1. Manuals
  2. Brands
  3. ProCurve Manuals
  4. Switch
  5. 2900
  6. Manual

ProCurve 2900 Manual

Hide thumbs
1
2
3
4
Table Of Contents
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
Table of Contents

Advertisement

Quick Links

Access Security Guide
2900
ProCurve Switches
T.13.01
www.procurve.com

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the 2900 and is the answer not in the manual?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for ProCurve 2900

Summary of Contents for ProCurve 2900

  • Page 1 Access Security Guide 2900 ProCurve Switches T.13.01 www.procurve.com...
  • Page 3 ProCurve Switch 2900 January 2008 T.13.01 Access Security Guide...
  • Page 4 Software Credits and Notices HEWLETT-PACKARD COMPANY MAKES NO WARRANTY SSH on ProCurve Switches is based on the OpenSSH soft- OF ANY KIND WITH REGARD TO THIS MATERIAL, ware toolkit. This product includes software developed by INCLUDING, BUT NOT LIMITED TO, THE IMPLIED the OpenSSH Project for use in the OpenSSH Toolkit.

  • Page 5: Table Of Contents

    Contents Product Documentation About Your Switch Manual Set ....... . . xiii Feature Index .
  • Page 6 Identity-Driven Manager (IDM) ....... 1-11 Dynamic Configuration Arbiter ....... 1-12 Network Immunity Manager .
  • Page 7 Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel ......2-29 Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear”...
  • Page 8 Configuring MAC Authentication on the Switch ....3-45 Overview ..........3-45 Configuration Commands for MAC Authentication .
  • Page 9 5 RADIUS Authentication and Accounting Contents ............5-1 Overview .
  • Page 10 2. Configure Accounting Types and the Controls for Sending Reports to the RADIUS Server ....5-38 3. (Optional) Configure Session Blocking and Interim Updating Options ......5-40 Viewing RADIUS Statistics .
  • Page 11 7 Configuring Secure Socket Layer (SSL) Contents ............7-1 Overview .
  • Page 12 Example ..........8-5 Named Source-Port Filters .
  • Page 13 Do These Steps Before You Configure 802.1X Operation ..9-15 Overview: Configuring 802.1X Authentication on the Switch ..9-18 Configuring Switch Ports as 802.1X Authenticators ... . 9-19 1.
  • Page 14 Show Commands for Port-Access Authenticator ....9-52 Viewing 802.1X Open VLAN Mode Status ..... . 9-61 Show Commands for Port-Access Supplicant .
  • Page 15 Notice of Security Violations ....... . 10-32 How the Intrusion Log Operates ......10-33 Keeping the Intrusion Log Current by Resetting Alert Flags .
  • Page 16 12 Key Management System Contents ........... . . 12-1 Overview .

  • Page 17: Product Documentation

    N o t e For the latest version of all ProCurve switch documentation, including Release Notes covering recently added features, visit the ProCurve Network­ ing Web Site at www.procurve.com, click on Technical support, and then click on Product manuals (all). xiii...

  • Page 18: Feature Index

    Product Documentation Feature Index For the manual set supporting your switch model, the following feature index indicates which manual to consult for information on a given software feature. Feature Management Advanced Multicast Access Traffic Security Configuration Management Routing Guide 802.1Q VLAN Tagging 802.1p Priority 802.1X Port-Based Authentication AAA Authentication...
  • Page 19 Product Documentation Feature Management Advanced Multicast Access Traffic Security Configuration Management Routing Guide Factory Default Settings Flow Control (802.3x) File Management File Transfers Friendly Port Names GVRP Identity-Driven Management (IDM) IGMP Interface Access (Telnet, Console/Serial, Web) IPv4 Addressing IPv6 Addressing (see the IPv6 Configuration Guide) IP Routing Jumbos Support LACP...
  • Page 20 Product Documentation Feature Management Advanced Multicast Access Traffic Security Configuration Management Routing Guide Network Management Applications (SNMP) OpenView Device Management Passwords and Password Clear Protection Ping Port Configuration Port Monitoring Port Security Port Status Port Trunking (LACP) Port-Based Access Control Port-Based Priority (802.1Q) Protocol Filters Protocol VLANS...
  • Page 21 Product Documentation Feature Management Advanced Multicast Access Traffic Security Configuration Management Routing Guide Spanning Tree (MSTP) SSHv2 (Secure Shell) Encryption SSLv3 (Secure Socket Layer) Stack Management Syslog System Information TACACS+ Authentication Telnet Access TFTP Tiered Dynamic Override Time Protocols (TimeP, SNTP) Traffic/Security Filters Troubleshooting USB Autorun...
  • Page 22 Product Documentation xviii...

