Page 1 5300xl switches www.hp.com/go/hpprocurve...
Page 3 HP Procurve Series 5300XL Switches Software Release E.08.xx or Greater Access Security Guide...
Page 4 The information contained in this document is subject to Software Credits and Notices change without notice. SSH on HP Procurve Switches is based on the OpenSSH HEWLETT-PACKARD COMPANY MAKES NO WARRANTY software toolkit. This product includes software developed OF ANY KIND WITH REGARD TO THIS MATERIAL, by the OpenSSH Project for use in the OpenSSH Toolkit.
Page 5: Table Of Contents
Contents 1 Getting Started Contents ............1-1 Introduction .
Page 6 Front Panel Security ......... . 2-8 When Security Is Important .
Page 7 Configuring MAC Authentication on the Switch ....3-21 Overview ..........3-21 Configure the Switch for MAC-Based Authentication .
Page 8 5 RADIUS Authentication and Accounting Contents ............5-1 Overview .
Page 9 Steps for Configuring and Using SSH for Switch and Client Authentication ..........6-6 General Operating Rules and Notes .
Page 10 8 Configuring Port-Based Access Control (802.1x) Contents ............8-1 Overview .
Page 11 How RADIUS/802.1x Authentication Affects VLAN Operation . . 8-43 Messages Related to 802.1x Operation ......8-47 9 Configuring and Monitoring Port Security Contents .
Page 12 10 Using Authorized IP Managers Contents ........... . . 10-1 Overview .
Page 13 Getting Started Contents Getting Started Contents Introduction ..........1-2 Overview of Access Security Features .
Page 14: Getting Started
Getting Started Introduction Introduction This Access Security Guide is intended for use with the HP Procurve Switch Series 5300XL devices. The Product Documentation CD-ROM shipped with the switch includes this guide. You can also download the latest version from the HP ProCurve website.
Page 15: General Switch Traffic Security Guideline
Key Management System (page 11-1): Centralizes the mechanisms used ■ to configure and maintain security information for all routing protocols. HP recommends that you use local passwords together with the switch’s other security features to provide a more comprehensive security fabric than if you use only local passwords.
Page 16: Applications For Access Control Lists (Acls)
Applications for Access Control Lists (ACLs) Applications for Access Control Lists (ACLs) Layer 3 IP filtering with Access Control Lists (ACLs) on the HP Procurve Series 5300XL switches enables you to improve network performance and restrict network use by creating policies for: ■...
Page 17: Command Syntax Conventions
Command Prompts In the default configuration, your Series 5300XL switch displays one of the following CLI prompts: HP Procurve Switch 5304# HP Procurve Switch 5308# To simplify recognition, this guide uses HPswitch to represent command prompts for all models. That is: HPswitch# (You can use the hostname command to change the text in the CLI prompt.)
Page 18 For example, the Tab key appears as [Tab] and the “Y” key appears as Related Publications Software Release Notes. Release notes are posted on the HP ProCurve website and provide information on new software updates: ■ New features and how to configure and use them Software management, including downloading software to the switch ■...
Page 19 Related Publications guide is also provided on the Product Documentation CD-ROM shipped with the switch. And you can download a copy from the HP Procurve website. (See “Getting Documentation From the Web” on page 1-8.) Management and Configuration Guide. Use the Management and Con- figuration Guide for information on: ■...
Page 20: Getting Documentation From The Web
Go to the HP Procurve website at http://www.hp.com/go/hpprocurve. Click on technical support. Click on Product manuals. Click on the product for which you want to view or download a manual. Figure 1-2. Example of How To Locate Product Manuals on the HP ProCurve Website...
Page 21: Sources For More Information
Figure 1-4.Example of How To Display Help for a CLI Command ■ If you need information on specific features in the HP Web Browser Interface (hereafter referred to as the “web browser interface”), use the online help available for the web browser interface. For more information on web browser Help options, refer to the Management and Configura- tion Guide for your switch.
Page 22: Need Only A Quick Start
IP Addressing. If you just want to give the switch an IP address so that it can communicate on your network, or if you are not using VLANs, HP recommends that you use the Switch Setup screen to quickly configure IP addressing.
Page 23 Configuring Username and Password Security Contents Overview ........... . . 2-2 Configuring Local Password Security .
Page 24: Configuring Username And Password Security
Configuring Username and Password Security Overview Overview Feature Default Menu Set Usernames none — — page 2-8 Set a Password none page 2-5 page 2-7 page 2-8 Delete Password Protection page 2-6 page 2-7 page 2-8 show front-panel-security — page 1-13 —...
Page 25 Configuring Username and Password Security Overview Level Actio Permitted Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
Page 26 Configuring Username and Password Security Overview If the switch has a password for both the Manager and Operator levels, and neither is entered correctly in response to the switch’s password prompt, then the switch does not allow management access for that session. Passwords are case-sensitive.
Page 27: Configuring Local Password Security
Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a user- name requires either the CLI or the web browser interface. 1. From the Main Menu select: 3.
Page 28: To Delete Password Protection
Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and pass- words (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.
Page 29: Cli: Setting Passwords And Usernames
Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below. Configuring Manager and Operator Passwords. Syntax: [ no ] password <manager | operator > [ user-name ASCII-STR ] [ no ] password <...
Page 30: Web: Setting Passwords And Usernames
Configuring Username and Password Security Front Panel Security Web: Setting Passwords and Usernames In the web browser interface you can enter passwords and (optional) user- names. To Configure (or Remove) Usernames and Passwords in the Web Browser Interface. Click on the tab.
Page 31: When Security Is Important
Configuring Username and Password Security Front Panel Security When Security Is Important Some customers require a high level of security for information. Also, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires that systems handling and transmitting confidential medical records must be secure.
Page 32: Front Panel Button Functions
Clear Button (to reset Reset Button (to r e store configuration) Reset Clear Figure 2-4. Front Panel Buttons on the HP ProCurve 5308XL Switch Clear Button Pressing the Clear button alone for one second resets the password(s) con- figured on the switch.
Page 33: Reset Button
Configuring Username and Password Security Front Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-6. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.
Page 34 Configuring Username and Password Security Front Panel Security 3. Release the Reset button and wait for about one second for the Self-Test LED to start flashing. Reset Clear Self Test When the Self-Test LED begins flashing, release the Clear button Reset Clear Self...
Page 35: Configuring Front Panel Security
Configuring Username and Password Security Front Panel Security Configuring Front Panel Security Using the front-panel-security command from the global configuration context in the CLI you can: • Disable or re-enable the password-clearing function of the Clear button. Disabling the Clear button means that pressing it does not remove local password protection from the switch.
Page 36: Disabling The Clear Password Function Of The Clear Button On The Switch's Front Panel
Configuring Username and Password Security Front Panel Security Password Recovery: Shows whether the switch is configured with the ability to to recover a lost password. (Refer to “Password Recovery Process” on page 2-20.) (Default: Enabled.) CAUTION: Disabling this option removes the ability to recover a password on the switch.
Page 37 Configuring Username and Password Security Front Panel Security Indicates the command has disabled the Clear button on the switch’s front panel. In this case the Show command does not include the reset- on-clear status because it is inoperable while the Clear Password functionality is disabled, and must be r e configured when ever Cle ar Passwor d is re-enabled .
Page 38: Re-Enabling The Clear Button On The Switch's Front Panel
Configuring Username and Password Security Front Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel. Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel.
Page 39: Changing The Operation Of The Reset+Clear Combination
Configuring Username and Password Security Front Panel Security Shows password-clear disabled. Enables password-clear, with reset-on- clear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-9. Example of Re-Enabling the Clear Button’s Default Operation Changing the Operation of the Reset+Clear Combination In their default configuration, using the Reset+Clear buttons in the combina...
Page 40: Password Recovery
(the default) on the switch prior to an attempt ■ to recover from a lost username/password situation ■ Contacting your HP Customer Care Center to acquire a one-time use password Disabling or Re-Enabling the Password Recovery Process Disabling the password recovery process means that the only method for...
