x Open a manually configured IP address before connecting to the switch.
PAGE 498

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Note: Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to Allow Multiple-Client Access You can optionally enable switches to allow up to 32 clients per-port. The Unauthorized-Client VLAN feature can operate on an 802.1X configured port regardless of how many clients the port is configured to support.
PAGE 499

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 12-1 on page 12-34 for other options. Before you configure the 802.1X Open VLAN mode on a port: ■ Caution Statically configure an “Unauthorized-Client VLAN” in the switch.
PAGE 500

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges. Also, you must use 802.1X supplicant software that supports the use of local switch passwords.
PAGE 501

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > [oobm] Adds a server to the RADIUS configuration. For switches that have a separate out-of-band manage ment port, the oobm parameter specifies that the RADIUS traffic will go through the out-of-band man agement (OOBM) port.
PAGE 502

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 12-43. Syntax: aaa port-access authenticator < port-list > [auth-vid < vlan-id >] Configures an existing, static VLAN to be the AuthorizedClient VLAN.
PAGE 503

Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 12-63. 802.1X Open VLAN Operating Notes ■ Although you can configure Open VLAN mode to use the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended.
PAGE 504

Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices ■ The first client to authenticate on a port configured to support multiple clients will determine the port’s VLAN membership for any subsequent clients that authenticate while an active session is already in effect. Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices If 802.
PAGE 505

Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices Port-Security Note If 802.1X port-access is configured on a given port, then port-security learnmode for that port must be set to either continuous (the default) or port-access. In addition to the above, to use port-security on an authenticator port (chapter 13), use the per-port client-limit option to control how many MAC addresses of 802.
PAGE 506

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands page 12-19 802.
PAGE 507

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches • If, after the supplicant port sends the configured number of start packets, it does not receive a response, it assumes that switch “B” is not 802.1X-aware, and transitions to the authenticated state. If switch “B” is operating properly and is not 802.1X-aware, then the link should begin functioning normally, but without 802.1X security.
PAGE 508

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. You can configure a switch port as a supplicant for a point-to-point link to an 802.1X-aware port on another switch. Configure the port as a supplicant before configuring any suppli cant-related parameters.
PAGE 509

Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [secret] Enter secret: < password > Repeat secret: < password > Sets the secret password to be used by the port supplicant when an MD5 authentication request is received from an authenticator. The switch prompts you to enter the secret password after the command is invoked.
PAGE 510

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 12-19 802.1X Supplicant Commands page 12-50 802.1X Open VLAN Mode Commands page 12-32 802.
PAGE 511

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator [port-list] [config | statistics | session-counters | vlan | clients | clients detailed • Untagged VLAN: VLAN ID number of the untagged VLAN used in client sessions. If the switch supports MAC-based (untagged) VLANs, MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions.
PAGE 512

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Figure 12-11.Example of show port-access authenticator Command The information displayed with the show port-access authenticator command for individual (config | statistics | session-counters | vlan | clients) options is described below. Syntax: show port-access authenticator config [port-list] Displays 802.
PAGE 513

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Port Port number on switch. Re-auth Period Period of time (in seconds) afterwhich clients connected to the port need to be reauthenticated. Access Control Port’s authentication mode: Auto: Network access is allowed to any connected device that supports 802.1X authentication and provides valid 802.1X credentials.
PAGE 514

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator statistics [port-list] Displays statistical information for all switch ports or spec ified ports that are enabled as 802.1X authenticators, includ ing: • Whether port-access authentication is enabled • Whether RADIUS-assigned dynamic VLANs are supported • 802.
PAGE 515

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator session-counters [port-list] Displays information for active 802.1X authentication ses sions on all switch ports or specified ports that are enabled as 802.1X authenticators, including: • 802.1X frames received and transmitted on each port • Duration and status of active 802.1X authentication sessions (in-progress or terminated) • User name of 802.
PAGE 516

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator vlan [port-list] Displays the following information on the VLANs configured for use in 802.1X port-access authentication on all switch ports, or specified ports, that are enabled as 802.
PAGE 517