  • Page 23: Security Overview

    Security Overview Contents Security Overview Contents Introduction ..........1-2 About This Guide .
  • Page 24 Security Overview Contents Dynamic Configuration Arbiter ....... 1-11 Network Immunity Manager ....... . . 1-12 Arbitrating Client-Specific Attributes .

  • Page 25: Introduction

    Security Overview Introduction Introduction Before you connect your switch to a network, ProCurve strongly recommends that you review the Security Overview beginning on page 1-3. It outlines the potential threats for unauthorized switch and network access, and provides guidelines on how to use the various security features available on the switch to prevent such access.

  • Page 26: Default Configuration Settings And Access Security

    Default Configuration Settings and Access Security In its default configuration, the switch is open to unauthorized access of various types. In addition to applying local passwords, ProCurve recommends that you consider using the switch’s other security features to provide a more complete security fabric.

  • Page 27: Snmp Access (Simple Network Management Protocol)

    1, 2c, and 3, including SNMP community and trap configuration. The default configuration supports versions 1 and 2c compatibility, which uses plain text and does not provide security options. ProCurve recommends that you enable SNMP version 3 for improved security. SNMPv3 includes the ability to configure restricted access and to block all non-version 3 messages (which blocks version 1 and 2c unprotected operation).

  • Page 28: Front-Panel Access And Physical Security

    Security Overview Switch Access Security restricting non-SNMPv3 agents to either read-only access or no access ■ ■ co-existing with SNMPv1 and v2c if necessary For information on SNMP, refer to “Using SNMP Tools To Manage the Switch” in the chapter titled “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch.

  • Page 29: Other Provisions For Management Access Security

    For more information, refer to Chapter 11, “Using Authorized IP Managers”. Secure Management VLAN This feature creates an isolated network for managing the ProCurve switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface, and Web browser interface access is restricted to ports configured as members of the VLAN.

  • Page 30: Network Security Features

    ■ 802.1X-compliant ProCurve switches For more information, refer to Chapter 9 “Configuring Port-Based and User- Based Access Control (802.1X)”. Web and MAC Authentication...

  • Page 31: Secure Shell (Ssh)

    Security Overview Network Security Features Secure Shell (SSH) SSH provides Telnet-like functions through encrypted, authenticated transac­ tions of the following types: ■ client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.

  • Page 32: Port Security, Mac Lockdown, And Mac Lockout

    Security Overview Network Security Features protocol filters: Inbound traffic having the selected frame (protocol) ■ type will be forwarded or dropped on a per-port (destination) basis. For details, refer to Chapter 8, “Traffic/Security Filters and Monitors”. Port Security, MAC Lockdown, and MAC Lockout The features listed below provide device-based access security in the follow­...

  • Page 33: Key Management System (Kms)

    Identity-Driven Manager (IDM) Key Management System (KMS) KMS is available in several ProCurve switch models and is designed to configure and maintain key chains for use with KMS-capable routing protocols that use time-dependent or time-independent keys. (A key chain is a set of keys with a timing mechanism for activating and deactivating individual keys.)

  • Page 34: Dynamic Configuration Arbiter

    Security Overview Dynamic Configuration Arbiter For more information on IDM, visit the ProCurve Web site at www.procurve.com, and click on Products and Solutions, then Identity Driven Manager (under Network Management). Dynamic Configuration Arbiter Starting in software release T.13.xx, the Dynamic Configuration Arbiter (DCA) is implemented to determine the client-specific parameters that are assigned in an authentication session.