Page 41 Configuring Username and Password Security Front Panel Security with factory-reset enabled, unauthorized users can use the Reset+Clear button combination to reset the switch to factory-default configuration and gain management access to the switch. Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form of the command) disables the ability to recover a lost password.
Page 42: Password Recovery Process
If you have lost the switch’s manager username/password, but password- recovery is enabled, then you can use the Password Recovery Process to gain management access to the switch with an alternate password supplied by HP. If you have disabled password-recovery, which locks out the ability to recover a...
Page 43: Web And Mac Authentication
Web and MAC Authentication Contents Overview ........... . . 3-2 Client Options .
Page 44: Overview
Web and MAC Authentication Overview Overview Feature Default Menu Configure Web Authentication — 3-16 — Configure MAC Authentication — 3-21 — Display Web Authentication Status and Configuration — 3-25 — Display MAC Authentication Status and Configuration — 3-26 — Web and MAC Authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access.
Page 45: Client Options
Web and MAC Authentication Overview password, and grants or denies network access in the same way that it does for clients capable of interactive logons. (The process does not use either a client device configuration or a logon session.) MAC authentication is well- suited for clients that are not capable of providing interactive logons, such as telephones, printers, and wireless access points.
Page 46: General Features
Web and MAC Authentication Overview General Features Web and MAC Authentication on the Series 5300XL switches include the following: On a port configured for Web or MAC Authentication, the switch ■ operates as a port-access authenticator using a RADIUS server and the CHAP protocol.
Page 47: How Web And Mac Authentication Operate
Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Authenticator Operation Before gaining access to the network clients first present their authentication credentials to the switch. The switch then verifies the supplied credentials with a RADIUS authentication server.
Page 48 Web and MAC Authentication How Web and MAC Authentication Operate Figure 3-2.Progress Message During Authentication If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access.
Page 49: Mac-Based Authentication
Web and MAC Authentication How Web and MAC Authentication Operate moves have not been enabled (client-moves) on the ports, the session ends and the client must reauthenticate for network access. At the end of the session the port returns to its pre-authentication state. Any changes to the port’s VLAN memberships made while it is an authorized port take affect at the end of the session.
Page 50: Terminology
Web and MAC Authentication Terminology 4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate).
Page 51 In the case of a Series 5300XL switch running Web/MAC- Authentication, this is a RADIUS server. Authenticator: In HP ProCurve switch applications, a device such as a Series 5300XL switch that requires a client or device to provide the proper credentials (MAC address, or username and password) before being allowed access to the network.
Page 52: Operating Rules And Notes
Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ You can configure one type of authentication on a port. That is, the following authentication types are mutually exclusive on a given port: • Web Authentication • MAC Authentication •...
Page 53 Web and MAC Authentication Operating Rules and Notes 3. If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN. 4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.
Page 54: General Setup Procedure For Web/Mac Authentication
1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, HP recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.)
Page 55: Additional Information For Configuring The Radius Server To Support Mac Authentication
Web and MAC Authentication General Setup Procedure for Web/MAC Authentication 4. Determine whether to use the optional “Unauthorized VLAN” mode for clients that the RADIUS server does not authenticate. This VLAN must be statically configured on the switch. If you do not configure an “Unautho rized VLAN”, the switch simply blocks access to unauthenticated clients trying to use the port.
Page 56: Configuring The Switch To Access A Radius Server
Web and MAC Authentication Configuring the Switch To Access a RADIUS Server If the device is a switch or other VLAN-capable device, use the base ■ MAC address assigned to the device, and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch.
Page 57 Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Syntax: radius-server host < ip-address > key <server-specific key-string> [no] radius-server host < ip-address > key Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the speci fied server.
Page 58: Configuring Web Authentication On The Switch
1. If you have not already done so, configure a local username and password pair on the switch. 2. Identify or create a redirect URL for use by authenticated clients. HP recommends that you provide a redirect URL when using Web Authenti...
Page 59: Configure The Switch For Web-Based Authentication
Web and MAC Authentication Configuring Web Authentication on the Switch Configure the Switch for Web-Based Authentication Command Page Configuration Level aaa port-access web-based dhcp-addr 3-17 aaa port-access web-based dhcp-lease 3-17 [no] aaa port-access web-based [e] < port-list > 3-18 [auth-vid] 3-18 [client-limit] 3-18...
Page 60 Web and MAC Authentication Configuring Web Authentication on the Switch Syntax: [no] aaa port-access web-based [e] < port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable web- based authentication on the specified ports. Syntax: aaa port-access web-based [e] <...
Page 61 Web and MAC Authentication Configuring Web Authentication on the Switch aaa port-access web-based [e] < port-list > Syntax: [logoff-period] <60-9999999>] Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense.
Page 62 Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. HP recommends that you provide a redirect URL when using Web Authentication. Use the no form of the command to remove a specified redirect URL.
Page 63: Configuring Mac Authentication On The Switch
Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made.
Page 64: Configure The Switch For Mac-Based Authentication
Web and MAC Authentication Configuring MAC Authentication on the Switch Configure the Switch for MAC-Based Authentication Command Page Configuration Level aaa port-access mac-based addr-format 3-22 [no] aaa port-access mac-based [e] < port-list > 3-22 [addr-limit] 3-23 [addr-moves] 3-23 [auth-vid] 3-23 [logoff-period] 3-23 [max-requests]...
Page 65 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [addr-limit <1-32>] Specifies the maximum number of authenticated MACs to allow on the port. (Default: 1) Syntax: [no] aaa port-access mac-based [e] < port-list > [addr-moves] Allows client moves between the specified ports under MAC Auth control.
Page 66 Web and MAC Authentication Configuring MAC Authentication on the Switch aaa port-access mac-based [e] < port-list > [quiet-period <1 - 65535>] Syntax: Specifies the time period, in seconds, the switch should wait before attempting an authentication request for a MAC address that failed authentication. (Default: 60 seconds) aaa port-access mac-based [e] <...
Page 67: Show Status And Configuration Of Web-Based Authentication
Web and MAC Authentication Show Status and Configuration of Web-Based Authentication Show Status and Configuration of Web- Based Authentication Command Page port-list show port-access [ ] web-based 3-25 [clients] 3-25 [config] 3-25 [config [auth-server]] 3-26 [config [web-server]] 3-26 port-list show port-access web-based config detail 3-26 Syntax:...
Page 68: Show Status And Configuration Of Mac-Based Authentication
Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] web-based [config [auth-server]] Shows Web Authentication settings for all ports or the specified ports, along with the RADIUS server specific settings for the timeout wait, the number of timeout failures before authentication fails, and the length of time between authentication requests.
Page 69 Web and MAC Authentication Show Status and Configuration of MAC-Based Authentication Syntax: show port-access [port-list] mac-based [clients]] Shows the port address, MAC address, session status, and elapsed session time for attached clients on all ports or the specified ports. Ports with multiple clients have an entry for each attached client.
Page 70: Client Status
Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Possible Explanations Connection authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires.
Page 71: Tacacs+ Authentication
TACACS+ Authentication Contents Overview ........... . . 4-2 Terminology Used in TACACS Applications: .
Page 72: Overview
TACACS+ Authentication Overview Overview Feature Default Menu view the switch’s authentication configuration — page 4-9 — view the switch’s TACACS+ server contact — page — configuration 4-10 configure the switch’s authentication methods disabled — page — 4-11 configure the switch to contact TACACS+ server(s) disabled —...
Page 73: Terminology Used In Tacacs Applications
TACACS+ Authentication Terminology Used in TACACS Applications: server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authen tication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/write) privilege level access.
Page 74 TACACS+ Authentication Terminology Used in TACACS Applications: Authentication: The process for granting user access to a device ■ through entry of a user name and password and comparison of this username/password pair with previously stored username/password data. Authentication also grants levels of access, depending on the privileges assigned to a user name and password pair by a system administrator.