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator clients [port-list] Displays the session status, name, and address for each 802.1X port-access-authenticated client on the switch. Multiple authenticated clients may be displayed for the same port. The IP address displayed is taken from the DHCP binding table (learned through the DHCP Snooping feature).
PAGE 518

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator clients detailed Displays detailed information on the status of 802.1X authenticated client sessions on specified ports.
PAGE 519

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show portaccess authenticator vlan and show port-access authenticator < port-list > com mands as illustrated in figure 12-18. Table 12-1 describes the data that these two commands display.
PAGE 520

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Thus, in the output shown in figure 12-18: ■ When the Auth VLAN ID is configured and matches the Current VLAN ID, an authenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Auth VLAN.
PAGE 521

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 12-2. Output for Determining Open VLAN Mode Status (Figure 12-18, Lower) Status Indicator Meaning Status Closed:Either no client is connected or the connected client has not received authorization through 802.1X authentication. Current VLAN ID < vlan-id >: Lists the VID of the static, untagged VLAN to which the port currently belongs. Open: An authorized 802.
PAGE 522

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Note that ports B1 and B3 are not in the upper listing, but are included under “Overridden Port VLAN configuration”. This shows that static, untagged VLAN memberships on ports B1 and B3 have been overridden by temporary assignment to the authorized or unauthorized VLAN. Using the show portaccess authenticator < portlist > command shown in figure 12-18 provides details. Figure 12-19.
PAGE 523

Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [< port-list >] [statistics] show port-access supplicant [< port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < portlist > ports configured on the switch as supplicants.
PAGE 524

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement. RADIUS authentication for an 802.1X client on a given port can include a (static) VLAN requirement.
PAGE 525

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Note You can use 802.1X (port-based or client-based) authentication and either Web or MAC authentication at the same time on a port, with a maximum of 32 clients allowed on the port. (The default is one client.) Web authentication and MAC authentication are mutually exclusive on the same port. Also, you must disable LACP on ports configured for any of these authentication meth ods.
PAGE 526

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation • If the port is assigned as a member of an untagged dynamic VLAN that was learned through GVRP, the dynamic VLAN configuration must exist on the switch at the time of authentication and GVRPlearned dynamic VLANs for port-access authentication must be enabled.
PAGE 527

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation If this temporary VLAN assignment causes the switch to disable a different untagged static or dynamic VLAN configured on the port (as described in the preceding bullet and in “Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session” on page 12-71), the disabled VLAN assignment is not advertised.
PAGE 528

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1X client requires access to VLAN 22 from port A2. However, access to VLAN 22 is blocked (not untagged or tagged) on port A2 and Figure 12-20.
PAGE 529

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1X session. This is to accommodate an 802.1X client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22. Note: With the current VLAN configuration (figure 12-20), the only time port A2 appears in this show vlan 22 listing is during an 802.
PAGE 530

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the port becomes available again. Therefore, when the RADIUS-authenticated 802.
PAGE 531

Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Syntax: aaa port-access gvrp-vlans —Continued— 2. After you enable dynamic VLAN assignment in an authen tication session, it is recommended that you use the interface unknown-vlans command on a per-port basis to prevent denial-of-service attacks.
PAGE 532

Configuring Port-Based and User-Based Access Control (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation Table 12-3. 802.1X Operating Messages Message Meaning Port < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.1X authenticators. Use this command to enable the ports as authenticators: ProCurve(config)# aaa port-access authenticator e 10 Port < port-list > is not a supplicant.
PAGE 533

13 Configuring and Monitoring Port Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3 Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4 Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4 Eavesdrop Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 534

Configuring and Monitoring Port Security Contents Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-35 CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-36 Using the Event Log To Find Intrusion Alerts . . . . . . . . . . . . . . . . . .
PAGE 535

Configuring and Monitoring Port Security Overview Overview Feature Displaying Current Port Security Default Menu CLI Web n/a — page 13-10 page 13-32 disabled — page 13-14 page 13-32 n/a — page 13-19 n/a MAC Lockdown disabled — page 13-24 MAC Lockout disabled — page 13-28 n/a page 13-38 page 13-36 Configuring Port Security Retention of Static Addresses Intrusion Alerts and Alert Flags page 13-39 Port Security (Page 13-4).
PAGE 536

Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction. Intruder Protection. A port that detects an “intruder” blocks the intruding device from transmitting to the network through that port. Eavesdrop Protection.
PAGE 537

Configuring and Monitoring Port Security Port Security ■ • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices.) • Configured: Requires that you specify all MAC addresses authorized for the port.
PAGE 538

Configuring and Monitoring Port Security Port Security Feature Interactions When Eavesdrop Prevention is Disabled The following table explains the various interactions between learning modes and Eavesdrop Prevention when Eavesdrop Prevention is disabled. Note When the learning mode is “port-access”, Eavesdrop Prevention will not be applied to the port. However, it can still be configured or disabled for the port.
PAGE 539

Configuring and Monitoring Port Security Port Security ProCurve(config)# show port-security Port Security Port -----B1 B2 B3 B4 B5 Learn Mode -------------------Continuous Continuous Continuous Continuous Continuous | + | | | | | Action -----------------------None None None None None Eavesdrop Prevention -------------------Enabled Enabled Enabled Enabled Enabled Figure 13-1.
PAGE 540

Configuring and Monitoring Port Security Port Security Physical Topology Logical Topology for Access to Switch A Switch A Port Security Configured Switch A Port Security Configured PC 1 Switch B MAC Address Authorized by Switch A PC 1 MAC Address Authorized by Switch A MAC Address Authorized by Switch A PC 2 Switch B MAC Address NOT Authorized by Switch A MAC Address Authorized by Switch A PC 3 Switch C MAC Address NOT Authorized by Switch A MAC Address NOT Authorized by Switch A • PC1 can ac
PAGE 541

Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? c. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmit ting to the network.
PAGE 542

Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 13-11 show mac-address port-security 13-14 < port-list > 13-14 learn-mode 13-14 address-limit 13-17 mac-address 13-18 action 13-18 clear-intrusion-flag 13-19 no port-security 13-19 This section describes the CLI port security command and how the switch acquires and maintains authorized addresses.
PAGE 543

Configuring and Monitoring Port Security Port Security Displaying Port Security Settings. Syntax: show port-security show port-security show port-security [-]. . .
PAGE 544

Configuring and Monitoring Port Security Port Security Figure 13-4. Example of the Port Security Configuration Display for a Single Port The next example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string: ProCurve(config)# show port-security A1-A3,A6,A8 Listing Authorized and Detected MAC Addresses.
PAGE 545

Configuring and Monitoring Port Security Port Security Figure 13-5.
PAGE 546

Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security and edit security settings. ■ Add or delete devices from the list of authorized addresses for one or more ports. ■ Clear the Intrusion flag on specific ports Syntax: port-security [e] < learn-mode | address-limit | mac-address | action | clear-intrusion-flag > < port-list >: Specifies a list of one or more ports to which the port-security command applies.
PAGE 547

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limitedcontinuous > (Continued) static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port.
PAGE 548

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limitedcontinuous > (Continued) Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device to become “authorized”.
PAGE 549

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces.
PAGE 550

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) mac-address [] [] . . . [] Available for learn-mode with the, static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the address-limit parameter. The mac-address limited-continuous mode allows up to 32 authorized MAC addresses per port.
PAGE 551

Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) clear-intrusion-flag Clears the intrusion flag for a specific port. (See “Reading Intrusion Alerts and Resetting Alert Flags” on page 13-32.) no port-security mac-address [ ] Removes the specified learned MAC address(es) from the specified port. Retention of Static Addresses Static MAC addresses do not age-out.
PAGE 552

Configuring and Monitoring Port Security Port Security ■ Delete it by using no port-security < port-number > mac-address < mac-addr >. ■ Download a configuration file that does not include the unwanted MAC address assignment. ■ Reset the switch to its factory-default configuration. Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port.
PAGE 553

Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existing Authorized Addresses list, enter the port number with the mac-address parameter and the device’s MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value).
PAGE 554

Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode.
PAGE 555

Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to “Static”. Refer to the command syntax listing under “Configuring Port Security” on page 13-14.
PAGE 556

Configuring and Monitoring Port Security MAC Lockdown The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090123456 The above command sequence results in the following configuration for port A1: Figure 13-10.
PAGE 557

Configuring and Monitoring Port Security MAC Lockdown You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID of “1”. How It Works. When a device’s MAC address is locked down to a port (typically in a pair with a VLAN) all information sent to that MAC address must go through the locked-down port. If the device is moved to another port it cannot receive data.
PAGE 558

Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair cannot be locked down on a different port. You cannot perform MAC Lockdown and 802.1X authentication on the same port or on the same MAC address. MAC Lockdown and 802.1X authentication are mutually exclusive. Lockdown is permitted on static trunks (manually configured link aggrega tions).
PAGE 559

Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
PAGE 560

Configuring and Monitoring Port Security MAC Lockout Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as Spanning Tree Protocol (STP) to speed up network per formance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.
PAGE 561

Configuring and Monitoring Port Security MAC Lockout To use MAC Lockout you must first know the MAC Address you wish to block. Syntax: [no] lockout-mac < mac-address > How It Works. Let’s say a customer knows there are unauthorized wireless clients who should not have access to the network. The network administrator “locks out” the MAC addresses for the wireless clients by using the MAC Lockout command (lockout-mac ).
PAGE 562

Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1X authenti cation.
PAGE 563

Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in conjunction with port-security.
PAGE 564

Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security]. 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field. 4. Implement your new data by clicking on [Apply Changes]. To access the web-based Help provided for the switch, click on [?] in the web browser screen.
PAGE 565

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags ■ The switch enables notification of the intrusion through the following means: • • • • In the CLI: – The show port-security intrusion-log command displays the Intrusion Log – The log command displays the Event Log In the menu interface: – The Port Status screen includes a per-port intrusion alert – The Event Log includes per-port entries for security viola tions In the web browser interface: – The Ale
PAGE 566

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.
PAGE 567

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen. 1. From the Main Menu select: 1. Status and Counters 4. Port Status The Intrusion Alert column shows “Yes” for any port on which a security violation has been Figure 13-12.
PAGE 568

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 13-12 on page 13-35) does not indicate an intrusion for port A1, the alert flag for the intru sion on port A1 has already been reset. • Since the switch can show only one uncleared intrusion per port, the alert flag for the older intrusion for port A3 in this example has also been previously reset.
PAGE 569

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags clear intrusion-flags Clear intrusion flags on all ports. port-security [e] < port-number > clear-intrusion-flag Clear the intrusion flag on one or more specific ports. In the following example, executing show interfaces brief lists the switch’s port status, which indicates an intrusion alert on port A1. Intrusion Alert on port Figure 13-14.
PAGE 570

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags To clear the intrusion from port A1 and enable the switch to enter any subsequent intrusion for port A1 in the Intrusion Log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, you will see that the Intrusion Alert entry for port A1 has changed to “No”.
PAGE 571

Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Log Command with “security” for Search Log Listing with Security Violation Detected Log Listing with No Security Violation Detected Figure 13-17.Example of Log Listing With and Without Detected Security Violations From the Menu Interface: In the Main Menu, click on 4. Event Log and use Next page and Prev page to review the Event Log contents. For More Event Log Information.
PAGE 572

Configuring and Monitoring Port Security Operating Notes for Port Security Operating Notes for Port Security Identifying the IP Address of an Intruder. The Intrusion Log lists detected intruders by MAC address. If you are using ProCurve Manager to manage your network, you can use the device properties page to link MAC addresses to their corresponding IP addresses. Proxy Web Servers.
PAGE 573

Configuring and Monitoring Port Security Operating Notes for Port Security ProCurve(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s). ProCurve(config)# The switch will not allow you to configure LACP on a port on which port security is enabled. For example: ProCurve(config)# int e a17 lacp passive Error configuring port A17: LACP and port security cannot be run together.
PAGE 574

