- Hewlett-Packard Switch User Manual

ManualsBrandsHP ManualsSwitchPROCURVE W.14.03

Access Security Guide

ProCurve Switches

W.14.03

2910al

www.procurve.com

Summary of content (594 pages)

PAGE 1
Access Security Guide 2910al ProCurve Switches W.14.03 www.procurve.
PAGE 2
PAGE 3
HP ProCurve 2910al Switch February 2009 W.14.
PAGE 4
© Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change with out notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another langauge without the prior written consent of Hewlett-Packard.
PAGE 5
Contents Product Documentation About Your Switch Manual Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Printed Publications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Electronic Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix Software Feature Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx 1 Security Overview Contents . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 6
2 Configuring Username and Password Security Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 7
Disabling or Re-Enabling the Password Recovery Process . . . . 2-32 Password Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34 3 Web and MAC Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 8
4 TACACS+ Authentication Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 4-3 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 General Authentication Setup Procedure . . . . . . . . . . . . .
PAGE 9
RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . . 5-4 SNMP Access to the Switch’s Authentication Configuration MIB . . . 5-4 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 Switch Operating Rules for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6 General RADIUS Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7 Configuring the Switch for RADIUS Authentication . . .
PAGE 10
General RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-43 RADIUS Authentication Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-45 RADIUS Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-46 Changing RADIUS-Server Access Order . . . . . . . . . . . . . . . . . . . . . . . 5-47 Messages Related to RADIUS Operation . . . . . . . . . . . . . . . . . . . . . . .
PAGE 11
Configuring the Switch To Support RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-24 Displaying the Current RADIUS-Assigned ACL Activity on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-26 ICMP Type Numbers and Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-28 Event Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 12
8 Configuring Secure Socket Layer (SSL) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 13
ACL Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14 Static Port ACL and Dynamic Port ACL Applications . . . . . . . . . 9-15 Dynamic (RADIUS-assigned) Port ACL Applications . . . . . . . . . 9-15 Multiple ACLs on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16 Features Common to All ACL Applications . . . . . . . . . . . . . . . . . . . . . 9-16 General Steps for Planning and Configuring ACLs . . . . . . . . . . . . .
PAGE 14
Configuring Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-44 Configuring Named, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-46 Creating Numbered, Standard ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-49 Configuring Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-53 Configuring Named, Extended ACLs . . . . . . . . . . . . . . . . . . . . . . . 9-55 Configuring Numbered, Extended ACLs . . . . . . . . . . . .
PAGE 15
10 Configuring Advanced Threat Protection Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 16
11 Traffic/Security Filters and Monitors Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 17
802.1X Port-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . 12-5 Alternative To Using a RADIUS Server . . . . . . . . . . . . . . . . . . . . . 12-6 Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6 General 802.1X Authenticator Operation . . . . . . . . . . . . . . . . . . . . . .
PAGE 18
802.1X Open VLAN Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . . 12-46 Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices . . . . . . . . . . . . . . . . . 12-47 Port-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-48 Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches . . . . . . . . 12-49 Example . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 19
MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-22 Differences Between MAC Lockdown and Port Security . . . . . . . . 13-24 MAC Lockdown Operating Notes . . . . . . . . . . . . . . . . . . . . . . . . 13-25 Deploying MAC Lockdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-26 MAC Lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-30 Port Security and MAC Lockout . . . . .
PAGE 20
Using a Web Proxy Server to Access the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9 Web-Based Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-9 Building IP Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-10 Configuring One Station Per Authorized Manager IP Entry . . . . . . 14-10 Configuring Multiple Stations Per Authorized Manager IP Entry .
PAGE 21
Product Documentation About Your Switch Manual Set Note For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features, please visit the ProCurve Networking Web site at www.procurve.com, click on Customer Care, and then click on Manuals. Printed Publications The publications listed below are printed and shipped with your switch.
PAGE 22
Software Feature Index For the software manual set supporting your 2910al switch model, this feature index indicates which manual to consult for information on a given software feature. Note This Index does not cover IPv6 capable software features. For information on IPv6 protocol operations and features (such as DHCPv6, DNS for IPv6, Ping6, and MLD Snooping), refer to the IPv6 Configuration Guide. Intelligent Edge Software Features Manual Management Advanced and Traffic Configuration Management 802.
PAGE 23
Intelligent Edge Software Features Manual Management Advanced and Traffic Configuration Management DHCP/Bootp Operation X Diagnostic Tools X Downloading Software X Multicast and Routing Access Security Guide Dynamic ARP Protection X Dynamic Configuration Arbiter X Eavesdrop Protection X Event Log X Factory Default Settings X Flow Control (802.
PAGE 24
Intelligent Edge Software Features Manual Management Advanced and Traffic Configuration Management Multicast and Routing Access Security Guide MAC Lockdown X MAC Lockout X MAC-based Authentication X Management VLAN Monitoring and Analysis X X Multicast Filtering X Multiple Configuration Files X Network Management Applications (SNMP) X OpenView Device Management X Passwords and Password Clear Protection X ProCurve Manager (PCM) X Ping X Port Configuration X Port Monitoring X Por
PAGE 25
Intelligent Edge Software Features RMON 1,2,3,9 Manual Management Advanced and Traffic Configuration Management Multicast and Routing Access Security Guide X Routing X Routing - IP Static X Secure Copy X sFlow X SFTP X SNMPv3 X Software Downloads (SCP/SFTP, TFPT, Xmodem) X Source-Port Filters X Spanning Tree (STP, RSTP, MSTP) X SSHv2 (Secure Shell) Encryption X SSL (Secure Socket Layer) X Stack Management (3500yl/6200yl switches only) X Syslog X System Information X TACACS+
PAGE 26
Intelligent Edge Software Features Manual Management Advanced and Traffic Configuration Management Voice VLAN Multicast and Routing Access Security Guide X Web Authentication RADIUS Support X Web-based Authentication X Web UI X Xmodem X xxiv
PAGE 27
Security Overview Contents 1 Security Overview Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 For More Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Access Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 28
Security Overview Introduction Introduction This chapter provides an overview of the security features included on your switch. Table 1-1 on page 1-3 outlines the access security and authentication features, while Table 1-2 on page 1-7 highlights the additional features designed to help secure and protect your network. For detailed information on individual features, see the references provided.
PAGE 29
Security Overview Access Security Features Access Security Features This section provides an overview of the switch’s access security features, authentication protocols, and methods. Table 1-1 lists these features and provides summary configuration guidelines. For more in-depth information, see the references provided (all chapter and page references are to this Access Security Guide unless a different manual name is indicated). Note Beginning with software release W.14.
PAGE 30
Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details Telnet and Web-browser access enabled The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL (see below for details) should be used for remote access.
PAGE 31
Security Overview Access Security Features Feature Default Setting Security Guidelines More Information and Configuration Details SSL disabled Secure Socket Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser access to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication.
PAGE 32
Security Overview Access Security Features Feature Default Setting Security Guidelines RADIUS Authentication disabled For each authorized client, RADIUS can be used to Chapter 6, “RADIUS authenticate operator or manager access privileges on Authentication and the switch via the serial port (CLI and Menu interface), Accounting” Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods. 802.
PAGE 33
Security Overview Network Security Features Network Security Features This section outlines features and defence mechanisms for protecting access through the switch to the network. For more detailed information, see the indicated chapters. Table 1-2.
PAGE 34
Security Overview Network Security Features Feature Default Setting Security Guidelines Access Control Lists (ACLs) none ACLs can filter traffic to or from a host, a group of hosts, Chapter 10, “IPv4 Access or entire subnets. Layer 3 IP filtering with Access Control Control Lists (ACLs)” Lists (ACLs) enables you to improve network performance and restrict network use by creating policies for: • Switch Management Access: Permits or denies inband management access.
PAGE 35
Security Overview Network Security Features Feature Default Setting Security Guidelines More Information and Configuration Details Key Management System (KMS) none KMS is available in several ProCurve switch models and Chapter 16, “Key is designed to configure and maintain key chains for use Management System” with KMS-capable routing protocols that use timedependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.
PAGE 36
Security Overview Getting Started with Access Security Getting Started with Access Security ProCurve switches are designed as “plug and play” devices, allowing quick and easy installation in your network. In its default configuration the switch is open to unauthorized access of various types.
PAGE 37
Security Overview Getting Started with Access Security Keeping the switch in a locked wiring closet or other secure space helps to prevent unauthorized physical access. As additional precautions, you can do the following: ■ Disable or re-enable the password-clearing function of the Clear button. ■ Configure the Clear button to reboot the switch after clearing any local usernames and passwords.
PAGE 38
Security Overview Getting Started with Access Security CLI: Management Interface Wizard To configure security settings using the CLI wizard, follow the steps below: 1. At the command prompt, type setup mgmt-interfaces. The welcome banner appears and the first setup option is displayed (Operator password). As you advance through the wizard, each setup option displays the current value in brackets [ ] as shown in Figure 1-1.
PAGE 39
Security Overview Getting Started with Access Security 2. When you enter the wizard, you have the following options: • To update a setting, type in a new value, or press [Enter] to keep the current value. • To quit the wizard without saving any changes, press [CTRL-C] at any time. • To access online Help for any option, press [?].
PAGE 40
Security Overview Getting Started with Access Security The Welcome window appears. Figure 1-2. Management Interface Wizard: Welcome Window This page allows you to choose between two setup types: 3. • Typical—provides a multiple page, step-by-step method to configure security settings, with on-screen instructions for each option. • Advanced—provides a single summary screen in which to configure all security settings at once. To enter the wizard, choose a setup option and then click Continue.
PAGE 41
Security Overview Getting Started with Access Security 4. The summary setup screen displays the current configuration settings for all setup options (see Figure 1-3). Figure 1-3. Management Interface Wizard: Summary Setup From this screen, you have the following options: • To change any setting that is shown, type in a new value or make a different selection. • To apply the settings permanently, click Apply. • To quit the Setup screen without saving any changes, click Exit.
PAGE 42
Security Overview Getting Started with Access Security SNMP Security Guidelines In the default configuration, the switch is open to access by management stations running SNMP (Simple Network Management Protocol) management applications capable of viewing and changing the settings and status data in the switch’s MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.
PAGE 43
Security Overview Getting Started with Access Security If SNMP access to the hpSwitchAuth MIB is considered a security risk in your network, then you should implement the following security precautions: ■ If SNMP access to the authentication configuration (hpSwitchAuth) MIB described above is not desirable for your network, use the following command to disable this feature: snmp-server mib hpswitchauthmib excluded ■ If you choose to leave the authentication configuration MIB accessible, then you should
PAGE 44
Security Overview Precedence of Security Options Precedence of Security Options This section explains how port-based security options, and client-based attributes used for authentication, get prioritized on the switch. Precedence of Port-Based Security Options Where the switch is running multiple security options, it implements network traffic security based on the OSI (Open Systems Interconnection model) precedence of the individual options, from the lowest to the highest.
PAGE 45
Security Overview Precedence of Security Options DCA allows client-specific parameters configured in any of the following ways to be applied and removed as needed in a specified hierarchy of precedence. When multiple values for an individual configuration parameter exist, the value applied to a client session is determined in the following order (from highest to lowest priority) in which a value configured with a higher priority overrides a value configured with a lower priority: 1.
PAGE 46
Security Overview Precedence of Security Options NIM also allows you to configure and apply client-specific profiles on ports that are not configured to authenticate clients (unauthorized clients), provided that a client’s MAC address is known in the switch’s forwarding database. The profile of attributes applied for each client (MAC address) session is stored in the hpicfUsrProfile MIB, which serves as the configuration interface for Network Immunity Manager.
PAGE 47
Security Overview Precedence of Security Options Client-specific configurations are applied on a per-parameter basis on a port. In a client-specific profile, if DCA detects that a parameter has configured values from two or more levels in the hierarchy of precedence described above, DCA decides which parameters to add or remove, or whether to fail the authentication attempt due to an inability to apply the parameters.
PAGE 48
Security Overview ProCurve Identity-Driven Manager (IDM) ProCurve Identity-Driven Manager (IDM) IDM is a plug-in to ProCurve Manager Plus (PCM+) and uses RADIUS-based technologies to create a user-centric approach to network access management and network activity tracking and monitoring. IDM enables control of access security policy from a central management server, with policy enforcement to the network edge, and protection against both external and internal threats.
PAGE 49
2 Configuring Username and Password Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3 Configuring Local Password Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 Menu: Setting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6 CLI: Setting Passwords and Usernames . . . . . . . . . . . . . . . . . . . . . . . . . 2-8 Web: Setting Passwords and Usernames . . . . . . . .
PAGE 50
Configuring Username and Password Security Contents Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29 Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation . . . . . 2-30 Changing the Operation of the Reset+Clear Combination . . . . . 2-31 Password Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 51
Configuring Username and Password Security Overview Overview Feature Default Menu CLI Web Set Usernames none — — page 2-9 Set a Password none page 2-6 page 2-8 page 2-9 Delete Password Protection n/a page 2-7 page 2-8 page 2-9 show front-panel-security n/a — page 1-13 — — page 1-13 — front-panel-security password-clear enabled — page 1-13 — reset-on-clear disabled — page 1-14 — factory-reset enabled — page 1-15 — password-recovery enabled — page 1-15 — Consol
PAGE 52
Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface. Operator: Access to the Status and Counters menu, the Event Log, and the CLI*, but no Configuration capabilities.
PAGE 53
Configuring Username and Password Security Overview Notes The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.
PAGE 54
Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a username requires either the CLI or the web browser interface. 1. From the Main Menu select: 3. Console Passwords Figure 2-1. The Set Password Screen 2. To set a new password: a. Select Set Manager Password or Set Operator Password. You will then be prompted with Enter new password. b.
PAGE 55
Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and pass words (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
PAGE 56
Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below. Configuring Manager and Operator Passwords. Note The password command has changed. You can now configure manager and operator passwords in one step. See “Saving Security Credentials in a Config File” on page 2-10 of this guide.
PAGE 57
Configuring Username and Password Security Configuring Local Password Security If you want to remove both operator and manager password protection, use the no password all command. Web: Setting Passwords and Usernames In the web browser interface you can enter passwords and (optional) usernames. To Configure (or Remove) Usernames and Passwords in the Web Browser Interface. 1. Click on the Security tab. Click on [Device Passwords]. 2. 3.
PAGE 58
Configuring Username and Password Security Saving Security Credentials in a Config File Saving Security Credentials in a Config File You can store and view the following security settings in the running-config file associated with the current software image by entering the includecredentials command (formerly this information was stored only in internal flash memory): ■ Local manager and operator passwords and (optional) user names that control access to a management session on the switch through the CLI,
PAGE 59
Configuring Username and Password Security Saving Security Credentials in a Config File ■ By storing different security settings in different files, you can test different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot the switch.
PAGE 60
Configuring Username and Password Security Saving Security Credentials in a Config File ■ SNMP security credentials, including SNMPv1 community names and SNMPv3 usernames, authentication, and privacy settings ■ 802.
PAGE 61
Configuring Username and Password Security Saving Security Credentials in a Config File Password Command Options The password command has the following options: Syntax: [no] password ] > Set or clear a local username/password for a given access level. manager: configures access to the switch with manager-level privileges. operator: configures access to the switch with operator-level privileges.
PAGE 62
Configuring Username and Password Security Saving Security Credentials in a Config File SNMP Security Credentials SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-credentials command. In addition, the following SNMPv3 security parameters are also saved: snmpv3 user “" [auth “”] [priv “"] where: is the name of an SNMPv3 management station.
PAGE 63
Configuring Username and Password Security Saving Security Credentials in a Config File 802.1X Port-Access Credentials 802.1X authenticator (port-access) credentials can be stored in a configuration file. 802.1X authenticator credentials are used by a port to authenticate supplicants requesting a point-to-point connection to the switch. 802.1X supplicant credentials are used by the switch to establish a point-to point connection to a port on another 802.1X-aware switch. Only 802.
PAGE 64
Configuring Username and Password Security Saving Security Credentials in a Config File TACACS+ server application. (The encryption key is sometimes referred to as “shared secret” or “secret” key.) For more information, see “TACACS+ Authentication” on page 4-1 in this guide.
PAGE 65
Configuring Username and Password Security Saving Security Credentials in a Config File The SSH security credential that is stored in the running configuration file is configured with the ip ssh public-key command used to authenticate SSH clients for manager or operator access, along with the hashed content of each SSH client public-key. Syntax: ip ssh public-key keystring Set a key for public-key authentication. manager: allows manager-level access using SSH public-key authentication.
PAGE 66
Configuring Username and Password Security Saving Security Credentials in a Config File To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command. The following example shows the SSH public keys configured for manager access, along with the hashed content of each SSH client public-key, that are stored in a configuration file: ...
PAGE 67
Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes Caution ■ When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file. You are prompted by a warning message to perform a write memory operation to save the security credentials to the startup configuration.
PAGE 68
Configuring Username and Password Security Saving Security Credentials in a Config File • copy config config : Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot. • copy config tftp: Uploads a configuration file from the switch to a TFTP server. • copy tftp config: Downloads a configuration file from a TFTP server to the switch.
PAGE 69
Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command: ■ The private keys of an SSH host cannot be stored in the running configuration. Only the public keys used to authenticate SSH clients can be stored. An SSH host’s private key is only stored internally, for example, on the switch or on an SSH client device.
PAGE 70
Configuring Username and Password Security Saving Security Credentials in a Config File the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command. Note that the password port-access values are configured separately from local operator username and passwords configured with the password operator command and used for management access to the switch.
PAGE 71
Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together). The ability to disable Password Recovery is also provided for situations which require a higher level of switch security.
PAGE 72
Configuring Username and Password Security Front-Panel Security As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions The System Support Module (SSM) of the switch includes the System Reset button and the Clear button. Figure 2-6.
PAGE 73
Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-8. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch. To do this: 1. Press and hold the Reset button. Reset 2.
PAGE 74
Configuring Username and Password Security Front-Panel Security Reset Clear Test 4. When the Test LED to the right of the Clear button begins flashing, release the Clear button. . Reset Clear Test It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings.
PAGE 75
Configuring Username and Password Security Front-Panel Security • Modify the operation of the Reset+Clear combination (page 2-25) so that the switch still reboots, but does not restore the switch’s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.) • Disable or re-enable Password Recovery.
PAGE 76
Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to “Password Recovery Process” on page 2-34.) (Default: Enabled.) CAUTION: Disabling this option removes the ability to recover a password on the switch. Disabling this option is an extreme measure and is not recommended unless you have the most urgent need for high security.
PAGE 77
Configuring Username and Password Security Front-Panel Security Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel Syntax: no front-panel-security password-clear In the factory-default configuration, pressing the Clear button on the switch’s front panel erases any local usernames and passwords configured on the switch. This command disables the password clear function of the Clear button, so that pressing it has no effect on any local usernames and passwords.
PAGE 78
Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel. • Specifies whether the switch reboots if the Clear button is pressed.
PAGE 79
Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on clear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-11.
PAGE 80
Configuring Username and Password Security Front-Panel Security The command to disable the factory-reset operation produces this caution. To complete the command, press [Y]. To abort the command, press [N]. Completes the command to disable the factory reset option. Displays the current frontpanel-security configuration, with Factory Reset disabled. Figure 2-12.
PAGE 81
Configuring Username and Password Security Front-Panel Security Caution Disabling password-recovery requires that factory-reset be enabled, and locks out the ability to recover a lost manager username (if configured) and pass word on the switch. In this event, there is no way to recover from a lost manager username/password situation without resetting the switch to its factory-default configuration.
PAGE 82
Configuring Username and Password Security Front-Panel Security • If you want to abort the command, press [N] (for “No”) Figure 2-13 shows an example of disabling the password-recovery parameter. Figure 2-13.
PAGE 83
Configuring Username and Password Security Front-Panel Security Note The alternate password provided by the ProCurve Customer Care Center is valid only for a single login attempt. You cannot use the same “one-time-use” password if you lose the password a second time. Because the password algorithm is randomized based upon your switch's MAC address, the pass word will change as soon as you use the “one-time-use” password provided to you by the ProCurve Customer Care Center.