Page 75: General System Requirements
TACACS+ configurations used in your network. TACACS-aware HP switches include the capability of configuring multiple backup TACACS+ servers. HP recommends that you use a TACACS+ server application that supports a redundant backup installation. This allows you to configure the switch to use a backup TACACS+ server if it loses access to the first-choice TACACS+ server.
Page 76 TACACS+ Authentication General Authentication Setup Procedure keeping the other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation”...
Page 77 15. For more on this topic, refer to the documentation you received with your TACACS+ server application. If you are a first-time user of the TACACS+ service, HP recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment.
Page 78: Configuring Tacacs+ On The Switch
Configuring TACACS+ on the Switch BeforeYou Begin If you are new to TACACS+ authentication, HP recommends that you read the “General Authentication Setup Procedure” on page 4-5 and configure your TACACS+ server(s) before configuring authentication on the switch.
Page 79: Cli Commands Described In This Section
TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs 4-10 aaa authentication pages 4-11 through 4-14 console Telnet num-attempts <1-10 > tacacs-server pages 4-15 host < ip-addr > pages 4-15 key 4-19 timeout <...
Page 80: Viewing The Switch's Current Tacacs+ Server Contact
TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. show tacacs Syntax: For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a...
Page 81: Configuring The Switch's Authentication Methods
TACACS+ Authentication Configuring TACACS+ on the Switch Configuring the Switch’s Authentication Methods The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied).
Page 82 TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-1. AAA Authentication Parameters Name Default Range Function console Specifies whether the command is configuring authentication for the console port - or - or Telnet access method for the switch. telnet enable Specifies the privilege level for the access method being configured.
Page 83 TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Authentication Options Effect on Access Attempts Privilege Level Primary Secondary Console — Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Console —...
Page 84 TACACS+ Authentication Configuring TACACS+ on the Switch For example, here is a set of access options and the corresponding commands to configure them: Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. HPswitch (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server.
Page 85: Configuring The Switch's Tacacs+ Server Access
Note As described under “General Authentication Setup Procedure” on page 4-5, HP recommends that you configure, test, and troubleshoot authentication via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up authentication in either the switch or your TACACS+ server.
Page 86 TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [key < key-string >] Adds a TACACS+ server and optionally assigns a server-specific encryption key [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its server- specific encryption key, if any) tacacs-server key <key-string>...
Page 87 TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host <ip-addr> [key <key-string> none Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per- server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key”...
Page 88 TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range key <key-string> none (null) n/a Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server”...
Page 89 TACACS+ Authentication Configuring TACACS+ on the Switch The “10” server is now the “first-choice” TACACS+ authentication device. Figure 4-5. Example of the Switch After Assigning a Different “First-Choice” Server To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: HPswitch(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key.
Page 90: How Authentication Operates
Switch Via Switch’s Console Port TACACS+ Server HP Switch Configured for TACACS+ Operation Second-Choice TACACS+ Server (Optional) Terminal “B” Remotely Accessing This Switch Via Telnet HP Switch Configured for TACACS+ Operation Third-Choice TACACS+ Server (Optional) Figure 4-6. Using a TACACS+ Server for Authentication 4-20...
Page 91 TACACS+ Authentication How Authentication Operates Using figure 4-6, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur: 1. The switch queries the first-choice TACACS+ server for authentication of the request. •...
Page 92: Local Authentication Process
TACACS+ Authentication How Authentication Operates Local Authentication Process When the switch is configured to use TACACS+, it reverts to local authentica tion only if one of these two conditions exists: “Local” is the authentication option for the access method being used. ■...
Page 93: Using The Encryption Key
TACACS+ Authentication How Authentication Operates Using the Encryption Key General Operation When used, the encryption key (sometimes termed “key”, “secret key”, or “secret”) helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server.
Page 94: Controlling Web Browser Interface Access When Using Tacacs+ Authentication
TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication For example, you would use the next command to configure a global encryp tion key in the switch to match a key entered as in two target north40campus TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch: HPswitch(config)# tacacs-server key north40campus...
Page 95: Messages Related To Tacacs+ Operation
TACACS+ Authentication Messages Related to TACACS+ Operation Messages Related to TACACS+ Operation The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For informa tion on such messages, refer to the documentation you received with the application.
Page 96 TACACS+ Authentication Operating Notes When TACACS+ is not enabled on the switch—or when the switch’s ■ only designated TACACS+ servers are not accessible— setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unautho rized persons.) 4-26...
Page 97: Radius Authentication And Accounting
RADIUS Authentication and Accounting Contents Overview ........... . . 5-2 Terminology .
Page 98: Overview
For accounting, this can help you track network resource usage. Authentication. You can use RADIUS to verify user identity for the follow ing types of primary password access to the HP switch: ■ Serial port (Console) Telnet ■...
Page 99: Terminology
EAP type, such as MD5-Challenge, Generic Token Card, and TLS (Transport Level Security). Host: See RADIUS Server. NAS (Network Access Server): In this case, an HP switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): RADIUS Client: The device that passes user information to designated RADIUS servers.
Page 100: Switch Operating Rules For Radius
■ type of access. (Only one primary and one secondary access method is allowed for each access type.) In the HP switch, EAP RADIUS uses MD5 and TLS to encrypt a ■ response to a challenge from a RADIUS server.
Page 101: General Radius Setup Procedure
IP address to the switch. • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. HP recommends that you begin with the default (five seconds).
Page 102: Configuring The Switch For Radius Authentication
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Configuring the Switch for RADIUS Authentication RADIUS Authentication Commands Page aaa authentication < console | telnet | ssh > < enable | login > radius < local | none > [no] radius-server host <...
Page 103 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note This step assumes you have already configured the RADIUS server(s) to support the switch. Refer to the documentation provided with the RADIUS server documentation.) • Server IP address • (Optional) UDP destination port for authentication requests (default: 1812;...
Page 104: Configure Authentication For The Access Methods You Want Radius To Protect
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 1. Configure Authentication for the Access Methods You Want RADIUS To Protect This section describes how to configure the switch for RADIUS authentication through the following access methods: ■ Console: Either direct serial-port connection or modem connection. Telnet: Inbound Telnet must be enabled (the default).
Page 105 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have already configured local passwords on the switch, but want to use RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch’s local passwords): The switch now allows Telnet and...
Page 106: Configure The Switch To Access A Radius Server
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 2. Configure the Switch To Access a RADIUS Server This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services. Note If you want to configure RADIUS accounting on the switch, go to page 5-16: “Configuring RADIUS Accounting”...
Page 107 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication For example, suppose you have configured the switch as shown in figure 5-3 and you now need to make the following changes: Change the encryption key for the server at 10.33.18.127 to “source0127”. 2. Add a RADIUS server with an IP address of 10.33.18.119 and a server- specific encryption key of “source0119”.
Page 108: Configure The Switch's Global Radius Parameters
RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication 3. Configure the Switch’s Global RADIUS Parameters You can configure the switch for the following global RADIUS parameters: Number of login attempts: In a given session, specifies how many ■ tries at entering the correct username and password pair are allowed before access is denied and the session terminated.
Page 109 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication dead-time < 1 - 1440 > Optional. Specifies the time in minutes during which the switch will not attempt to use a RADIUS server that has not responded to an earlier authentication attempt. (Default: 0;...
Page 110 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-5. Example of Global Configuration Exercise for RADIUS Authentication After two attempts failing due to username or password entry errors, the switch will terminate the session. Global RADIUS parameters from figure 5-5.
Page 111: Local Authentication Process
RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: “Local” is the authentication option for the access method being used. ■...
Page 112: Controlling Web Browser Interface Access When Using Radius Authentication
RADIUS Authentication and Accounting Controlling Web Browser Interface Access When Using RADIUS Authentication Controlling Web Browser Interface Access When Using RADIUS Authentication Configuring the switch for RADIUS authentication does not affect web browser interface access. To prevent unauthorized access through the web browser interface, do one or more of the following: ■...