  • Page 35: Network Immunity Manager

    Security Overview Dynamic Configuration Arbiter Network Immunity Manager Network Immunity Manager (NIM) is a plug-in to ProCurve Manager (PCM) and a key component of the ProCurve Network Immunity security solution that provides comprehensive detection and per-port-response to malicious traffic at the ProCurve network edge.

  • Page 36: Arbitrating Client-Specific Attributes

    Precedence is always given to the temporarily applied NIM-configured parameters over RADIUS-assigned and locally configured parameters. For more information on Network Immunity Manager, go to the ProCurve Web site at www.procurve.com, and click on Products and Solutions, then under Network Management, click on ProCurve Network Immunity Manager 1.0.
  • Page 37 Security Overview Dynamic Configuration Arbiter For information about how to configure RADIUS-assigned and locally config­ ured authentication settings, refer to: ■ RADIUS-assigned 802.1X authentication: “Configuring Port-Based and User-Based Access Control (802.1X)”chap­ ter of the Access Security Guide RADIUS-assigned Web or MAC authentication: ■...
  • Page 38 Security Overview Dynamic Configuration Arbiter 1-16...

  • Page 39: Configuring Username And Password Security

    Configuring Username and Password Security Contents Overview ........... . . 2-3 Configuring Local Password Security .
  • Page 40 Configuring Username and Password Security Contents Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel ......2-29 Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear”...

  • Page 41: Overview

    Configuring Username and Password Security Overview Overview Feature Default Menu Set Usernames none — — page 2-9 Set a Password none page 2-6 page 2-8 page 2-9 Delete Password Protection page 2-7 page 2-8 page 2-9 show front-panel-security — page 1-13 —...
  • Page 42 Configuring Username and Password Security Overview Level Actions Permitted Manager: Access to all console interface areas. This is the default level. That is, if a Manager password has not been set prior to starting the current console session, then anyone having access to the console can access any area of the console interface.
  • Page 43 Configuring Username and Password Security Overview N o t e s The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface. If you configure only a Manager password (with no Operator password), and in a later session the Manager password is not entered correctly in response to a prompt from the switch, then the switch does not allow management access for that session.

  • Page 44: Configuring Local Password Security

    Configuring Username and Password Security Configuring Local Password Security Configuring Local Password Security Menu: Setting Passwords As noted earlier in this section, usernames are optional. Configuring a user- name requires either the CLI or the web browser interface. From the Main Menu select: 3.
  • Page 45 Configuring Username and Password Security Configuring Local Password Security To Delete Password Protection (Including Recovery from a Lost Password): This procedure deletes all usernames (if configured) and pass­ words (Manager and Operator). If you have physical access to the switch, press and hold the Clear button (on the front of the switch) for a minimum of one second to clear all password protection, then enter new passwords as described earlier in this chapter.

  • Page 46: Cli: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security CLI: Setting Passwords and Usernames Commands Used in This Section password See below. Configuring Manager and Operator Passwords. N o t e The password command has changed. You can now configure manager and operator passwords in one step.

  • Page 47: Web: Setting Passwords And Usernames

    Configuring Username and Password Security Configuring Local Password Security If you want to remove both operator and manager password protection, use the no password all command. Web: Setting Passwords and Usernames In the web browser interface you can enter passwords and (optional) user- names.

  • Page 48: Saving Security Credentials In A

    By permanently saving a switch’s security credentials in a configuration file, you can upload the file to a TFTP server or Xmodem host, and later download the file to the ProCurve switches on which you want to use the same security settings without having to manually configure the settings (except for SNMPv3 user parameters) on each switch.

  • Page 49: Enabling The Storage And Display Of Security Credentials

    Configuring Username and Password Security Saving Security Credentials in a Config File By storing different security settings in different files, you can test ■ different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot the switch.

  • Page 50: Security Settings That Can Be Saved

    Configuring Username and Password Security Saving Security Credentials in a Config File Security Settings that Can Be Saved The security settings that can be saved to a configuration file are: ■ Local manager and operator passwords and user names SNMP security credentials, including SNMPv1 community names and ■...

