- Hewlett-Packard Switches Access Security Guide

ManualsBrandsHP ManualsSwitchProCurve 4100 Series

ProCurve Switches

Access Security Guide

Switch 2600 Series

Switch 2600-PWR Series

Switch 2800 Series

Switch 4100 Series

Switch 6108 Series

Summary of content (306 pages)

PAGE 1
ProCurve Switches Access Security Guide Switch 2600 Series Switch 2600-PWR Series Switch 2800 Series Switch 4100 Series Switch 6108 Series
PAGE 2
PAGE 3
ProCurve Switch 2600 Series Switch 2600-PWR Series Switch 2800 Series Switch 4100gl Series Switch 6108 December 2008 Access Security Guide
PAGE 5
Contents Product Documentation About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi Feature Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xii 1 Getting Started Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 6
Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7 When Security Is Important . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7 Front-Panel Button Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8 Configuring Front-Panel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 7
4 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . . . . . 4-3 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 General Authentication Setup Procedure . . . .
PAGE 8
1. Configure Authentication for the Access Methods You Want RADIUS To Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 2. Configure the Switch To Access a RADIUS Server . . . . . . . . . . . . 5-10 3. Configure the Switch’s Global RADIUS Parameters . . . . . . . . . . . 5-12 Local Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 9
6. Use an SSH Client To Access the Switch . . . . . . . . . . . . . . . . . . . . . 6-21 Further Information on SSH Client Public-Key Authentication . . . . . . . . 6-21 Messages Related to SSH Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27 7 Configuring Secure Socket Layer (SSL) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 10
Configuring Switch Ports as 802.1X Authenticators . . . . . . . . . . . . . . . . . 8-15 1. Enable 802.1X Authentication on Selected Ports . . . . . . . . . . . . . . 8-15 3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . . 8-19 4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . . 8-20 5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . . 8-20 802.1X Open VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 11
MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17 Differences Between MAC Lockdown and Port Security . . . . . . . . . 9-19 Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21 MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25 Port Security and MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27 IP Lockdown . . . .
PAGE 12
Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 Overview of IP Mask Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 Menu: Viewing and Configuring IP Authorized Managers . . . . . . . . . 11-5 CLI: Viewing and Configuring Authorized IP Managers . . . . . . . . . . . 11-6 Web: Configuring IP Authorized Managers . . . . . . . . . . . . . . . . . . . . . . . . . 11-9 Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 13
Product Documentation About Your Switch Manual Set The switch manual set includes the following: Note ■ Read Me First - a printed guide shipped with your switch. Provides software update information, product notes, and other information. ■ Installation and Getting Started Guide - a printed guide shipped with your switch. This guide explains how to prepare for and perform the physical installation and connection to your network.
PAGE 14
Product Documentation Feature Index For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. (Note that some software features are not supported on all switch models.) Feature Management and Configuration Advanced Traffic Management Access Security Guide 802.1Q VLAN Tagging - X - 802.
PAGE 15
Product Documentation Feature Management and Configuration Advanced Traffic Management Access Security Guide LACP X - - Link X - - LLDP X - - MAC Address Management X - - MAC Lockdown - - X MAC Lockout - - X MAC-based Authentication - - X Monitoring and Analysis X - - Multicast Filtering - X - Network Management Applications (LLDP, SNMP) X - - Passwords - - X Ping X - - Port Configuration X - - Port Security - - X Port Status X - - Port Trunki
PAGE 16
Product Documentation Feature Management and Configuration Advanced Traffic Management Access Security Guide Source-Port Filters - - X Spanning Tree (STP, RSTP, MSTP) - X - SSH (Secure Shell) Encryption - - X SSL (Secure Socket Layer) - - X Stack Management (Stacking) - X - Syslog X - - System Information X - - TACACS+ Authentication - - X Telnet Access X - - TFTP X - - Time Protocols (TimeP, SNTP) X - - Traffic/Security Filters - - X Troubleshooting X
PAGE 17
1 Getting Started Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Overview of Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Management Access Security Protection . . . . . . . . . . . . . . . . . . . . . . . . 1-3 General Switch Traffic Security Guidelines . . . . . . . . . . . . . . . . . . . . . . 1-4 Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 18
Getting Started Introduction Introduction This Access Security Guide describes how to use ProCurve’s switch security features to protect access to your switch. This guide is intended to support the following switches: ■ ProCurve Series 2600 ■ ProCurve Series 2600-PWR ■ ProCurve Series 2800 ■ ProCurve Series 4100gl ■ ProCurve Switch 6108 For an overview of other product documentation for the above switches, refer to “Product Documentation” on page xi.
PAGE 19
Getting Started Overview of Access Security Features ■ Secure Socket Layer (SSL) (page 7-1): Provides remote web access to the switch via encrypted authentication paths between the switch and management station clients capable of SSL/TLS operation. ■ Port-Based Access Control (802.1X) (page 8-1): On point-to-point connections, enables the switch to allow or deny traffic between a port and an 802.1X-aware device (supplicant) attempting to access the switch.
PAGE 20
Getting Started Overview of Access Security Features Table 1-1.
PAGE 21
Getting Started Conventions Conventions This guide uses the following conventions for command syntax and displayed information. Feature Descriptions by Model In cases where a software feature is not available in all of the switch models covered by this guide, the section heading specifically indicates which product or product series offer the feature. For example (the switch model is highlighted here in bold italics): “Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches”.
PAGE 22
Getting Started Conventions Command Prompts In the default configuration, your switch displays one of the following CLI prompts: ProCurve ProCurve ProCurve ProCurve ProCurve Switch Switch Switch Switch Switch 4104# 4108# 2626# 2650# 6108# To simplify recognition, this guide uses ProCurve to represent command prompts for all models. For example: ProCurve# (You can use the hostname command to change the text in the CLI prompt.
PAGE 23
Getting Started Sources for More Information Sources for More Information For additional information about switch operation and features not covered in this guide, consult the following sources: ■ Note For information on which product manual to consult on a given software feature, refer to “Product Documentation” on page xi. For the latest version of all ProCurve switch documentation, including release notes covering recently added features, visit the ProCurve Networking website at http://www.procurve.
PAGE 24
Getting Started Need Only a Quick Start? Figure 1-3. Getting Help in the CLI ■ For information on specific features in the Web browser interface, use the online help. For more information, refer to the Management and Configuration Guide for your switch. ■ For further information on ProCurve Networking switch technology, visit the ProCurve website at: http://www.procurve.
PAGE 25
Getting Started Need Only a Quick Start? To Set Up and Install the Switch in Your Network I m po r t a n t ! Use the Installation and Getting Started Guide shipped with your switch for the following: ■ Notes, cautions, and warnings related to installing and using the switch and its related modules ■ Instructions for physically installing the switch in your network ■ Quickly assigning an IP address and subnet mask, setting a Manager password, and (optionally) configuring other basic features.
PAGE 26
Getting Started Need Only a Quick Start? — This page is intentionally unused.
PAGE 27
2 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Web: Setting Passwords and Usernames . . . .
PAGE 28
Configuring Username and Password Security Overview Overview Feature Default Menu CLI Web Set Usernames none — — page 2-6 Set a Password none page 2-4 page 2-5 page 2-6 n/a page 2-4 page 2-6 page 2-6 Delete Password Protection The following features apply only to the Series 2600, 2600-PWR, and 2800 Switches.
PAGE 29
Configuring Username and Password Security Overview To configure password security: 1. Set a Manager password pair (and an Operator password pair, if applicable for your system). 2. Exit from the current console session. A Manager password pair will now be needed for full access to the console. If you do steps 1 and 2, above, then the next time a console session is started for either the menu interface or the CLI, a prompt appears for a password.
PAGE 30
Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Console Passwords Figure 2-1. The Set Password Screen 2. To set a new password: a. Select Set Manager Password or Set Operator Password. You will then be prompted with Enter new password. b.
PAGE 31
Configuring Username and Password Security Configuring Local Password Security If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter. If you do not have physical access to the switch, you will need Manager-Level access: 1. Enter the console at the Manager level. 2. Go to the Set Passwords screen as described above. 3.
PAGE 32
Configuring Username and Password Security Configuring Local Password Security To Remove Password Protection. Removing password protection means to eliminate password security. This command prompts you to verify that you want to remove one or both passwords, then clears the indicated password(s). (This command also clears the username associated with a password you are removing.
PAGE 33
Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together). The ability to disable Password Recovery is also provided for situations which require a higher level of switch security.
PAGE 34
Configuring Username and Password Security Front-Panel Security As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions The front panel of the switch includes the Reset button and the Clear button.
PAGE 35
Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch. To do this: 1. Press and hold the Reset button. Reset 2.
PAGE 36
Configuring Username and Password Security Front-Panel Security 3. Release the Reset button and wait for about one second for the Self-Test LED to start flashing. Reset Clear Self Test 4. When the Self-Test LED begins flashing, release the Clear button . Reset Clear Self Test This process restores the switch configuration to the factory default settings.
PAGE 37
Configuring Username and Password Security Front-Panel Security • Modify the operation of the Reset+Clear combination (page 2-9) so that the switch still reboots, but does not restore the switch’s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.) • Disable or re-enable Password Recovery.