Page 113: Configuring Radius Accounting
RADIUS Authentication and Accounting Configuring RADIUS Accounting Note This section assumes you have already: Configured RADIUS authentication on the switch for one or more ■ access methods ■ Configured one or more RADIUS servers to support the switch If you have not already done so, refer to “General RADIUS Setup Procedure” on page 5-5 before continuing here.
Page 114: Operating Rules For Radius Accounting
RADIUS Authentication and Accounting Configuring RADIUS Accounting The switch forwards the accounting information it collects to the designated RADIUS server, where the information is formatted, stored, and managed by the server. For more information on this aspect of RADIUS accounting, refer to the documentation provided with your RADIUS server.
Page 115 RADIUS Authentication and Accounting Configuring RADIUS Accounting – Optional—if you are also configuring the switch for RADIUS authentication, and need a unique encryption key for use during authentication sessions with the RADIUS server you are desig nating, configure a server-specific key. This key overrides the global encryption key you can also configure on the switch, and must match the encryption key used on the specified RADIUS server.
Page 116 RADIUS Authentication and Accounting Configuring RADIUS Accounting Syntax: [no] radius-server host < ip-address > Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. [acct-port < port-number >] Optional. Changes the UDP destination port for accounting requests to the specified RADIUS server.
Page 117 RADIUS Authentication and Accounting Configuring RADIUS Accounting Because the radius-server command includes an acct-port element with a non- default 1750, the switch assigns this value to the accounting port UDP port numbers. Because auth-port was not included in the command, the authentication UDP port is set to the default 1812.
Page 118 RADIUS Authentication and Accounting Configuring RADIUS Accounting Start-Stop: ■ • Send a start record accounting notice at the beginning of the account ing session and a stop record notice at the end of the session. Both notices include the latest data the switch has collected for the requested accounting type (Network, Exec, or System).
Page 119 RADIUS Authentication and Accounting Configuring RADIUS Accounting 3. (Optional) Configure Session Blocking and Interim Updating Options These optional parameters give you additional control over accounting data. Updates: In addition to using a Start-Stop or Stop-Only trigger, you ■ can optionally configure the switch to send periodic accounting record updates to a RADIUS server.
Page 120: Viewing Radius Statistics
RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which.
Page 121 RADIUS Authentication and Accounting Viewing RADIUS Statistics Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting- Request that matched it from this RADIUS accounting server. PendingRequests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.
Page 122: Radius Authentication Statistics
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Authentication Statistics Syntax: show authentication Displays the primary and secondary authentication meth ods configured for the Console, Telnet, Port-Access (802.1x), and SSH methods of accessing the switch. Also displays the number of access attempts currently allowed in a session. show radius authentication Displays NAS identifier and data on the configured RADIUS server and the switch’s interactions with this server.
Page 123: Radius Accounting Statistics
RADIUS Authentication and Accounting Viewing RADIUS Statistics RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppres sion status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) config ured in the switch (using the radius-server host command). show accounting sessions Lists the accounting sessions currently active on the switch.
Page 124: Changing Radius-Server Access Order
RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-16. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command. Also, when you add a new server IP address, it is placed in the highest empty position in the list.
Page 125 RADIUS Authentication and Accounting Changing RADIUS-Server Access Order To exchange the positions of the addresses so that the server at 10.10.10.003 will be the first choice and the server at 10.10.10.001 will be the last, you would do the following: 1. Delete 10.10.10.003 from the list.
Page 126: Messages Related To Radius Operation
RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch.
Page 127 Configuring Secure Shell (SSH) Contents Overview ........... . . 6-2 Terminology .
Page 128: Configuring Secure Shell (Ssh)
Configuring Secure Shell (SSH) Overview Overview Feature Default Menu Generating a public/private key pair on the switch page 6-10 Using the switch’s public key page 6-12 Enabling SSH Disabled page 6-15 Enabling client public-key authentication Disabled pages 6-19, 6-22 Enabling user authentication Disabled page 6-18 The Series 5300XL switches use Secure Shell version 1 or 2 (SSHv1 or SSHv2)
Page 129: Terminology
Configuring Secure Shell (SSH) Terminology Note SSH in the HP Procurve Series 5300XL switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit http:// www.openssh.com . Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication show in figure 6-1.
Page 130 Configuring Secure Shell (SSH) Terminology PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted ■ client public-key that has been encoded for portability and efficiency. SSHv2 client public-keys are typically stored in the PEM format. See figures 6-3 and 6-4 for examples of PEM-encoded ASCII and non- encoded ASCII keys.
Page 131: Prerequisite For Using Ssh
Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), then the client program must have the capability to generate or import keys.
Page 132: Steps For Configuring And Using Ssh For Switch And Client
Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 6-1.
Page 133 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 6-9). Generate a public/private key pair on the switch (page 6-10). You need to do this only once.
Page 134: General Operating Rules And Notes
Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 keys client key pairs. The switch’s own public/private key pair and the (optional) client ■...
Page 135: Assigning A Local Login (Operator) And Enable (Manager)
1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
Page 136: Generating The Switch's Public And Private Key Pair
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-5. Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.
Page 137 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be "permanent";...
Page 138: Providing The Switch's Public Key To Clients
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation For example, to generate and display a new key: Host Public Key for the Switch Version 1 and Version 2 views of same host public key Figure 6-6. Example of Generating a Public/Private Host Key Pair for the Switch The 'show crypto host-public-key' displays it in two different formats because your client may store it in either of these formats after learning the key.
Page 139 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below. The public key generated by the switch consists of three parts, separated by one blank space each: Bit Size Exponent <e>...
Page 140 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation 4. Add any data required by your SSH client application. For example Before saving the key to an SSH client’s "known hosts" file you may have to insert the switch’s IP address: Modulus <n>...
Page 141: Enabling Ssh On The Switch And Anticipating Ssh Client Contact Behavior
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 6-10. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 6-10 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host”...
Page 142 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you have not copied the switch’s public key into the client, your client’s first connection to the switch will question the connection and, for security reasons, give you the option of accepting or refusing.
Page 143 896 bits. N o t e o n P o r t HP recommends using the default TCP port number (22). However, you can Num b er use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes.
Page 144: Configuring The Switch For Ssh Authentication
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation C a u t i o n Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you.
Page 145 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< local | none >] Configures a password method for the primary and second ary login (Operator) access. If you do not specify an optional secondary method, it defaults to none.
Page 146 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation C a u t i o n To allow SSH access only to clients having the correct public key, you must configure the secondary (password) method for login public-key to none. Otherwise a client without the correct public key can still gain entry by submitting a correct local login password.
Page 147: Use An Ssh Client To Access The Switch
Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-13 shows how to check the results of the above commands. Lists the current SSH authentication configuration. Shows the contents of the public key file downloaded with the copy tftp command in figure 6-12.
Page 148: Further Information On Ssh Client Public-Key
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Further Information on SSH Client Public-Key Authentication The section titled “5. Configuring the Switch for SSH Authentication” on page 6-18 lists the steps for configuring SSH authentication on the switch. However, if you are new to SSH or need more details on client public-key authentication, this section may be helpful.
Page 149: Authentication
Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 3. If there is not a match, and you have not configured the switch to accept a login password as a secondary authentication method, the switch denies SSH access to the client. If there is a match, the switch: Generates a random sequence of bytes.
Page 150 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Notes Comments in public key files, such as smith@support.cairns.com in figure 6-14, may appear in a SSH client application’s generated public key. While such comments may help to distinguish one key from another, they do not pose any restriction on the use of a key by multiple clients and/or users.
Page 151 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication N o t e o n P u b l i c The actual content of a public key entry in a public key file is determined by K e ys the SSH client application generating the key.
Page 152 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: clear crypto public-key Deletes the client-public-key file from the switch. Syntax: clear crypto public-key 3 Deletes the entry with an index of 3 from the client-public-key file on the switch. Enabling Client Public-Key Authentication.