PAGE 84
Configuring Username and Password Security Front-Panel Security 2-36
PAGE 85
3 Web and MAC Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 MAC Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Concurrent Web and MAC Authentication . . . . . . . . . . . . . . . . . . . . . . 3-3 Authorized and Unauthorized Client VLANs . . . . . . . . .
PAGE 86
Web and MAC Authentication Overview Overview Feature Default Menu CLI Web Configure Web Authentication n/a — 3-18 — Configure MAC Authentication n/a — 3-32 — Display Web Authentication Status and Configuration n/a — 3-26 — Display MAC Authentication Status and Configuration n/a — 3-36 — Web and MAC authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and a switch from unauthorized access.
PAGE 87
Web and MAC Authentication Overview Note A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web authentication. ■ In the login page, a client enters a username and password, which the switch forwards to a RADIUS server for authentication. After authenticat ing a client, the switch grants access to the secured network. Besides a web browser, the client needs no special supplicant software.
PAGE 88
Web and MAC Authentication Overview ■ Each new Web/MAC Auth client always initiates a MAC authentication attempt. This same client can also initiate Web authentication at any time before the MAC authentication succeeds. If either authentication suc ceeds then the other authentication (if in progress) is ended. No further Web/MAC authentication attempts are allowed until the client is deau thenticated.
PAGE 89
Web and MAC Authentication How Web and MAC Authentication Operate You configure access to an optional, unauthorized VLAN when you configure Web and MAC authentication on a port. RADIUS-Based Authentication In Web and MAC authentication, you use a RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client. When a RADIUS server authenticates a client, the switch-port membership during the client’s connection is determined according to the following hierarchy: 1.
PAGE 90
Web and MAC Authentication How Web and MAC Authentication Operate Web-based Authentication When a client connects to a Web-Auth enabled port, communication is redi rected to the switch. A temporary IP address is assigned by the switch and a login screen is presented for the client to enter their username and password. The default User Login screen is shown in Figure 3-1. Figure 3-1.
PAGE 91
Web and MAC Authentication How Web and MAC Authentication Operate If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. After a successful login, a client may be redirected to a URL if you specify a URL value (redirect-url) when you configure web authentication. Figure 3-3. Authentication Completed The assigned VLAN is determined, in order of priority, as follows: 1.
PAGE 92
Web and MAC Authentication How Web and MAC Authentication Operate A client may not be authenticated due to invalid credentials or a RADIUS server timeout. The max-retries parameter specifies how many times a client may enter their credentials before authentication fails. The server-timeout parameter sets how long the switch waits to receive a response from the RADIUS server before timing out.
PAGE 93
Web and MAC Authentication How Web and MAC Authentication Operate The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate). An implicit logoff period can be set if there is no activity from the client after a given amount of time (logoff-period). In addition, a session ends if the link on the port is lost, requiring reauthenti cation of all clients.
PAGE 94
Web and MAC Authentication Terminology Terminology Authorized-Client VLAN: Like the Unauthorized-Client VLAN, this is a conventional, static, untagged, port-based VLAN previously configured on the switch by the System Administrator. The intent in using this VLAN is to provide authenticated clients with network access and services. When the client connection terminates, the port drops its membership in this VLAN. Authentication Server: The entity providing an authentication service to the switch.
PAGE 95
Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ ■ Port Access Management The switch supports concurrent 802.1X, Web and MAC authentication operation on a port (with up to 2 clients allowed). However, concurrent operation of Web and MAC authentication with other types of authentica tion on the same port is not supported. That is, the following authentica tion types are mutually exclusive on a given port: • Web and/or MAC Authentication (with or without 802.
PAGE 96
Web and MAC Authentication Operating Rules and Notes 1. 2. 3. 4. 3-12 If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (if configured) and temporarily drops all other VLAN memberships.
PAGE 97
Web and MAC Authentication Setup Procedure for Web/MAC Authentication Web/MAC Authentication and LACP Web or MAC authentication and LACP are not supported at the same time on a port. The switch automatically disables LACP on ports configured for Web or MAC authentication. ■ Use the show port-access web-based commands to display session status, port-access configuration settings, and statistics for Web-Auth sessions. ■ When spanning tree is enabled on a switch that uses 802.
PAGE 98
Web and MAC Authentication Setup Procedure for Web/MAC Authentication ProCurve(config)# show port-access config Port Access Status Summary Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes Port ---1 2 3 4 5 6 7 8 9 10 11 12 ...
PAGE 99
Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify the VLAN. 4. Determine whether to use the optional “Unauthorized VLAN” mode for clients that the RADIUS server does not authenticate.
PAGE 100
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server aa-bb-cc-dd-ee-ff aa:bb:cc:dd:ee:ff AABBCCDDEEFF AABBCC-DDEEFF AA-BB-CC-DD-EE-FF AA:BB:CC:DD:EE:FF ■ If the device is a switch or other VLAN-capable device, use the base MAC address assigned to the device, and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch. Note that the switch applies a single MAC address to all VLANs configured in the switch.
PAGE 101
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Syntax: [no] radius-server [host < ip-address >] Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can config ure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (Refer to “RADIUS Authentication and Accounting” on page 5-1.
PAGE 102
Web and MAC Authentication Configuring Web Authentication Configuring Web Authentication Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authentication. If a redirect URL is not specified, web browser behavior following authentication may not be acceptable. 3.
PAGE 103
Web and MAC Authentication Configuring Web Authentication Configuration Commands for Web Authentication Command Page Configuration Level aaa port-access controlled-directions 3-20 [no] aaa port-access web-based 3-22 [auth-vid] 3-22 [clear-statistics] 3-22 [client-limit] 3-22 [client-moves] 3-23 [dhcp-addr] 3-23 [dhcp-lease] 3-23 [logoff-period] 3-23 [max-requests] 3-23 [max-retries] 3-24 [quiet-period] 3-24 [reauth-period] 3-24 [reauthentica
PAGE 104
Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access controlled-directions After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-direc tions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state. both (default): Incoming and outgoing traffic is blocked on a port configured for web authentication before authentication occurs.
PAGE 105
Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access controlled-directions — Continued — Notes: ■ For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, “Multi ple Instance Spanning-Tree Operation” in the Advanced Traffic Man agement Guide.
PAGE 106
Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based Enables web-based authentication on the specified ports. Use the no form of the command to disable webbased authentication on the specified ports. Syntax: aaa port-access web-based [auth-vid ]] no aaa port-access web-based [auth-vid] Specifies the VLAN to use for an authorized client. The Radius server can override the value (accept-response includes a vid).
PAGE 107
Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based [client-moves] Configures whether the client can move between ports. Default: Disabled Syntax: aaa port-access web-based [dhcp-addr ] Specifies the base address/mask for the temporary IP pool used by DHCP. The base address can be any valid ip address (not a multicast address). Valid mask range value is <255.255.240.0 - 255.255.255.0>. (Default: 192.168.0.0/255.255.255.
PAGE 108
Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based [max-retries <1-10>] Specifies the number of the number of times a client can enter their user name and password before authen tication fails. This allows the reentry of the user name and password if necessary.
PAGE 109
Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access web-based [redirect-url ] no aaa port-access web-based [redirect-url] Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. ProCurve recommends that you provide a redirect URL when using Web Authentica tion.
PAGE 110
Web and MAC Authentication Configuring Web Authentication Show Commands for Web Authentication Command Page show port-access web-based [port-list] 3-26 show port-access web-based clients [port-list] 3-27 show port-access web-based clients detailed 3-28 show port-access web-based config [port-list] 3-29 show port-access web-based config detailed 3-30 show port-access web-based config [port-list] auth-server 3-31 show port-access web-based config [port-list] web-server
PAGE 111
Web and MAC Authentication Configuring Web Authentication ProCurve(config)# show port-access web-based Port Access Web-Based Status Port ----1 2 3 Auth Clients -------1 2 4 Unauth Clients -------1 0 0 Untagged VLAN -------4006 MACbased 1 Tagged VLANs -----Yes No Yes Port COS -------70000000 Yes No % In Limit -----100 Yes No RADIUS ACL -----Yes Yes No Figure 3-6.
PAGE 112
Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based clients detailed Displays detailed information on the status of webauthenticated client sessions on specified switch ports.
PAGE 113
Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config [port-list] Displays the currently configured Web Authentication settings for all switch ports or specified ports, including: • Temporary DHCP base address and mask • Support for RADIUS-assigned dynamic VLANs (Yes or No) • Controlled directions setting for transmitting Wake-onLAN traffic on egress ports • Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0, the default
PAGE 114
Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config detailed Displays more detailed information on the currently config ured Web Authentication settings for specified ports.
PAGE 115
Web and MAC Authentication Configuring Web Authentication Syntax: show port-access web-based config [port-list] auth-server Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts ProCurve(config)# show port-access web-based config auth-s
PAGE 116
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made. 3.
PAGE 117
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuration Commands for MAC Authentication Command Page Configuration Level aaa port-access mac-based addr-format 3-33 [no] aaa port-access mac-based [e] < port-list > 3-34 Syntax: [addr-limit] 3-34 [addr-moves] 3-34 [auth-vid] 3-34 [logoff-period] 3-35 [max-requests] 3-35 [quiet-period] 3-35 [reauth-period] 3-35 [reauthenticate] 3-35 [server-timeout] 3-35 [unauth-vid] 3-36 aaa port-access mac-based addr-f
PAGE 118
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: [no] aaa port-access mac-based < port-list > Enables MAC-based authentication on the specified ports. Use the no form of the command to disable MACbased authentication on the specified ports. Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-32>] Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1) Note: On switches where MAC Auth and 802.
PAGE 119
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [logoff-period] <60-9999999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its preauthentication state.
PAGE 120
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [unauth-vid ] no aaa port-access mac-based [e] < port-list > [unauth-vid] Specifies the VLAN to use for a client that fails authen tication. If unauth-vid is 0, no VLAN changes occur. Use the no form of the command to set the unauth-vid to 0.
PAGE 121
Web and MAC Authentication Configuring MAC Authentication on the Switch ProCurve(config)# show port-access mac-based Port Access MAC-Based Status Port ---1 2 3 Auth Clients ------1 2 4 Unauth Clients ------1 0 0 Untagged VLAN -------2003 MACbased 1 Tagged VLANs -----Yes No Yes Port COS -------70000000 Yes No % In Limit -----100 Yes No RADIUS ACL -----Yes Yes No Figure 3-12.
PAGE 122
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based clients detailed Displays detailed information on the status of MACauthenticated client sessions on specified ports.
PAGE 123
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config [port-list] Displays the currently configured MAC Authentication settings for all switch ports or specified ports, including: • MAC address format • Support for RADIUS-assigned dynamic VLANs (Yes or No) • Controlled directions setting for transmitting Wake-onLAN traffic on egress ports • Authorized and unauthorized VLAN IDs If the authorized or unauthorized VLAN ID value is 0, the default VLAN
PAGE 124
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config detailed Displays more detailed information on the currently config ured MAC Authentication settings for specified ports.
PAGE 125
Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: show port-access mac-based config [port-list] auth-server Displays the currently configured Web Authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as: • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts ProCurve(config)# show port-access mac-based
PAGE 126
Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. 3-42 Reported Status Available Network Connection Possible Explanations authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires. authenticating Switch only Pending RADIUS request.
PAGE 127
4 TACACS+ Authentication Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 Terminology Used in TACACS Applications: . . . . . . . . . . . . . . . . . . . . 4-3 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 General Authentication Setup Procedure . . . . . . . . . . . . . . . . . . . . . . . 4-5 Configuring TACACS+ on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 128
TACACS+ Authentication Overview Overview Feature Default Menu CLI Web view the switch’s authentication configuration n/a — page 4-9 — view the switch’s TACACS+ server contact configuration n/a — page 410 — configure the switch’s authentication methods disabled — page 411 — configure the switch to contact TACACS+ server(s) disabled — page 418 — TACACS+ authentication enables you to use a central server to allow or deny access to the switches covered in this guide (and other TACACS-aw
PAGE 129
TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/ write) privilege level access. TACACS+ does not affect web browser interface access.
PAGE 130
TACACS+ Authentication Terminology Used in TACACS Applications: everyone who needs to access the switch, and you must configure and manage password protection on a per-switch basis. (For more on local authentication, refer to chapter 2, “Configuring Username and Password Security”.
PAGE 131
TACACS+ Authentication General System Requirements General System Requirements To use TACACS+ authentication, you need the following: Notes ■ A TACACS+ server application installed and configured on one or more servers or management stations in your network. (There are several TACACS+ software packages available.) ■ A switch configured for TACACS+ authentication, with access to one or more TACACS+ servers.
PAGE 132
TACACS+ Authentication General Authentication Setup Procedure Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Trouble shooting chapter of the Management and Configuration Guide for your switch. 1. Familiarize yourself with the requirements for configuring your TACACS+ server application to respond to requests from the switch. (Refer to the documentation provided with the TACACS+ server soft ware.
PAGE 133
TACACS+ Authentication General Authentication Setup Procedure If you are a first-time user of the TACACS+ service, ProCurve recom mends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment. After you have success with the minimum feature set, you may then want to try additional features that the application offers. 4. Caution Ensure that the switch has the correct local username and password for Manager access.
PAGE 134
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring TACACS+ on the Switch Before You Begin If you are new to TACACS+ authentication, ProCurve recommends that you read the “General Authentication Setup Procedure” on page 4-5 and configure your TACACS+ server(s) before configuring authentication on the switch. The switch offers three command areas for TACACS+ operation: 4-8 ■ show authentication and show tacacs: Displays the switch’s TACACS+ configuration and status.
PAGE 135
TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication 4-9 show tacacs 4-10 aaa authentication 4-11 through 4-17 console Telnet num-attempts <1-10 > tacacs-server 4-18 host < ip-addr > 4-18 key 4-22 timeout < 1-255 > 4-23 Viewing the Switch’s Current Authentication Configuration This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configu
PAGE 136
TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact.
PAGE 137
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures access control for the following access methods: ■ Console ■ Telnet ■ SSH ■ Web ■ Port-access (802.1X) However, TACACS+ authentication is only used with the console, Telnet, or SSH access methods.
PAGE 138
TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: aaa authentication < console | telnet | ssh | web | port-access > Selects the access method for configuration. < enable> The server grants privileges at the Manager privilege level. The server grants privileges at the Operator privilege level. If the privilege-mode option is entered, TACACS+ is enabled for a single login.
PAGE 139
TACACS+ Authentication Configuring TACACS+ on the Switch Authentication Parameters Table 4-1. AAA Authentication Parameters Parameters Name Default Range Function console, Telnet, SSH, web or portaccess n/a n/a Specifies the access method used when authenticating. TACACS+ authentication only uses the console, Telnet or SSH access methods. enable n/a n/a Specifies the Manager (read/write) privilege level for the access method being configured.
PAGE 140
TACACS+ Authentication Configuring TACACS+ on the Switch numbers 0 through 15, with zero allowing only Operator privileges (and requiring two logins) and 15 representing root privileges. The root privilege level is the only level that will allow Manager level access on the switch. Figure 4-4. Advanced TACACS+ Settings Section of the TACACS+ Server User Setup Then scroll down to the section that begins with “Shell” (See Figure 4-5). Check the Shell box.
PAGE 141
TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-5. The Shell Section of the TACACS+ Server User Setup As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch’s console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.
PAGE 142
TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Privilege Level Authentication Options Console — Login Console — Enable Telnet — Login Telnet — Enable Caution Regarding the Use of Local for Login Primary Access 4-16 Effect on Access Attempts Primary Secondary local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access.
PAGE 143
TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server. Secondary using Local.
PAGE 144
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s TACACS+ Server Access The tacacs-server command configures these parameters: Note ■ The host IP address(es) for up to three TACACS+ servers; one firstchoice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server. ■ An optional encryption key.
PAGE 145
TACACS+ Authentication Configuring TACACS+ on the Switch tacacs-server key Enters the optional global encryption key. [no] tacacs-server key Removes the optional global encryption key. (Does not affect any server-specific encryption key assignments.) tacacs-server timeout < 1-255 > Changes the wait period for a TACACS server response. (Default: 5 seconds.
PAGE 146
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host [key none n/a Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, perserver encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key” on page 4-26 and the documentation provided with your TACACS+ server application.
PAGE 147
TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range key none (null) n/a Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server” key.
PAGE 148
TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-7. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.
PAGE 149
TACACS+ Authentication Configuring TACACS+ on the Switch To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs-server host 10.28.227.
PAGE 150
TACACS+ Authentication How Authentication Operates How Authentication Operates General Authentication Process Using a TACACS+ Server Authentication through a TACACS+ server operates generally as described below. For specific operating details, refer to the documentation you received with your TACACS+ server application.
PAGE 151
TACACS+ Authentication How Authentication Operates 4. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs: • If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.
PAGE 152
TACACS+ Authentication How Authentication Operates attempt limit without a successful authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again. Note The switch’s menu allows you to configure only the local Operator and Manager passwords, and not any usernames. In this case, all prompts for local authentication will request only a local password.
PAGE 153
TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication in the switch must be identical to the encryption key configured in the corresponding TACACS+ server. If the key is the same for all TACACS+ servers the switch will use for authentication, then configure a global key in the switch. If the key is different for one or more of these servers, use “serverspecific” keys in the switch.
PAGE 154
TACACS+ Authentication Messages Related to TACACS+ Operation ■ Configure the switch’s Authorized IP Manager feature to allow web browser access only from authorized management stations. (The Autho rized IP Manager feature does not interfere with TACACS+ operation.) ■ Disable web browser access to the switch by going to the System Infor mation screen in the Menu interface and configuring the Web Agent Enabled parameter to No.
PAGE 155
TACACS+ Authentication Operating Notes Operating Notes ■ If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized man ager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP Manager controls configured on the switch.
PAGE 156
TACACS+ Authentication Operating Notes 4-30
PAGE 157
5 RADIUS Authentication and Accounting Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Accounting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 RADIUS-Administered CoS and Rate-Limiting . . . . . . . . . . . . . . . . . . .
PAGE 158
RADIUS Authentication and Accounting Contents Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-34 Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-35 Operating Rules for RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . 5-37 Steps for Configuring RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . 5-37 1. Configure the Switch To Access a RADIUS Server . . . . . . . . . 5-38 2.
PAGE 159
RADIUS Authentication and Accounting Overview Overview Feature Default Menu CLI Web Configuring RADIUS Authentication None n/a 5-8 n/a Configuring RADIUS Accounting None n/a 5-35 n/a Configuring RADIUS Authorization None n/a 5-26 n/a n/a n/a 5-43 n/a Viewing RADIUS Statistics RADIUS (Remote Authentication Dial-In User Service) enables you to use up to three servers (one primary server and one or two backups) and maintain separate authentication and accounting for each RADIUS server
PAGE 160
RADIUS Authentication and Accounting Overview Note The switch does not support RADIUS security for SNMP (network manage ment) access. For information on blocking access through the web browser interface, refer to “Controlling Web Browser Interface Access” on page 5-25. Accounting Services RADIUS accounting on the switch collects resource consumption data and forwards it to the RADIUS server. This data can be used for trend analysis, capacity planning, billing, auditing, and cost analysis.
PAGE 161
RADIUS Authentication and Accounting Terminology Terminology AAA: Authentication, Authorization, and Accounting groups of services pro vided by the carrying protocol. CHAP (Challenge-Handshake Authentication Protocol): A challengeresponse authentication protocol that uses the Message Digest 5 (MD5) hashing scheme to encrypt a response to a challenge from a RADIUS server. CoS (Class of Service): Support for priority handling of packets traversing the switch, based on the IEEE 802.
PAGE 162
RADIUS Authentication and Accounting Switch Operating Rules for RADIUS Shared Secret Key: A text value used for encrypting data in RADIUS packets. Both the RADIUS client and the RADIUS server have a copy of the key, and the key is never transmitted across the network. Vendor-Specific Attribute: A vendor-defined value configured in a RADIUS server to specific an optional switch feature assigned by the server during an authenticated client session.