PAGE 38
Configuring Username and Password Security Front-Panel Security For example, show front-panel-security produces the following output when the switch is configured with the default front-panel security settings. Figure 2-7.
PAGE 39
Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. • Specifies whether the switch reboots if the Clear button is pressed.
PAGE 40
Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-onclear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-9.
PAGE 41
Configuring Username and Password Security Front-Panel Security The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. Completes the command to disable the factory reset option. Displays the current frontpanel-security configuration, with Factory Reset disabled. Figure 2-10.
PAGE 42
Configuring Username and Password Security Front-Panel Security Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form of the command) disables the ability to recover a lost password. When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password.
PAGE 43
Configuring Username and Password Security Front-Panel Security Figure 2-11. Example of the Steps for Disabling Password-Recovery Password Recovery Process If you have lost the switch’s manager username/password, but passwordrecovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by ProCurve.
PAGE 44
Configuring Username and Password Security Front-Panel Security — This page is intentionally unused.
PAGE 45
3 Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 How Web and MAC Authentication Operate . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 46
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Overview Overview Feature Default Menu CLI Web Configure Web Authentication n/a — 3-17 — Configure MAC Authentication n/a — 3-22 — Display Web Authentication Status and Configuration n/a — 3-26 — Display MAC Authentication Status and Configuration n/a — 3-27 — Applicable Switch Models.
PAGE 47
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Overview MAC Authentication (MAC-Auth). This method grants access to a secure network by authenticating devices for access to the network. When a device connects to the switch, either by direct link or through the network, the switch forwards the device’s MAC address to the RADIUS server for authentication.
PAGE 48
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Overview General Features Web and MAC Authentication on the ProCurve Series 2600, 2600-PWR, and 2800 switches include the following: 3-4 ■ On a port configured for Web or MAC Authentication, the switch operates as a port-access authenticator using a RADIUS server and the CHAP protocol. Inbound traffic is processed by the switch alone, until authentication occurs.
PAGE 49
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches How Web and MAC Authentication Operate How Web and MAC Authentication Operate Authenticator Operation Before gaining access to the network clients first present their authentication credentials to the switch. The switch then verifies the supplied credentials with a RADIUS authentication server. Successfully authenticated clients receive access to the network, as defined by the System Administrator.
PAGE 50
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches How Web and MAC Authentication Operate Figure 3-2. Progress Message During Authentication If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. If specified, the client is redirected to a specific URL (redirect-url). Figure 3-3.
PAGE 51
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches How Web and MAC Authentication Operate moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authorized port take affect at the end of the session.
PAGE 52
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches How Web and MAC Authentication Operate 4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate).
PAGE 53
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN.
PAGE 54
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Operating Rules and Notes Operating Rules and Notes ■ ■ Note on Port Access M a na g e m e nt • Web Authentication • MAC Authentication • 802.1X Order of Precedence for Port Access Management (highest to lowest): • MAC lockout • MAC lockdown or Port Security • Port-based Access Control (802.
PAGE 55
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Operating Rules and Notes 2. 3. 4. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships. If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
PAGE 56
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches General Setup Procedure for Web/MAC Authentication N o t e o n Web / MAC A u t h e n t i c a t i on and LACP The switch does not allow Web or MAC Authentication and LACP to both be enabled at the same time on the same port. The switch automatically disables LACP on ports configured for Web or MAC Authentication.
PAGE 57
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches General Setup Procedure for Web/MAC Authentication a. If you configure the RADIUS server to assign a VLAN for an authenticated client, this assignment overrides any VLAN assignments configured on the switch while the authenticated client session remains active. Note that the VLAN must be statically configured on the switch. b.
PAGE 58
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches General Setup Procedure for Web/MAC Authentication Additional Information for Configuring the RADIUS Server To Support MAC Authentication On the RADIUS server, configure the client device authentication in the same way that you would any other client, except: ■ Configure the client device’s (hexadecimal) MAC address as both username and password. Be careful to configure the switch to use the same format that the RADIUS server uses.
PAGE 59
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring the Switch To Access a RADIUS Server Configuring the Switch To Access a RADIUS Server RADIUS Server Configuration Commands radius-server [host ] below [key < global-key-string >] below radius-server host key 3-15 This section describes the minimal commands for configuring a RADIUS server to support Web-Auth and MAC Auth.
PAGE 60
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring the Switch To Access a RADIUS Server Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key, above.
PAGE 61
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring Web Authentication Configuring Web Authentication This feature is available only on the Series 2600, 2600-PWR, and 2800 switches. Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authentication.
PAGE 62
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring Web Authentication Configure the Switch for Web-Based Authentication Command Page Configuration Level aaa port-access web-based dhcp-addr 3-18 aaa port-access web-based dhcp-lease 3-18 [no] aaa port-access web-based [e] < port-list > 3-19 [auth-vid] 3-19 [client-limit] 3-19 [client-moves] 3-19 [logoff-period] 3-20 [max-requests] 3-20 [max-retries] 3-20 [quiet-period] 3-20 [reauth-period] 3-20 [reau
PAGE 63
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring Web Authentication Syntax: [no] aaa port-access web-based [e] < port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable webbased authentication on the specified ports. Syntax: aaa port-access web-based [e] < port-list> [auth-vid ]] no aaa port-access web-based [e] < port-list> [auth-vid] Specifies the VLAN to use for an authorized client.
PAGE 64
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring Web Authentication Syntax: aaa port-access web-based [e] < port-list > [logoff-period] <60-9999999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its preauthentication state.
PAGE 65
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring Web Authentication Syntax: aaa port-access web-based [e] < port-list > [redirect-url ] no aaa port-access web-based [e] < port-list > [redirect-url] Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. ProCurve recommends that you provide a redirect URL when using Web Authentication.
PAGE 66
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch This feature is available only on the Series 2600, 2600-PWR, and 2800 Switches. Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2.
PAGE 67
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring MAC Authentication on the Switch Configure the Switch for MAC-Based Authentication Command Page Configuration Level aaa port-access mac-based addr-format 3-23 [no] aaa port-access mac-based [e] < port-list > 3-23 [addr-limit] 3-24 [addr-moves] 3-24 [auth-vid] 3-24 [logoff-period] 3-24 [max-requests] 3-24 [quiet-period] 3-25 [reauth-period] 3-25 [reauthenticate] 3-25 [server-timeout] 3-25 [unauth-vi
PAGE 68
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-32>] Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1) Syntax: [no] aaa port-access mac-based [e] < port-list > [addr-moves] Allows client moves between the specified ports under MAC Auth control. When enabled, the switch allows addresses to move without requiring a re-authentication.
PAGE 69
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [quiet-period <1 - 65535>] Specifies the time period, in seconds, the switch should wait before attempting an authentication request for a MAC address that failed authentication.
PAGE 70
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Status and Configuration of Web-Based Authentication Show Status and Configuration of Web-Based Authentication Command Page show port-access [port-list] web-based 3-26 [clients] 3-26 [config] 3-26 [config [auth-server]] 3-27 [config [web-server]] 3-27 show port-access port-list web-based config detail Syntax: 3-27 show port-access [port-list] web-based Shows the status of all Web-Authentication enabled ports or th
PAGE 71
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.
PAGE 72
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] mac-based [clients]] Shows the port address, MAC address, session status, and elapsed session time for attached clients on all ports or the specified ports. Ports with multiple clients have an entry for each attached client. Ports without any attached clients are not listed.
PAGE 73
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Client Status Show Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Connection Possible Explanations authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires. authenticating Switch only Pending RADIUS request.
PAGE 74
Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches Show Client Status — This page is intentionally unused.
PAGE 75
4 TACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . . . . . 4-3 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Configuring TACACS+ on the Switch . . . . . . . . . . . . . . .
PAGE 76
TACACS+ Authentication Configuring TACACS+ on the Switch Overview Feature Default Menu CLI Web view the switch’s authentication configuration n/a — page 4-9 — view the switch’s TACACS+ server contact configuration n/a — page 4-10 — configure the switch’s authentication methods disabled — page 4-11 — configure the switch to contact TACACS+ server(s) disabled — page 4-15 — TACACS+ authentication enables you to use a central server to allow or deny access to the switch (and other TACAC
PAGE 77
TACACS+ Authentication Configuring TACACS+ on the Switch tion services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/write) privilege level access. Notes The software does not support TACACS+ authorization or accounting services. TACACS+ does not affect web browser interface access.
PAGE 78
TACACS+ Authentication Configuring TACACS+ on the Switch 4-4 • Local Authentication: This method uses username/password pairs configured locally on the switch; one pair each for managerlevel and operator-level access to the switch. You can assign local usernames and passwords through the CLI or web browser interface. (Using the menu interface you can assign a local password, but not a username.
PAGE 79
TACACS+ Authentication Configuring TACACS+ on the Switch General System Requirements To use TACACS+ authentication, you need the following: Notes ■ A TACACS+ server application installed and configured on one or more servers or management stations in your network. (There are several TACACS+ software packages available.) ■ A switch configured for TACACS+ authentication, with access to one or more TACACS+ servers.