Configuring and Monitoring Port Security Operating Notes for Port Security 13-42
PAGE 575

14 Using Authorized IP Managers Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3 Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3 Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . 14-4 Overview of IP Mask Operation .
PAGE 576

Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu CLI Web Listing (Showing) Authorized Managers n/a page 14-5 page 14-6 page 14-9 Configuring Authorized IP Managers None page 14-5 page 14-6 page 14-9 Building IP Masks n/a page 14-10 page 14-10 page 14-10 Operating and Troubleshooting Notes n/a page 14-13 page 14-13 page 14-13 The Authorized IP Managers feature uses IP addresses and masks to deter mine which stations (PCs or workstations
PAGE 577

Using Authorized IP Managers Options Options You can configure: Caution ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations ■ Manager or Operator access privileges (for Telnet, SNMPv1, and SNMPv2c access only) Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port.
PAGE 578

Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations ■ Authorizing Single Stations: The table entry authorizes a single man agement station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Autho rized Manager IP column, and leave the IP Mask set to 255.255.255.255. This is the easiest way to use the Authorized Managers feature.
PAGE 579

Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 14-10. Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch. This mask serves a different purpose than IP subnet masks and is applied in a different manner.
PAGE 580

Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See “Building IP Masks” on page 14-10. 4. Use the Space bar to select Manager or Operator access. 5. Press [Enter], then [S] (for Save) to configure the IP Authorized Manager entry. Applies only to access through Telnet, SNMPv1, and SNMPv2c.
PAGE 581

Using Authorized IP Managers Defining Authorized Management Stations Figure 14-3.Example of the Show IP Authorized-Manager Display The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: IP Mask Authorized Station IP Address: Access Mode: 255.255.255.252 10.28.227.100 through 103 Manager 255.255.255.254 10.28.227.104 through 105 Manager 255.255.255.255 10.28.227.125 Manager 255.255.255.0 10.28.227.
PAGE 582

Using Authorized IP Managers Defining Authorized Management Stations If you omit the < mask bits > when adding a new authorized manager, the switch automatically uses 255.255.255.255. If you do not specify either Manager or Operator access, the switch assigns the Manager access. For example: Omitting a mask in the ip authorized-managers command results in a default mask of 255.255.255.255, which authorizes only the specified station.
PAGE 583

Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: 1. Click on the Security tab. 2. Click on [Authorized Addresses]. 3. Enter the appropriate parameter settings for the operation you want. 4. Click on [Add], [Replace], or [Delete] to implement the configuration change.
PAGE 584

Using Authorized IP Managers Building IP Masks Using a Web Proxy Server to Access the Web Browser Interface Caution This is NOT recommended. Using a web proxy server between the stations and the switch poses a security risk. If the station uses a web proxy server to connect to the switch, any proxy user can access the switch. If it is necessary to use the switch’s web browser interface and your browser access is through a web proxy server, perform these steps: 1.
PAGE 585

Using Authorized IP Managers Building IP Masks Figure 14-5. Analysis of IP Mask for Single-Station Entries 1st Octet 2nd Octet 3rd Octet 4th Octet Manager-Level or Operator-Level Device Access IP Mask 255 255 255 255 Authorized Manager IP 10 28 227 125 The “255” in each octet of the mask specifies that only the exact value in that octet of the corresponding IP address is allowed. This mask allows management access only to a station having an IP address of 10.33.248.5.
PAGE 586

Using Authorized IP Managers Building IP Masks Figure 14-6. Analysis of IP Mask for Multiple-Station Entries 1st Octet 2nd Octet 3rd Octet 4th Octet Manager-Level or Operator-Level Device Access The “255” in the first three octets of the mask specify that only the exact value in the octet of the corresponding IP address is allowed. However, the zero (0) in the 4th octet of the mask allows any value between 0 and 255 in that octet of the corresponding IP address.
PAGE 587

Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Results Manager List IP Mask 255 255 0 Authorized Manager IP 10 33 255 248 1 IP Mask 255 238 255 250 Authorized Manager IP 10 This combination specifies an authorized IP address of 10.33.xxx.1.
PAGE 588