Page 153: Messages Related To Ssh Operation
Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning Indicates an error in communicating with the tftp server or 00000K Peer unreachable. not finding the file to download. Causes include such factors • Incorrect IP configuration on the switch •...
Page 154 Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning After you execute the crypto key generate ssh [rsa] Generating new RSA host key. If the command, the switch displays this message while it cache is depleted, this could take up to is generating the key.
Page 155 Configuring Secure Socket Layer (SSL) Contents Overview ........... . . 7-2 Terminology .
Page 156: Configuring Secure Socket Layer (Ssl)
The authentication type includes server certificate authentication with user password authentication. Note SSL in the HP Procurve Series 5300XL switches is based on the OpenSSL software toolkit. For more information on OpenSSL, visit http:// www.openssl.com .
Page 157: Terminology
ProCurve Switches use RSA public key algorithms and Diffie-Hellman, and all references to a key mean keys generated using these algorithms unless otherwise noted Terminology SSL Server: An HP switch with SSL enabled. ■ Key Pair: Public/private pair of RSA keys generated by switch, of ■...
Page 158 Configuring Secure Socket Layer (SSL) Terminology CA-Signed Certificate: A certificate verified by a third party certif ■ icate authority (CA). Authenticity of CA-Signed certificates can be verified by an audit trail leading to a trusted root certificate. Root Certificate: A trusted certificate used by certificate authorities ■...
Page 159: Prerequisite For Using Ssl
Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring ssl include:...
Page 160: General Operating Rules And Notes
Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re- generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all manage ment stations (clients) you previously set up for SSL access to the switch.
Page 161: Configuring The Switch For Ssl Operation
1. Assigning a Local Login (Operator) and Enable (Manager)Password At a minimum, HP recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.
Page 162 Using the web browser interface To Configure Local Passwords. You can configure both the Operator and Manager password on one screen. To access the web browser interface see the Series 5300XL switches Management and Configuration guide Chapter titled “Using the HP Web Browser Interface”. Security Tab Password Button Figure 7-2.
Page 163: Generating The Switch's Server Host Certificate
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation 2. Generating the Switch’s Server Host Certificate You must generate a server certificate on the switch before enabling SSL. The switch uses this server certificate, along with a dynamically generated session key pair to negotiate an encryption method and session with a browser trying to connect via SSL to the switch.
Page 164 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To Generate or Erase the Switch’s Server Certificate with the Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate automatically disables SSL.
Page 165 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Comments on certificate fields. There are a number arguments used in the generation of a server certificate. table 7-1, “Certificate Field Descriptions” describes these arguments. Table 7-1. Certificate Field Descriptions Field Name Description Valid Start Date...
Page 166 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Notes “Zeroizing” the switch’s server host certificate or key automatically disables SSL (sets web-management ssl to No). Thus, if you zeroize the server host certificate or key and then generate a new key and server certificate, you must also re-enable SSL with the web-management ssl command before the switch can resume SSL operation.
Page 167 You can configure SSL from the web browser interface. For more information on how to access the web browser interface see the Series 5300XL switches Management and Configuration guide Chapter titled “Using the HP Web Browser Interface”. To generate a self signed host certificate from the web browser interface: Proceed to the Security tab then the SSL button.
Page 168 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers inter- face: Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments Figure 7-5.
Page 169 To install a CA-Signed server host certificate from the web browser interface. For more information on how to access the web browser interface see the Series 5300XL switches Management and Configuration guide Chapter titled “Using the HP Web Browser Interface”. 7-15...
Page 170 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.
Page 171: Enabling Ssl On The Switch And Anticipating Ssl Browser Contact Behavior
Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----- MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMBIGA1UEChMLT3Bwb3J0dW5pdGkxGDAW BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0+aMcXgVruVixw/xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B Figure 7-7. Request for Verified Host Certificate Web Browser Interface Screen 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior he web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients.
Page 172 Switch’s Server Host Certificate” on page 7-9. When configured for SSL, the switch uses its host certificate to authenticate itself to SSL clients, however unless you disable the standard HP web browser interface with the no web-management command it will be still available for unsecured transactions.
Page 173 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI interface to enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443).
Page 174 Figure 7-8. Using the web browser interface to enable SSL and select TCP port number N o t e o n P o r t HP recommends using the default IP port number (443). However, you can Num b er use web-management ssl tcp-port to specify any TCP port for SSL connections except those reserved for other purposes.
Page 175: Common Errors In Ssl Setup
Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 7-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host...
Page 176 Configuring Secure Socket Layer (SSL) Common Errors in SSL setup — This page is intentionally unused. — 7-22...
Page 177 Configuring Port-Based Access Control (802.1x) Contents Overview ........... . . 8-2 How 802.1x Operates .
Page 178: Configuring Port-Based Access Control (802.1X)
Configuring Port-Based Access Control (802.1x) Overview Overview Feature Default Menu Configuring Switch Ports as 802.1x Authenticators Disabled page 8-14 Configuring 802.1x Open VLAN Mode Disabled page 8-20 Configuring Switch Ports to Operate as 802.1x Supplicants Disabled page 8-33 Displaying 802.1x Configuration, Statistics, and Counters page 8-37 How 802.1x Affects VLAN Operation page 8-43...
Page 179 Configuring Port-Based Access Control (802.1x) Overview Local authentication of 802.1x clients using the switch’s local user- ■ name and password (as an alternative to RADIUS authentication). Temporary on-demand change of a port’s VLAN membership status ■ to support a current client’s session. (This does not include ports that are members of a trunk.) ■...
Page 180 Configuring Port-Based Access Control (802.1x) Overview Authenticating One Switch to Another. 802.1x authentication also enables the switch to operate as a supplicant when connected to a port on another switch running 802.1x authentication. Switch Running 802.1x and Operating as an Authenticator 802.1x-Aware Client (Supplicant)
Page 181: How 802.1X Operates
Configuring Port-Based Access Control (802.1x) How 802.1x Operates How 802.1x Operates Authenticator Operation This operation provides security on a direct, point-to-point link between a single client and the switch, where both devices are 802.1x-aware. (If you expect desirable clients that do not have the necessary 802.1x supplicant software, you can provide a path for downloading such software by using the 802.1x Open VLAN mode—refer to “802.1x Open VLAN Mode”...
Page 182: Switch-Port Supplicant Operation
Configuring Port-Based Access Control (802.1x) How 802.1x Operates Switch-Port Supplicant Operation This operation provides security on links between 802.1x-aware switches. For example, suppose that you want to connect two switches, where: Switch “A” has port A1 configured for 802.1x supplicant operation. ■...
Page 183: Terminology
Authenticator: In HP Procurve switch applications, a device such as a Series 5300XL switch that requires a supplicant to provide the proper credentials (username and password) before being allowed access to the network.
Page 184 Configuring Port-Based Access Control (802.1x) Terminology EAP (Extensible Authentication Protocol): EAP enables network access that supports multiple authentication methods. as defined in the EAPOL: Extensible Authentication Protocol Over LAN, 802.1x standard Friendly Client: A client that does not pose a security risk if given access to the switch and your network.
Page 185: General Operating Rules And Notes
Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes member of that VLAN as long as at least one other port on the switch is statically configured as a tagged or untagged member of the same Unau thorized-Client VLAN. Untagged VLAN Membership: A port can be an untagged member of only one VLAN.
Page 186 Configuring Port-Based Access Control (802.1x) General Operating Rules and Notes If a client already has access to a switch port when you configure the ■ port for 802.1x authenticator operation, the port will block the client from further network access until it can be authenticated. ■...
Page 187: General Setup Procedure For Port-Based Access Control
1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1x configuration, HP recommends that you use a local username and password pair at least until your other security measures are in place.)
Page 188: Overview: Configuring 802.1X Authentication On The Switch
Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) Overview: Configuring 802.1x Authentication on the Switch This section outlines the steps for configuring 802.1x on the switch. For detailed information on each step, refer to “Configuring the Switch for RADIUS Authentication”...