PAGE 80
TACACS+ Authentication Configuring TACACS+ on the Switch other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Troubleshooting chapter of the Management and Configuration Guide for your switch. 1.
PAGE 81
TACACS+ Authentication Configuring TACACS+ on the Switch Note on Privil ege Levels When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of “15” as authorization for the Manager (read/write) privilege level access. Privilege level codes of 14 and lower result in Operator (read-only) access.
PAGE 82
TACACS+ Authentication Configuring TACACS+ on the Switch configuration in your TACACS+ server application for mis-configurations or missing data that could affect the server’s interoperation with the switch. 8. After your testing shows that Telnet access using the TACACS+ server is working properly, configure your TACACS+ server application for console access. Then test the console access.
PAGE 83
TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication 4-9 show tacacs 4-10 aaa authentication pages 4-11 through 4-14 console Telnet num-attempts <1-10 > tacacs-server pages 4-15 host < ip-addr > pages 4-15 key 4-19 timeout < 1-255 > 4-20 Viewing the Switch’s Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary acce
PAGE 84
TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact.
PAGE 85
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied).
PAGE 86
TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-1. AAA Authentication Parameters Name Default Range Function console - or telnet n/a n/a Specifies whether the command is configuring authentication for the console port or Telnet access method for the switch. enable - or login n/a n/a Specifies the privilege level for the access method being configured.
PAGE 87
TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Privilege Level Authentication Options Console — Login Console — Enable Telnet — Login Telnet — Enable Effect on Access Attempts Primary Secondary local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. local none* Local username/password access only.
PAGE 88
TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server. Secondary using Local.
PAGE 89
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these parameters: Note ■ The host IP address(es) for up to three TACACS+ servers; one firstchoice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server. ■ An optional encryption key.
PAGE 90
TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [key < key-string >] Adds a TACACS+ server and optionally assigns a server-specific encryption key. [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its serverspecific encryption key, if any). tacacs-server key Enters the optional global encryption key. [no] tacacs-server key Removes the optional global encryption key.
PAGE 91
TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-3. Details on Configuring TACACS Servers and Keys Name Default Range tacacs-server host none n/a This command specifies the IP address of a device running a TACACS+ server application. Optionally, it can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key.
PAGE 92
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range [ key ] none (null) n/a Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server” key.
PAGE 93
TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-5. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.
PAGE 94
TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs-server host 10.28.227.104 Note The show tacacs command lists the global encryption key, if configured.
PAGE 95
TACACS+ Authentication Configuring TACACS+ on the Switch Using figure 4-6, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: 1. The switch queries the first-choice TACACS+ server for authentication of the request. • If the switch does not receive a response from the first-choice TACACS+ server, it attempts to query a secondary server.
PAGE 96
TACACS+ Authentication Configuring TACACS+ on the Switch Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists: ■ “Local” is the authentication option for the access method being used. ■ TACACS+ is the primary authentication mode for the access method being used.
PAGE 97
TACACS+ Authentication Configuring TACACS+ on the Switch Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”) helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.
PAGE 98
TACACS+ Authentication Configuring TACACS+ on the Switch For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch: ProCurve(config)# tacacs-server key north40campus Suppose that you subsequently add a third TACACS+ server (with an IP address of 10.28.
PAGE 99
TACACS+ Authentication Configuring TACACS+ on the Switch Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application.
PAGE 100
TACACS+ Authentication Configuring TACACS+ on the Switch ■ 4-26 When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not accessible— setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthorized persons.
PAGE 101
5 RADIUS Authentication and Accounting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 102
RADIUS Authentication and Accounting Overview Overview Default Menu CLI Web Configuring RADIUS Authentication Feature None n/a 5-6 n/a Configuring RADIUS Accounting None n/a 5-17 n/a n/a n/a 5-25 n/a Viewing RADIUS Statistics RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server employed.
PAGE 103
RADIUS Authentication and Accounting Terminology Terminology CHAP (Challenge-Handshake Authentication Protocol): A challengeresponse authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a challenge from a RADIUS server. EAP (Extensible Authentication Protocol): A general PPP authentication protocol that supports multiple authentication mechanisms.
PAGE 104
RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Switch Operating Rules for RADIUS 5-4 ■ You must have at least one RADIUS server accessible to the switch. ■ The switch supports authentication and accounting using up to three RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius (page 5-25). If the first server does not respond, the switch tries the next one, and so-on.
PAGE 105
RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: Table 5-1. 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring the switch, collect the information outlined below. Preparation for Configuring RADIUS on the Switch • Determine the access methods (console, Telnet, Port-Access (802.
PAGE 106
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. ProCurve recommends that you begin with the default (five seconds). • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.
PAGE 107
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. 2. Note Configure RADIUS authentication for controlling access through one or more of the following • Serial port • Telnet • SSH • Web browser interface (2600, 2600-PWR, and 2800 switches running software releases H.08.58 and I.08.60 or greater) • Port-Access (802.
PAGE 108
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Server Dead-Time: The period during which the switch will not send new authentication requests to a RADIUS server that has failed to respond to a previous request. This avoids a wait for a request to time out on a server that is unavailable. If you want to use this feature, select a dead-time period of 1 to 1440 minutes. (Default: 0—disabled; range: 1 - 1440 minutes.
PAGE 109
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa authentication < console | telnet | ssh | web > < enable | login > < radius > Configures RADIUS as the primary password authentication method for console, Telnet, SSH and/or the Web browser interface. (The default primary < enable | login > authentication is local.) [< local | none >] Provides options for secondary authentication (default: none).
PAGE 110
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 5-17: “Configuring RADIUS Accounting” instead of continuing here.
PAGE 111
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in figure 5-3 and you now need to make the following changes: 1. Change the encryption key for the server at 10.33.18.127 to “source0127”. 2. Add a RADIUS server with an IP address of 10.33.18.119 and a serverspecific encryption key of “source0119”. Figure 5-3.
PAGE 112
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch’s Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: 5-12 ■ Number of login attempts: In a given session, specifies how many tries at entering the correct username and password pair are allowed before access is denied and the session terminated. (This is a general aaa authentication parameter and is not specific to RADIUS.
PAGE 113
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Syntax: aaa authentication num-attempts < 1 - 10 > Specifies how many tries for entering the correct username and password before shutting down the session due to input errors. (Default: 3; Range: 1 - 10). [no] radius-server key < global-key-string > Specifies the global encryption key the switch uses with servers for which the switch does not have a serverspecific key assignment.
PAGE 114
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose that your switch is configured to use three RADIUS servers for authenticating access through Telnet and SSH. Two of these servers use the same encryption key. In this case your plan is to configure the switch with the following global authentication parameters: ■ Allow only two tries to correctly enter username and password.
PAGE 115
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication ProCurve# show authentication Status and Counters - Authentication Information After two attempts failing due to username or password entry errors, the switch will terminate the session.
PAGE 116
RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: ■ “Local” is the authentication option for the access method being used. ■ The switch has been configured to query one or more RADIUS servers for a primary authentication request, but has not received a response, and local is the configured secondary option.
PAGE 117
RADIUS Authentication and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication Controlling Web Browser Interface Access When Using RADIUS Authentication To prevent unauthorized access through the web browser interface, do one or more of the following: ■ For Series 2600, 2600-PWR, and Series 2800 switches, configure RADIUS authentication access (software releases H.08.58 and I.08.60 or greater).
PAGE 118
RADIUS Authentication and Accounting Configuring RADIUS Accounting Note This section assumes you have already: ■ Configured RADIUS authentication on the switch for one or more access methods ■ Configured one or more RADIUS servers to support the switch If you have not already done so, refer to “General RADIUS Setup Procedure” on page 5-5 before continuing here.
PAGE 119
RADIUS Authentication and Accounting Configuring RADIUS Accounting The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server. For more information on this aspect of RADIUS accounting, refer to the documentation provided with your RADIUS server. Operating Rules for RADIUS Accounting ■ You can configure up to three types of accounting to run simultaneously: exec, system, and network.
PAGE 120
RADIUS Authentication and Accounting Configuring RADIUS Accounting – 2. 3. Optional—if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are designating, configure a server-specific key. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server.
PAGE 121
RADIUS Authentication and Accounting Configuring RADIUS Accounting Syntax: [no] radius-server host < ip-address > Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. [acct-port < port-number >] Optional. Changes the UDP destination port for accounting requests to the specified RADIUS server. If you do not use this option, the switch automatically assigns the default accounting port number. (Default: 1813) [key < key-string >] Optional.
PAGE 122
RADIUS Authentication and Accounting Configuring RADIUS Accounting Because the radius-server command includes an acct-port element with a nondefault 1750, the switch assigns this value to the accounting port UDP port numbers. Because auth-port was not included in the command, the authentication UDP port is set to the default 1812. Figure 5-7.
PAGE 123
RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Start-Stop: • Send a start record accounting notice at the beginning of the accounting session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (Network, Exec, or System). • Do not wait for an acknowledgement.