  • Page 51: Password Command Options

    Configuring Username and Password Security Saving Security Credentials in a Config File Password Command Options The password command has the following options: Syntax: [no] password <manager | operator | port-access> [user-name <name>] <hash-type> <password> Set or clear a local username/password for a given access level. manager: configures access to the switch with manager-level privileges.

  • Page 52: Snmp Security Credentials

    Configuring Username and Password Security Saving Security Credentials in a Config File SNMP Security Credentials SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-credentials command. In addition, the following SNMPv3 security parameters are also saved: snmpv3 user “<name>"...

  • Page 53: Tacacs+ Encryption Key Authentication

    TACACS+ server application. (The encryption key is sometimes referred to as “shared secret” or “secret” key.) For more information, see “TACACS+ Authentication” on page 4-1 in this guide. TACACS+ shared secret (encryption) keys can be saved in a configuration file by entering this command: ProCurve(config)# tacacs-server key <keystring> 2-15...

  • Page 54: Radius Shared-Secret Key Authentication

    RADIUS server. SSH Client Public-Key Authentication Secure Shell version 2 (SSHv2) is used by ProCurve switches to provide remote access to SSH-enabled management stations. Although SSH provides Telnet-like functions, unlike Telnet, SSH provides encrypted, two-way authenticated transactions.
  • Page 55 Configuring Username and Password Security Saving Security Credentials in a Config File The SSH security credential that is stored in the running configuration file is configured with the ip ssh public-key command used to authenticate SSH clients for manager or operator access, along with the hashed content of each SSH client public-key.
  • Page 56 Configuring Username and Password Security Saving Security Credentials in a Config File To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command. The following example shows the SSH public keys configured for manager access, along with the hashed content of each SSH client public-key, that are stored in a configuration file: ...

  • Page 57: Operating Notes

    Configuring Username and Password Security Saving Security Credentials in a Config File Operating Notes C a u t i o n When you first enter the include-credentials command to save the ■ additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file.
  • Page 58 Configuring Username and Password Security Saving Security Credentials in a Config File • copy config <source-filename> config <target-filename>: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot.

  • Page 59: Restrictions

    Configuring Username and Password Security Saving Security Credentials in a Config File Restrictions The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command: ■ The private keys of an SSH host cannot be stored in the running configuration.
  • Page 60 Configuring Username and Password Security Saving Security Credentials in a Config File the username and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command. Note that the password port-access values are configured separately from local operator username and passwords configured with the password operator command and used for management access to the switch.

  • Page 61: Front-Panel Security

    Configuring Username and Password Security Front-Panel Security Front-Panel Security The front-panel security features provide the ability to independently enable or disable some of the functions of the two buttons located on the front of the switch for clearing the password (Clear button) or restoring the switch to its factory default configuration (Reset+Clear buttons together).

  • Page 62: Front-Panel Button Functions

    Configuring Username and Password Security Front-Panel Security As a result of increased security concerns, customers now have the ability to stop someone from removing passwords by disabling the Clear and/or Reset buttons on the front of the switch. Front-Panel Button Functions The front panel of the switch includes the Reset button and the Clear button.

  • Page 63: Reset Button

    Configuring Username and Password Security Front-Panel Security Reset Button Pressing the Reset button alone for one second causes the switch to reboot. Reset Clear Figure 2-7. Press and hold the Reset Button for One Second To Reboot the Switch Restoring the Factory Default Configuration You can also use the Reset button together with the Clear button (Reset+Clear) to restore the factory default configuration for the switch.