PAGE 163
RADIUS Authentication and Accounting General RADIUS Setup Procedure General RADIUS Setup Procedure Preparation: Table 5-1. 1. Configure one to three RADIUS servers to support the switch. (That is, one primary server and one or two backups.) Refer to the documentation provided with the RADIUS server application. 2. Before configuring the switch, collect the information outlined below. Preparation for Configuring RADIUS on the Switch • Determine the access methods (console, Telnet, Port-Access (802.
PAGE 164
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.) • Determine whether you want to bypass a RADIUS server that fails to respond to requests for service.
PAGE 165
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following • Serial port • Telnet • SSH • Port-Access (802.1X) • Web browser interface 2.
PAGE 166
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Timeout Period: The timeout period the switch waits for a RADIUS server to reply. (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS authentication request. (Default: 3; range of 1 to 5.
PAGE 167
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication ure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail.
PAGE 168
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-2 shows an example of the show authentication command displaying authorized as the secondary authentication method for port-access, Web-auth access, and MAC-auth access. Since the configuration of authorized means no authentication will be performed and the client has unconditional access to the network, the “Enable Primary” and “Enable Secondary” fields are not applicable (N/A).
PAGE 169
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in this guide. The switch now allows Telnet and SSH authentication only through RADIUS. Figure 5-3.
PAGE 170
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication this default behavior for clients with Enable (manager) access. That is, with privilege-mode enabled, the switch immediately allows Enable (Manager) access to a client for whom the RADIUS server specifies this access level. Syntax: [no] aaa authentication login privilege-mode When enabled, the switch reads the Service-Type field in the client authentication received from a RADIUS server.
PAGE 171
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 5-35: “Configuring RADIUS Accounting” instead of continuing here.
PAGE 172
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication [key < key-string >] Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key.
PAGE 173
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-4. Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 5-4, you would do the following: Changes the key for the existing server to “source0127” (step 1, above). Adds the new RADIUS server with its required “source0119” key. Lists the switch’s new RADIUS server configuration. Compare this with Figure 5-5.
PAGE 174
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication ■ Global server key: The server key the switch will use for contacts with all RADIUS servers for which there is not a server-specific key configured by radius-server host < ip-address > key < key-string >. This key is optional if you configure a server-specific key for each RADIUS server entered in the switch. (Refer to “3. Configure the Switch To Access a RADIUS Server” on page 5-15.
PAGE 175
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server timeout < 1 - 15 > Specifies the maximum time the switch waits for a response to an authentication request before counting the attempt as a failure. (Default: 3 seconds; Range: 1 - 15 seconds) radius-server retransmit < 1 - 5 > If a RADIUS server fails to respond to an authentica tion request, specifies how many retries to attempt before closing the session.
PAGE 176
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in this guide. After two attempts failing due to username or password entry errors, the switch will terminate the session. Global RADIUS parameters from figure 5-6. Server-specific encryption key for the RADIUS server that will not use the global encryption key. These two servers will use the global encryption key. Figure 5-7.
PAGE 177
RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features Using SNMP To View and Configure Switch Authentication Features SNMP MIB object access is available for switch authentication configuration (hpSwitchAuth) features.
PAGE 178
RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features Changing and Viewing the SNMP Access Configuration Syntax: snmp-server mib hpswitchauthmib < excluded | included > included: Enables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB. excluded: Disables manager-level SNMP read/write access to the switch’s authentication configuration (hpSwitchAuth) MIB.
PAGE 179
RADIUS Authentication and Accounting Using SNMP To View and Configure Switch Authentication Features An alternate method of determining the current Authentication MIB access state is to use the show run command. ProCurve(config)# show run Running configuration: ; J8715A Configuration Editor; Created on release #W.14.XX hostname "ProCurve" snmp-server mib hpSwitchAuthMIB excluded ip default-gateway 10.10.24.
PAGE 180
RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: ■ Local is the authentication option for the access method being used. ■ The switch has been configured to query one or more RADIUS servers for a primary authentication request, but has not received a response, and Local is the configured secondary option.
PAGE 181
RADIUS Authentication and Accounting Controlling Web Browser Interface Access Controlling Web Browser Interface Access To help prevent unauthorized access through the web browser interface, do one or more of the following: ■ Configure the switch to support RADIUS authentication for web browser interface access (See chapter 3, “Web and MAC Authentica tion” ).
PAGE 182
RADIUS Authentication and Accounting Commands Authorization Commands Authorization The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information (from the user’s profile) to the Network Access Server (NAS). After user authentication has occurred, the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user’s session.
PAGE 183
RADIUS Authentication and Accounting Commands Authorization Enabling Authorization To configure authorization for controlling access to the CLI commands, enter this command at the CLI. Syntax: [no] aaa authorization Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed.
PAGE 184
RADIUS Authentication and Accounting Commands Authorization Displaying Authorization Information You can show the authorization information by entering this command: Syntax: show authorization Configures authorization for controlling access to CLI commands. When enabled, the switch checks the list of commands supplied by the RADIUS server during user authentication to determine if a command entered by the user can be executed. An example of the output is shown.
PAGE 185
RADIUS Authentication and Accounting Commands Authorization The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below. HP-Command-String HP-Command-Exception Description Not present Not present If command authorization is enabled and the RADIUS server does not provide any authorization attributes in an Access-Accept packet, the user is denied access to the server.
PAGE 186
RADIUS Authentication and Accounting Commands Authorization Example Configuration on Cisco Secure ACS for MS Windows It is necessary to create a dictionary file that defines the VSAs so that the RADIUS server application can determine which VSAs to add to its user interface. The VSAs will appear below the standard attributes that can be configured in the application. The dictionary file must be placed in the proper directory on the RADIUS server. Follow these steps. 1.
PAGE 187
RADIUS Authentication and Accounting Commands Authorization Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList 2. Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). 3. From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils> csutil -addudv 0 hp.ini The zero (0) is the slot number.
PAGE 188
RADIUS Authentication and Accounting Commands Authorization 6. Right click and then select New > key. Add the vendor Id number that you determined in step 4 (100 in the example). 7. Restart all Cisco services. 8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes. Select Network Configuration and add (or modify) an AAA entry. In the Authenticate Using field choose RADIUS(HP) as an option for the type of security control protocol. 9.
PAGE 189
RADIUS Authentication and Accounting Commands Authorization # # # # # # # dictionary.hp As posted to the list by User Version: $Id: dictionary.hp, v 1.0 2006/02/23 17:07:07 VENDOR Hp 11 # HP Extensions ATTRIBUTE ATTRIBUTE Hp-Command-String Hp-Command-Exception 2 3 string integer Hp Hp # Hp-Command-Exception Attribute Values VALUE VALUE Hp-Command-Exception Hp-Command-Exception Permit-List Deny-List 0 1 2.
PAGE 190
RADIUS Authentication and Accounting Commands Authorization Additional RADIUS Attributes The following attributes are included in Access-Request and Access-Account ing packets sent from the switch to the RADIUS server to advertise switch capabilities, report information on authentication sessions, and dynamically 42reconfigure authentication parameters: ■ MS-RAS-Vendor (RFC 2548): Allows ProCurve switches to inform a Microsoft RADIUS server that the switches are from ProCurve Networking.
PAGE 191
RADIUS Authentication and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting Note RADIUS Accounting Commands Page [no] radius-server host < ip-address > 5-38 [acct-port < port-number >] 5-38 [key < key-string >] 5-38 [no] aaa accounting < exec | network | system | commands> < start-stop | stop-only> radius 5-41 [no] aaa accounting update periodic < 1 - 525600 > (in minutes) 5-42 [no] aaa accounting suppress null-username 5-42 show accounting 5-46 show accounting sessio
PAGE 192
RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Exec accounting: Provides records holding the information listed below about login sessions (console, Telnet, and SSH) on the switch: • • • • ■ Acct-Authentic Acct-Delay-Time Acct-Session-Id Acct-Session-Time • • • • Acct-Status-Type Acct-Terminate-Cause Calling-Station-Id MS-RAS-Vendor • • • • NAS-Identifier NAS-IP-Address Service-Type Username System accounting: Provides records containing the information listed below when system
PAGE 193
RADIUS Authentication and Accounting Configuring RADIUS Accounting Operating Rules for RADIUS Accounting ■ You can configure up to four types of accounting to run simulta neously: exec, system, network, and commands. ■ RADIUS servers used for accounting are also used for authentication. ■ The switch must be configured to access at least one RADIUS server. ■ RADIUS servers are accessed in the order in which their IP addresses were configured in the switch. Use show radius to view the order.
PAGE 194
RADIUS Authentication and Accounting Configuring RADIUS Accounting must match the encryption key used on the specified RADIUS server. For more information, refer to the “[key < key-string >]” parameter on page 5-15. (Default: null) 2. 3. Configure accounting types and the controls for sending reports to the RADIUS server.
PAGE 195
RADIUS Authentication and Accounting Configuring RADIUS Accounting [key < key-string >] Optional. Specifies an encryption key for use during accounting or authentication sessions with the speci fied server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key. Note: When you save the config file using Xmodem or TFTP, the key information is not saved in the file.
PAGE 196
RADIUS Authentication and Accounting Configuring RADIUS Accounting The radius-server command as shown in figure 5-11, above, configures the switch to use a RADIUS server at IP address 10.33.18.151, with a (non-default) UDP accounting port of 1750, and a server-specific key of “source0151”. 2.
PAGE 197
RADIUS Authentication and Accounting Configuring RADIUS Accounting ■ Stop-Only: • Send a stop record accounting notice at the end of the accounting session. The notice includes the latest data the switch has collected for the requested accounting type (Network, Exec, Commands, or System). • Do not wait for an acknowledgment. The system option (page 5-40) always delivers stop-only operation because the switch sends the accumulated data only when there is a reboot, reload, or accounting on/off event.
PAGE 198
RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additional control over accounting data. ■ Updates: In addition to using a Start-Stop or Stop-Only trigger, you can optionally configure the switch to send periodic accounting record updates to a RADIUS server. ■ Suppress: The switch can suppress accounting for an unknown user having no username.
PAGE 199
RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which. requires prior use of the radius-server host command. (See “Configuring RADIUS Accounting” on page 5-35.) Figure 5-14.
PAGE 200
RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-15. RADIUS Server Information From the Show Radius Host Command Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the AccountingRequest that matched it from this RADIUS accounting server. PendingRequests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
PAGE 201
RADIUS Authentication and Accounting Viewing RADIUS Statistics Term Definition Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions. AccessChallenges The number of RADIUS Access-Challenge packets (valid or invalid) received from this server. AccessAccepts The number of RADIUS Access-Accept packets (valid or invalid) received from this server. AccessRejects The number of RADIUS Access-Reject packets (valid or invalid) received from this server.
PAGE 202
RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-17. Example of RADIUS Authentication Information from a Specific Server RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppres sion status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) config ured in the switch (using the radius-server host command).
PAGE 203
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-19. Example of RADIUS Accounting Information for a Specific Server Figure 5-20. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.
PAGE 204
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order RADIUS server IP addresses listed in the order in which the switch will try to access them. In this case, the server at IP address 1.1.1.1 is first. Note: If the switch successfully accesses the first server, it does not try to access any other servers in the list, even if the client is denied access by the first server. Figure 5-21.
PAGE 205
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Removes the “003” and “001” addresses from the RADIUS server list. Inserts the “003” address in the first position in the RADIUS server list, and inserts the “001” address in the last position in the list. Shows the new order in which the switch searches for a RADIUS server. Figure 5-22.
PAGE 206
RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch. If the server is accessible, then verify that the switch is using the correct encryption key and that the server is correctly configured to receive an authentication request from the switch.
PAGE 207
6 Configuring RADIUS Server Support for Switch Services Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting . . . . . . . . . . . . . . . 6-3 Applied Rates for RADIUS-Assigned Rate Limits . . . . . . . . . . . . . . . . . 6-4 Viewing the Currently Active Per-Port CoS and Rate-Limiting Configuration Specified by a RADIUS Server . . . . . . . . . . . . .
PAGE 208
Configuring RADIUS Server Support for Switch Services Contents Configuring the Switch To Support RADIUS-Assigned ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-23 Displaying the Current RADIUS-Assigned ACL Activity on the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25 ICMP Type Numbers and Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-27 Event Log Messages . . . . .
PAGE 209
Configuring RADIUS Server Support for Switch Services Overview Overview This chapter provides information that applies to setting up a RADIUS server to configure the following switch features on ports supporting RADIUSauthenticated clients: ■ CoS ■ Rate-Limiting ■ ACLS Optional Network Management Applications. Per-port CoS and ratelimiting assignments through a RADIUS server are also supported in the ProCurve Manager (PCM) application.
PAGE 210
Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and RateLimiting This section provides general guidelines for configuring a RADIUS server to dynamically apply CoS (Class of Service) and Rate-Limiting for inbound traffic on ports supporting authenticated clients.
PAGE 211
Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Service Control Method and Operating Notes: Rate-Limiting on inbound traffic This feature assigns a bandwidth limit to all inbound packets received on a port supporting an authenticated client. Vendor-Specific Attribute configured in the RADIUS server.
PAGE 212
Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Table 6-2.
PAGE 213
Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.1p Priority) and Rate-Limiting Syntax: show port-access authenticator [ port-list ] show rate-limit all show qos port-priority These commands display the CoS and Rate-Limiting settings specified by the RADIUS server used to grant authentication for a given client on a given port.
PAGE 214
Configuring RADIUS Server Support for Switch Services RADIUS Server Configuration for Per-Port CoS (802.
PAGE 215
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuring and Using RADIUS-Assigned Access Control Lists Introduction A RADIUS-assigned ACL is configured on a RADIUS server and dynamically assigned by the server to filter traffic entering the switch through a specific port after the client is authenticated by the server. Note that client authenti cation can be enhanced by using ProCurve Manager with the optional IDM application.
PAGE 216
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists • RADIUS-assigned ACL: dynamic ACL assigned to a port by a RADIUS server to filter inbound traffic from an authenticated client on that port An ACL can be configured on an interface as a static port ACL. (RADIUS assigned ACLs are configured on a RADIUS server.) ACL Mask: Follows a destination IP address listed in an ACE.
PAGE 217
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Permit: An ACE configured with this action allows the switch to forward an inbound packet for which there is a match within an applicable ACL. Permit Any Any: An abbreviated form of permit in ip from any to any, which permits any inbound IP traffic from any source to any destination.
PAGE 218
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Overview of RADIUS-Assigned, Dynamic ACLs RADIUS-assigned ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources and to the switch management interface.
PAGE 219
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note A RADIUS-assigned ACL assignment filters all inbound IP traffic from an authenticated client on a port, regardless of whether the client’s IP traffic is to be switched or routed. RADIUS-assigned ACLs can be used either with or without PCM and IDM support. (Refer to “Optional PCM and IDM Applications” on page 6-3.
PAGE 220
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists RADIUS-assigned ACLs Static Port ACLs Allows one RADIUS-assigned ACL per authenticated client Supports static ACLs on a port. (Each such ACL filters traffic from a different, authenticated client.) Note: The switch provides ample resources for supporting RADIUS-assigned ACLs and other features.
PAGE 221
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists the same username/password pair. Where the client MAC address is the selection criteria, only the client having that MAC address can use the corre sponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client’s credentials to the port.
PAGE 222
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 3. Configure the ACLs on a RADIUS server accessible to the intended clients. 4. Configure the switch to use the desired RADIUS server and to support the desired client authentication scheme. Options include 802.1X, Web authentication, or MAC authentication. (Note that the switch supports the option of simultaneously using 802.1X with either Web or MAC authenti cation.) 5.
PAGE 223
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Operating Rules for RADIUS-Assigned ACLs ■ Relating a Client to a RADIUS-Assigned ACL: A RADIUS-assigned ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client. (If the client must authenticate using 802.1X and/or Web Authentication, the username/password pair forms the credential set.
PAGE 224
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Elements in a RADIUS-assigned ACL Configuration.
PAGE 225
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuring ACE Syntax in RADIUS Servers The following syntax and operating information applies to ACLs configured in a RADIUS server.
PAGE 226
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists any: • Specifies any IPv4 destination address if one of the following is true: – the ACE uses the standard attribute (Nas-filter-Rule). For example: Nas-filter-Rule=”permit in tcp from any to any 23” Nas-filter-Rule+=”permit in ip from any to 10.10.10.1/24” Nas-filter-Rule+=”deny in ip from any to any” – the HP-Nas-Filter-Rule VSA is used instead of the above option.
PAGE 227
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 1. Enter the ACL standard attribute in the FreeRADIUS dictionary.rfc4849 file. ATTRIBUTE 2. Nas-FILTER-Rule 92 Enter the switch IP address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key (“secret”) is “1234”, you would enter the following in the server’s clients.conf file: client 10.
PAGE 228
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists 1. VENDOR BEGIN-VENDOR ATTRIBUTE END-VENDOR Enter the ProCurve vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file: HP 11 ProCurve (HP) Vendor-Specific ID HP HP-IP-FILTER-RAW 61 STRING HP ProCurve (HP) Vendor-Specific Attribute for RADIUS-assigned ACLs Note that if you were also using the RADIUS server to administer 802.
PAGE 229
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note For syntax details on RADIUS-assigned ACLs, refer to the next section, “Format Details for ACEs Configured in a RADIUS-Assigned ACL”. Client’s Username (802.1X or Web Authentication) Client’s Password (802.1X or Web Authentication) mobile011 Auth-Type:= Local, User-Password == run101112 HP-IP-FILTER-RAW = “permit in tcp from any to 10.10.10.
PAGE 230
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Configuration Notes Explicitly Permitting Any IP Traffic. Entering a permit in ip from any to any (permit any any) ACE in an ACL permits all IP traffic not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect. Explicitly Denying Any IP Traffic.
PAGE 231
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Note Refer to the documentation provided with your RADIUS server for infor mation on how the server receives and manages network accounting information, and how to perform any configuration steps necessary to enable the server to support network accounting data from the switch. 3. Configure an authentication method. Options include 802.1X, Web authen tication, and MAC authentication.
PAGE 232
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Displaying the Current RADIUS-Assigned ACL Activity on the Switch These commands output data indicating the current ACL activity imposed perport by RADIUS server responses to client authentication.
PAGE 233
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Syntax: show port-access authenticator < port-list > For ports, in < port-list > that are configured for authentication, this command indicates whether there are any RADIUS-assigned features active on the port(s). (Any ports in < port-list > that are not configured for authentication do not appear in this listing.) Port: Port number of port configured for authentication.
PAGE 234
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists ProCurve(config)# show port-access authenticator 2-3 Port Access Authenticator Status Port-access authenticator activated [No] : No Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Port ---2 3 Auth Clients -------1 1 Unauth Clients -------0 0 Untagged Tagged VLAN VLANs Port COS -------- ------ --------1 7 1 5 Kbps In Limit ----------90 50 RADIUS ACL -----No Yes Cntrl Dir ---In In Fig
PAGE 235
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Event Log Messages Message Meaning ACE parsing error, permit/deny keyword < ace-# > client < mac-address > port < port-# >. Notifies of a problem with the permit/deny keyword in the indicated ACE included in the access list for the indicated client on the indicated switch port. Could not add ACL entry. Notifies that the ACE entry could not be added to the internal ACL storage.
PAGE 236
Configuring RADIUS Server Support for Switch Services Configuring and Using RADIUS-Assigned Access Control Lists Message Meaning Invalid Access-list entry length, client < mac-address > port < port-# >. Notifies that the string configured for an ACE entry on the Radius server exceeds 80 characters. Memory allocation failure for IDM ACL. Notifies of a memory allocation failure for a RADIUS assigned ACL assigned by a RADIUS server performing client authentication.