Page 189 Configuring Port-Based Access Control (802.1x) General Setup Procedure for Port-Based Access Control (802.1x) 7. If you are using Port Security on the switch, configure the switch to allow only 802.1x access on ports configured for 802.1x operation, and (if desired) the action to take if an unauthorized device attempts access through an 802.1x port.
Page 190: Configuring Switch Ports As 802.1X Authenticators
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Configuring Switch Ports as 802.1x Authenticators 802.1x Authentication Commands Page [no] aaa port-access authenticator < [ethernet] < port-list > 8-14 [control | quiet-period | tx-period | supplicant-timeout | 8-14 server -timeout | max-requests | reauth-period | auth-vid | unauth-vid | initialize | reauthenticate | clear-statistics] aaa authentication port-access...
Page 191 Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators Syntax: aaa port-access authenticator < port-list > Enables specified ports to operate as 802.1x authenti cators with current per- port authenticator configura tion. To activate configured 802.1x operation, you must enable 802.1x authentication.
Page 192 Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [server-timeout < 1 - 300 >] Sets the period of time the switch waits for a server response to an authentication request. If there is no response within the configured time frame, the switch assumes that the authentication attempt has timed out.
Page 193 Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators aaa port-access authenticator < port-list > (Syntax Continued) [initialize] On the specified ports, blocks inbound and outbound traffic and restarts the 802.1x authentication process. This happens only on ports configured with control auto and actively operating as 802.1x authenticators.
Page 194: Configure The 802.1X Authentication Method
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 3. Configure the 802.1x Authentication Method This task specifies how the switch will authenticate the credentials provided by a supplicant connected to a switch port configured as an 802.1x authenti cator.
Page 195: Enter The Radius Host Ip Address(Es)
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports as 802.1x Authenticators 4. Enter the RADIUS Host IP Address(es) If you selected either eap-radius or chap-radius for the authentication method, configure the switch to use 1 to 3 RADIUS servers for authentication. The following syntax shows the basic commands.
Page 196: 802.1X Open Vlan Mode
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Open VLAN Mode 802.1x Authentication Commands page 8-14 802.1x Supplicant Commands page 8-34 802.1x Open VLAN Mode Commands [no] aaa port-access authenticator [e] < port-list > page 8-29 [auth-vid < vlan-id >] [unauth-vid <...
Page 197: Use Models For 802.1X Open Vlan Modes
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 1. 1st Priority: The port joins a VLAN to which it has been assigned by a RADIUS server during authentication. 2. 2nd Priority: If RADIUS authentication does not include assigning port to a VLAN, then the switch assigns the port to the VLAN entered in the port’s 802.1x configuration as an Authorized-Client VLAN, if config...
Page 198 Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Table 8-1. 802.1x Open VLAN Mode Options 802.1x Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN •...
Page 199 Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 802.1x Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
Page 200: Operating Rules For Authorized-Client And Unauthorized-Client
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized- These must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1x authenticator port to use them. (Use the vlan < vlan-id > command or the VLAN Menu screen in the Menu interface.) VLAN Assignment Received from a If the RADIUS server specifies a VLAN for an authenticated supplicant...
Page 201 Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Condition Rule Effect of Authorized-Client VLAN • When a client becomes authenticated on a port that is already configured with a static, untagged VLAN, the switch temporarily session on untagged port VLAN moves the port to the Authorized-Client VLAN (also untagged).
Page 202: Setting Up And Configuring 802.1X Open Vlan Mode
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Setting Up and Configuring 802.1x Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 8-1 on page 8-22 for other options. Before you configure the 802.1x Open VLAN mode on a port: Statically configure an “Unauthorized-Client VLAN”...
Page 203 Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges.
Page 204 Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > Adds a server to the RADIUS configuration.
Page 205 Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Configuring 802.1x Open VLAN Mode. Use these commands to actually configure Open VLAN mode. For a listing of the steps needed to prepare the switch for using Open VLAN mode, refer to “Preparation” on page 8-26. Syntax: aaa port-access authenticator [e] <...
Page 206: 802.1X Open Vlan Operating Notes
Configuring Port-Based Access Control (802.1x) 802.1x Open VLAN Mode Inspecting 802.1x Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1x Open VLAN Mode Status” on page 8-39. 802.1x Open VLAN Operating Notes ■...
Page 207: Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X Devices
Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices If an authenticated client loses authentication during a session in ■ 802.1x Open VLAN mode, the port VLAN membership reverts back to the Unauthorized-Client VLAN. If there is no Unauthorized-Client VLAN configured, then the client loses access to the port until it can reauthenticate itself.
Page 208 Configuring Port-Based Access Control (802.1x) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1x Devices N o t e o n If the port’s 802.1x authenticator control mode is configured to authorized (as B l o c k i n g a N o n - shown below, instead of auto), then the first source MAC address from any 80 2 .
Page 209: Configuring Switch Ports To Operate As Supplicants For 802.1X Connections To Other Switches
Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 802.1x Authentication Commands page 8-14 802.1x Supplicant Commands [no] aaa port-access < supplicant < [ethernet] < port-list > page 8-34...
Page 210 Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches 1. When port A1 on switch “A” is first connected to a port on switch “B”, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch “B”.
Page 211 Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches Configuring a Supplicant Switch Port. Note that you must enable suppli cant operation on a port before you can change the supplicant configuration. This means you must execute the supplicant command once without any other parameters, then execute it again with a supplicant parameter you want to configure.
Page 212 Configuring Port-Based Access Control (802.1x) Configuring Switch Ports To Operate As Supplicants for 802.1x Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [auth-timeout < 1 - 300 >] Sets the period of time the port waits to receive a challenge from the authenticator.
Page 213: Displaying 802.1X Configuration, Statistics, And Counters
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Displaying 802.1x Configuration, Statistics, and Counters 802.1x Authentication Commands page 8-14 802.1x Supplicant Commands page 8-33 802.1x Open VLAN Mode Commands page 8-20 802.1x-Related Show Commands show port-access authenticator below show port-access supplicant page 8-42...
Page 214 Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters show port-access authenticator (Syntax Continued) config [[e] < port-list >] Shows: • Whether port-access authenticator is active • The 802.1x configuration of the ports configured as 802.1x authenticators If you do not specify < port-list >, the command lists all ports configured as 802.1x port-access authenticators.
Page 215: Viewing 802.1X Open Vlan Mode Status
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Viewing 802.1x Open VLAN Mode Status You can examine the switch’s current VLAN status by using the show port- access authenticator and show vlan < vlan-id > commands as illustrated in this section.
Page 216 Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters When the Unauth VLAN ID is configured and matches the Current VLAN ■ ID in the above command output, an unauthenticated client is connected to the port. (This assumes the port is not a statically configured member of the VLAN you are using for Unauth VLAN.) Note that because a temporary Open VLAN port assignment to either an authorized or unauthorized VLAN is an untagged VLAN membership, these...
Page 217 Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Status Indicator Meaning Unauthorized VLAN < vlan-id >: Lists the VID of the static VLAN configured as the unauthorized VLAN for the indicated port. 0: No unauthorized VLAN has been configured for the indicated port. <...
Page 218: Show Commands For Port-Access Supplicant
Configuring Port-Based Access Control (802.1x) Displaying 802.1x Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [[e] < port-list >] [statistics] show port-access supplicant [[e] < port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port- list >...
Page 219: How Radius/802.1X Authentication Affects Vlan Operation
Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1x Authentication Affects VLAN Operation Static VLAN Requirement.
Page 220 Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1x-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1x client requires access...
Page 221 Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1x session. This is to accommodate an 802.1x client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22.
Page 222 Configuring Port-Based Access Control (802.1x) How RADIUS/802.1x Authentication Affects VLAN Operation When the 802.1x client’s session on port A2 ends, the port discards the temporary untagged VLAN membership. At this time the static VLAN actually configured as untagged on the port again becomes available. Thus, when the RADIUS-authenticated 802.1x session on port A2 ends, VLAN 22 access on port A2 also ends, and the untagged VLAN 33 access on port A2 is restored.