PAGE 124
RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additional control over accounting data. ■ Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server. ■ Suppress: The switch can suppress accounting for an unknown user having no username.
PAGE 125
RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which. requires prior use of the radius-server host command. (See “Configuring RADIUS Accounting” on page 5-17.) Figure 5-10.
PAGE 126
RADIUS Authentication and Accounting Viewing RADIUS Statistics Table 5-2. Values for Show Radius Host Output (Figure 5-11) Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the AccountingRequest that matched it from this RADIUS accounting server. Pending Requests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
PAGE 127
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Syntax: show authentication Displays the primary and secondary authentication methods configured for the Console, Telnet, Port-Access (802.1X), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session. show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.
PAGE 128
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppression status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) configured in the switch (using the radius-server host command). show accounting sessions Lists the accounting sessions currently active on the switch. Figure 5-14.
PAGE 129
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.
PAGE 130
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: 1. Delete 10.10.10.003 from the list. This opens the third (lowest) position in the list. 2. Delete 10.10.10.001 from the list. This opens the first (highest) position in the list. 3. Re-enter 10.10.10.003.
PAGE 131
RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is accessible, then verify that the switch is using the correct encryption key and that the server is correctly configured to receive an authentication request from the switch.
PAGE 132
RADIUS Authentication and Accounting Messages Related to RADIUS Operation — This page is intentionally unused.
PAGE 133
6 Configuring Secure Shell (SSH) Contents Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4 Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 134
Configuring Secure Shell (SSH) Overview Overview Feature Generating a public/private key pair on the switch Using the switch’s public key Default Menu CLI Web No n/a page 6-10 n/a n/a n/a page 6-12 n/a Enabling SSH Disabled n/a page 6-15 n/a Enabling client public-key authentication Disabled n/a pages 6-19, 6-21 n/a Enabling user authentication Disabled n/a page 6-18 n/a The ProCurve switches covered in this guide use Secure Shell version 1 or 2 (SSHv1 or SSHv2) to provide remot
PAGE 135
Configuring Secure Shell (SSH) Overview Note SSH in the ProCurve is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http://www.openssh.com. Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication show in figure 6-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key. As in figure 6-1, the switch authenticates itself to SSH clients.
PAGE 136
Configuring Secure Shell (SSH) Terminology Terminology 6-4 ■ SSH Server: A ProCurve switch with SSH enabled. ■ Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key, that can be read by anyone and a private key, that is held internally in the switch or by a client. ■ PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted client public-key that has been encoded for portability and efficiency.
PAGE 137
Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), then the client program must have the capability to generate or import keys.
PAGE 138
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 6-1.
PAGE 139
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 6-9). 2. Generate a public/private key pair on the switch (page 6-10). You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. (You can remove or replace this key pair, if necessary.) 3.
PAGE 140
Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes 6-8 ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store ten keys client key pairs. ■ The switch’s own public/private key pair and the (optional) client public key file are stored in the switch’s flash memory and are not affected by reboots or the erase startup-config command.
PAGE 141
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 6-17 show crypto client-public-key [keylist-str] [< babble | fingerprint >] 6-24 show crypto host-public-key [< babble | fingerprint >] 6-14 show authentication 6-21 crypto key < generate | zeroize > ssh [rsa] 6-11 ip ssh 6-16 key-size < 512 | 768 | 1024 > 6-16 port < 1 - 65535|default > 6-16 timeout < 5 - 120 > 6-16 versi
PAGE 142
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-5. Example of Configuring Local Passwords 2. Generate the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.
PAGE 143
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be "permanent"; that is, avoid re-generating the key pair without a compelling reason.
PAGE 144
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch Version 1 and Version 2 Views of Same Host Public Key Figure 6-6. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key' displays data in two different formats because your client may store it in either of these formats after learning the key.
PAGE 145
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below.
PAGE 146
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Inserted IP Address Bit Size Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Exponent Modulus Figure 6-9. Example of a Switch Public Key Edited To Include the Switch’s IP Address For more on this topic, refer to the documentation provided with your SSH client application.
PAGE 147
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 6-10. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 6-10 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host” file. The switch has only one RSA host key.
PAGE 148
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client, your client’s first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing.
PAGE 149
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 6-17. [timeout < 5 - 120 >] The SSH login timeout value (default: 120 seconds). [version <1 | 2 | 1-or-2 > The version of SSH to accept connections from. (default: 1-or-2) The ip ssh key-size command affects only a per-session, internal server key the switch creates, uses, and discards.
PAGE 150
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you. SSH does not protect the switch from unauthorized access via the web interface, Telnet, SNMP, or the serial port.
PAGE 151
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< local | none >] Configures a password method for the primary and secondary login (Operator) access. If you do not specify a secondary method, it defaults to none. If the primary method is local, the secondary method is always none, which may or may not be specified.
PAGE 152
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: copy tftp pub-key-file < ip-address > < filename > Copies a public key file into the switch. aaa authentication ssh login public-key < none > Configures the switch to authenticate a client public-key for primary login (Operator) access. When the primary method is public-key, the secondary method is always none, which may or may not be specified.
PAGE 153
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Figure 6-13 shows how to check the results of the above commands. Lists the current SSH authentication configuration. Client Key Index Number Shows the contents of the public key file downloaded with the copy tftp command in figure 6-12. In this example, the file contains two client public-keys. Figure 6-13. SSH Configuration and Client-Public-Key Listing From Figure 6-12 6.
PAGE 154
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication When configured for SSH operation, the switch automatically attempts to use its own host public-key to authenticate itself to SSH clients. To provide the optional, opposite service—client public-key authentication to the switch—you can configure the switch to store up to ten RSA or DSA public keys for authenticating clients.
PAGE 155
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 7. a. Combines the decrypted byte sequence with specific session data. b. Uses a secure hash algorithm to create a hash version of this information. c. Returns the hash version to the switch. The switch computes its own hash version of the data in step 6 and compares it to the client’s hash version. If they match, then the client is authenticated. Otherwise, the client is denied access.
PAGE 156
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 1. Use your SSH client application to create a public/private key pair. Refer to the documentation provided with your SSH client application for details. The switch supports the following client-public-key properties: Property Supported Value Comments Key Format ASCII See figure 6-8 on page 6-13. The key must be one unbroken ASCII string.
PAGE 157
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: copy tftp pub-key-file Copies a public key file from a TFTP server into flash memory in the switch. show crypto client-public-key [babble | fingerprint] Displays the client public key(s) in the switch’s current client-public-key file. The babble option converts the key data to phonetic hashes that are easier for visual comparisons.
PAGE 158
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Enabling Client Public-Key Authentication. After you TFTP a clientpublic-key file into the switch (described above), you can configure the switch to allow one of the following: ■ If an SSH client’s public key matches the switch’s client-public-key file, allow that client access to the switch. If there is not a public-key match, then deny access to that client.
PAGE 159
Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. Indicates an error in communicating with the tftp server or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • Incorrect IP address in the command • Case (upper/lower) error in the filename used in the command • Incorrect configuration on the TFTP server • The file is not in the expected location.
PAGE 160
Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning Generating new RSA host key. If the cache is depleted, this could take up to two minutes. After you execute the crypto key generate ssh [rsa] command, the switch displays this message while it is generating the key. Host RSA key file corrupt or not found. Use 'crypto key generate ssh rsa' to create new host key. The switch’s key is missing or corrupt.
PAGE 161
7 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 Steps for Configuring and Using SSL for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . .
PAGE 162
Configuring Secure Socket Layer (SSL) Overview Overview Feature Generating a Self Signed Certificate on the switch Generating a Certificate Request on the switch Enabling SSL Default Menu CLI Web No n/a page 7-9 page 7-13 No n/a n/a page 7-15 Disabled n/a page 7-17 page 7-19 The ProCurve switches covered by this manual use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security(TLSv1) to provide remote web access to the switches via encrypted paths between the switch
PAGE 163
Configuring Secure Socket Layer (SSL) Terminology 1. Switch-to-Client SSL Cert. ProCurve Switch SSL Client Browser 2. User-to-Switch (login password and enable password authentication) options: – Local – TACACS+ – RADIUS (SSL Server) Figure 7-1. Switch/User Authentication SSL on the ProCurve switches supports these data encryption methods: Note: ■ 3DES (168-bit, 112 Effective) ■ DES (56-bit) ■ RC4 (40-bit, 128-bit) ProCurve switches use RSA public key algorithms and Diffie-Hellman.
PAGE 164
Configuring Secure Socket Layer (SSL) Terminology 7-4 ■ Self-Signed Certificate: A certificate not verified by a third-party certificate authority (CA). Self-signed certificates provide a reduced level of security compared to a CA-signed certificate. ■ CA-Signed Certificate: A certificate verified by a third party certificate authority (CA). Authenticity of CA-Signed certificates can be verified by an audit trail leading to a trusted root certificate.
PAGE 165
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the computer(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include: A. Client Preparation 1.
PAGE 166
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes 7-6 ■ Once you generate a certificate on the switch you should avoid regenerating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all management stations (clients) you previously set up for SSL access to the switch. In some situations this can temporarily allow security breaches.