  • Page 64: Configuring Front-Panel Security

    Configuring Username and Password Security Front-Panel Security Reset Clear Test 4. When the Test LED to the right of the Clear button begins flashing, release the Clear button. Reset Clear Test It can take approximately 20-25 seconds for the switch to reboot. This process restores the switch configuration to the factory default settings.
  • Page 65 Configuring Username and Password Security Front-Panel Security • Modify the operation of the Reset+Clear combination (page 2-25) so that the switch still reboots, but does not restore the switch’s factory default configuration settings. (Use of the Reset button alone, to simply reboot the switch, is not affected.) •...
  • Page 66 Configuring Username and Password Security Front-Panel Security Password Recovery: Shows whether the switch is configured with the ability to recover a lost password. (Refer to “Password Recovery Process” on page 2-34.) (Default: Enabled.) CAUTION: Disabling this option removes the ability to recover a password on the switch.

  • Page 67: Disabling The Clear Password Function Of The Clear Button On The Switch's Front Panel

    Configuring Username and Password Security Front-Panel Security Disabling the Clear Password Function of the Clear Button on the Switch’s Front Panel Syntax: no front-panel-security password-clear In the factory-default configuration, pressing the Clear button on the switch’s front panel erases any local usernames and passwords configured on the switch.

  • Page 68: Re-Enabling The Clear Button On The Switch's Front Panel And Setting Or Changing The "Reset-On-Clear" Operation

    Configuring Username and Password Security Front-Panel Security Re-Enabling the Clear Button on the Switch’s Front Panel and Setting or Changing the “Reset-On-Clear” Operation Syntax: [no] front-panel-security password-clear reset-on-clear This command does both of the following: • Re-enables the password-clearing function of the Clear button on the switch’s front panel.

  • Page 69: Changing The Operation Of The Reset+Clear Combination

    Configuring Username and Password Security Front-Panel Security Shows password-clear disabled. Enables password-clear, with reset-on­ clear disabled by the “no” statement at the beginning of the command. Shows password-clear enabled, with reset-on-clear disabled. Figure 2-10. Example of Re-Enabling the Clear Button’s Default Operation Changing the Operation of the Reset+Clear Combination In their default configuration, using the Reset+Clear buttons in the combina­...

  • Page 70: Password Recovery

    (the default) on the switch prior to an attempt ■ to recover from a lost username/password situation ■ Contacting your ProCurve Customer Care Center to acquire a one-time­ use password Disabling or Re-Enabling the Password Recovery Process Disabling the password recovery process means that the only method for...
  • Page 71 Configuring Username and Password Security Front-Panel Security Syntax: [no] front-panel-security password-recovery Enables or (using the “no” form of the command) disables the ability to recover a lost password. When this feature is enabled, the switch allows management access through the password recovery process described below. This provides a method for recovering from a lost manager username (if configured) and password.

  • Page 72: Password Recovery Process

    2. Contact your ProCurve Customer Care Center for further assistance. Using the switch’s MAC address, the ProCurve Customer Care Center will generate and provide a “one-time use” alternate password you can use with the to gain management access to the switch.

  • Page 73: Web And Mac Authentication

    Web and MAC Authentication Contents Overview ........... . . 3-3 Web Authentication .
  • Page 74 Web and MAC Authentication Contents Client Status ..........3-54...

  • Page 75: Overview

    Web and MAC Authentication Overview Overview Feature Default Menu Configure Web Authentication — 3-30 — Configure MAC Authentication — 3-45 — Display Web Authentication Status and Configuration — 3-39 — Display MAC Authentication Status and Configuration — 3-49 — Web and MAC authentication are designed for employment on the “edge” of a network to provide port-based security measures for protecting private networks and a switch from unauthorized access.

  • Page 76: Mac Authentication

    Web and MAC Authentication Overview Note A proxy server is not supported for use by a browser on a client device that accesses the network through a port configured for web authentication. In the login page, a client enters a username and password, which the switch forwards to a RADIUS server for authentication.

  • Page 77: Radius-Based Authentication

    Web and MAC Authentication Overview support multiple client sessions in different VLANs for a network application, design your system so that clients request network access on different switch ports.) In the default configuration, the switch blocks access to all clients that the RADIUS server does not authenticate.