PAGE 237
7 Configuring Secure Shell (SSH) Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Prerequisite for Using SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 Public Key Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 238
Configuring Secure Shell (SSH) Overview Overview Feature Generating a public/private key pair on the switch Using the switch’s public key Default Menu CLI Web No n/a page 7-9 n/a n/a n/a page 7-12 n/a Enabling SSH Disabled n/a page 7-15 n/a Enabling client public-key authentication Disabled n/a pages 7-20, 7-23 n/a Enabling user authentication Disabled n/a page 7-20 n/a The switches covered in this guide use Secure Shell version 2 (SSHv2) to provide remote access to management f
PAGE 239
Configuring Secure Shell (SSH) Terminology Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication shown in figure 7-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key. As in figure 7-1, the switch authen ticates itself to SSH clients.
PAGE 240
Configuring Secure Shell (SSH) Prerequisite for Using SSH ■ Local password or username: A Manager-level or Operator-level pass word configured in the switch. ■ SSH Enabled: (1) A public/private key pair has been generated on the switch (generate ssh [dsa | rsa]) and (2) SSH is enabled (ip ssh). (You can generate a key pair without enabling SSH, but you cannot enable SSH without first generating a key pair. See “2. Generating the Switch’s Public and Private Key Pair” on page 7-9 and “4.
PAGE 241
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 7-1.
PAGE 242
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 7-8). 2. Generate a public/private key pair on the switch (page 7-9). You need to do this only once. The key remains in the switch even if you reset the switch to its factory-default configuration. (You can remove or replace this key pair, if necessary.) 3.
PAGE 243
Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 client key pairs. ■ The switch’s own public/private key pair and the (optional) client public key file are stored in the switch’s flash memory and are not affected by reboots or the erase startup-config command.
PAGE 244
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configuring the Switch for SSH Operation SSH-Related Commands in This Section Page show ip ssh 7-18 show crypto client-public-key [] [keylist-str] [< babble | fingerprint>] 7-26 show crypto host-public-key [< babble | fingerprint >] 7-14 show authentication 7-22 crypto key < generate | zeroize > [autorun-key [rsa] | cert [rsa] | ssh [ dsa | rsa [bits ]] 7-10 ip ssh 7-16 cipher
PAGE 245
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation To Configure Local Passwords. You can configure both the Operator and Manager password with one command. Syntax:password < manager | operator | all > Figure 7-4. Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch.
PAGE 246
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be “permanent”; that is, avoid re-generating the key pair without a compelling reason.
PAGE 247
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation show crypto host-public-key Displays switch’s public key. Displays the version 1 and version 2 views of the key. See “SSH Client Public-Key Authentication” on page 2-16 in this guide for information about public keys saved in a configuration file. [ babble ] Displays hashes of the switch’s public key in phonetic format. (See “Displaying the Public Key” on page 7-14.
PAGE 248
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation hosts file, note that the formatting and comments need not match. For version 1 keys, the three numeric values bit size, exponent , and modulus must match; for PEM keys, only the PEM-encoded string itself must match. Notes "Zeroizing" the switch’s key automatically disables SSH (sets ip ssh to no).
PAGE 249
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation The public key generated by the switch consists of three parts, separated by one blank space each: Bit Size Exponent Modulus 896 35 427199470766077426366625060579924214851527933248752021855126493 2934075407047828604329304580321402733049991670046707698543529734853020 0176777055355544556880992231580238056056245444224389955500310200336191 3610469786020092436232649374294060627777506601747146563337525446401 Figure 7-6.
PAGE 250
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Inserted IP Address Bit Size Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Exponent Modulus Figure 7-8. Example of a Switch Public Key Edited To Include the Switch’s IP Address For more on this topic, refer to the documentation provided with your SSH client application.
PAGE 251
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 7-9. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 7-9 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host” file. The switch has only one RSA host key.
PAGE 252
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if the switch’s public key has not been copied into the client, then the client’s first connection to the switch will question the connection and, for security reasons, provide the option of accepting or refusing.
PAGE 253
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: [no] ip ssh Enables or disables SSH on the switch. [cipher ] Specify a cipher type to use for connection. Valid types are: • aes128-cbc • 3des-cbc • aes192-cbc • aes256-cbc • rijndael-cbc@lysator.liu.se • aes128-ctr • aes192-ctr • aes256-ctr Default: All cipher types are available. Use the no form of the command to disable a cipher type. [filetransfer] Enable/disable secure file transfer capability.
PAGE 254
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [port < 1-65535 | default >] The TCP port number for SSH connections (default: 22). Important: See “Note on Port Number” on page 7-18. [public-key ] Configures a client public key. manager: Select manager public keys (ASCII formatted). operator: Select operator public keys (ASCII formatted).
PAGE 255
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Caution Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you. SSH does not protect the switch from unauthorized access via the web interface, Telnet, SNMP, or the serial port.
PAGE 256
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Option A: Configuring SSH Access for Password-Only SSH Authentication. When configured with this option, the switch uses its pub lic key to authenticate itself to a client, but uses only passwords for client authentication. Syntax: aaa authentication ssh login < local | tacacs | radius | public-key >[< local | none | authorized >] Configures a password method for the primary and second ary login (Operator) access.
PAGE 257
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: copy tftp pub-key-file < ipv4-address | ipv6-address > < filename > Copies a public key file into the switch. aaa authentication ssh login public-key Configures the switch to authenticate a client public-key at the login level with an optional secondary password method (default: none).
PAGE 258
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Configures Manager username and password. ProCurve(config)# password manager user-name leader New password for Manager: ******** Please retype new password for Manager: ******** ProCurve(config)# aaa authentication ssh login public-key none ProCurve(config)# aaa authentication ssh enable tacacs local ProCurve(config)# coy tftp pub-key-file 10.33.18.117 ProCurve(config)# write memory Copies a public key file named "Client-Keys.
PAGE 259
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems" in the Troubleshooting chapter of the Manage ment and Configuration Guide for your switch. Further Information on SSH Client Public-Key Authentication The section titled “5.
PAGE 260
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication If you enable client public-key authentication, the following events occur when a client tries to access the switch using SSH: 1. The client sends its public key to the switch with a request for authenti cation. 2. The switch compares the client’s public key to those stored in the switch’s client-public-key file. (As a prerequisite, you must use the switch’s copy tftp command to download this file to flash.) 3.
PAGE 261
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication To Create a Client-Public-Key Text File. These steps describe how to copy client-public-keys into the switch for challenge-response authentication, and require an understanding of how to use your SSH client application. Bit Size Modulus Exponent Comment Figure 7-13. Example of a Client Public Key Notes Comments in public key files, such as smith@support.cairns.
PAGE 262
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 2. Copy the client’s public key into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft® Windows® software. If you want several clients to use client public-key authentica tion, copy a public key for each of these clients (up to ten) into the file. Each key should be separated from the preceding key by a . 3.
PAGE 263
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication The babble option converts the key data to phonetic hashes that are easier for visual comparisons. The fingerprint option converts the key data to hexadec imal hashes that are for the same purpose. The keylist-str selects keys to display (comma-delimited list). The manager option allows you to select manager public keys The operator option allows you to select operator public keys.
PAGE 264
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: clear crypto public-key Deletes the client-public-key file from the switch. Syntax: clear crypto public-key 3 Deletes the entry with an index of 3 from the client-public-key file on the switch. Enabling Client Public-Key Authentication.
PAGE 265
Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning 00000K Peer unreachable. File transfer did not occur. Indicates an error in communicating with the tftp server or not finding the file to download.
PAGE 266
Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning Generating new RSA host key. If the cache is depleted, this could take up to two minutes. After you execute the generate ssh [dsa | rsa] command, the switch displays this message while it is generating the key. Host RSA key file corrupt or not found. The switch’s key is missing or corrupt. Use the Use ' generate ssh [dsa | rsa]' to cre- generate ssh [dsa | rsa] command to generate a new key for the switch. ate new host key.
PAGE 267
8 Configuring Secure Socket Layer (SSL) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Prerequisite for Using SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5 Steps for Configuring and Using SSL for Switch and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 268
Configuring Secure Socket Layer (SSL) Overview Overview Feature Generating a Self Signed Certificate on the switch Generating a Certificate Request on the switch Enabling SSL Default Menu CLI Web No n/a page 8-8 page 8-12 No n/a n/a page 8-15 Disabled n/a page 8-17 page 8-19 The switches covered in this guide use Secure Socket Layer Version 3 (SSLv3) and support for Transport Layer Security(TLSv1) to provide remote web access to the switches via encrypted paths between the switch and manag
PAGE 269
Configuring Secure Socket Layer (SSL) Terminology 1. Switch-to-Client SSL Cert. ProCurve Switch SSL Client Browser 2. User-to-Switch (login password and enable password authentication) options: – Local – TACACS+ – RADIUS (SSL Server) Figure 8-1.
PAGE 270
Configuring Secure Socket Layer (SSL) Terminology 8-4 ■ Root Certificate: A trusted certificate used by certificate authorities to sign certificates (CA-Signed Certificates) and used later on to verify that authenticity of those signed certificates. Trusted certificates are distrib uted as an integral part of most popular web clients. (see browser docu mentation for which root certificates are pre-installed). ■ Manager Level: Manager privileges on the switch.
PAGE 271
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include: A. Client Preparation 1.
PAGE 272
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes 4. Use your SSL enabled browser to access the switch using the switch’s IP address or DNS name (if allowed by your browser). Refer to the documentation provided with the browser application. General Operating Rules and Notes 8-6 ■ Once you generate a certificate on the switch you should avoid re generating the certificate without a compelling reason.
PAGE 273
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Configuring the Switch for SSL Operation SSL-Related CLI Commands in This Section Page web-management ssl page 8-19 show config page 8-19 show crypto host-cert 8-12 crypto key generate cert [rsa] <512 | 768 |1024> 8-10 zeroize cert 8-10 crypto host-cert generate self-signed [arg-list] 8-10 zeroize 8-10 1.
PAGE 274
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Security Tab Password Button Figure 8-2. Example of Configuring Local Passwords 1. Proceed to the security tab and select device passwords button. 2. Click in the appropriate box in the Device Passwords window and enter user names and passwords. You will be required to repeat the password strings in the confirmation boxes. Both the user names and passwords can be up to 16 printable ASCII characters. 3.
PAGE 275
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The server certificate is stored in the switch’s flash memory. The server certificate should be added to your certificate folder on the SSL clients who you want to have access to the switch. Most browser applications automati cally add the switch’s host certificate to there certificate folder on the first use. This method does allow for a security breach on the first access to the switch.
PAGE 276
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI commands used to generate a Server Host Certificate. Syntax: crypto key generate cert [rsa] < 512 | 768 |1024 > Generates a key pair for use in the certificate. crypto key zeroize cert Erases the switch’s certificate key and disables SSL opera tion. crypto host-cert generate self-signed [arg-list] Generates a self signed host certificate for the switch.
PAGE 277
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Table 8-1.Certificate Field Descriptions Field Name Description Valid Start Date This should be the date you desire to begin using the SSL functionality. Valid End Date This can be any future date, however good security practices would suggest a valid duration of about one year between updates of passwords and keys. Common name This should be the IP address or domain name associated with the switch.
PAGE 278
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI Command to view host certificates. Syntax: show crypto host-cert Displays switch’s host certificate To view the current host certificate from the CLI you use the show crypto host cert command. For example, to display the new server host certificate: Show host certificate command Figure 8-4.
PAGE 279
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To generate a self signed host certificate from the web browser interface: i. Proceed to the Security tab then the SSL button. The SSL config uration screen is split up into two halves. The left half is used in creating a new certificate key pair and (self-signed / CA-signed) certificate. The right half displays information on the currently installed certificate. ii. Select the Generate Certificate button. iii.
PAGE 280
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers inter face: Certificate Type Box Key Size Selection Certificate Arguments Figure 8-5. Self-Signed Certificate generation via SSL Web Browser Interface Screen To view the current host certificate in the web browser interface: 8-14 1. Proceed to the Security tab 2.
PAGE 281
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Current SSL Host Certificate Figure 8-6. Web browser Interface showing current SSL Host Certificate Generate a CA-Signed server host certificate with the Web browser interface To install a CA-Signed server host certificate from the web browser interface.
PAGE 282
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation that involves having the certificate authority verify the certificate request and then digitally signing the request to generate a certificate response (the usable server host certificate).
PAGE 283
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE---- MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEU
PAGE 284
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Note Before enabling SSL on the switch you must generate the switch’s host certificate and key. If you have not already done so, refer to “2. Generating the Switch’s Server Host Certificate” on page 8-8.
PAGE 285
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI Interface to Enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443). Important: See “Note on Port Number” on page 8-20. show config Shows status of the SSL server. When enabled webmanagement ssl will be present in the config list. To enable SSL on the switch 1.
PAGE 286
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Enable SLL and port number Selection Figure 8-8. Using the web browser interface to enable SSL and select TCP port number Note on Port Number ProCurve recommends using the default IP port number (443). However, you can use web-management ssl tcp-port to specify any TCP port for SSL connec tions except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http).
PAGE 287
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 8-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host certificate. (Refer to “Generate a SelfSigned Host Certificate with the Web browser interface” on page 8-12.) You may be using a reserved TCP port.
PAGE 288
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup 8-22
PAGE 289
9 IPv4 Access Control Lists (ACLs) Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4 Overview of Options for Applying IPv4 ACLs on the Switch . . . . . . 9-6 Static ACLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 Dynamic Port ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 Terminology . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 290
IPv4 Access Control Lists (ACLs) Contents Configuring and Assigning an IPv4 ACL . . . . . . . . . . . . . . . . . . . . . . . 9-34 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-34 General Steps for Implementing ACLs . . . . . . . . . . . . . . . . . . . . . 9-34 Options for Permit/Deny Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-35 ACL Configuration Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 291
IPv4 Access Control Lists (ACLs) Contents Displaying ACL Configuration Data . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-85 Display an ACL Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-86 Display the Content of All ACLs on the Switch . . . . . . . . . . . . . . . . . . 9-87 Display Static Port ACL Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . 9-88 Displaying the Content of a Specific ACL . . . . . . . . . . . . . . . . . . . . . .
PAGE 292
IPv4 Access Control Lists (ACLs) Introduction Introduction An Access Control List (ACL) is a list of one or more Access Control Entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch’s interfaces. This chapter describes how to configure, apply, and edit IPv4 ACLs in a network populated with the switches covered by this guide, and how to monitor IPv4 ACL actions.
PAGE 293
IPv4 Access Control Lists (ACLs) Introduction Notes IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as part of your network security program. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IPv4 packet transmissions, they should not be relied upon for a complete security solution.
PAGE 294
IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Overview of Options for Applying IPv4 ACLs on the Switch To apply IPv4 ACL filtering, assign a configured IPv4 ACL to the interface on which you want traffic filtering to occur. Port traffic ACLs can be applied either statically or dynamically (using a RADIUS server). Static ACLS Static ACLs are configured on the switch. To apply a static ACL, you must assign it to an interface.
PAGE 295
IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Create a Standard, Numbered ACL or Add an ACE to the End of an Existing Standard, Numbered ACL ProCurve(config)# access-list < 1-99 > < deny | permit > < any | host | SA/< mask-length > | SA < mask >> [log]2 9-49 Use a Sequence Number To Insert an ACE in a Standard ACL ProCurve(config)# ip access-list standard < name-str | 1-99 > ProCurve(config-std-nacl)# 1-2147483647 < deny | permit > < any | host | S
PAGE 296
IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Table 9-2.
PAGE 297
IPv4 Access Control Lists (ACLs) Overview of Options for Applying IPv4 ACLs on the Switch Action Command(s) Enter or Remove a Remark ProCurve(config)# ip access-list extended < name-str | 100-199 > ProCurve(config-ext-nacl)# [ remark < remark-str > | no remark ] Page 9-81 9-83 For numbered, extended ACLs only, the following remark commands can be substituted for the above: ProCurve(config)# access-list < 100 - 199 > remark < remark-str > ProCurve(config)# [no] access-list < 100 - 199 > remark Delete an
PAGE 298
IPv4 Access Control Lists (ACLs) Terminology Terminology Access Control Entry (ACE): A policy consisting of criteria and an action (permit or deny) to execute on a packet if it meets the criteria.
PAGE 299
IPv4 Access Control Lists (ACLs) Terminology ACL Mask: Follows any IPv4 address (source or destination) listed in an ACE. Defines which bits in a packet’s corresponding IPv4 addressing must exactly match the addressing in the ACE, and which bits need not match (wildcards). See also “How an ACE Uses a Mask To Screen Packets for Matches” on page 9-28.) CIDR: This is the acronym for Classless Inter-Domain Routing. DA: The acronym used in text to represent Destination Address.
PAGE 300
IPv4 Access Control Lists (ACLs) Terminology Inbound Traffic: For the purpose of defining where the switch applies IPv4 ACLs to filter traffic, inbound traffic is a packet that meets one of the following criteria: • Static Port ACL: Inbound traffic is a packet entering the switch on the port. • Dynamic Port ACL: Where a RADIUS server has authenticated a client and assigned an ACL to the port to filter the client’s IPv4 traffic, inbound traffic is a packet entering the switch from that client.
PAGE 301
IPv4 Access Control Lists (ACLs) Terminology whether there is a match between a packet and the ACE. In an extended ACE, this is the first of two IPv4 addresses used by the ACE to determine whether there is a match between a packet and the ACE. See also “DA”. seq-#: The term used in ACL syntax statements to represent the sequence number variable used to insert an ACE within an existing list. The range allowed for sequence numbers is 1 - 2147483647.
PAGE 302
IPv4 Access Control Lists (ACLs) Overview Overview Types of IPv4 ACLs A permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other factors. Standard ACL: Use a standard ACL when you need to permit or deny IPv4 traffic based on source address only. Standard ACLs are also useful when you need to quickly control a performance problem by limiting IPv4 traffic from a subnet, group of devices, or a single device.
PAGE 303
IPv4 Access Control Lists (ACLs) Overview Static Port ACL and Dynamic Port ACL Applications An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port, regardless of whether the traffic is switched or routed.
PAGE 304
IPv4 Access Control Lists (ACLs) Overview 802.1X User-Based and Port-Based Applications. User-Based 802.1X access control allows up to 8 individually authenticated clients on a given port. However, port-based access control does not set a client limit, and requires only one authenticated client to open a given port (and is recommended for applications where only one client at a time can connect to the port). ■ If you configure 802.
PAGE 305
IPv4 Access Control Lists (ACLs) Overview • The CLI remark command option allows you to enter a separate comment for each ACE. ■ A source or destination IPv4 address and a mask, together, can define a single host, a range of hosts, or all hosts. ■ Every ACL populated with one or more explicit ACEs includes an Implicit Deny as the last entry in the list. The switch applies this action to any packets that do not match other criteria in the ACL. (For standard ACLs, the Implicit Deny is deny any.
PAGE 306
IPv4 Access Control Lists (ACLs) Overview General Steps for Planning and Configuring ACLs 1. Identify the ACL application to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv4 traffic at the edge of the network instead of in the core. Also, on the switch itself, you can improve performance by filtering unwanted IPv4 traffic where it is inbound to the switch instead of outbound.
PAGE 307
IPv4 Access Control Lists (ACLs) Overview For more details on ACL planning considerations, refer to “Planning an ACL Application” on page 9-24. Caution Regarding the Use of Source Routing Source routing is enabled by default on the switch and can be used to override ACLs. For this reason, if you are using ACLs to enhance network security, the recommended action is to use the no ip source-route command to disable source routing on the switch.
PAGE 308
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation IPv4 Static ACL Operation Introduction An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). A static ACL applies only to the switch in which it is configured. ACLs operate on assigned interfaces, and offer these traffic filtering options: IPv4 traffic inbound on a port.
PAGE 309
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation ACL. This directs the ACL to permit (forward) packets that do not have a match with any earlier ACE listed in the ACL, and prevents these packets from being filtered by the implicit “deny any”. Example. Suppose the ACL in figure 9-2 is assigned to filter the IPv4 traffic from an authenticated client on a given port in the switch: For an inbound packet with a destination IP address of 18.28.156.3, the ACL: Permit in ip from any to 18.28.136.