PAGE 167
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl page 7-19 show config page 7-19 show crypto host-cert page 7-12 crypto key generate cert [rsa] <512 | 768 |1024> page 7-10 zeroize cert page 7-10 crypto host-cert generate self-signed [arg-list] page 7-10 zeroize page 7-10 1.
PAGE 168
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface refer to the chapter titled “Using the Web Browser Interface” in the Management and Configuration Guide for your switch. Security Tab Password Button Figure 7-2. Example of Configuring Local Passwords 1.
PAGE 169
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generate the Switch’s Server Host Certificate You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch.
PAGE 170
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the CLI Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate automatically disables SSL. CLI commands used to generate a Server Host Certificate.
PAGE 171
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on Certificate Fields. There are a number arguments used in the generation of a server certificate. table 7-1, “Certificate Field Descriptions” describes these arguments. Table 7-1. Certificate Field Descriptions Field Name Description Valid Start Date This should be the date you desire to begin using the SSL functionality.
PAGE 172
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Notes “Zeroizing” the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation. CLI Command to view host certificates.
PAGE 173
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Generate a Self-Signed Host Certificate with the Web browser interface You can configure SSL from the web browser interface. For more information on how to access the web browser interface, refer to the chapter titled “Using the Web Browser Interface” in the Management and Configuration Guide for your switch. To generate a self signed host certificate from the web browser interface: i.
PAGE 174
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers interface: Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments Figure 7-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface: 7-14 1. Proceed to the Security tab 2.
PAGE 175
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 7-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web Browser Interface This section describes how to install a CA-Signed server host certificate from the web browser interface.
PAGE 176
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.
PAGE 177
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMB
PAGE 178
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generate the Switch’s Server Host Certificate” on page 7-9.
PAGE 179
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443). Important: See “Note on Port Number” on page 7-20. show config Shows status of the SSL server. When enabled, webmanagement ssl appears in the config list. To enable SSL on the switch 1.
PAGE 180
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and port number Selection Figure 7-8. Using the web browser interface to enable SSL and select TCP port number Note on Port Num b er ProCurve recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to specify any TCP port for SSL connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http).
PAGE 181
Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup Common Errors in SSL Setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 7-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host certificate. (Refer to “Generate a SelfSigned Host Certificate with the Web browser interface” on page 7-13.) You may be using a reserved TCP port.
PAGE 182
Configuring Secure Socket Layer (SSL) Common Errors in SSL Setup — This page is intentionally unused.
PAGE 183
8 Configuring Port-Based Access Control (802.1X) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Why Use Port-Based Access Control? . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 How 802.1X Operates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 184
Configuring Port-Based Access Control (802.1X) Contents Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-34 Displaying 802.1X Configuration, Statistics, and Counters . . . . . . . . . . . . 8-38 Show Commands for Port-Access Authenticator . . . . . . . . . . . . . . . . 8-38 Viewing 802.1X Open VLAN Mode Status . . . . . . . . . . . . . . . . . . . . . . 8-40 Show Commands for Port-Access Supplicant . . . .
PAGE 185
Configuring Port-Based Access Control (802.1X) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1X Authenticators Disabled n/a page 8-15 n/a Configuring 802.1X Open VLAN Mode Disabled n/a page 8-21 n/a Configuring Switch Ports to Operate as 802.1X Supplicants Disabled n/a page 8-34 n/a n/a n/a page 8-38 n/a n/a n/a page 8-44 n/a Displaying 802.1X Configuration, Statistics, and Counters How 802.
PAGE 186
Configuring Port-Based Access Control (802.1X) Overview ■ Local authentication of 802.1X clients using the switch’s local username and password (as an alternative to RADIUS authentication). ■ Temporary on-demand change of a port’s VLAN membership status to support a current client’s session. (This does not include ports that are members of a trunk.) ■ Session accounting with a RADIUS server, including the accounting update interval. ■ Use of Show commands to display session counters.
PAGE 187
Configuring Port-Based Access Control (802.1X) Overview Switch Running 802.1X and Operating as an Authenticator 802.1X-Aware Client (Supplicant) LAN Core Switch Running 802.1X and Connected as a Supplicant RADIUS Server Figure 8-1. Example of an 802.1X Application Accounting . The switch also provides RADIUS Network accounting for 802.1X access. Refer to “RADIUS Authentication and Accounting” on page 5-1.
PAGE 188
Configuring Port-Based Access Control (802.1X) How 802.1X Operates How 802.1X Operates Authenticator Operation This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode” on page 8-21.
PAGE 189
Configuring Port-Based Access Control (802.1X) How 802.1X Operates Switch-Port Supplicant Operation This operation provides security on links between 802.1X-aware switches. For example, suppose that you want to connect two switches, where: ■ Switch “A” has port A1 configured for 802.1X supplicant operation. ■ You want to connect port A1 on switch “A” to port B5 on switch “B”. Switch “B” Port B5 Port A1 Switch “A” Port A1 Configured as an 802.1X Supplicant LAN Core RADIUS Server Figure 8-2.
PAGE 190
Configuring Port-Based Access Control (802.1X) Terminology • Note A “failure” response continues the block on port B5 and causes port A1 to wait for the “held-time” period before trying again to achieve authentication through port B5. You can configure a switch port to operate as both a supplicant and an authenticator at the same time. Terminology 802.1X-Aware: Refers to a device that is running either 802.1X authenticator software or 802.
PAGE 191
Configuring Port-Based Access Control (802.1X) Terminology EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple authentication methods. EAPOL: Extensible Authentication Protocol Over LAN, 802.1X standard. as defined in the Friendly Client: A client that does not pose a security risk if given access to the switch and your network. MD5: An algorithm for calculating a unique digital signature over a stream of bytes.
PAGE 192
Configuring Port-Based Access Control (802.1X) General Operating Rules and Notes member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unauthorized-Client VLAN. Untagged VLAN Membership: A port can be an untagged member of only one VLAN. (In the factory-default configuration, all ports on the switch are untagged members of the default VLAN.) An untagged VLAN membership is required for a client that does not support 802.
PAGE 193
Configuring Port-Based Access Control (802.1X) General Operating Rules and Notes ■ If a client already has access to a switch port when you configure the port for 802.1X authenticator operation, the port will block the client from further network access until it can be authenticated. ■ On a port configured for 802.1X with RADIUS authentication, if the RADIUS server specifies a VLAN for the supplicant and the port is a trunk member, the port will be blocked.
PAGE 194
Configuring Port-Based Access Control (802.1X) General Setup Procedure for Port-Based Access Control (802.1X) General Setup Procedure for Port-Based Access Control (802.1X) Do These Steps Before You Configure 802.1X Operation 8-12 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.
PAGE 195
Configuring Port-Based Access Control (802.1X) General Setup Procedure for Port-Based Access Control (802.1X) Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to “RADIUS Authentication and Accounting” on page 5-1 or “Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches” on page 8-34. 1. Enable 802.
PAGE 196
Configuring Port-Based Access Control (802.1X) General Setup Procedure for Port-Based Access Control (802.1X) 8-14 7. If you are using Port Security on the switch, configure the switch to allow only 802.1X access on ports configured for 802.1X operation, and (if desired) the action to take if an unauthorized device attempts access through an 802.1X port. See page 8-32. 8. If you want a port on the switch to operate as a supplicant in a connection with a port operating as an 802.
PAGE 197
Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Configuring Switch Ports as 802.1X Authenticators 802.
PAGE 198
Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Syntax: aaa port-access authenticator < port-list > Enables specified ports to operate as 802.1X authenticators with current per- port authenticator configuration. To activate configured 802.1X operation, you must enable 802.1X authentication. Refer to “5. Enable 802.1X Authentication on the switch” on page 8-13.
PAGE 199
Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Sets the period of time the switch waits for a supplicant response to an EAP re quest. If the supplicant does not respond within the configured time frame, the session times out. (Default: 30 seconds) aaa port-access authenticator < port-list > (Syntax Continued) [server-timeout < 1 - 300 >] Sets the period of time the switch waits for a server response to an authentication request.
PAGE 200
Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Configures an existing, static VLAN to be the Authorized-Client VLAN. Refer to “802.1X Open VLAN Mode” on page 8-21. aaa port-access authenticator < port-list > (Syntax Continued) [initialize] On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process. This happens only on ports configured with control auto and actively operating as 802.1X authenticators.
PAGE 201
Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator. Syntax: aaa authentication port-access < local | eap-radius | chap-radius > Determines the type of RADIUS authentication to use.
PAGE 202
Configuring Port-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, refer to “RADIUS Authentication and Accounting” on page 5-1.
PAGE 203
Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 8-15 802.1X Supplicant Commands page 8-35 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator [e] < port-list > page 8-30 [auth-vid < vlan-id >] [unauth-vid < vlan-id >] 802.1X-Related Show Commands page 8-38 RADIUS server configuration pages 8-20 This section describes how to use the 802.
PAGE 204
Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode 1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during authentication. 2. 2nd Priority: If RADIUS authentication does not include assigning the port to a VLAN, then the switch assigns the port to the VLAN entered in the port’s 802.1X configuration as an Authorized-Client VLAN, if configured. 3.