Using Authorized IP Managers Operating Notes • • 14-14 Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions” list in the web browser interface you are using on the authorized station.
PAGE 589

Index Numerics 3DES … 8-3 802.1X cached reauthentication … 5-26 802.
PAGE 590

12-66 overview … 12-4 password for port-access … 2-11, 2-21 port, supplicant … 12-17 port-based access … 12-5 client without authentication … 12-6 effect of Web/MAC auth operation … 12-14 enable … 12-20, 12-49 latest client, effect … 12-6 multiple client access … 12-7 multiple clients authenticating … 12-6 no client limit … 12-5 open port … 12-5 operation … 12-6 recommended use … 12-6 return to … 12-21 single client authenticates … 12-6 tagged VLAN membership … 12-6 unauthorized client risk … 12-7 untagged
PAGE 591

unauthorized-client, caution … 12-40 unauthorized-client, on different ports … 12-42 untagged … 12-33, 12-36, 12-37 untagged membership … 12-21 VLAN operation … 12-68 VLAN use, multiple clients … 12-8 VLAN, assignment conflict … 5-43, 12-13 VLAN, membership priority … 12-11, 12-33 VLAN, priority, RADIUS … 12-37 VLAN, tagged membership … 12-37 Wake-on-LAN traffic … 12-28 Web/MAC auth effect … 12-14 A aaa gvrp-vlans … 12-74, 12-75 port-access gvrp-vlans … 12-74, 12-75 aaa authentication … 4-8 authorized … 12
PAGE 592

mask usage … 9-17 mask, ACL … 9-21 mask, CIDR … 9-39 mask, defined … 9-8 mask, multiple IP addresses … 9-31 mask, one IP address … 9-30 match, always … 9-38 match, criteria … 9-29 match, example … 9-30 match, ignored … 9-24 maximum allowed … 9-25 name string, maximum characters … 9-33, 9-40 number of entries … 9-11 offline creation … 9-64 operator, comparison … 9-47 outbound traffic, defined … 9-9 oversubscribing resources … 9-19 packet match, defining … 9-21 performance degraded … 9-12 permit, defined … 9-
PAGE 593

access levels … 14-3 building IP masks … 14-10 configuring in browser interface … 14-7, 14-9 configuring in console … 14-5 definitions of single and multiple … 14-4 effect of duplicate IP addresses … 14-13 IP mask for multiple stations … 14-11 IP mask for single station … 14-10 IP mask operation … 14-4 operating notes … 14-13 overview … 14-1 troubleshooting … 14-13 authorized server … 10-5 authorized server address, configuring … 10-9 authorized, option for authentication … 5-11, 12-25 autorun autorun-key …
PAGE 594

Option 82 remote-id, MAC address … 10-11 Option 82 untrusted-policy, drop … 10-10 trusted ports, disabled … 10-8 DHCP snooping, none … 1-8 dynamic arp protection, none … 1-8 dynamic IP lockdown, none … 1-8 dyn-autz-port 3799 … 5-19 factory reset, enabled … 2-28 front panel security … 2-3, 2-27 instrumentation monitor SNMP traps, disabled … 10-35 thresholds and parameters … 10-35 instrumentation monitor, disabled … 10-35 IP mask, 255.255.255.
PAGE 595

on trusted ports … 10-8 on VLANs … 10-6, 10-7 IP-to-MAC binding database … 10-20, 10-28 log messages … 10-14 Option 82 … 10-9 option parameter … 10-6 remote-id … 10-10 show configuration … 10-6 stats … 10-6 trust … 10-6 untrusted-policy … 10-10 verify … 10-6 documentation feature matrix … -xx latest versions … -xix printed in-box publication … -xix release notes … -xix duplicate IP address effect on authorized IP managers … 14-13 dynamic ARP protection additional validation checks on ARP packets … 10-21 ARP
PAGE 596