PAGE 310
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation Test a packet against criteria in first ACE. Is there a match? 1. If a match is not found with the first ACE in an ACL, the switch proceeds to the next ACE and so on. Yes Perform action (permit or deny). End No Test the packet against criteria in second ACE. Is there a match? Yes Perform action (permit or deny). End No Test packet against criteria in Nth ACE. Is there a match? Yes Perform action (permit or deny). End 2.
PAGE 311
IPv4 Access Control Lists (ACLs) IPv4 Static ACL Operation 1. Permit inbound IPv4 traffic from IP address 10.11.11.42. 2. Deny only the inbound Telnet traffic from address 10.11.11.101. 3. Permit only inbound Telnet traffic from IP address 10.11.11.33. 4. Deny all other inbound IPv4 traffic. The following ACL model , when assigned to inbound filtering on an interface, supports the above case: ip access-list extended "Test-02" 1 10 permit ip 10.11.11.42 0.0.0.0 0.0.0.0 255.255.255.
PAGE 312
IPv4 Access Control Lists (ACLs) Planning an ACL Application Planning an ACL Application Before creating and implementing ACLs, you need to define the policies you want your ACLs to enforce, and understand how the ACL assignments will impact your network users. Note All IPv4 traffic entering the switch on a given interface is filtered by all ACLs configured for inbound traffic on that interface.
PAGE 313
IPv4 Access Control Lists (ACLs) Planning an ACL Application ■ What are the logical points for minimizing unwanted traffic, and what ACL application(s) should be used? In many cases it makes sense to prevent unwanted traffic from reaching the core of your network by configuring ACLs to drop the unwanted traffic at or close to the edge of the network. (The earlier in the network path you can block unwanted traffic, the greater the benefit for network performance.
PAGE 314
IPv4 Access Control Lists (ACLs) Planning an ACL Application Caution IPv4 ACLs can enhance network security by blocking selected traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.
PAGE 315
IPv4 Access Control Lists (ACLs) Planning an ACL Application ■ Generally, you should list ACEs from the most specific (individual hosts) to the most general (subnets or groups of subnets) unless doing so permits traffic that you want dropped. For example, an ACE allowing a small group of workstations to use a specialized printer should occur earlier in an ACL than an entry used to block widespread access to the same printer.
PAGE 316
IPv4 Access Control Lists (ACLs) Planning an ACL Application ■ Explicitly Permitting Any IPv4 Traffic: Entering a permit any or a permit ip any any ACE in an ACL permits all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect. ■ Explicitly Denying Any IPv4 Traffic: Entering a deny any or a deny ip any any ACE in an ACL denies all IPv4 traffic not previously per mitted or denied by that ACL. Any ACEs after that point have no effect.
PAGE 317
IPv4 Access Control Lists (ACLs) Planning an ACL Application Thus, the bits set to 1 in a network mask define the part of an IPv4 address to use for the network number, and the bits set to 0 in the mask define the part of the address to use for the host number. In an ACL, IPv4 addresses and masks provide criteria for determining whether to deny or permit a packet, or to pass it to the next ACE in the list. If there is a match, the configured deny or permit action occurs.
PAGE 318
IPv4 Access Control Lists (ACLs) Planning an ACL Application ACL mask to overlap one bit, which allows matches with hosts in two subnets: 31.30.224.0 and 31.30.240.0. Bit Position in the Third Octet of Subnet Mask 255.255.240.0 128 64 32 16 8 4 2 1 Subnet Mask Bits 1 1 1 1 n/a n/a n/a n/a Mask Bit Settings Affecting Subnet Addresses 0 0 0 1 or 0 n/a n/a n/a n/a Bit Values This ACL supernetting technique can help to reduce the number of ACLs you need.
PAGE 319
IPv4 Access Control Lists (ACLs) Planning an ACL Application • A group of IPv4 addresses fits the matching criteria. In this case you provide both the address and the mask. For example: access-list 1 permit 10.28.32.1 0.0.0.31 Address Mask 10.28.32.1 0.0.0.31 This policy states that: – In the first three octets of a packet’s SA, every bit must be set the same as the corresponding bit in the SA defined in the ACE.
PAGE 320
IPv4 Access Control Lists (ACLs) Planning an ACL Application dictates that a match occurs only when the source address on such packets is identical to the address configured in the ACE. This ACL (a standard ACL named “Fileserver”) includes an ACE (Access Control Entry) that permits matches only with the packets received from 10.28.252.117 (the SA). Packets from any other source do not match and are denied. ACE ip access-list standard Fileserver permit 10.28.252.117 0.0.0.
PAGE 321
IPv4 Access Control Lists (ACLs) Planning an ACL Application Table 9-3. Mask Effect on Selected Octets of the IPv4 Addresses in Table 9-2 Addr Octet Mask Octet Range 128 64 32 16 8 4 2 1 A 3 0 all bits 252 1 1 1 1 1 1 0 0 B 3 7 last 3 bits 248-255 1 1 1 1 1 0 or 1 0 or 1 0 or 1 C 4 0 all bits 195 1 1 0 0 0 0 1 1 D 2 15 last 4 bits 32-47 0 0 1 0 0 or 1 0 or 1 0 or 1 0 or 1 Shaded areas indicate bit settings that must be an exact match.
PAGE 322
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Configuring and Assigning an IPv4 ACL ACL Feature Page Configuring and Assigning a Standard ACL 9-44 Configuring and Assigning an Extended ACL 9-53 Enabling or Disabling ACL Filtering 9-73 Overview General Steps for Implementing ACLs Caution Regarding the Use of IPv4 Source Routing 9-34 1. Configure one or more ACLs. This creates and stores the ACL(s) in the switch configuration. 2. Assign an ACL.
PAGE 323
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Options for Permit/Deny Policies The permit or deny policy for IPv4 traffic you want to filter can be based on source address alone, or on source address plus other IPv4 factors. ■ Standard ACL: Uses only a packet's source IPv4 address as a crite rion for permitting or denying the packet. For a standard ACL ID, use either a unique numeric string in the range of 1-99 or a unique name string of up to 64 alphanumeric characters.
PAGE 324
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL 3. One or more deny/permit list entries (ACEs): One entry per line. Element 4. Notes Type Standard or Extended Identifier • Alphanumeric; Up to 64 Characters, Including Spaces • Numeric: 1 - 99 (Standard) or 100 - 199 (Extended) Remark Allows up to 100 alphanumeric characters, including blank spaces. (If any spaces are used, the remark must be enclosed in a pair of single or double quotes.
PAGE 325
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, figure 9-7 shows how to interpret the entries in a standard ACL. ACE Action (permit or deny) ProCurve(Config)# show running . ACL List Heading with List Type and . Identifier (Name or Number) . ip access-list standard “Sample-List” 10 deny 10.28.150.77 0.0.0.0 log 20 permit 10.28.150.1 0.0.0.255 exit End-of-List Marker Source Address Mask Optional Logging Command Figure 9-7.
PAGE 326
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL ip access-list extended < identifier > [ [ seq-# ] remark < remark-str >] < permit | deny > < ipv4-protocol-type > < SA > < src-acl-mask > < DA > [log] < permit | deny > tcp < SA > < src-acl-mask > [< operator > < port-id >] < DA > < desti-acl-mask > [< operator > < port-id >] [log] [ established ] < permit | deny > udp < SA > < src-acl-mask > [< operator > < port-id >] < DA > < dest-acl-mask > [< operator > < port-id >
PAGE 327
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, figure 9-9 shows how to interpret the entries in an extended ACL. ProCurve(config)# show running Running configuration: ACL List Heading with List Type and ID String (Name or Number) ; J9146A Configuration Editor; Created on release #W.14.XX Protocol Types Indicates all possible destination IPv4 addresses.
PAGE 328
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL For example, suppose that you have applied the ACL shown in figure 9-10 to inbound IPv4 traffic on VLAN 1 (the default VLAN): Source Address Mask DestinationAddress Mask ip access-list extended "Sample-List-2" 10 deny ip 10.28.235.10 0.0.0.0 0.0.0.0 255.255.255.255 20 deny ip 10.28.245.89 0.0.0.0 0.0.0.0 255.255.255.255 30 permit tcp 10.28.18.100 0.0.0.0 10.28.237.1 0.0.0.0 40 deny tcp 10.28.18.100 0.0.0.0 0.0.0.0 255.255.255.
PAGE 329
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Line # Action 50 Any packet from any IPv4 SA to any IPv4 DA will be permitted (forwarded). The only traffic to reach this ACE will be IPv4 packets not specifically permitted or denied by the earlier ACEs. n/a The Implicit Deny is a function the switch automatically adds as the last action in all ACLs. It denies (drops) any IPv4 traffic from any source to any destination that has not found a match with earlier entries in the ACL.
PAGE 330
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL Using the CLI To Create an ACL Command Page access-list (standard ACLs) 9-44 access-list (extended ACLs) 9-53 You can use either the switch CLI or an offline text editor to create an ACL. This section describes the CLI method, which is recommended for creating short ACLs. (To use the offline method, refer to “Creating or Editing ACLs Offline” on page 9-94.
PAGE 331
IPv4 Access Control Lists (ACLs) Configuring and Assigning an IPv4 ACL To insert an ACE anywhere in a numbered ACL, use the same process as described above for inserting an ACE anywhere in a named ACL. For example, to insert an ACE denying IPv4 traffic from the host at 10.10.10.77 as line 52 in an existing ACL identified (named) with the number 11: ProCurve(config)# ip access-list standard 99 ProCurve(config-std-nacl)# 52 deny host 10.10.10.
PAGE 332
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring Standard ACLs Table 9-6.
PAGE 333
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs A standard ACL uses only source IPv4 addresses in its ACEs. This type of ACE is useful when you need to: ■ Permit or deny any IPv4 traffic based on source address only. ■ Quickly control the IPv4 traffic from a specific address. This allows you to isolate IPv4 traffic problems generated by a specific device, group of devices, or a subnet threatening to degrade network perfor mance.
PAGE 334
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring Named, Standard ACLs This section describes the commands for performing the following: ■ creating and/or entering the context of a named, standard ACL ■ appending an ACE to the end of an existing list or entering the first ACE in a new list For other IPv4 ACL topics, refer to the following: Topic Page configuring numbered, standard ACLs 9-49 configuring named, extended ACLs 9-55 configuring numbered, extended ACLs 9-65 apply
PAGE 335
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Configuring ACEs in an Named, Standard ACL. Configuring ACEs is done after using the ip access-list standard < name-str > command described above to enter the “Named ACL” (nacl) context of an access list. For a standard ACL syntax summary, refer to table 9-6 on page 9-44. Syntax: < deny | permit > < any | host < SA > | SA > [log] Executing this command appends the ACE to the end of the list of ACEs in the current ACL.
PAGE 336
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs [ log] This option generates an ACL log message if: • The action is deny. • There is a match. • ACL logging is enabled on the switch. (Refer to “” on page 9-96.) (Use the debug command to direct ACL logging output to the current console session and/or to a Syslog server. Note that you must also use the logging < ip-addr > command to specify the addresses of Syslog servers to which you want log messages sent. See also “” on page 9-96.
PAGE 337
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs ProCurve(config)# show access-list Sample-List Access Control Lists Name: Sample-List Type: Standard Applied: No SEQ Entry ------------------------------------------------------------------------------10 Action: permit IP : 10.10.10.104 Mask: 0.0.0.0 Note that each ACE is automatically assigned a 20 Action: deny (log) sequence number. IP : 10.10.10.1 Mask: 0.0.0.255 30 Action: permit IP : 0.0.0.0 Mask: 255.255.255.255 Figure 9-12.
PAGE 338
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Creating or Adding to an Standard, Numbered ACL. This command is an alternative to using ip access-list standard < name-str > and does not use the “Named ACL” (nacl) context. For a standard ACL syntax summary, refer to table 9-6 on page 9-44. Syntax: access-list < 1-99 > < deny | permit > < any | host < SA > | SA < mask | SA/mask-length >> [log] Appends an ACE to the end of the list of ACEs in the current IPv4 standard, numbered ACL.
PAGE 339
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs < any | host < SA > | SA < mask | SA/mask-length >> Defines the source IPv4 address (SA) a packet must carry for a match with the ACE. • any — Allows IPv4 packets from any SA. • host < SA > — Specifies only packets having < SA > as the source. Use this criterion when you want to match only the IPv4 packets from a single SA.
PAGE 340
IPv4 Access Control Lists (ACLs) Configuring Standard ACLs Example of Creating and Viewing a Standard ACL. This example cre ates a standard, numbered ACL with the same ACE content as show in figure 9-11 on page 9-48. ProCurve(config)# ProCurve(config)# ProCurve(config)# ProCurve(config)# access-list 17 permit host 10.10.10.104 access-list 17 deny 10.10.10.
PAGE 341
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configuring Extended ACLs Table 9-7.
PAGE 342
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Action Enter or Remove a Remark Command(s) Page ProCurve(config)# ip access-list extended < name-str | 100-199 > ProCurve(config-ext-nacl)# [ remark < remark-str > | no < 1 - 2147483647 > remark ] 9-81 9-83 For numbered, extended ACLs only, the following remark commands can be substituted for the above: ProCurve(config)# access-list < 100 - 199 > remark < remark-str > ProCurve(config)# [no] access-list < 100 - 199 > remark Delete an Extended AC
PAGE 343
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configuring Named, Extended ACLs For a match to occur with an ACE in an extended ACL, a packet must have the source and destination address criteria specified by the ACE, as well as any IPv4 protocol-specific criteria included in the command. Use the following general steps to create or add to a named, extended ACL: 1. Create and/or enter the context of a named, extended ACL. 2.
PAGE 344
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Creating a Named, Extended ACL and/or Entering the “Named ACL” (nacl) Context. This command is a prerequisite to entering or editing ACEs in a named, extended ACL. (For a summary of the extended ACL syntax options, refer to table 9-7 on page 9-53.) Syntax: ip access-list extended < name-str > Places the CLI in the “Named ACL” (nacl) context specified by the < name-str > alphanumeric identifier.
PAGE 345
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Configure ACEs in a Named, Extended ACL and/or Enter the “Named ACL” (nacl) Context. Configuring ACEs is done after using the ip accesslist standard < name-str > command described on page 9-56 to enter the “Named ACL” (nacl) context of an ACL. For an extended ACL syntax summary, refer to table 9-7 on page 9-53.
PAGE 346
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following: • ip — any IPv4 packet.
PAGE 347
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < any | host < DA > | DA/mask-length | DA/ < mask >> This is the second instance of IPv4 addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match with the ACE. • any — Allows routed IPv4 packets to any DA. • host < DA > — Specifies only packets having DA as the destination address.
PAGE 348
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ tos < tos-setting > ] This option can be used after the DA to cause the ACE to match packets with the specified Type-of-Service (ToS) setting.
PAGE 349
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for TCP and UDP Traffic in Extended ACLs. An ACE designed to permit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic. (For a summary of the extended ACL syntax options, refer to table 9-7 on page 9-53.
PAGE 350
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Port Number or Well-Known Port Name: Use the TCP or UDP port number required by your appli cation. The switch also accepts these well-known TCP or UDP port names as an alternative to their port numbers: • TCP: bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet • UDP: bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp To list the above names, press the [Shift] [?] key combination after entering an operator.
PAGE 351
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Options for ICMP Traffic in Extended ACLs. This option is useful where it is necessary to permit some types of ICMP traffic and deny other types, instead of simply permitting or denying all types of ICMP traffic. That is, an ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE.
PAGE 352
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ icmp-type-name ] These name options are an alternative to the [icmp-type [ icmp-code] ] methodology described above. For more infor mation, visit the IANA website cited above.
PAGE 353
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Option for IGMP in Extended ACLs. This option is useful where it is nec essary to permit some types of IGMP traffic and deny other types instead of simply permitting or denying all types of IGMP traffic. That is, an ACE designed to permit or deny IGMP traffic can optionally include an IGMP packet type to permit or deny an individual type of IGMP packet while not addressing other IGMP traffic types in the same ACE.
PAGE 354
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs For other IPv4 ACL topics, refer to the following: Topic Page configuring named, standard ACLs 9-46 configuring numbered, standard ACLs 9-49 configuring named, extended ACLs 9-55 applying or removing an ACL on an interface 9-73 deleting an ACL 9-74 editing an ACL 9-75 sequence numbering in ACLs 9-76 including remarks in an ACL 9-81 displaying ACL configuration data 9-85 creating or editing ACLs offline 9-94 enabling ACL “Deny”
PAGE 355
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs If the ACL does not already exist, this command creates the specified ACL and its first ACE. If the ACL already exists, the new ACE is appended to the end of the configured list of explicit ACEs. In the default configuration, the ACEs in an ACL will automatically be assigned consecutive sequence numbers in increments of 10 and can be renumbered with resequence (page 9-80).
PAGE 356
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs < ip | ip-protocol | ip-protocol-nbr > Specifies the packet protocol type required for a match. An extended ACL must include one of the following: • ip — any IPv4 packet. • ip-protocol — any one of the following IPv4 protocol names: ip-in-ip ipv6-in-ip gre esp ah ospf pim vrrp sctp tcp* udp* icmp* igmp* • ip-protocol-nbr — the protocol number of an IPv4 packet type, such as “8” for Exterior Gateway Protocol or 121 for Simple Message Protocol.
PAGE 357
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs SA Mask Application: The mask is applied to the SA in the ACL to define which bits in a packet’s source SA must exactly match the address configured in the ACL and which bits need not match. Example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any IP address in the range of 10.10.10.(1-255). Note: Specifying a group of contiguous IPv4 addresses may require more than one ACE.
PAGE 358
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs [ precedence < 0 - 7 | precedence-name >] This option causes the ACE to match packets with the specified IP precedence value.
PAGE 359
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Additional Options for TCP and UDP Traffic. An ACE designed to per mit or deny TCP or UDP traffic can optionally include port number criteria for either the source or destination, or both. Use of TCP criteria also allows the established option for controlling TCP connection traffic. (For a summary of the extended ACL syntax options, refer to table 9-7 on page 9-53.
PAGE 360
IPv4 Access Control Lists (ACLs) Configuring Extended ACLs Syntax: access-list < 100 - 199 > < deny | permit > igmp < src-ip > < dest-ip > [ igmp-type ] The IGMP “type” criteria is identical to the criteria described for IGMP in named, extended ACLs, beginning on page 9-65.
PAGE 361
IPv4 Access Control Lists (ACLs) Adding or Removing an ACL Assignment On an Interface Adding or Removing an ACL Assignment On an Interface Filtering Inbound IPv4 Traffic Per Port For a given port, port list, or static port trunk, you can assign an ACL as a static port ACL to filter any IPv4 traffic entering the switch on that interface. You can also use the same ACL for assignment to multiple interfaces. For limits and operating rules, refer to “IPv4 ACL Configuration and Operating Rules” on page 9-27.
PAGE 362
IPv4 Access Control Lists (ACLs) Deleting an ACL ProCurve(config)# interface b10 ip access-group My-List in ProCurve(config)# interface b10 ProCurve(eth-b10)# ip access-group 155 in ProCurve(eth-b10)# exit ProCurve(config)# no interface b10 ip access-group My-List in ProCurve(config)# interface b10 ProCurve(eth-b10)# no ip access-group 155 in ProCurve(eth-b10)# exit Enables a static port ACL from the Global Configuration level. Enables a static port ACL from a port context.
PAGE 363
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Editing an Existing ACL The CLI provides the capability for editing in the switch by using sequence numbers to insert or delete individual ACEs. An offline method is also avail able. This section describes using the CLI for editing ACLs. To use the offline method for editing ACLs, refer to “Creating or Editing ACLs Offline” on page 9-94.
PAGE 364
IPv4 Access Control Lists (ACLs) Editing an Existing ACL ■ You can delete any ACE from any ACL (named or numbered) by using the ip access-list command to enter the ACL’s context, and then using the no < seq-# > command (page 9-79). ■ Deleting the last ACE from an ACL leaves the ACL in memory. In this case, the ACL is “empty” and cannot perform any filtering tasks. (In any ACL the Implicit Deny does not apply unless the ACL includes at least one explicit ACE.