Page 223: Messages Related To 802.1X Operation
Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation Messages Related to 802.1x Operation Table 8-2. 802.1x Operating Messages Message Meaning The ports in the port list have not been enabled as 802.1x Port < port-list > is not an authenticator.
Page 224 Configuring Port-Based Access Control (802.1x) Messages Related to 802.1x Operation — This page is intentionally unused. — 8-48...
Page 225 Configuring and Monitoring Port Security Contents Overview ........... . . 9-2 Basic Operation .
Page 226: Overview
Configuring and Monitoring Port Security Overview Overview Feature Default Menu Displaying Current Port Security n/a — page 9-6 page 9-29 Configuring Port Security disabled — page 9-8 page 9-29 Retention of Static Addresses page 9-13 MAC Lockdown page 9-18 MAC Lockout page 9-26 Intrusion Alerts and Alert Flags 2page 9-35...
Page 227: Blocking Unauthorized Traffic
Once you have configured port security, you can then monitor the network for security violations through one or more of the following: ■ Alert flags that are captured by network management tools such as HP ProCurve Manager Alert Log entries in the switch’s web browser interface ■...
Page 228: Trunk Group Exclusion
Configuring and Monitoring Port Security Overview Physical Topology Logical Topology for Access to Switch A Switch A Switch A Port Security Port Security Configured Configured PC 1 PC 1 MAC Address MAC Address Authorized by Switch A Authorized by Switch A Switch B Switch B PC 2...
Page 229: Planning Port Security
Configuring and Monitoring Port Security Planning Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? c. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmit...
Page 230: Port Security Command Options And Operation
Configuring and Monitoring Port Security Port Security Command Options and Operation Port Security Command Options and Operation Port Security Commands Used in This Section show port-security port-security < port-list > learn-mode address-limit 9-11 mac-address 9-11 action 9-12 clear-intrusion-flag 9-12 no port-security 9-12 This section describes the CLI port security command and how the switch acquires and maintains authorized addresses.
Page 231 Configuring and Monitoring Port Security Port Security Command Options and Operation Without port parameters, displays Operating Control settings show port-security for all ports on a switch. For example: Figure 9-2. Example Port Security Listing (Ports A7 and A8 Show the Default Setting) With port numbers included in the command, show port-security displays Learn Mode, Address Limit, (alarm) Action, and Authorized Addresses for the spec...
Page 232: Configuring Port Security
Configuring and Monitoring Port Security Port Security Command Options and Operation Configuring Port Security Using the CLI, you can: ■ Configure port security and edit security settings. Add or delete devices from the list of authorized addresses for one or more ■...
Page 233 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port.
Page 234 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) Caution: When you use the static parameter with a device limit greater than the number of MAC addresses you specify with mac-address, an unwanted device can become “authorized”.
Page 235 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) limited-continuous (continued): The default address-limit is 1 but may be set for each port to learn up to 32 addresses. The default action is none.
Page 236 Configuring and Monitoring Port Security Port Security Command Options and Operation Syntax: port-security (Continued) action < none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port.
Page 237: Retention Of Static Addresses
Configuring and Monitoring Port Security Port Security Command Options and Operation Retention of Static Addresses Learned Addresses. In the following two cases, a port in Static learn mode retains a learned MAC address even if you later reboot the switch or disable port security for that port: ■...
Page 238 Configuring and Monitoring Port Security Port Security Command Options and Operation Specifying Authorized Devices and Intrusion Responses. This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port. (The default device limit is 1.) It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port.
Page 239 Configuring and Monitoring Port Security Port Security Command Options and Operation Adding an Authorized Device to a Port. To simply add a device (MAC address) to a port’s existing Authorized Addresses list, enter the port number with the mac-address parameter and the device’s MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value).
Page 240 Configuring and Monitoring Port Security Port Security Command Options and Operation (The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode.
Page 241 Configuring and Monitoring Port Security Port Security Command Options and Operation Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. (An Authorized Address list is available for each port for which Learn Mode is currently set to “Static”.
Page 242: Mac Lockdown
Configuring and Monitoring Port Security MAC Lockdown The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: HPswitch(config)# port-security a1 address-limit 1 HPswitch(config)# no port-security a1 mac-address 0c0090- 123456 The above command sequence results in the following configuration for port Figure 9-8.
Page 243 Configuring and Monitoring Port Security MAC Lockdown You will need to enter a separate command for each MAC/VLAN pair you wish to lock down. If you do not specify a VLAN ID (VID) the switch inserts a VID of “1”. How It Works.
Page 244: Differences Between Mac Lockdown And Port Security
Configuring and Monitoring Port Security MAC Lockdown Other Useful Information. Once you lock down a MAC address/VLAN pair on one port that pair cannot be locked down on a different port. You cannot perform MAC Lockdown and 802.1x authentication on the same port or on the same MAC address.
Page 245 Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown Operating Notes There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch.
Page 246: Deploying Mac Lockdown
Configuring and Monitoring Port Security MAC Lockdown Deploying MAC Lockdown When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as “meshing” or Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.
Page 247 Configuring and Monitoring Port Security MAC Lockdown There is no need to lock MAC addresses on switches in the Internal Core Network Server A 5300 5300 Switch Switch Internal Core Network 5300 5300 Switch Switch Network Edge Lock Server A to these ports Switch 1 Switch 2...
Page 248 Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
Page 249 Configuring and Monitoring Port Security MAC Lockdown Internal Network PROBLEM: If this link fails, Server A traffic to Server A will not use the backup path via Switch 3 Switch 3 Switch 4 Server A is locked down to Switch 1, Uplink 2 Switch 2 Switch 1 External...
Page 250: Mac Lockout
Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any traffic to or from the “locked-out” MAC address will be dropped. This means that all data packets addressed to or from the given address are stopped by the switch.
Page 251 Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1x authenti cation. You cannot use MAC Lockout to lock: • Broadcast or Multicast Addresses (Switches do not learn these) • Switch Agents (The switch’s own MAC Address) If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file: Lockout logging format:...
Page 252 Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in conjunction with port-security.
Page 253: Web: Displaying And Configuring Port Security Features
Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features Click on the Security tab. Click on [Port Security] 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field.
Page 254: How The Intrusion Log Operates
The Intrusion Log in the Security | Intrusion Log window lists per-port security violation entries • In network management applications such as HP ProCurve Manager via an SNMP trap sent to a network management station How the Intrusion Log Operates When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log.
Page 255: Keeping The Intrusion Log Current By Resetting Alert Flags
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.
Page 256 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen. From the Main Menu select: 1.
Page 257 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 9-12 on page 9-32) does not indicate an intrusion for port A1, the alert flag for the intru sion on port A1 has already been reset. •...
Page 258 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Clear intrusion flags on all ports. port-security [e] < port-number > clear-intrusion-flag Clear the intrusion flag on one or more specific ports. In the following example, executing show interfaces brief lists the switch’s port status, which indicates an intrusion alert on port A1.
Page 259: Using The Event Log To Find Intrusion Alerts
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags To clear the intrusion from port A1 and enable the switch to enter any subsequent intrusion for port A1 in the Intrusion Log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, you will see that the Intrusion Alert entry for port A1 has changed to “No”.
Page 260: Web: Checking For Intrusions, Listing Intrusion Alerts, And Resetting Alert Flags
Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Log Command Log Listing with with Security Violation “security” for Detected Search Log Listing with No Security Violation Detected Figure 9-17. Example of Log Listing With and Without Detected Security Violations From the Menu Interface: In the Main Menu, click on 4.
Page 261: Operating Notes For Port Security
Operating Notes for Port Security Identifying the IP Address of an Intruder. The Intrusion Log lists detected intruders by MAC address. If you are using HP ProCurve Manager to manage your network, you can use the device properties page to link MAC addresses to their corresponding IP addresses.
Page 262 Configuring and Monitoring Port Security Operating Notes for Port Security HPswitch(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s). HPswitch(config)# The switch will not allow you to configure LACP on a port on which port security is enabled.