  • Page 78: How Web And Mac Authentication Operate

    Web and MAC Authentication How Web and MAC Authentication Operate How Web and MAC Authentication Operate Before gaining access to the network, a client first presents authentication credentials to the switch. The switch then verifies the credentials with a RADIUS authentication server. Successfully authenticated clients receive access to the network, as defined by the System Administrator.
  • Page 79 Web and MAC Authentication How Web and MAC Authentication Operate The Secure Socket Layer (SSLv3/TLSv1) feature provides remote web access to the network via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS. If you have enabled SSL on the switch, you can specify the ssl-login option when you configure web authentication so that clients who log in to specified ports are redirected to a secure login page (https://...) to enter their credentials.
  • Page 80 Web and MAC Authentication How Web and MAC Authentication Operate 4. If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked. The assigned port VLAN remains in place until the session ends. Clients may be forced to reauthenticate after a fixed period of time (reauth-period) or at any time during a session (reauthenticate).

  • Page 81: Customized Login Web Pages

    Web and MAC Authentication How Web and MAC Authentication Operate Customized Login Web Pages Enhanced web authentication allows you to customize the web pages used by clients to connect to the network. A customized login screen is presented to a client to enter their credentials. By creating customized login web pages, you can improve the “look and feel”...
  • Page 82 Web and MAC Authentication How Web and MAC Authentication Operate 2. If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the Authorized VLAN (auth-vid if configured) and temporarily drops all other VLAN memberships. 3. If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.

  • Page 83: Terminology

    VLAN. Authentication Server: The entity providing an authentication service to the switch. In the case of a ProCurve switch running Web/MAC-Authenti­ cation, this is a RADIUS server. Authenticator: In ProCurve switch applications, a device such as a ProCurve...

  • Page 84: Operating Rules And Notes

    Web and MAC Authentication Operating Rules and Notes Operating Rules and Notes ■ The switch supports concurrent 802.1X and either Web- or MAC- authentication operation on a port (with up to 32 clients allowed). However, concurrent operation of Web- or MAC-authentication with other types of authentication on the same port is not supported.
  • Page 85 Web and MAC Authentication Operating Rules and Notes • During an authenticated client session, the following hierarchy deter­ mines a port’s VLAN membership: 1. If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.

  • Page 86: Setup Procedure For Web/Mac Authentication

    1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this is not required for a Web- or MAC-based configuration, ProCurve recommends that you use a local user name and password pair, at least until your other security measures are in place, to protect the switch configuration from unauthorized access.)
  • Page 87 Web and MAC Authentication Setup Procedure for Web/MAC Authentication ProCurve (config)# show port-access config Port Access Status Summary Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes Supplicant Authenticator Web Auth Mac Auth Port Enabled...
  • Page 88 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Note that when configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named vlan100, you could configure the RADIUS server to use either “100”...