PAGE 365
IPv4 Access Control Lists (ACLs) Editing an Existing ACL For example, to append a fourth ACE to the end of the ACL in figure 9-16: ProCurve(config)# ip access-list standard My-List ProCurve(config-std-nacl)# permit any ProCurve(config-std-nacl)# show run . . . ip access-list standard "My-List" 10 permit 10.10.10.25 0.0.0.0 20 permit 10.20.10.117 0.0.0.0 30 deny 10.20.10.1 0.0.0.255 40 permit 0.0.0.0 255.255.255.255 exit Figure 9-18.
PAGE 366
IPv4 Access Control Lists (ACLs) Editing an Existing ACL 2. Begin the ACE command with a sequence number that identifies the position you want the ACE to occupy. (The sequence number range is 1 2147483647.) 3. Complete the ACE with the command syntax appropriate for the type of ACL you are editing. For example, inserting a new ACE between the ACEs numbered 10 and 20 in figure 9-18 requires a sequence number in the range of 11-19 for the new ACE.
PAGE 367
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Deleting an ACE from an Existing ACL This action uses ACL sequence numbers to delete ACEs from an ACL. Syntax: ip access-list < standard | extended > < name-str | 1 - 99 | 100 - 199 > no < seq-# > The first command enters the “Named-ACL” context for the specified ACL. The no command deletes the ACE corresponding to the sequence number entered. (Range: 1 - 2147483647 ) 1.
PAGE 368
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Resequencing the ACEs in an ACL This action reconfigures the starting sequence number for ACEs in an ACL, and resets the numeric interval between sequence numbers for ACEs config ured in the ACL. Syntax: ip access-list resequence < name-str | 1 - 99 | 100 - 199 > < starting-seq-# > < interval > Resets the sequence numbers for all ACEs in the ACL. < starting-seq-# > : Specifies the sequence number for the first ACE in the list.
PAGE 369
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Attaching a Remark to an ACE A remark is numbered in the same way as an ACE, and uses the same sequence number as the ACE to which it refers. This operation requires that the remark for a given ACE be entered prior to entering the ACE itself. Syntax: access-list < 1 - 99 | 100 - 199 > remark < remark-str > This syntax appends a remark to the end of a numbered ACL and automatically assigns a sequence number to the remark.
PAGE 370
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Note After a numbered ACL has been created (using access-list < 1 - 99 | 100 - 199 >), it can be managed as either a named or numbered ACL. For example, in an existing ACL with a numeric identifier of “115”, either of the following com mand sets adds an ACE denying IP traffic from any IP source to a host at 10.10.10.100: ProCurve(config)# access-list 115 deny ip host 10.10.10.
PAGE 371
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Inserting Remarks and Related ACEs Within an Existing List. To insert an ACE with a remark within an ACL by specifying a sequence number, insert the numbered remark first, then, using the same sequence number, insert the ACE. (This operation applies only to ACLs accessed using the “Named-ACL” (nacl) context.) For example: ProCurve(config-std-nacl)# 15 remark "HOST 10.10.10.21" ProCurve(config-std-nacl)# 15 permit host 10.10.10.
PAGE 372
IPv4 Access Control Lists (ACLs) Editing an Existing ACL Operating Notes for Remarks ■ The resequence command ignores “orphan” remarks that do not have an ACE counterpart with the same sequence number. For example, if: • a remark numbered “55” exists in an ACE • there is no ACE numbered “55” in the same ACL • resequence is executed on an ACL then the remark retains “55” as its sequence number and will be placed in the renumbered version of the ACL according to that sequence number.
PAGE 373
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying ACL Configuration Data ACL Commands Function Page show access-list Displays a brief listing of all IPv4 ACLs on the switch. 9-86 show access-list config Display the type, identifier, and content of all IPv4 ACLs configured in the switch. 9-87 show access-list ports < all | port-list > Lists the IPv4 ACL static port assignment for either all ports and trunks, or for the specified ports and/ or trunks.
PAGE 374
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display an ACL Summary This command lists the configured IPv4 ACLs. Syntax: show access-list List a summary table of the name, type, and application status of IPv4 ACLs configured on the switch. For example: ProCurve(config)# show access-list Access Control Lists Type ---std ext std Appl ---yes no yes Name In this switch, the ACL named “List-02-v4-----------------------------------------OUT” exists in the configuration.
PAGE 375
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display the Content of All ACLs on the Switch This command lists the configuration details for the IPv4 ACLs in the running config file. Syntax: show access-list config List the configured syntax for all IPv4 ACLs currently config ured on the switch. Note Notice that you can use the output from this command for input to an offline text file in which you can edit, add, or delete ACL commands.
PAGE 376
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Display Static Port ACL Assignments This command briefly lists the identification and type(s) of current static port ACL assignments to individual switch ports and trunks, as configured in the running-config file. (The switch allows one static port ACL assignment per port.) Syntax: show access-list ports < all | interface > Lists the current static port ACL assignments for ports and trunks in the running config file.
PAGE 377
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Displaying the Content of a Specific ACL This command displays a specific ACL configured in the running config file in an easy-to-read tabular format. Note This information also appears in the show running display. If you execute write memory after configuring an ACL, it also appears in the show config display.
PAGE 378
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data ProCurve(config)# show access-list List-120 Access Control Lists Name: List-120 Type: Extended Applied: No Indicates whether the ACL is applied to an interface. SEQ Entry Indicates source and destination entries in the ACL. ---------------------------------------------------------------------10 Action: permit Remark: Telnet Allowed Src IP: 10.30.133.27 Mask: 0.0.0.0 Port(s): eq 23 Dst IP: 0.0.0.0 Mask: 255.255.255.
PAGE 379
IPv4 Access Control Lists (ACLs) Displaying ACL Configuration Data Field Description IP Used for Standard ACLs: The source IP address to which the configured mask is applied to determine whether there is a match with a packet. Src IP Used for Extended ACLs: Same as above. Dst IP Used for Extended ACLs: The source and destination IP addresses to which the corresponding configured masks are applied to determine whether there is a match with a packet.
PAGE 380
IPv4 Access Control Lists (ACLs) Monitoring Static ACL Performance Monitoring Static ACL Performance ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface.
PAGE 381
IPv4 Access Control Lists (ACLs) Monitoring Static ACL Performance ACE Counter Operation: For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset. For example, in ACL line 10 below, there has been a total of 37 matches on the ACE since the last time the ACL’s counters were reset. Total ( 37) 10 permit icmp 10.10.20.
PAGE 382
IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline Creating or Editing ACLs Offline The section titled “Editing an Existing ACL” on page 9-75 describes how to use the CLI to edit an ACL, and is most applicable in cases where the ACL is short or there is only a minor editing task to perform. The offline method provides a useful alternative to using the CLI for creating or extensively editing a large ACL.This section describes how to: ■ move an existing ACL to a TFTP server ■ use a text (.
PAGE 383
IPv4 Access Control Lists (ACLs) Creating or Editing ACLs Offline If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax, begin the command file with a no ip accesslist command to remove the earlier version of the ACL from the switch’s running-config file. Otherwise, the switch will append the new ACEs in the ACL you download to the existing ACL.
PAGE 384
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enable ACL “Deny” Logging ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” action.
PAGE 385
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging ACL Logging Operation When the switch detects a packet match with an ACE and the ACE includes both the deny action and the optional log parameter, an ACL log message is sent to the designated debug destination. The first time a packet matches an ACE with deny and log configured, the message is sent immediately to the destination and the switch starts a wait-period of approximately five minutes.
PAGE 386
IPv4 Access Control Lists (ACLs) Enable ACL “Deny” Logging Enabling ACL Logging on the Switch 9-98 1. If you are using a Syslog server, use the logging < ip-addr > command to configure the Syslog server IP address(es). Ensure that the switch can access any Syslog server(s) you specify. 2. Use logging facility syslog to enable the logging for Syslog operation. 3. Use the debug destination command to configure one or more log destina tions. (Destination options include logging and session.
PAGE 387
IPv4 Access Control Lists (ACLs) General ACL Operating Notes General ACL Operating Notes ACLs do not provide DNS hostname support. ACLs cannot be config ured to screen hostname IP traffic between the switch and a DNS. ACLs Do Not Affect Serial Port Access. ACLs do not apply to the switch’s serial port. ACL Screening of IPv4 Traffic Generated by the Switch. ACLs applied on the switch screen IP traffic when other devices generate it.
PAGE 388
IPv4 Access Control Lists (ACLs) General ACL Operating Notes Monitoring Shared Resources. Applied ACLs share internal switch resources with several other features. The switch provides ample resources for all features. However, if the internal resources become fully subscribed, additional ACLs cannot be applied until the necessary resources are released from other applications.
PAGE 389
10 Configuring Advanced Threat Protection Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 Enabling DHCP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 390
Configuring Advanced Threat Protection Introduction Introduction As your network expands to include an increasing number of mobile devices, continuous Internet access, and new classes of users (such as partners, temporary employees, and visitors), additional protection from attacks launched from both inside and outside your internal network is often neces sary. Advanced threat protection can detect port scans and hackers who try to access a port or the switch itself.
PAGE 391
Configuring Advanced Threat Protection DHCP Snooping • Attempts to exhaust system resources so that sufficient resources are not available to transmit legitimate traffic, indicated by an unusually high use of specific system resources • Attempts to attack the switch’s CPU and introduce delay in system response time to new network events • Attempts by hackers to access the switch, indicated by an excessive number of failed logins or port authentication failures • Attempts to deny switch service by fi
PAGE 392
Configuring Advanced Threat Protection DHCP Snooping DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded. Packets from untrusted sources are dropped. Conditions for dropping packets are shown below.
PAGE 393
Configuring Advanced Threat Protection DHCP Snooping option: Add relay information option (Option 82) to DHCP client packets that are being forwarded out trusted ports. The default is yes, add relay information. trust: Configure trusted ports. Only server packets received on trusted ports are forwarded. Default: untrusted. verify: Enables DHCP packet validation.
PAGE 394
Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# show dhcp-snooping stats Packet type ----------server client server server client client client client Action ------forward forward drop drop drop drop drop drop Reason Count ---------------------------- -------from trusted port 8 to trusted port 8 received on untrusted port 2 unauthorized server 0 destination on untrusted port 0 untrusted option 82 field 0 bad DHCP release request 0 failed verify MAC check 0 Figure 10-2.
PAGE 395
Configuring Advanced Threat Protection DHCP Snooping Configuring DHCP Snooping Trusted Ports By default, all ports are untrusted. To configure a port or range of ports as trusted, enter this command: ProCurve(config)# dhcp-snooping trust You can also use this command in the interface context, in which case you are not able to enter a list of ports.
PAGE 396
Configuring Advanced Threat Protection DHCP Snooping Configuring Authorized Server Addresses If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the autho rized server list in order to be considered valid. If no authorized servers are configured, all servers are considered valid. You can configure a maximum of 20 authorized servers.
PAGE 397
Configuring Advanced Threat Protection DHCP Snooping Note DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, not on VLANS without snooping enabled. If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.
PAGE 398
Configuring Advanced Threat Protection DHCP Snooping Changing the Remote-id from a MAC to an IP Address By default, DHCP snooping uses the MAC address of the switch as the remoteid in Option 82 additions.
PAGE 399
Configuring Advanced Threat Protection DHCP Snooping ProCurve(config)# dhcp-snooping verify mac ProCurve(config)# show dhcp-snooping DHCP Snooping Information DHCP Snooping : Yes Enabled Vlans : 4 Verify MAC : yes Option 82 untrusted policy : drop Option 82 Insertion : Yes Option 82 remote-id : subnet-ip Figure 10-7. Example Showing the DHCP Snooping Verify MAC Setting The DHCP Binding Database DHCP snooping maintains a database of up to 8192 DHCP bindings on untrusted ports.
PAGE 400
Configuring Advanced Threat Protection DHCP Snooping A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command. Syntax: show dhcp-snooping binding ProCurve(config)# show dhcp-snooping binding MacAddress ------------22.22.22.22.22.22 IP VLAN Interface Time left --------------- ---- --------- -------10.0.0.1 4 B2 1600 Figure 10-8.
PAGE 401
Configuring Advanced Threat Protection DHCP Snooping ■ ProCurve recommends running a time synchronization protocol such as SNTP in order to track lease times accurately. ■ A remote server must be used to save lease information or there may be a loss of connectivity after a switch reboot. Log Messages Server packet received on untrusted port dropped. Indicates a DHCP server on an untrusted port is attempting to transmit a packet.
PAGE 402
Configuring Advanced Threat Protection DHCP Snooping Ceasing untrusted relay information logs for . More than one DHCP client packet received on an untrusted port with a relay information field was dropped. To avoid filling the log file with repeated attempts, untrusted relay information packets will not be logged for the specified . Client address not equal to source MAC detected on port .
PAGE 403
Configuring Advanced Threat Protection Dynamic ARP Protection Dynamic ARP Protection Introduction On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings adver tised in the source protocol address and source physical address fields are discarded.
PAGE 404
Configuring Advanced Threat Protection Dynamic ARP Protection ■ Verifies IP-to-MAC address bindings on untrusted ports with the informa tion stored in the lease database maintained by DHCP snooping and userconfigured static bindings (in non-DHCP environments): • If a binding is valid, the switch updates its local ARP cache and forwards the packet. • If a binding is invalid, the switch drops the packet, preventing other network devices from receiving the invalid IP-to-MAC information.
PAGE 405
Configuring Advanced Threat Protection Dynamic ARP Protection Enabling Dynamic ARP Protection To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp protect vlan command at the global configuration level. Syntax: [no] arp protect vlan [vlan-range] vlan-range Specifies a VLAN ID or a range of VLAN IDs from one to 4094; for example, 1–200.
PAGE 406
Configuring Advanced Threat Protection Dynamic ARP Protection Figure 10-9. Configuring Trusted Ports for Dynamic ARP Protection Take into account the following configuration guidelines when you use dynamic ARP protection in your network: ■ You should configure ports connected to other switches in the network as trusted ports. In this way, all network switches can exchange ARP packets and update their ARP caches with valid information.
PAGE 407
Configuring Advanced Threat Protection Dynamic ARP Protection Adding an IP-to-MAC Binding to the DHCP Database A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet validation. Both the DHCP snooping and DHCP Option 82 insertion features maintain the lease database by learning the IP-to-MAC bindings on untrusted ports. Each binding consists of the client MAC address, port number, VLAN identifier, leased IP address, and lease time.
PAGE 408
Configuring Advanced Threat Protection Dynamic ARP Protection Configuring Additional Validation Checks on ARP Packets Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp protect validate command at the global configuration level.
PAGE 409
Configuring Advanced Threat Protection Dynamic ARP Protection ProCurve(config)# show arp protect ARP Protection Information Enabled Vlans : 1-4094 Validate : dst-mac, src-mac Port ----B1 B2 B3 B4 B5 Trust ----Yes Yes No No No Figure 10-10.
PAGE 410
Configuring Advanced Threat Protection Dynamic ARP Protection Monitoring Dynamic ARP Protection When dynamic ARP protection is enabled, you can monitor and troubleshoot the validation of ARP packets with the debug arp protect command. Use this command when you want to debug the following conditions: ■ The switch is dropping valid ARP packets that should be allowed. ■ The switch is allowing invalid ARP packets that should be dropped. ProCurve(config)# debug arp protect 1.
PAGE 411
Configuring Advanced Threat Protection Using the Instrumentation Monitor Using the Instrumentation Monitor The instrumentation monitor can be used to detect anomalies caused by security attacks or other irregular operations on the switch.
PAGE 412
Configuring Advanced Threat Protection Using the Instrumentation Monitor Operating Notes Standard Date/Time Prefix for Event Log Messages ■ To generate alerts for monitored events, you must enable the instru mentation monitoring log and/or SNMP trap. The threshold for each monitored parameter can be adjusted to minimize false alarms (see “Configuring Instrumentation Monitor” on page 10-25).
PAGE 413
Configuring Advanced Threat Protection Using the Instrumentation Monitor Configuring Instrumentation Monitor The following commands and parameters are used to configure the opera tional thresholds that are monitored on the switch. By default, the instrumen tation monitor is disabled.
PAGE 414
Configuring Advanced Threat Protection Using the Instrumentation Monitor To enable instrumentation monitor using the default parameters and thresh olds, enter the general instrumentation monitor command. To adjust specific settings, enter the name of the parameter that you wish to modify, and revise the threshold limits as needed.
PAGE 415
Configuring Advanced Threat Protection Using the Instrumentation Monitor Viewing the Current Instrumentation Monitor Configuration The show instrumentation monitor configuration command displays the config ured thresholds for monitored parameters.
PAGE 416
Configuring Advanced Threat Protection Using the Instrumentation Monitor 10-28
PAGE 417
11 Traffic/Security Filters and Monitors Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Filter Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3 Using Port Trunks with Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 418
Traffic/Security Filters and Monitors Overview Overview Applicable Switch Models.
PAGE 419
Traffic/Security Filters and Monitors Filter Types and Operation You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic. That is, you can configure a traffic filter to either forward or drop all network traffic moving to outbound (destination) ports and trunks (if any) on the switch. Filter Limits The switch accepts up to 101 static filters.
PAGE 420
Traffic/Security Filters and Monitors Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports.
PAGE 421
Traffic/Security Filters and Monitors Filter Types and Operation ■ When you create a source port filter, all ports and port trunks (if any) on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or trunks, the switch automatically forwards traffic to the outbound ports and/or trunks you do not specifically configure to drop traffic.
PAGE 422
Traffic/Security Filters and Monitors Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to destination port 7 (server "A"). Notice that the filter allows traffic to move from source port 5 to all other destination ports. Figure 11-3. The Filter for the Actions Shown in Figure 11-2 Named Source-Port Filters You can specify named source-port filters that may be used on multiple ports and port trunks.
PAGE 423
Traffic/Security Filters and Monitors Filter Types and Operation ■ To change the named source-port filter used on a port or port trunk, the current filter must first be removed, using the no filter source-port named-filter command. ■ A named source-port filter can only be deleted when it is not applied to any ports. Defining and Configuring Named Source-Port Filters The named source-port filter command operates from the global configuration level.
PAGE 424
Traffic/Security Filters and Monitors Filter Types and Operation Syntax: filter source-port named-filter forward < destination-port-list > Configures the named source-port filter to forward traffic having a destination on the ports and/or port trunks in the . Since “forward” is the default state for destinations in a filter, this command is useful when destinations in an existing filter are configured for “drop” and you want to change them to ”forward”.
PAGE 425
Traffic/Security Filters and Monitors Filter Types and Operation Viewing a Named Source-Port Filter You can list all source-port filters configured in the switch, both named and unnamed, and their action using the show command below. Syntax: show filter source-port Displays a listing of configured source-port filters, where each filter entry includes a Filter Name, Port List, and Action: Filter Name: The filter-name used when a named source-port filter is defined.
PAGE 426
Traffic/Security Filters and Monitors Filter Types and Operation Defining and Configuring Example Named Source-Port Filters. While named source-port filters may be defined and configured in two steps, this is not necessary. Here we define and configure each of the named source-port filters for our example network in a single step.