Page 263 Using Authorized IP Managers Contents Overview ........... . 10-2 Options .
Page 264: Using Authorized Ip Managers
Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu Listing (Showing) Authorized page 10-5 page 10-6 page 10-8 Managers Configuring Authorized IP None page 10-5 page 10-6 page 10-8 Managers Building IP Masks page 10-9 page 10-9 page 10-9 Operating and Troubleshooting page 10-12 page 10-12 page 10-12...
Page 265: Options
Using Authorized IP Managers Options Options You can configure: Up to 10 authorized manager addresses, where each address applies ■ to either a single management station or a group of stations Manager or Operator access privileges ■ C a u t i o n Configuring Authorized IP Managers does not protect access to the switch through a modem or direct connection to the Console (RS-232) port.
Page 266: Defining Authorized Management Stations
Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations Authorizing Single Stations: The table entry authorizes a single ■ management station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Authorized Manager IP column, and leave the IP Mask set to 255.255.255.255.
Page 267: Menu: Viewing And Configuring Ip Authorized Managers
Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 10-9. Note The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch.
Page 268: Cli: Viewing And Configuring Authorized Ip Managers
Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See “Building IP Masks”...
Page 269 Using Authorized IP Managers Defining Authorized Management Stations The above example shows an Authorized IP Manager List that allows stations to access the switch as shown below: IP Mask Authorized Station IP Address: Access Mode: 255.255.255.252 10.28.227.100 through 103 Manager 255.255.255.254 10.28.227.104 through 105 Manager...
Page 270: Web: Configuring Ip Authorized Managers
Using Authorized IP Managers Web: Configuring IP Authorized Managers • Access Level: Manager To Edit an Existing Manager Access Entry. To change the mask or access level for an existing entry, use the entry’s IP address and enter the new value(s).
Page 271: Building Ip Masks
Using Authorized IP Managers Building IP Masks Building IP Masks The IP Mask parameter controls how the switch uses an Authorized Manager IP value to recognize the IP addresses of authorized manager stations on your network. Configuring One Station Per Authorized Manager IP Entry This is the easiest way to apply a mask.
Page 272: Configuring Multiple Stations Per Authorized Manager Ip Entry
Using Authorized IP Managers Building IP Masks Configuring Multiple Stations Per Authorized Manager IP Entry The mask determines whether the IP address of a station on the network meets the criteria you specify. That is, for a given Authorized Manager entry, the switch applies the IP mask to the IP address you specify to determine a range of authorized IP addresses for management access.
Page 273 Using Authorized IP Managers Building IP Masks Figure 10-5. Analysis of IP Mask for Multiple-Station Entries Manager-Level or Operator-Level Device Access Octet Octet Octet Octet IP Mask The “255” in the first three octets of the mask specify that only the exact value in the octet of the corresponding IP address is allowed.
Page 274: Additional Examples For Authorizing Multiple Stations
Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Results Manager List IP Mask 255 255 0 This combination specifies an authorized IP address of 10.33.xxx.1. It could be applied, for example, to a subnetted network where each subnet is defined by the Authorized 248 1 third octet and includes a management station defined by the value of “1”...
Page 275 Using Authorized IP Managers Operating Notes • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch. To do so, add the IP address or DNS name of the switch to the non-proxy, or “Exceptions”...
Page 276 Using Authorized IP Managers Operating Notes — This page is intentionally unused. — 10-14...
Page 277 Key Management System Contents Overview ........... . 11-2 Terminology .
Page 278: Key Management System
Key Management System Overview Overview HP Procurve Series 5300XL switches provide support for advanced routing capabilities. Security turns out to be extremely important as complex net- works and the internet grow and become a part of our daily life and business.
Page 279: Configuring Key Chain Management
Key Management System Configuring Key Chain Management Configuring Key Chain Management KMS-Related CLI Commands in This Section Page show key-chain < chain_name > page 11-3 [ no ] key-chain chain_name page 11-3 [ no ] key-chain chain_name key Key_ID page 11-4 The Key Management System (KMS) has three configuration steps: Create a key chain entry.
Page 280: Assigning A Time-Independent Key To A Chain
Key Management System Configuring Key Chain Management Add new key chain Entry “Procurve1”. Display key chain entries. Figure 11-1. Adding a New Key Chain Entry After you add an entry, you can assign key(s) to it for use by a KMS-enabled protocol.
Page 281: Assigning Time-Dependent Keys To A Chain
Key Management System Configuring Key Chain Management Adds a new Time-Independent key to the “Procurve1” chain. Displays keys in the key chain entry. Figure 11-2. Example of Adding and Displaying a Time-Independent Key to a Key Chain Entry Assigning Time-Dependent Keys to a Chain A time-dependent key has Accept or Send time constraints.
Page 282 Key Management System Configuring Key Chain Management duration < mm/dd/yy [ yy ] hh:mm:ss | SECONDS > Specifies the time period during which the switch can use this key to authenticate inbound packets. Duration is either an end date and time or the number of seconds to allow after the start date and time (which is the accept-lifetime setting).
Page 283 Key Management System Configuring Key Chain Management Note Given transmission delays and the variations in the time value from switch to switch, it is advisable to include some flexibility in the Accept lifetime of the keys you configure. Otherwise, the switch may disregard some packets because either their key has expired while in transport or there are significant time variations between switches.
Page 284 Key Management System Configuring Key Chain Management The “Procurve1” key chain entry is a time-independent key and will not expire. “Procurve2” uses time-dependent keys, which result in this data: Expired = 1 Key 1 has expired because its lifetime ended at 8:10 on 01/18/03, the previous day.
Page 285 Index Numerics Clear button to delete password protection … 2-6 3DES … 6-3, 7-3 configuration 802.1x port security … 9-5 See port-based access control. RADIUS See RADIUS. See SSH. aaa authentication … 4-8 connection inactivity time … 2-3 aaa port-access console, for configuring See Web or MAC Authentication.
Page 286 accept key time … 11-5, 11-7 OpenSSH … 6-3 assigning a time-dependent key … 11-5 OpenSSL … 7-2 assigning a time-independent key … 11-4 operating notes generating a key chain … 11-3 authorized IP managers … 10-12 generating a time-dependent key … 11-5 port security …...
Page 287 EAP … 8-2 terminology … 8-7 EAPOL … 8-8 troubleshooting, gvrp … 8-43 eap-radius … 8-18 used with port-security … 8-31 enabling on ports … 8-14 VLAN operation … 8-43 enabling on switch … 8-19 prior to … 9-33, 9-34, 9-37 features …...
Page 288 show authentication … 5-26 man-in-the-middle spoofing … 6-16 SNMP access security not supported … 5-2 messages, operating … 6-27 statistics, viewing … 5-24 OpenSSH … 6-3 terminology … 5-3 operating rules … 6-8 TLS … 5-4 outbound SSH not secure … 6-8 web-browser access controls …...
Page 289 operating rules … 7-6 server priority … 4-18 passwords, assigning … 7-7 setup, general … 4-5 prerequisites … 7-5 show authentication … 4-8 remove self-signed certificate … 7-10 supported features … 4-3 remove server host certificate … 7-10 system requirements … 4-5 reserved TCP port numbers …...
Page 290 features … 3-4 general setup … 3-12 LACP not allowed … 3-11 redirect URL … 3-9 rules of operation … 3-10 show status and configuration … 3-25 terminology … 3-8 web browser interface, for configuring port security … 9-36 authorized IP managers … 10-7, 10-8 web browser interface, for configuring port security …...
Page 292 Technical information in this document is subject to change without notice. ©Copyright 2000-2004 Hewlett-Packard Development Company, L.P. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws. Edition 1, February 2004 Manual Part Number 5990-6052...

HP procurve 5300xl Series Access Security Manual

Quick Links

Related Manuals for HP procurve 5300xl Series

Summary of Contents for HP procurve 5300xl Series