  • Page 89: Configuring The Radius Server To Support Mac Authentication

    Web and MAC Authentication Setup Procedure for Web/MAC Authentication Configuring the RADIUS Server To Support MAC Authentication On the RADIUS server, configure the client device authentication in the same way that you would any other client, except: Configure the client device’s (hexadecimal) MAC address as both ■...
  • Page 90 This section describes how to use HTML skeleton pages as a basis to create customized login web pages for web authentication on your ProCurve switches. When you customize an HTML skeleton file, follow these guidelines: ■...
  • Page 91 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Filename: index.html The index.html file is the first login page displayed, in which a client requesting access to the network enters a username and password. In the index.html skeleton file, you can customize any part of the source code except for the lines that appear in bold.
  • Page 92 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Filename: accept.html The accept.html file is the web page used to confirm a valid client login. This web page is displayed after a valid username and password are entered and accepted. The client device is then granted access to the network.
  • Page 93 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Filename: accept.html <html> <head> <title>EWA User Login</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <meta http-equiv="refresh" content="<!- ESI(WAUTHREDIRECTTIMEGET, 1) ->;URL=<!- ESI(WAUTHREDIRECTURLGET, 1) ->"> <SCRIPT> var interval = ""; var i = <!- ESI(WAUTHREDIRECTTIMEGET, 1) ->; function startcountdown() interval = window.setInterval("tick()",1000);...
  • Page 94 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Filename: authen.html The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified. <html> <head> <title>EWA User Login</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <meta http-equiv="refresh"...
  • Page 95 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Filename: reject_unauthvlan.html <html> <head> <title>EWA User Login</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <SCRIPT> var interval = ""; var i = <!- ESI(WAUTHREDIRECTTIMEGET, 1) ->; function startcountdown() interval = window.setInterval("tick()",1000); function stopcountdown() window.clearInterval (interval); interval="";...
  • Page 96 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Filename: statusprocess The statusprocess file contains the WAUTHSTATUSPROC ESI. This ESI is used to redirect an authenticated client to the appropriate web page during the login process. <html> <head> <!- ESI(WAUTHSTATUSPROC, 1) -> </head>...
  • Page 97 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Filename: retry_login.html The retry_login.html file is the web page displayed to a client that has entered an invalid username and/or password, and is given another opportunity to log The WAUTHRETRIESLEFTGET ESI displays the number of login retries that remain for a client that entered invalid login credentials.
  • Page 98 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Filename: sslredirect.html The sslredirect file is the web page displayed when a client is redirected to an SSL server to enter credentials for web authentication. If you have enabled SSL on the switch, you can enable secure SSL-based web authentication by entering the ssl-login parameter when you enable web authentication.
  • Page 99 Web and MAC Authentication Setup Procedure for Web/MAC Authentication Filename: reject_novlan.html <html> <head> <title>EWA User Login</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <meta http-equiv="refresh" content="<!- ESI(WAUTHQUIETTIMEGET,1) ->;URL=/EWA/ index.html"> <SCRIPT> var interval = ""; var i = <!- ESI(WAUTHQUIETTIMEGET, 1) ->; function startcountdown() interval = window.setInterval("tick()",1000);...

  • Page 100: Configuring A Dns Server For Enhanced Web Authentication

    ) and domain name webserver1 ) into a target IP address: accounts.procurve.com http://webserver1.accounts.procurve.com To configure switch access to a DNS server to support the use of a host name in the aaa port-access web-based ewa server command, follow the instructions in the “Diagnostic Tools”...
  • Page 101 Web and MAC Authentication Configuring the Switch To Access a RADIUS Server Syntax: [no] radius-server [host < ip-address >] Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration. You can config­ ure up to three RADIUS server addresses. The switch uses the first server it successfully accesses.

  • Page 102: Configuring Web Authentication

    2. Identify or create a redirect URL for use by authenticated clients. ProCurve recommends that you provide a redirect URL when using Web Authentication. If a redirect URL is not specified, web browser behavior following authentication may not be acceptable.
  • Page 103 Web and MAC Authentication Configuring Web Authentication For information on how to configure a DNS server, refer to the “Diagnostic Tools” section in the Troubleshooting chapter of the Management and Configuration Guide. 8. Enable web authentication on the switch ports you want to use. 9. Configure the optional settings that you want to use for web authentica­...

  • Page 104: Configuration Commands For Web Authentication

    Web and MAC Authentication Configuring Web Authentication Configuration Commands for Web Authentication Command Page Configuration Level aaa port-access <port-list > controlled-directions <both | in> 3-33 [no] aaa port-access web-based <port-list > 3-35 [auth-vid] 3-35 [clear-statistics] 3-35 [client-limit] 3-35 [client-moves] 3-36 [dhcp-addr] 3-36 [dhcp-lease]...
  • Page 105 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-direc­ tions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.
  • Page 106 Web and MAC Authentication Configuring Web Authentication Syntax: aaa port-access <port-list > controlled-directions <both | in> — Continued — Notes: ■ For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see Chapter 4, “Multiple Instance Spanning-Tree Operation”...
  • Page 107 Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based <port-list> Enables web-based authentication on the specified ports. Use the no form of the command to disable web- based authentication on the specified ports. Syntax: aaa port-access web-based <port-list> [auth-vid <vid>]] no aaa port-access web-based <port-list>...
  • Page 108 Web and MAC Authentication Configuring Web Authentication Syntax: [no] aaa port-access web-based <port-list > [client-moves] Allows client moves between the specified ports under Web Auth control. When enabled, the switch allows clients to move without requiring a re-authentication. When disabled, the switch does not allow moves and when one does occur, the user will be forced to re- authenticate.
  • Page 109 Web and MAC Authentication Configuring Web Authentication aaa port-access web-based <port-list > logoff-period <60-9999999> Syntax: Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense.
  • Page 110 Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL may be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. ProCurve recommends that you provide a redirect URL when using Web Authentica­ tion. Note: The redirect-url command accepts only the first 103 characters of the allowed 127 characters.