PAGE 427
Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter Traffic/Security Filters IDX Filter Type --- -----------1 Source Port 2 Source Port 3 Source Port 4 Source Port 5 Source Port 6 Source Port 7 Source Port 8 Source Port 20 21 22 23 24 25 26 Source Source Source Source Source Source Source Port Port Port Port Port Port Port | + | | | | | | | | Value ------------------2 3 4 5 6 8 9 12 | | | | | | | 24 25 26 7 10 11 1 Indicates the port number or porttrunk nam
PAGE 428
Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 4 Traffic/Security Filters ProCurve(config)# show filter 24 Traffic/Security Filters Filter Type : Source Port Source Port : 5 Filter Type : Source Port Source Port : 10 Dest Port Type | Action --------- --------- + -----1 10/100TX | Forward 2 10/100TX | Drop 3 10/100TX | Drop 4 10/100TX | Drop 5 10/100TX | Drop 6 10/100TX | Drop 7 10/100TX | Drop 8 10/100TX | Drop 9 10/100TX | Drop 10 10/100TX | Drop 11 10/1
PAGE 429
Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port Type | Action --------- --------- + ----------------------1 10/100TX | Forward 2 10/100TX | Forward 3 10/100TX | Forward 4 10/100TX | Forward 5 10/100TX | Forward 6 10/100TX | Forward 7 10/100TX | Drop 8 10/100TX | Forward 9 10/100TX | Forward 10 10/100TX | Drop 11 10/100TX | Drop 12 10/100TX | Forward . . . Figure 11-9.
PAGE 430
Traffic/Security Filters and Monitors Filter Types and Operation The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command.
PAGE 431
Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter source-port Traffic/Security Filters Filter Name -------------------web-only accounting no-incoming-web | + | | | Port List -------------------2-6,9,14-26 7-8,10-13 1 | + | | | Action ------------------------drop 2-26 drop 1-6,9,14-26 drop 7-8,10-13 ProCurve(config)# Figure 11-13.
PAGE 432
Traffic/Security Filters and Monitors Filter Types and Operation Table 11-2. Multicast Filter Limits Notes Max-VLANs Setting Maximum # of Multicast Filters (Static and IGMP Combined) 1 (the minimum) 420 8 (the default) 413 32 or higher 389 Per-Port IP Multicast Filters. The static multicast filters described in this section filter traffic having a multicast address you specify.
PAGE 433
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Only one filter for a particular protocol type can be configured at any one time. For example, a separate protocol filter can be configured for each of the protocol types listed above, but only one of those can be an IP filter. Also, the destination ports for a protocol filter can be on different VLANs. You can configure up to seven protocol filters.
PAGE 434
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port < port-number | trunk-name>] Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the sourceport filter for < port-number > and returns the destination ports for that filter to the Forward action. (Default: Forward on all ports.
PAGE 435
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Example of Creating a Source-Port Filter For example, assume that you want to create a source-port filter that drops all traffic received on port 5 with a destination of port trunk 1 (Trk1) and any port in the range of port 10 to port 15.
PAGE 436
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following: The *5* shows that port 5 is configured for filtering, but the filtering action has been suspended while the port is a member of a trunk. If you want the trunk to which port 5 belongs to filter traffic, then you must explicitly configure filtering on the trunk.
PAGE 437
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Figure 11-15. Assigning Additional Destination Ports to an Existing Filter Configuring a Multicast or Protocol Traffic Filter Syntax: [no] filter [multicast < mac- address >] Specifies a multicast address. Inbound traffic received (on any port) with this multicast address will be filtered. (Default: Forward on all ports.
PAGE 438
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters For example, suppose you wanted to configure the filters in table 11-3 on a switch. (For more on source-port filters, refer to “Configuring a Source-Port Traffic Filter” on page 11-18.) Table 11-3.
PAGE 439
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Displaying Traffic/Security Filters This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters. Syntax: show filter Lists the filters configured in the switch, with corresponding filter index (IDX) numbers. IDX: An automatically assigned index number used to identify the filter for a detailed information listing.
PAGE 440
Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Lists all filters configured in the switch. Filter Index Numbers (Automatically Assigned) Criteria for Individual Filters Uses the index number (IDX) for a specific filter to list the details for that filter only. Figure 11-17.
PAGE 441
12 Configuring Port-Based and User-Based Access Control (802.1X) Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 Why Use Port-Based or User-Based Access Control? . . . . . . . . . . . . 12-3 General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3 User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 802.1X User-Based Access Control . .
PAGE 442
Configuring Port-Based and User-Based Access Control (802.1X) Contents 3. Configure the 802.1X Authentication Method . . . . . . . . . . . . . . . . 12-26 4. Enter the RADIUS Host IP Address(es) . . . . . . . . . . . . . . . . . . . . . 12-27 5. Enable 802.1X Authentication on the Switch . . . . . . . . . . . . . . . . 12-27 6. Optional: Reset Authenticator Operation . . . . . . . . . . . . . . . . . . . . 12-28 7. Optional: Configure 802.1X Controlled Directions . . . . . . . . . . . .
PAGE 443
Configuring Port-Based and User-Based Access Control (802.1X) Overview Overview Feature Default Menu CLI Web Configuring Switch Ports as 802.1X Authenticators Disabled n/a page 12-19 n/a Configuring 802.1X Open VLAN Mode Disabled n/a page 12-31 n/a Configuring Switch Ports to Operate as 802.1X Supplicants Disabled n/a page 12-49 n/a n/a n/a page 12-53 n/a n/a n/a page 12-67 n/a Displaying 802.1X Configuration, Statistics, and Counters How 802.
PAGE 444
Configuring Port-Based and User-Based Access Control (802.1X) Overview • Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication. • Supplicant implementation using CHAP authentication and indepen dent user credentials on each port.
PAGE 445
Configuring Port-Based and User-Based Access Control (802.1X) Overview credentials. This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated. All sessions must use the same untagged VLAN.
PAGE 446
Configuring Port-Based and User-Based Access Control (802.1X) Terminology This operation unblocks the port while an authenticated client session is in progress. In topologies where simultaneous, multiple client access is possible this can allow unauthorized and unauthenticated access by another client while an authenticated client is using the port. If you want to allow only authenticated clients on the port, then user-based access control (page 12-4) should be used instead of port-based access control.
PAGE 447
Configuring Port-Based and User-Based Access Control (802.1X) Terminology a port loses its authenticated client connection, it drops its membership in this VLAN. Note that with multiple clients on a port, all such clients use the same untagged, port-based VLAN membership. Authentication Server: The entity providing an authentication service to the switch when the switch is configured to operate as an authenticator. In the case of a switch running 802.
PAGE 448
Configuring Port-Based and User-Based Access Control (802.1X) Terminology Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan < vid > command or the Menu interface. Supplicant: The entity that must provide the proper credentials to the switch before receiving access to the network. This is usually an end-user work station, but it can be a switch, router, or another device seeking network services.
PAGE 449
Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode” on page 12-31.
PAGE 450
Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation Note The switches covered in this guide can use either 802.1X port-based authen tication or 802.1X user-based authentication. For more information, refer to “User Authentication Methods” on page 12-4. VLAN Membership Priority Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration.
PAGE 451
Configuring Port-Based and User-Based Access Control (802.1X) General 802.
PAGE 452
Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed: • Multicast and broadcast traffic is allowed on the port. • Unicast traffic to authenticated clients on the port is allowed. • All traffic from authenticated clients on the port is allowed.
PAGE 453
Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes ■ If a port on switch “A” is configured as an 802.1X supplicant and is connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection. ■ On a port configured for 802.1X with RADIUS authentication, if the RADIUS server specifies a VLAN for the supplicant and the port is a trunk member, the port will be blocked.
PAGE 454
Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes not enabled. That is, any non-authenticating client attempting to access the port after another client authenticates with port-based 802.1X would still have to authenticate through Web-Auth or MAC-Auth.
PAGE 455
Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control General Setup Procedure for 802.1X Access Control Do These Steps Before You Configure 802.1X Operation 1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.
PAGE 456
Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control ProCurve(config)# password port-access user-name Jim secret3 Figure 12-2. Example of the Password Port-Access Command You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command. For more infor mation, see “Saving Security Credentials in a Config File” on page 2-10. in this guide. 2.
PAGE 457
Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control 3. Determine whether to use user-based access control (page 12-4) or portbased access control (page 12-5). 4. Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware; that is, for clients that are not running 802.1X supplicant software.
PAGE 458
Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to the following: ■ “802.1X User-Based Access Control” on page 12-4 ■ “802.1X Port-Based Access Control” on page 12-5 ■ “Configuring Switch Ports To Operate As Supplicants for 802.
PAGE 459
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Note If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected. 7. If you are using Port Security on the switch, configure the switch to allow only 802.1X access on ports configured for 802.
PAGE 460
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps: A. Enable the selected ports as authenticators. B. Specify either user-based or port-based 802.1X authentication. (Actual 802.
PAGE 461
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User-Based Authentication or Return to Port-Based Authentication User-Based 802.1X Authentication. Syntax: aaa port-access authenticator client-limit < port-list > < 1 -8> Used after executing aaa port-access authenticator < port-list > (above) to convert authentication from port-based to userbased. Specifies user-based 802.1X authentication and the maximum number of 802.
PAGE 462
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Example: Configuring User-Based 802.1X Authentication This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication. ProCurve(config)# aaa port-access authenticator a10-A12 ProCurve(config)# aaa port-access authenticator a10-A12 client-limit 4 Figure 12-4. Example of Configuring User-Based 802.
PAGE 463
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page). (Default: 60 seconds) [tx-period < 0 - 65535 >] Sets the period the port waits to retransmit the next EAPOL PDU during an authentication session.
PAGE 464
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page). (Default: 60 seconds) [tx-period < 0 - 65535 >] Sets the period the port waits to retransmit the next EAPOL PDU during an authentication session.
PAGE 465
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid < vlan-id >] Configures an existing static VLAN to be the Unautho rized-Client VLAN.
PAGE 466
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator You can configure local, chap-radius or eap-radius as the primary password authentication method for the port-access method.
PAGE 467
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication. The following syntax shows the basic commands. For coverage of all commands related to RADIUS server configuration, refer to chapter 5, “RADIUS Authen tication and Accounting”.
PAGE 468
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentication is operating, you can use the following aaa portaccess authenticator commands to reset 802.1X authentication and statistics on specified ports. Syntax: aaa port-access authenticator < port-list > [initialize] On the specified ports, blocks inbound and outbound traffic and restarts the 802.1X authentication process.
PAGE 469
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators ■ The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.
PAGE 470
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-directions command is applied to all authentication methods configured on the switch. For information about how to configure and use MAC and Web authentication, refer to chapter 3, “Web and MAC Authentication”.
PAGE 471
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 12-19 802.1X Supplicant Commands page 12-51 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator < port-list > page 12-45 [auth-vid < vlan-id >] [unauth-vid < vlan-id >] 802.1X-Related Show Commands page 12-53 RADIUS server configuration pages 12-27 Introduction This section describes how to use the 802.
PAGE 472
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports configured to allow multiple sessions using 802.1X user-based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, authenticated clients, the first authenticated client determines the untagged VLAN in which the port will operate for all subsequent, overlapping client sessions.
PAGE 473
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port is a tagged member of a VLAN used for 1 or 2 listed above, then it also operates as an untagged member of that VLAN while the client is connected. When the client disconnects, the port reverts to tagged membership in the VLAN. Use Models for 802.1X Open VLAN Modes You can apply the 802.
PAGE 474
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 12-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN • When the port detects a client without 802.1X supplicant capability, it automatically becomes an untagged member of this VLAN.
PAGE 475
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Authorized-Client VLAN Port Response • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN. Notes: If the client is running an 802.
PAGE 476
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
PAGE 477
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.
PAGE 478
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Table 12-2. Operating Rules for Client VLANs Condition Rule Static VLANs used as AuthorizedThese must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1X authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.
PAGE 479
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN session on untagged port VLAN membership • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily moves the port to the Unauthorized-Client VLAN (also untagged). (While the Unauthorized-Client VLAN is in use, the port does not access any other VLANs.
PAGE 480
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of RADIUS-assigned VLAN The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN. IP Addressing for a Client Connected A client can either acquire an IP address from a DHCP server or use to a Port Configured for 802.x Open a manually configured IP address before connecting to the switch.
PAGE 481
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Note: Limitation on Using an Unauthorized-Client VLAN on an 802.1X Port Configured to Allow Multiple-Client Access You can optionally enable switches to allow up to eight clients perport. The Unauthorized-Client VLAN feature can operate on an 802.1X configured port regardless of how many clients the port is configured to support.
PAGE 482
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 12-1 on page 12-34 for other options. Before you configure the 802.1X Open VLAN mode on a port: ■ Caution Statically configure an “Unauthorized-Client VLAN” in the switch.
PAGE 483
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges. Also, you must use 802.1X supplicant software that supports the use of local switch passwords.
PAGE 484
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > Adds a server to the RADIUS configuration. [key < server-specific key-string >] Optional. Specifies an encryption key for use with the specified server. This key must match the key used on the RADIUS server.
PAGE 485
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Configuring 802.1X Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 12-42. Syntax: aaa port-access authenticator < port-list > [auth-vid < vlan-id >] Configures an existing, static VLAN to be the AuthorizedClient VLAN.
PAGE 486
Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 12-62. 802.1X Open VLAN Operating Notes 12-46 ■ Although you can configure Open VLAN mode to use the same VLAN for both the Unauthorized-Client VLAN and the Authorized-Client VLAN, this is not recommended.
PAGE 487
Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices reauthenticate itself. If there are multiple clients authenticated on the port, if one client loses access and attempts to re-authenticate, that client will be handled as a new client on the port.
PAGE 488
Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices Port-Security Note If 802.1X port-access is configured on a given port, then port-security learnmode for that port must be set to either continuous (the default) or port-access. In addition to the above, to use port-security on an authenticator port (chapter 13), use the per-port client-limit option to control how many MAC addresses of 802.
PAGE 489
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands page 12-19 802.
PAGE 490
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 12-50 • If, after the supplicant port sends the configured number of start packets, it does not receive a response, it assumes that switch “B” is not 802.1X-aware, and transitions to the authenticated state. If switch “B” is operating properly and is not 802.1X-aware, then the link should begin functioning normally, but without 802.1X security.
PAGE 491
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. You can configure a switch port as a supplicant for a point-to-point link to an 802.1X-aware port on another switch. Configure the port as a supplicant before configuring any suppli cant-related parameters.
PAGE 492
Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [secret] Enter secret: < password > Repeat secret: < password > Sets the secret password to be used by the port supplicant when an MD5 authentication request is received from an authenticator. The switch prompts you to enter the secret password after the command is invoked.
PAGE 493
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 12-19 802.1X Supplicant Commands page 12-49 802.1X Open VLAN Mode Commands page 12-31 802.
PAGE 494
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator [port-list] [config | statistics | session-counters | vlan | clients]| detailed] —Continued— • Untagged VLAN: VLAN ID number of the untagged VLAN used in client sessions. If the switch supports MAC-based (untagged) VLANs, MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions.
PAGE 495
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.
PAGE 496
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator config [port-list] Displays 802.1X port-access authenticator configuration settings, including: • Whether port-access authentication is enabled • Whether RADIUS-assigned dynamic VLANs are supported • 802.1X configuration of ports that are enabled as 802.1X authenticators (For a description of each setting, refer to the syntax descriptions in “2.
PAGE 497
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Access Control Port’s authentication mode: Auto: Network access is allowed to any connected device that supports 802.1X authentication and provides valid 802.1X credentials. Authorized: Network access is allowed to any device connected to the port, regardless of whether it meets 802.1X criteria.
PAGE 498
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters ProCurve(config)# show port-access authenticator statistics Port Access Authenticator Statistics Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No Source TX Port MAC address ReqId ---- -----------------001560-b3ea48 1 2 TX Req ----0 RX Start -----0 RX Logoff ------0 RX RespId ------0 RX Resp ----0 RX Errors -----0 Figure 12-12.
PAGE 499
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator vlan [port-list] Displays the following information on the VLANs configured for use in 802.1X port-access authentication on all switch ports, or specified ports, that are enabled as 802.
PAGE 500
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator clients [port-list ] Displays the session status, name, and address for each 802.1X port-access-authenticated client on the switch. Multiple authenticated clients may be displayed for the same port. The IP address displayed is taken from the DHCP binding table (learned through the DHCP Snooping feature).
PAGE 501
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Syntax: show port-access authenticator clients detailed Displays detailed information on the status of 802.1X authenticated client sessions on specified ports.
PAGE 502
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Viewing 802.1X Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show portaccess authenticator vlan and show port-access authenticator < port-list > com mands as illustrated in figure 12-17. Table 12-1 describes the data that these two commands display.
PAGE 503
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Thus, in the output shown in figure 12-17: ■ When the Auth VLAN ID is configured and matches the Current VLAN ID, an authenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Auth VLAN.
PAGE 504
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 12-5. Output for Determining Open VLAN Mode Status (Figure 12-18, Lower) Status Indicator Meaning Status Closed: Either no client is connected or the connected client has not received authorization through 802.1X authentication. Current VLAN ID < vlan-id >: Lists the VID of the static, untagged VLAN to which the port currently belongs. Open: An authorized 802.
PAGE 505
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Note that ports B1 and B3 are not in the upper listing, but are included under “Overridden Port VLAN configuration”. This shows that static, untagged VLAN memberships on ports B1 and B3 have been overridden by temporary assignment to the authorized or unauthorized VLAN. Using the show portaccess authenticator < portlist > command shown in figure 12-17 provides details. Figure 12-18.
PAGE 506
Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [< port-list >] [statistics] show port-access supplicant [< port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < portlist > ports configured on the switch as supplicants.
PAGE 507
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement. RADIUS authentication for an 802.1X client on a given port can include a (static) VLAN requirement.
PAGE 508
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Note You can use 802.1X (port-based or client-based) authentication and either Web or MAC authentication at the same time on a port, with a maximum of eight clients allowed on the port. (The default is one client.) Web authentication and MAC authentication are mutually exclusive on the same port. Also, you must disable LACP on ports configured for any of these authentication meth ods.
PAGE 509
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation • If the port is assigned as a member of an untagged dynamic VLAN that was learned through GVRP, the dynamic VLAN configuration must exist on the switch at the time of authentication and GVRPlearned dynamic VLANs for port-access authentication must be enabled.
PAGE 510
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation If this temporary VLAN assignment causes the switch to disable a different untagged static or dynamic VLAN configured on the port (as described in the preceding bullet and in “Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session” on page 12-70), the disabled VLAN assignment is not advertised.
PAGE 511
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1X client requires access to VLAN 22 from port A2. However, access to VLAN 22 is blocked (not untagged or tagged) on port A2 and Figure 12-19.
PAGE 512
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1X session. This is to accommodate an 802.1X client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22. Note: With the current VLAN configuration (figure 12-19), the only time port A2 appears in this show vlan 22 listing is during an 802.
PAGE 513
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the port becomes available again. Therefore, when the RADIUS-authenticated 802.
PAGE 514
Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Syntax: aaa port-access gvrp-vlans —Continued— 2. After you enable dynamic VLAN assignment in an authen tication session, it is recommended that you use the interface unknown-vlans command on a per-port basis to prevent denial-of-service attacks.
PAGE 515
Configuring Port-Based and User-Based Access Control (802.1X) Messages Related to 802.1X Operation Messages Related to 802.1X Operation Table 12-6. 802.1X Operating Messages Message Meaning Port < port-list > is not an authenticator. The ports in the port list have not been enabled as 802.1X authenticators. Use this command to enable the ports as authenticators: ProCurve(config)# aaa port-access authenticator e 10 Port < port-list > is not a supplicant.
PAGE 516
Configuring Port-Based and User-Based Access Control (802.1X) Messages Related to 802.
PAGE 517
13 Configuring and Monitoring Port Security Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3 Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4 Basic Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-4 Eavesdrop Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 518
Configuring and Monitoring Port Security Contents Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-40 Operating Notes for Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PAGE 519
Configuring and Monitoring Port Security Overview Overview Feature Displaying Current Port Security Default Menu CLI Web n/a — page 13-8 page 13-33 disabled — page 13-12 page 13-33 n/a — page 13-17 n/a MAC Lockdown disabled — page 13-22 MAC Lockout disabled — page 13-30 n/a page 13-39 page 13-37 Configuring Port Security Retention of Static Addresses Intrusion Alerts and Alert Flags page 13-40 Port Security (Page 13-4).
PAGE 520
Configuring and Monitoring Port Security Port Security Port Security Basic Operation Default Port Security Operation. The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction. Intruder Protection. A port that detects an “intruder” blocks the intruding device from transmitting to the network through that port. Eavesdrop Protection.