PAGE 205
Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 8-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN • When the port detects a client, it automatically becomes an untagged member of this VLAN.
PAGE 206
Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
PAGE 207
Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as AuthorizedThese must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1X authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.
PAGE 208
Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Authorized-Client VLAN session on untagged port VLAN membership. • When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Authorized-Client VLAN (also untagged). While the Authorized-Client VLAN is in use, the port does not have access to the statically configured, untagged VLAN.
PAGE 209
Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 8-1 on page 8-23 for other options. Before you configure the 802.1X Open VLAN mode on a port: ■ Caution Statically configure an “Unauthorized-Client VLAN” in the switch.
PAGE 210
Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode ■ Ensure that the switch is connected to a RADIUS server configured to support authentication requests from clients using ports configured as 802.1X authenticators. (The RADIUS server should not be on the Unauthorized-Client VLAN.) Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication.
PAGE 211
Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > Adds a server to the RADIUS configuration. [key < server-specific key-string >] Optional. Specifies an encryption key for use with the specified server. This key must match the key used on the RADIUS server.
PAGE 212
Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 8-27. Syntax: aaa port-access authenticator [e] < port-list > [auth-vid < vlan-id >] Configures an existing, static VLAN to be the AuthorizedClient VLAN.
PAGE 213
Configuring Port-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 8-40. 802.1X Open VLAN Operating Notes ■ Although you can configure Open VLAN mode to use the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended.
PAGE 214
Configuring Port-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices ■ If an authenticated client loses authentication during a session in 802.1X Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN. If there is no Unauthorized-Client VLAN configured, then the client loses access to the port until it can reauthenticate itself. Option For Authenticator Ports: Configure Port-Security To Allow Only 802.
PAGE 215
Configuring Port-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices Note on If the port’s 802.1X authenticator control mode is configured to authorized (as B l o c k i n g a N o n - shown below, instead of auto), then the first source MAC address from any device, whether 802.1X-aware or not, becomes the only authorized device on 80 2 . 1X D e vice the port. aaa port-access authenticator < port-list > control authorized With 802.
PAGE 216
Configuring Port-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands page 8-15 802.1X Supplicant Commands [no] aaa port-access < supplicant < [ethernet] < port-list > [auth-timeout | held-period | start-period | max-start | initialize | identity | secret | clear-statistics] page 8-35 page 8-36 802.
PAGE 217
Configuring Port-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 1. Note When port A1 on switch “A” is first connected to a port on switch “B”, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch “B”. • If, after the supplicant port sends the configured number of start request packets, it does not receive a response, it assumes that switch “B” is not 802.
PAGE 218
Configuring Port-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring a Supplicant Switch Port. Note that you must enable supplicant operation on a port before you can change the supplicant configuration. This means you must execute the supplicant command once without any other parameters, then execute it again with a supplicant parameter you want to configure.
PAGE 219
Configuring Port-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [auth-timeout < 1 - 300 >] Sets the period of time the port waits to receive a challenge from the authenticator. If the request times out, the port sends another authentication request, up to the number of attempts specified by the max-start parameter. (Default: 30 seconds).
PAGE 220
Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 8-15 802.1X Supplicant Commands page 8-34 802.1X Open VLAN Mode Commands page 8-21 802.1X-Related Show Commands show port-access authenticator below show port-access supplicant page 8-43 Details of 802.
PAGE 221
Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [[e] < port-list >] Shows: • Whether port-access authenticator is active • The 802.1X configuration of the ports configured as 802.1X authenticators If you do not specify < port-list >, the command lists all ports configured as 802.1X port-access authenticators. Does not display data for a specified port that is not enabled as an authenticator.
PAGE 222
Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show portaccess authenticator and show vlan < vlan-id > commands as illustrated in this section. Figure 8-5 shows an example of show port-access authenticator output, and table 8-1 describes the data that this command displays.
PAGE 223
Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters ■ When the Unauth VLAN ID is configured and matches the Current VLAN ID in the above command output, an unauthenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Unauth VLAN.
PAGE 224
Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Status Indicator Meaning Unauthorized VLAN < vlan-id >: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated ID port. 0: No unauthorized VLAN has been configured for the indicated port. < vlan-id >: Lists the VID of the static VLAN configured as the authorized VLAN for the indicated port.
PAGE 225
Configuring Port-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [[e] < port-list >] [statistics] show port-access supplicant [[e] < port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < portlist > ports configured on the switch as supplicants. The Supplicant State can include the following: Connecting - Starting authentication.
PAGE 226
Configuring Port-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement. RADIUS authentication for an 802.1X client on a given port can include a (static) VLAN requirement.
PAGE 227
Configuring Port-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1X client requires access to VLAN 22 from port A2. However, access to VLAN 22 is blocked (not untagged or tagged) on port A2 and Figure 8-7.
PAGE 228
Configuring Port-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1X session. This is to accommodate an 802.1X client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22. Note: With the current VLAN configuration (figure 8-7), the only time port A2 appears in this show vlan 22 listing is during an 802.
PAGE 229
Configuring Port-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS-authenticated 802.1X session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored. After the 802.
PAGE 230
Configuring Port-Based Access Control (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation Table 8-3. 802.1X Operating Messages Message Meaning Port < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.1X authenticators. Use this command to enable the ports as authenticators: ProCurve(config)# aaa port-access authenticator e 10 Port < port-list > is not a supplicant.
PAGE 231
9 Configuring and Monitoring Port Security Contents Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2 Blocking Unauthorized Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 232
Configuring and Monitoring Port Security Overview Overview Feature Default Menu CLI Web Displaying Current Port Security n/a — page 9-10 page 9-29 Configuring Port Security disabled — page 9-12 page 9-29 Intrusion Alerts and Alert Flags n/a page 9-34 page 9-36 page 9-36 Using Port Security, you can configure each switch port with a unique list of the MAC addresses of devices that are authorized to access the network through that port.
PAGE 233
Configuring and Monitoring Port Security Overview General Operation for Port Security. On a per-port basis, you can configure security measures to block unauthorized devices, and to send notice of security violations.
PAGE 234
Configuring and Monitoring Port Security Overview Physical Topology Logical Topology for Access to Switch A Switch A Port Security Configured Switch A Port Security Configured PC 1 Switch B MAC Address Authorized by Switch A PC 1 MAC Address Authorized by Switch A MAC Address Authorized by Switch A PC 2 Switch B MAC Address NOT Authorized by Switch A MAC Address Authorized by Switch A PC 3 Switch C MAC Address NOT Authorized by Switch A MAC Address NOT Authorized by Switch A • PC1 can access
PAGE 235
Configuring and Monitoring Port Security Planning Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port and how many devices do you want to allow per port (up to 8)? c.
PAGE 236
Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 9-11 port-security 9-12 < [ethernet] port-list > 9-12 [learn-mode] 9-12 [address-limit] 9-12 [mac-address] 9-12 [action] 9-12 [clear-intrusion-flag] no port-security 9-12 9-12 This section describes the CLI port security command and how the switch acquires and maintains authorized addresses.
PAGE 237
Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > learn-mode < continuous | static | configured | port-access > Continuous (Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from inbound traffic from any device(s) to which it is connected. In this state, the port accepts traffic from any device(s) to which it is connected.
PAGE 238
Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) learn-mode < continuous | static | configured | port-access > (- Continued -) Configured: The static-configured option operates the same as the static-learn option on the preceding page, except that it does not allow the switch to accept non-specified addresses to reach the address limit.
PAGE 239
Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security [e] < port-list > (- Continued -) action < none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a network management station. Operates when: • Learn mode is set to learn-mode static (static-learn) or learn-mode configured (static-configured) and the port detects an unauthorized device. • Learn mode is set to learn-mode continuous and there is a MAC address change on a port.
PAGE 240
Configuring and Monitoring Port Security Port Security Command Options and Operation Retention of Static MAC Addresses Learned MAC Addresses In the following two cases, a port in Static learn mode (learn-mode static) retains a learned MAC address even if you later reboot the switch or disable port security for that port: ■ The port learns a MAC address after you configure the port with learnmode static in both the startup-config file and the running-config file (by executing write memory).
PAGE 241
Configuring and Monitoring Port Security Port Security Command Options and Operation Using the CLI To Display Port Security Settings. Syntax: show port-security show port-security [e] show port-security [e] [-] Without port parameters, show port-security displays operating control settings for all ports on a switch. For example: Figure 9-2.
PAGE 242
Configuring and Monitoring Port Security Port Security Command Options and Operation The following command example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string: ProCurve(config)# show port-security A1-A3,A6,A8 Configuring Port Security Using the CLI, you can: ■ Configure port security and edit security settings.
PAGE 243
Configuring and Monitoring Port Security Port Security Command Options and Operation ProCurve(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable This example configures port A5 to: ■ Allow two MAC addresses, 00c100-7fec00 and 0060b0-889e00, as the authorized devices. ■ Send an alarm to a management station if an intruder is detected on the port.