effect on client authentication … 12-68, 12-70 static VLAN not advertised … 12-71, 12-75 hierarchy of precedence, used by DCA … 1-17 IP-to-MAC binding … 10-20, 10-28 IPv4, ACL vendor-specific attribute … 6-18 IPv6, ACL vendor-specific attribute … 6-18 ip-version, ipv4or6 … 7-17 I L IANA … 9-48 Identity Driven Manager See IDM. IDM … 6-9, 6-30, 9-5 authentication control features … 6-3 overview … 1-21 RADIUS-based security classifiers … 1-21 See also RADIUS-assigned ACLs RADIUS-assigned ACLs.
PAGE 597

message inconsistent value … 13-22 MIB SNMP access … 1-15 SNMP access to authentication MIB … 1-15 MSCHAPv2 … 5-11 N named source port filters configuring … 11-7 displaying … 11-8 operating rules … 11-6 See also source port filters. NAS … 6-10 Network Immunity Manager (NIM) hierarchy of precedence in authentication session … 1-18 overview … 1-18 network management applications … 6-3 O OOBM … 3-18, 4-19, 4-20, 5-15, 5-50, 5-51, 7-9, 7-18, 7-27, 7-28, 12-26, 12-45 oobm … 4-19 open VLAN mode See 802.
PAGE 598

ports trusted … 10-6 port-security, eavesdrop prevention … 13-6 prior to … 13-36, 13-37, 13-40 Privacy Enhanced Mode (PEM) See SSH.
PAGE 599

shared secret key, saving to configuration file … 2-11, 2-15 show accounting … 5-59 show authentication … 5-58 SNMP access security not supported … 5-4 SNMP access to auth config MIB … 5-4 statistics, viewing … 5-56 terminology … 5-5 TLS … 5-6 Tunnel-Type attribute … 5-44 vendor specific attributes … 5-45 vendor-specific attributes … 5-37, 6-4 VSAs … 5-38 web browser security not supported … 5-7 web-browser access controls … 5-34 web-browser security not supported … 5-4, 5-34 RADIUS-assigned ACLs … 6-9 802.
PAGE 600

saving to startup configuration with write memory … 2-19 SNMPv3 … 2-13 SSH … 2-16 SSH private keys not saved … 2-21 TACACS … 2-15 viewing in running configuration … 2-11 viewing in startup configuration … 2-19 when SNMPv3 credentials in downloaded file are not supported … 2-21 security violations detecting … 10-33 notices of … 13-32 security, ACL See ACL, security use. security, password See SSH.
PAGE 601

private keys not saved to configuration file … 2-21 public key … 7-5, 7-14 public key, displaying … 7-14 public key, saving to configuration file … 2-11, 2-16 reserved IP port numbers … 7-19 security … 7-19 SSHv2 … 7-2 steps for configuring … 7-6 switch key to client … 7-13 terminology … 7-3 unauthorized access … 7-30 version … 7-2 zeroing a key … 7-11 zeroize … 7-11 SSL CA-signed … 8-3, 8-15 CA-signed certificate … 8-3, 8-15 CLI commands … 8-7 client behavior … 8-17, 8-18 crypto key … 8-10 disabling … 8-9,
PAGE 602

local manager password requirement … 4-30 messages … 4-29 NAS … 4-3 precautions … 4-5 preparing to configure … 4-8 preventing switch lockout … 4-18 privilege level code … 4-7 server access … 4-18 server priority … 4-21 setup, general … 4-5 shared secret key, saving to configuration file … 2-15 show authentication … 4-8 single login … 4-13 single sign-on … 4-13 system requirements … 4-5 TACACS+ server … 4-3, 4-8 testing … 4-5 TFTP, configuration … 4-30 timeout … 4-18 troubleshooting … 4-6 unauthorized access
PAGE 603

configuration commands … 3-21 configuring access control on unauthenticated ports … 3-22 controlled directions … 3-22 on the switch … 3-20 switch for RADIUS access … 3-17 display all 802.
PAGE 604

16 – Index
PAGE 605
PAGE 606

ProCurve 5400zl i and Technology for better business outcomes To learn more, visit www.hp.com/go/bladesystem/documentation/ © Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.