PAGE 521
Configuring and Monitoring Port Security Port Security ■ • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices.) • Configured: Requires that you specify all MAC addresses authorized for the port.
PAGE 522
Configuring and Monitoring Port Security Port Security configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users.
PAGE 523
Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? c. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmit ting to the network.
PAGE 524
Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 13-9 show mac-address port-security 13-12 < port-list > 13-12 learn-mode 13-12 address-limit 13-15 mac-address 13-16 action 13-16 clear-intrusion-flag 13-17 no port-security 13-17 This section describes the CLI port security command and how the switch acquires and maintains authorized addresses.
PAGE 525
Configuring and Monitoring Port Security Port Security Displaying Port Security Settings. Syntax: show port-security show port-security show port-security [-]. . .
PAGE 526
Configuring and Monitoring Port Security Port Security Figure 13-3. Example of the Port Security Configuration Display for a Single Port The next example shows the option for entering a range of ports, including a series of non-contiguous ports. Note that no spaces are allowed in the port number portion of the command string: ProCurve(config)# show port-security A1-A3,A6,A8 Listing Authorized and Detected MAC Addresses.
PAGE 527
Configuring and Monitoring Port Security Port Security Figure 13-4.
PAGE 528
Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security and edit security settings. ■ Add or delete devices from the list of authorized addresses for one or more ports. ■ Clear the Intrusion flag on specific ports Syntax: port-security [e] < learn-mode | address-limit | mac-address | action | clear-intrusion-flag > < port-list >: Specifies a list of one or more ports to which the port-security command applies.
PAGE 529
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limitedcontinuous > (Continued) static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port.
PAGE 530
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limitedcontinuous > (Continued) Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device to become “authorized”.
PAGE 531
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces.
PAGE 532
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) mac-address [] [] . . . [] Available for learn-mode with the, static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the address-limit parameter. The mac-address limited-continuous mode allows up to 32 authorized MAC addresses per port.
PAGE 533
Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) clear-intrusion-flag Clears the intrusion flag for a specific port. (See “Reading Intrusion Alerts and Resetting Alert Flags” on page 13-33.) no port-security mac-address [ ] Removes the specified learned MAC address(es) from the specified port. Retention of Static Addresses Static MAC addresses do not age-out.
PAGE 534
Configuring and Monitoring Port Security Port Security ■ Delete it by using no port-security < port-number > mac-address < mac-addr >. ■ Download a configuration file that does not include the unwanted MAC address assignment. ■ Reset the switch to its factory-default configuration. Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port.
PAGE 535
Configuring and Monitoring Port Security Port Security Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existing Authorized Addresses list, enter the port number with the mac-address parameter and the device’s MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value).
PAGE 536
Configuring and Monitoring Port Security Port Security (The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode.
PAGE 537
Configuring and Monitoring Port Security Port Security Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to “Static”. Refer to the command syntax listing under “Configuring Port Security” on page 13-12.
PAGE 538
Configuring and Monitoring Port Security MAC Lockdown The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090 123456 The above command sequence results in the following configuration for port A1: Figure 13-9.
PAGE 539
Configuring and Monitoring Port Security MAC Lockdown You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID of “1”. How It Works. When a device’s MAC address is locked down to a port (typically in a pair with a VLAN) all information sent to that MAC address must go through the locked-down port. If the device is moved to another port it cannot receive data.
PAGE 540
Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair cannot be locked down on a different port. You cannot perform MAC Lockdown and 802.1X authentication on the same port or on the same MAC address. MAC Lockdown and 802.1X authentication are mutually exclusive. Lockdown is permitted on static trunks (manually configured link aggrega tions).
PAGE 541
Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
PAGE 542
Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as “meshing” or Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.
PAGE 543
Configuring and Monitoring Port Security MAC Lockdown Internal Core Network There is no need to lock MAC addresses on switches in the internal core network. Server “A” ProCurve Switch ProCurve Switch ProCurve Switch ProCurve Switch Network Edge Lock Server “A” to these ports. Switch 1 Switch 1 Edge Devices Mixed Users Figure 13-10. MAC Lockdown Deployed At the Network Edge Provides Security Basic MAC Lockdown Deployment.
PAGE 544
Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
PAGE 545
Configuring and Monitoring Port Security MAC Lockdown Internal Network PROBLEM: If this link fails, traffic to Server A will not use the backup path via Switch 3 Switch 3 Server A Switch 4 Server A is locked down to Switch 1, Uplink 2 Switch 2 Switch 1 External Network MixedUsers Figure 13-11. Connectivity Problems Using MAC Lockdown with Multiple Paths The resultant connectivity issues would prevent you from locking down Server A to Switch 1.
PAGE 546
Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any traffic to or from the “locked-out” MAC address will be dropped. This means that all data packets addressed to or from the given address are stopped by the switch. MAC Lockout is implemented on a per switch assignment. You can think of MAC Lockout as a simple blacklist. The MAC address is locked out on the switch and on all VLANs.
PAGE 547
Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1X authenti cation. You cannot use MAC Lockout to lock: • Broadcast or Multicast Addresses (Switches do not learn these) • Switch Agents (The switch’s own MAC Address) There are limits for the number of VLANs, Multicast Filters, and Lockout MACs that can be configured concurrently as all use MAC table entries. The limits are shown below. Table 13-1.
PAGE 548
Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in conjunction with port-security.
PAGE 549
Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security]. 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field. 4. Implement your new data by clicking on [Apply Changes]. To access the web-based Help provided for the switch, click on [?] in the web browser screen.
PAGE 550
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags ■ The switch enables notification of the intrusion through the following means: • • • • In the CLI: – The show port-security intrusion-log command displays the Intrusion Log – The log command displays the Event Log In the menu interface: – The Port Status screen includes a per-port intrusion alert – The Event Log includes per-port entries for security viola tions In the web browser interface: – The Ale
PAGE 551
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Figure 13-12. Example of Multiple Intrusion Log Entries for the Same Port The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.
PAGE 552
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen. 1. From the Main Menu select: 1. Status and Counters 4. Port Status The Intrusion Alert column shows “Yes” for any port on which a security violation has been Figure 13-13.
PAGE 553
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 13-13 on page 13-36) does not indicate an intrusion for port A1, the alert flag for the intru sion on port A1 has already been reset. • Since the switch can show only one uncleared intrusion per port, the alert flag for the older intrusion for port A3 in this example has also been previously reset.
PAGE 554
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags clear intrusion-flags Clear intrusion flags on all ports. port-security [e] < port-number > clear-intrusion-flag Clear the intrusion flag on one or more specific ports. In the following example, executing show interfaces brief lists the switch’s port status, which indicates an intrusion alert on port A1. Intrusion Alert on port Figure 13-15.
PAGE 555
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags To clear the intrusion from port A1 and enable the switch to enter any subsequent intrusion for port A1 in the Intrusion Log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, you will see that the Intrusion Alert entry for port A1 has changed to “No”.
PAGE 556
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Log Command with “security” for Search Log Listing with Security Violation Detected Log Listing with No Security Violation Detected Figure 13-18. Example of Log Listing With and Without Detected Security Violations From the Menu Interface: In the Main Menu, click on 4. Event Log and use Next page and Prev page to review the Event Log contents. For More Event Log Information.
PAGE 557
Configuring and Monitoring Port Security Operating Notes for Port Security Operating Notes for Port Security Identifying the IP Address of an Intruder. The Intrusion Log lists detected intruders by MAC address. If you are using ProCurve Manager to manage your network, you can use the device properties page to link MAC addresses to their corresponding IP addresses. Proxy Web Servers.
PAGE 558
Configuring and Monitoring Port Security Operating Notes for Port Security ProCurve(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s). ProCurve(config)# The switch will not allow you to configure LACP on a port on which port security is enabled. For example: ProCurve(config)# int e a17 lacp passive Error configuring port A17: LACP and port security cannot be run together.
PAGE 559
14 Using Authorized IP Managers Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-2 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3 Access Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-3 Defining Authorized Management Stations . . . . . . . . . . . . . . . . . . . . 14-3 Overview of IP Mask Operation .
PAGE 560
Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu CLI Web Listing (Showing) Authorized Managers n/a page 14-5 page 14-6 page 14-8 Configuring Authorized IP Managers None page 14-5 page 14-6 page 14-8 Building IP Masks n/a page 14-10 page 14-10 page 14-10 Operating and Troubleshooting Notes n/a page 14-13 page 14-13 page 14-13 The Authorized IP Managers feature uses IP addresses and masks to deter mine which stations (PCs or workstations
PAGE 561
Using Authorized IP Managers Options Options You can configure: Caution ■ Up to 100 authorized manager addresses, where each address applies to either a single management station or a group of stations ■ Manager or Operator access privileges Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port.
PAGE 562
Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP column, and leave the IP Mask set to 255.255.255.255. This is the easiest way to use the Authorized Managers feature. (For more on this topic, see “Configuring One Station Per Authorized Manager IP Entry” on page 14-10.) ■ Authorizing Multiple Stations: The table entry uses the IP Mask to authorize access to the switch from a defined group of stations.
PAGE 563
Using Authorized IP Managers Defining Authorized Management Stations Menu: Viewing and Configuring IP Authorized Managers Only IPv4 is supported when using the menu to set the management access method. From the console Main Menu, select: 2. Switch Configuration … 6. IP Authorized Managers ProCurve 22-Apr-2008 20:17:53 ==========================- CONSOLE - MANAGER MODE -============================ Switch Configuration - IP Managers Authorized Manager IP ---------------------10.10.240.2 10.10.245.3 10.10.
PAGE 564
Using Authorized IP Managers Defining Authorized Management Stations Editing or Deleting an Authorized Manager Entry. Go to the IP Manag ers List screen (figure 14-14-1), highlight the desired entry, and press [E] (for Edit) or [D] (for Delete).
PAGE 565
Using Authorized IP Managers Defining Authorized Management Stations ProCurve(config)# ip authorized-managers 10.10.10.2 255.255.255.255 manager Figure 14-4. Example of Configuring IP Authorized Manager To Authorize Manager Access. This command authorizes manager-level access for any station with an IP address of 10.28.227.0 through 10.28.227.255: ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.
PAGE 566
Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: 1. Click on the Security tab. 2. Click on the Authorized Addresses button. 3. Enter the appropriate parameter settings for the operation you want. 4. Click on [Add], [Replace], or [Delete] to implement the configuration change. Figure 14-5.
PAGE 567
Using Authorized IP Managers Web: Configuring IP Authorized Managers access through a web proxy server requires that you first add the web proxy server to the Authorized Manager IP list. This reduces security by opening switch access to anyone who uses the web proxy server. How to Eliminate the Web Proxy Server There are two ways to eliminate a web proxy server from the path between a station and the switch: Note 1.
PAGE 568
Using Authorized IP Managers Building IP Masks Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network. Configuring One Station Per Authorized Manager IP Entry This is the easiest way to apply a mask. If you have ten or fewer management and/or operator stations, you can configure them by adding the address of each to the Authorized Manager IP list with 255.255.255.
PAGE 569
Using Authorized IP Managers Building IP Masks IP list. Thus, in the example shown above, a “255” in an IP Mask octet (all bits in the octet are “on”) means only one value is allowed for that octet—the value you specify in the corresponding octet of the Authorized Manager IP list. A “0” (all bits in the octet are “off”) means that any value from 0 to 255 is allowed in the corresponding octet in the IP address of an authorized station.
PAGE 570
Using Authorized IP Managers Building IP Masks Table 14-3. Example of How the Bitmap in the IP Mask Defines Authorized Manager Addresses 4th Octet of IP Mask: 249 4th Octet of Authorized IP Address: 5 Bit Numbers Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 Bit 0 Bit Values 64 32 16 8 4 2 1 128 Bits 1 and 2 in the mask are “off”, and bits 0 and 3 - 7 are “on”, creating a value of 249 in the 4th octet.
PAGE 571
Using Authorized IP Managers Operating Notes Operating Notes ■ Network Security Precautions: You can enhance your network’s secu rity by keeping physical access to the switch restricted to authorized personnel, using the password features built into the switch, using the additional security features described in this manual, and preventing unauthorized access to data on your management stations.
PAGE 572
Using Authorized IP Managers Operating Notes 14-14
PAGE 573
15 Key Management System Contents Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-2 Configuring Key Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 15-3 Creating and Deleting Key Chain Entries . . . . . . . . . . . . . . . . . . . . . . . 15-3 Assigning a Time-Independent Key to a Chain . . . . . . . . .
PAGE 574
Key Management System Overview Overview The switches covered in this guide provide support for advanced routing capabilities. Security turns out to be extremely important as complex net works and the internet grow and become a part of our daily life and business. This fact forces protocol developers to improve security mechanisms employed by their protocols, which in turn becomes an extra burden for system administrators who have to set up and maintain them.
PAGE 575
Key Management System Configuring Key Chain Management Configuring Key Chain Management KMS-Related CLI Commands in This Section Page show key-chain < chain_name > page 15-3 [ no ] key-chain chain_name page 15-3 [ no ] key-chain chain_name key Key_ID page 15-4 The Key Management System (KMS) has three configuration steps: 1. Create a key chain entry. 2. Assign a time-independent key or set of time-dependent keys to the Key Chain entry.
PAGE 576
Key Management System Configuring Key Chain Management show key-chain Displays the current key chains on the switch and their overall status. For example, to generate a new key chain entry: Add new key chain Entry “Procurve1”. Display key chain entries. Figure 15-1. Adding a New Key Chain Entry After you add an entry, you can assign key(s) to it for use by a KMS-enabled protocol. Assigning a Time-Independent Key to a Chain A time-independent key has no Accept or Send time constraints.
PAGE 577
Key Management System Configuring Key Chain Management [ accept-lifetime infinite ] [ send-lifetime infinite ] accept-lifetime infinite: Allows packets with this key to be accepted at any time from boot-up until the key is removed. send-lifetime infinite: Allows the switch to send this key as authorization, from boot-up until the key is removed. show key-chain < chain_name > Displays the detail information about the keys used in the key chain named < chain_name >.
PAGE 578
Key Management System Configuring Key Chain Management [ key-string < key_str > ] This option specifies the key value referenced by the protocol using the key. The < key_str > can be any string up to 14 characters in length. accept-lifetime < mm/dd/yy [ yy ] hh:mm:ss | now > Specifies the start date and time of the valid period in which the switch can use this key to authenticate inbound packets.
PAGE 579
Key Management System Configuring Key Chain Management Adds a key with full time and date Adds a key with duration expressed in seconds. Figure 15-3. Adding Time-Dependent Keys to a Key Chain Entry Note Given transmission delays and the variations in the time value from switch to switch, it is advisable to include some flexibility in the Accept lifetime of the keys you configure.
PAGE 580
Key Management System Configuring Key Chain Management You can use show key-chain to display the key status at the time the command is issued. Using the information from the example configuration in figures 15-3 and 15-4, if you execute show key-chain at 8:05 on 01/19/03, the display would appear as follows: Figure 15-5. Status of Keys in Key Chain Entry “Procurve2” The “Procurve1” key chain entry is a time-independent key and will not expire.
PAGE 581
Index Numerics 3DES … 8-3 802.1X ACL, effect on … 9-16 802.
PAGE 582
terminology … 12-6, 12-29, 12-67, 12-68, 12-69, 12-13, 12-23, 12-24 unauthenticated port … 12-28, 12-22, 12-25, 12-8, 12-41, 12-25, 12-35, 12-25, 12-33, 12-47 access … 12-4, 12-10 client authentication … 12-5, 12-4, 12-48, 12-21, 12-32, 12-21 enable … 12-20, 12-48 limit … 12-4, 12-21 tagged VLAN … 12-5 VLAN … 12-40, 12-41 Web/MAC authenticated clients … 12-5 See also port-based.
PAGE 583
configure … 9-65 option … 9-71 traffic … 9-18, 9-72 implicit deny See deny any, implicit. … 9-12, 9-20 See ACL, wildcard. IPX … 9-26 log function, with mirroring … 9-17 See ACL, logging.
PAGE 584
state … 12-62 authorized addresses for IP management security … 14-3, 13-5 authorized IP managers access levels … 14-3 building IP masks … 14-10 configuring … 14-6, 14-8, 14-5 definitions of single and multiple … 14-3 effect of duplicate IP addresses … 14-13 IP mask for multiple stations … 14-10, 14-4 operating notes … 14-13, 14-1 troubleshooting … 14-13 authorized server … 10-4 authorized server address, configuring … 10-8 authorized, option for authentication … 5-11, 7-20, 7-21, 12-26 autorun autorun-key
PAGE 585
verify … 10-5 documentation feature matrix … -xx latest versions … -xix printed in-box publications … -xix release notes … -xix duplicate IP address effect on authorized IP managers … 14-13 dynamic ARP protection additional validation checks on ARP packets … 10-20 ARP packet debugging … 10-22 displaying ARP statistics … 10-21 enabling … 10-15 IP-to-MAC binding, adding to DHCP database … 10-19 trusted ports, configuring … 10-17 verifying configuration … 10-20 Dynamic Configuration Arbiter (DCA) applying sett
PAGE 586
address count … 10-23, 14-1 reserved port numbers … 7-18 IP attribute … 5-36 IP masks building … 14-10 for multiple authorized manager stations … 14-10 operation … 14-4 IP routing dynamic ARP protection, enabling … 10-15 validation checks on ARP packets, configuring … 10-20 IP-to-MAC binding … 10-19 IPv4, ACL vendor-specific attribute … 6-18 IPv6, ACL vendor-specific attribute … 6-18 key chain See KMS key chain. key management system See KMS.
PAGE 587
O open VLAN mode See 802.1X access control. OpenSSH … 7-2 OpenSSL … 8-2 operating notes authorized IP managers … 14-13 port security … 13-41 operator password … 2-4, 2-6, 2-7 saving to configuration file … 2-12 Option 82 snooping … 10-5 P packet validation … 10-5 password 802.
PAGE 588
multiple ACL application types in use … 6-15 NAS-Prompt-User service-type value … 5-14 network accounting … 5-35 operating rules, switch … 5-6, 6-7, 6-8, 6-7, 6-8 rate-limiting … 6-4, 6-6, 6-4 security … 5-13, 5-4, 5-37, 5-47, 5-19, 5-8, 5-14, 2-12, 2-16, 5-46, 5-45 SNMP access security not supported … 5-4 statistics, viewing … 5-43 terminology … 5-5 TLS … 5-6 vendor specific attributes … 5-34, 5-28, 6-4 VSAs … 5-29 web browser security not supported … 5-7, 5-25, 5-4, 5-25 RADIUS-assigned ACLs … 6-9, 9-6 80
PAGE 589
saving security credentials to configuration file … 2-12, 2-14, 2-21 snooping authorized server … 10-4, 10-8 binding database … 10-11 changing remote-id … 10-10 DHCP … 10-3 disable MAC check … 10-10 Option 82 … 10-5, 10-8 statistics … 10-5 untrusted-policy … 10-9 verify … 10-5 source port filters configuring … 11-4 named … 11-6 operating rules … 11-4 See also named source port filters.
PAGE 590
configuration, authentication … 4-11, 4-22, 4-18, 4-23, 4-10 encryption key … 4-6, 4-18, 4-19, 4-22, 4-29, 4-26, 4-23, 2-12 general operation … 4-2 IP address, server … 4-18 local manager password requirement … 4-29 messages … 4-28 NAS … 4-3 precautions … 4-5, 4-8, 4-18, 4-6 server access … 4-18, 4-21, 4-5, 2-15, 4-8, 4-13, 4-5 TACACS+ server … 4-3, 4-8 testing … 4-5 TFTP, configuration … 4-29 timeout … 4-18, 4-6 unauthorized access, preventing … 4-7 web access, controlling … 4-27, 4-5 TCP reserved port num
PAGE 591
SSL … 8-18 unsecured access, SSL … 8-18 web server, proxy … 13-41 wildcard See ACL, wildcard. See ACL.
PAGE 592
12 – Index
PAGE 593