PAGE 244
Configuring and Monitoring Port Security Port Security Command Options and Operation Although the Address Limit is set to 2, only one device has been authorized for this port. In this case you can add another without having to also increase the Address Limit. The Address Limit has not been reached. Figure 9-4. Example of Adding an Authorized Device to a Port With the above configuration for port A1, the following command adds the 0c0090-456456 MAC address as the second authorized address.
PAGE 245
Configuring and Monitoring Port Security Port Security Command Options and Operation If you are adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port’s current Address Limit setting), then you must increase the Address Limit in order to add the device, even if you want to replace one device with another. Using the CLI, you can simultaneously increase the limit and add the MAC address with a single command.
PAGE 246
Configuring and Monitoring Port Security Port Security Command Options and Operation To remove a device (MAC address) from the “Authorized” list and when the current number of devices equals the Address Limit value, you should first reduce the Address Limit value by 1, then remove the unwanted device. Note When you have configured the switch for learn-mode static operation, you can reduce the address limit below the number of currently authorized addresses on a port.
PAGE 247
Configuring and Monitoring Port Security MAC Lockdown Figure 9-8. Example of Port A1 After Removing One MAC Address MAC Lockdown MAC Lockdown is available on the Series 2600, 2600-PWR, and 2800 switches only. MAC Lockdown, also known as “static addressing,” is the permanent assignment of a given MAC address (and VLAN, or Virtual Local Area Network) to a specific port on the switch. MAC Lockdown is used to prevent station movement and MAC address hijacking. It also controls address learning on the switch.
PAGE 248
Configuring and Monitoring Port Security MAC Lockdown How It Works. When a device’s MAC address is locked down to a port (typically in a pair with a VLAN) all information sent to that MAC address must go through the locked-down port. If the device is moved to another port it cannot receive data. Traffic to the designated MAC address goes only to the allowed port, whether the device is connected to it or not.
PAGE 249
Configuring and Monitoring Port Security MAC Lockdown You cannot perform MAC Lockdown and 802.1x authentication on the same port or on the same MAC address. MAC Lockdown and 802.1x authentication are mutually exclusive. Lockdown is permitted on static trunks (manually configured link aggregations). Differences Between MAC Lockdown and Port Security Because port-security relies upon MAC addresses, it is often confused with the MAC Lockdown feature.
PAGE 250
Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
PAGE 251
Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.
PAGE 252
Configuring and Monitoring Port Security MAC Lockdown Internal Core Network There is no need to lock MAC addresses on switches in the internal core network. 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch 3400cl or 5300xl Switch Network Edge Server “A” Lock Server “A” to these ports. 2600 or 2600-PWR Switch 2800 Switch Edge Devices Mixed Users Figure 9-9. MAC Lockdown Deployed At the Network Edge Provides Security Basic MAC Lockdown Deployment.
PAGE 253
Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
PAGE 254
Configuring and Monitoring Port Security MAC Lockdown Internal Network PROBLEM: If this link fails, traffic to Server A will not use the backup path via Switch 3 Switch 3 Server A Switch 4 Server A is locked down to Switch 1, Uplink 2 Switch 2 Switch 1 External Network M ixed Users Figure 9-10. Connectivity Problems Using MAC Lockdown with Multiple Paths The resultant connectivity issues would prevent you from locking down Server A to Switch 1.
PAGE 255
Configuring and Monitoring Port Security MAC Lockout Displaying status. Locked down ports are listed in the output of the show running-config command in the CLI. The show static-mac command also lists the locked down MAC addresses, as shown below. ProCurve# show static-mac VLAN MAC Address Port 1 001083-34f8fa 9 Number of locked down MAC addresses = 1 ProCurve# Figure 9-11. Listing Locked Down Ports MAC Lockout MAC Lockout is available on the Series 2600, 2600-PWR, and 2800 switches only.
PAGE 256
Configuring and Monitoring Port Security MAC Lockout Lockout command (lockout-mac ). When the wireless clients then attempt to use the network, the switch recognizes the intruding MAC addresses and prevents them from sending or receiving data on that network. If a particular MAC address can be identified as unwanted on the switch then that MAC Address can be disallowed on all ports on that switch with a single command.
PAGE 257
Configuring and Monitoring Port Security MAC Lockout ProCurve# show lockout-mac Locked Out Addresses 007347-a8fd30 Number of locked out MAC addresses = 1 ProCurve# Figure 9-12. Listing Locked Out Ports Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command.
PAGE 258
Configuring and Monitoring Port Security IP Lockdown IP Lockdown IP lockdown is available on the Series 2600 and 2800 switches only. The “IP lockdown” utility enables you to restrict incoming traffic on a port to a specific IP address/subnet, and deny all other traffic on that port. Operating Rules for IP Lockdown ■ Users cannot specify that certain subnets be denied while others are permitted. ■ Users cannot filter on protocol or destination IP address.
PAGE 259
Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security]. 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field. 4. Implement your new data by clicking on [Apply Changes]. To access the web-based Help provided for the switch, click on [?] in the web browser screen.
PAGE 260
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • • • In the menu interface: – The Port Status screen includes a per-port intrusion alert – The Event Log includes per-port entries for security violations In the web browser interface: – The Alert Log’s Status | Overview window includes entries for per-port security violations – The Intrusion Log in the Security | Intrusion Log window lists per-port security violation entries In an active network managem
PAGE 261
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Keeping the Intrusion Log Current by Resetting Alert Flags When a violation occurs on a port, an alert flag is set for that port and the violation is entered in the Intrusion Log. The switch can detect and handle subsequent intrusions on that port, but will not log another intrusion on the port until you reset the alert flag for either all ports or for the individual port.
PAGE 262
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The Intrusion Alert column shows “Yes” for any port on which a security violation has been detected. Figure 9-14. Example of Port Status Screen with Intrusion Alert on Port A3 2. Type [I] (Intrusion log) to display the Intrusion Log.
PAGE 263
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags (The intrusion log holds up to 20 intrusion records and deletes an intrusion record only when the log becomes full and a new intrusion is subsequently detected.) Note also that the “prior to” text in the record for the earliest intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset. 3.
PAGE 264
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags CLI: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The following commands display port status, including whether there are intrusion alerts for any port(s), list the last 20 intrusions, and either reset the alert flag on all ports or for a specific port for which an intrusion was detected. (The record of the intrusion remains in the log.
PAGE 265
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Dates and Times of Intrusions MAC Address of latest Intruder on Port A1 Earlier intrusions on port A1 that have already been cleared (that is, the Alert Flag has been reset at least twice before the most recent intrusion occurred. Figure 9-17. Example of the Intrusion Log with Multiple Entries for the Same Port The above example shows three intrusions for port A1.
PAGE 266
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Using the Event Log To Find Intrusion Alerts The Event Log lists port security intrusions as: W MM/DD/YY HH:MM:SS FFI: port A3 - Security Violation where “W” is the severity level of the log entry and FFI is the system module that generated the entry. For further information, display the Intrusion Log, as shown below. From the CLI. Type the log command from the Manager or Configuration level.
PAGE 267
Configuring and Monitoring Port Security Operating Notes for Port Security a. Click on the Security tab. b. Click on [Intrusion Log]. “Ports with Intrusion Flag” indicates any ports for which the alert flag has not been cleared. c. To clear the current alert flags, click on [Reset Alert Flags]. To access the web-based Help provided for the switch, click on [?] in the web browser screen. Operating Notes for Port Security Identifying the IP Address of an Intruder.
PAGE 268
Configuring and Monitoring Port Security Operating Notes for Port Security LACP Not Available on Ports Configured for Port Security. To maintain security, LACP is not allowed on ports configured for port security. If you configure port security on a port on which LACP (active or passive) is configured, the switch removes the LACP configuration, displays a notice that LACP is disabled on the port(s), and enables port security on that port.
PAGE 269
10 Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Contents Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 Using Source-Port Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Operating Rules for Source-Port Filters . . . . . . . . . . . . . . . . .
PAGE 270
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Overview Overview This chapter describes the use of source-port filters on the Series 2600/ 2600-PWR switches and on the Series 2800 switches. For information on filters for the Series 2500 switches, refer to the Management and Configuration Guide provided for these devices. General Operation.
PAGE 271
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Overview from receiving traffic from workstation "X", you would configure a filter to drop traffic from port 5 to port 7. The resulting filter would drop traffic from port 5 to port 7, but would forward all other traffic from any source port to any destination port (refer to figures 10-1 and 10-2). Port 7 Server "A" Port 8 Server "B" Port 9 Server "C" Workstation " X" Port 5 Figure 10-1.
PAGE 272
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Using Source-Port Filters This feature is available only on the Series 2600, 2600-PWR, and 2800 switches. Operating Rules for Source-Port Filters ■ You can configure one source-port filter for each physical port or port trunk on the switch. ■ Each source-port filter you configure is composed of: • One source port or port trunk (trk1, trk2, ...
PAGE 273
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Configuring a Source-Port Filter The source-port filter command operates from the global configuration level. Syntax: [no] filter source-port [e] < source-port-number > [ drop [ forward] | forward [ drop ]] Creates or deletes the source port filter assigned to < source-port-number >.
PAGE 274
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Configuring a Filter on a Port Trunk. This operation uses the same command as that used for configuring a filter on an individual port. However, the configuration process requires two steps: 1. Configure the port trunk. 2. Configure a filter on the port trunk by using the trunk name (trk1, trk2, ...trk6) instead of a port name.
PAGE 275
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Viewing a Source-Port Filter You can list all source-port filters configured in the switch and, optionally, the detailed information on a specific filter. Syntax: show filter Displays a listing of configured filters, where each filter entry includes an IDX (index) number, Filter Type, and Value : IDX: An automatically assigned index number used to identify the filter for a detailed information listing.
PAGE 276
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters If you wanted to determine the index number for the filter on source port 3 and then view a listing the filter details on source port 3, you would use the show filter and show filter [ INDEX ] commands, as shown in figure 10-4. The show filter command lists the index number for source-port 3. Source Port Numbers The show filter 4 command lists the details for the filter at source-port 3. Figure 10-4.
PAGE 277
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Editing a Source-Port Filter The switch includes in one filter the action(s) for all destination ports and/or trunks configured for a given source port. Thus, if a source-port filter already exists and you want to change the currently configured action for some destination ports or trunks, use the filter source-port command to update the existing filter.
PAGE 278
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Using Named Source-Port Filters This feature is available only on the Series 2600 and 2600-PWR switches. Named source-port filters are filters that may be used on multiple ports and port trunks. As with regular source-port filters, a port or port trunk can only have one source-port filter, but this new capability enables you to define a source-port filter once and apply it to multiple ports and port trunks.
PAGE 279
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Syntax: filter source-port named-filter drop < destination-port-list > Configures the named source-port filter to drop traffic having a destination on the ports and/or port trunks in the < destination-port-list >. Can be followed by the forward option if you have other destination ports or port trunks previously set to drop that you want to change to forward.
PAGE 280
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Viewing a Named Source-Port Filter You can list all source-port filters configured in the switch, both named and unnamed, and their action using the show command below. Syntax: show filter source-port Displays a listing of configured source-port filters, where each filter entry includes a Filter Name, Port List, and Action: Filter Name: The filter-name used when a named source-port filter is defined.
PAGE 281
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Defining and Configuring Example Named Source-Port Filters. While named source-port filters may be defined and configured in two steps, this is not necessary. Here we define and configure each of the named source-port filters for our example network in a single step.
PAGE 282
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters ProCurve(config)# show filter Traffic/Security Filters IDX --1 2 3 4 5 6 7 8 . 20 21 22 23 24 25 26 10-14 Filter Type -----------Source Port Source Port Source Port Source Port Source Port Source Port Source Port Source Port . Source Port Source Port Source Port Source Port Source Port Source Port Source Port | + | | | | | | | | | | | | | | | Value ------------------2 3 4 5 6 8 9 12 .
PAGE 283
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters Using the IDX value in the show filter command, we can see how traffic is filtered on a specific port (Value).The two outputs below show a nonaccounting and an accounting switch port.
PAGE 284
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters The same command, using IDX 26, shows how traffic from the Internet is handled. ProCurve(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port --------1 2 3 4 5 6 7 8 9 10 11 12 . Type --------10/100TX 10/100TX 10/100TX 10/100TX 10/100TX 10/100TX 10/100TX 10/100TX 10/100TX 10/100TX 10/100TX 10/100TX .
PAGE 285
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command.
PAGE 286
Traffic/Security Filters (ProCurve Series 2600/2600-PWR and 2800 Switches) Using Source-Port Filters — This page is intentionally unused.
PAGE 287
11 Using Authorized IP Managers Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 Overview of IP Mask Operation . . .
PAGE 288
Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu CLI Web Listing (Showing) Authorized Managers n/a page 11-5 page 11-6 page 11-9 Configuring Authorized IP Managers None page 11-5 page 11-6 page 11-9 Building IP Masks n/a page 11-9 page 11-9 page 11-9 Operating and Troubleshooting Notes n/a page 11-12 page 11-12 page 11-12 The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) c
PAGE 289
Using Authorized IP Managers Access Levels Configuration Options You can configure: Caution ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations ■ Manager or Operator access privileges (for Telnet, SNMPv1, and SNMPv2c access only) Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port.
PAGE 290
Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations ■ Authorizing Single Stations: The table entry authorizes a single management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authorized Manager IP column, and leave the IP Mask set to 255.255.255.255. This is the easiest way to use the Authorized Managers feature.
PAGE 291
Using Authorized IP Managers Defining Authorized Management Stations 255.255.255.252 uses the 4th octet of a given Authorized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 11-9. Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch.
PAGE 292
Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See “Building IP Masks” on page 11-9. 4. Use the Space bar to select Manager or Operator access. 5. Press [Enter], then [S] (for Save) to configure the IP Authorized Manager entry. Applies only to access through Telnet, SNMPv1, and SNMPv2c.
PAGE 293
Using Authorized IP Managers Defining Authorized Management Stations Figure 11-3. Example of the Show IP Authorized-Manager Display The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: IP Mask Authorized Station IP Address: Access Mode: 255.255.255.252 10.28.227.100 through 103 Manager 255.255.255.254 10.28.227.104 through 105 Manager 255.255.255.255 10.28.227.125 Manager 255.255.255.0 10.28.227.
PAGE 294
Using Authorized IP Managers Defining Authorized Management Stations Similarly, the next command authorizes manager-level access for any station having an IP address of 10.28.227.101 through 103: ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager If you omit the when adding a new authorized manager, the switch automatically uses 255.255.255.255 for the mask.
PAGE 295
Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: 1. Click on the Security tab. 2. Click on [Authorized Addresses]. 3. Enter the appropriate parameter settings for the operation you want. 4. Click on [Add], [Replace], or [Delete] to implement the configuration change.
PAGE 296
Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access.
PAGE 297
Using Authorized IP Managers Building IP Masks 4th Octet of IP Mask: 249 4th Octet of Authorized IP Address: 5 Bit Numbers Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 Bit 0 Bit Values 64 32 16 8 4 2 1 128 Bits 1 and 2 in the mask are “off”, and bits 0 and 3 - 7 are “on”, creating a value of 249 in the 4th octet. Where a mask bit is “on”, the corresponding bit setting in the address of a potentially authorized station must match the IP Authorized Address setting for that same bit.
PAGE 298
Using Authorized IP Managers Operating Notes Operating Notes ■ Network Security Precautions: You can enhance your network’s security by keeping physical access to the switch restricted to authorized personnel, using the password features built into the switch, using the additional security features described in this manual, and preventing unauthorized access to data on your management stations.
PAGE 299
Index Numerics 3DES … 6-3, 7-3 802.1X See port-based access control. … 8-1 A aaa authentication … 4-8 aaa port-access See Web or MAC Authentication. access levels, authorized IP managers … 11-3 accounting See RADIUS. address authorized for port security … 9-3 authentication See TACACS.
PAGE 300
I inconsistent value, message … 9-14 intrusion alarms entries dropped from log … 9-37 event log … 9-36 prior to … 9-37 Intrusion Log prior to … 9-33, 9-35 IP authorized IP managers … 11-1 reserved port numbers … 6-17 IP lockdown … 9-28 IP masks building … 11-9 for multiple authorized manager stations … 11-10 for single authorized manager station … 11-9 operation … 11-4 manager password … 2-2, 2-4 manager password recommended … 4-7 MD5 See RADIUS.
PAGE 301
prior to … 9-37 proxy web server … 9-37 port-based access control authenticate switch … 8-4 authenticate users … 8-4 authenticator backend state … 8-38 authenticator operation … 8-6, 8-8 authenticator, show commands … 8-38 authorized IP managers, precedence … 11-2 block traffic … 8-3 blocking non-802.
PAGE 302
accounting, system … 5-18, 5-22 authentication options … 5-2 authentication, local … 5-16 authorized IP managers, precedence … 11-2 bypass RADIUS server … 5-9 commands, accounting … 5-17 commands, switch … 5-6 configuration outline … 5-7 configure server access … 5-10 configuring switch global parameters … 5-12 general setup … 5-5 local authentication … 5-9 MD5 … 5-4 messages … 5-31 network accounting … 5-18 operating rules, switch … 5-4 security … 5-9 security note … 5-2 server access order … 5-19 server a
PAGE 303
zeroing a key … 6-11 zeroize … 6-11 SSL CA-signed … 7-4, 7-15 CA-signed certificate … 7-4, 7-15 CLI commands … 7-7 client behavior … 7-17, 7-18 crypto key … 7-10 disabling … 7-10 enabling … 7-17 erase certificate key pair … 7-10 erase host key pair … 7-10 generate CA-signed certificate … 7-15 generate host key pair … 7-10 generate self-signed … 7-13 generate self-signed certificate … 7-10, 7-13 generate server host certificate … 7-10 generating Host Certificate … 7-9 host key pair … 7-10 key, babble … 7-12
PAGE 304
See also LACP. U user name cleared … 2-5 V value, inconsistent … 9-14 VLAN 802.1X … 8-44 802.1X, ID changes … 8-47 802.
PAGE 305
— This page is intentionally unused.
PAGE 306
© 2000 - 2008 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.