  • Page 111: Show Commands For Web Authentication

    Web and MAC Authentication Configuring Web Authentication Show Commands for Web Authentication Command Page show port-access web-based [port-list] 3-39 show port-access web-based clients [port-list] 3-40 show port-access web-based clients <port-list> detailed 3-41 show port-access web-based config [port-list] 3-42 show port-access web-based config <port-list> detailed 3-43 show port-access web-based config [port-list] auth-server 3-44...
  • Page 112 The IP address displayed is taken from the DHCP binding table. If a web-authenticated client uses an IPv6 address, n/a - IPv6 is displayed. ProCurve(config)# show port-access web-based clients Port Access Web-Based Client Status Port Client Name...
  • Page 113 Syntax: show port-access web-based clients <port-list> detailed Displays detailed information on the status of web- authenticated client sessions on specified switch ports. ProCurve(config)# show port-access web-based clients 1 detailed Port Access Web-Based Client Status Detailed Client Base Details : Port...
  • Page 114 If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS- assigned value. ProCurve(config)# show port-access web-based config Port Access Web-Based Configuration DHCP Base Address : 192.168.0.0 DHCP Subnet Mask : 255.255.255.0...
  • Page 115 Syntax: show port-access web-based config <port-list> detailed Displays more detailed information on the currently config­ ured Web Authentication settings for specified ports. ProCurve(config)# show port-access web-based config 1 detailed Port Access Web-Based Detailed Configuration Port Web-based enabled : Yes Client Limit...
  • Page 116 • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts ProCurve (config)# show port-access web-based config auth-server Port Access Web-Based Configuration Client Client Logoff Re-Auth Quiet...

  • Page 117: Configuring Mac Authentication On The Switch

    Web and MAC Authentication Configuring MAC Authentication on the Switch Configuring MAC Authentication on the Switch Overview 1. If you have not already done so, configure a local username and password pair on the switch. 2. If you plan to use multiple VLANs with MAC Authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made.

  • Page 118: Configuration Commands For Mac Authentication

    Web and MAC Authentication Configuring MAC Authentication on the Switch Configuration Commands for MAC Authentication Command Page Configuration Level aaa port-access mac-based addr-format 3-46 [no] aaa port-access mac-based [e] < port-list > 3-47 [addr-limit] 3-47 [addr-moves] 3-47 [auth-vid] 3-47 [logoff-period] 3-48 [max-requests] 3-48...
  • Page 119 Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: [no] aaa port-access mac-based < port-list > Enables MAC-based authentication on the specified ports. Use the no form of the command to disable MAC- based authentication on the specified ports. Syntax: aaa port-access mac-based [e] <...
  • Page 120 Web and MAC Authentication Configuring MAC Authentication on the Switch aaa port-access mac-based [e] < port-list > Syntax: [logoff-period] <60-9999999> Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense.

  • Page 121: Show Commands For Mac-Based Authentication

    Web and MAC Authentication Configuring MAC Authentication on the Switch Syntax: aaa port-access mac-based [e] < port-list > [unauth-vid <vid>] no aaa port-access mac-based [e] < port-list > [unauth-vid] Specifies the VLAN to use for a client that fails authen­ tication.
  • Page 122 MAC-authenticated client on the switch. The IP address displayed is taken from the DHCP binding table. If a MAC-authenticated client uses an IPv6 address, n/a - IPv6 is displayed. ProCurve(config)# show port-access mac-based clients Port Access MAC-Based Client Status Port MAC Address IP Address Session Status...
  • Page 123 Syntax: show port-access mac-based clients <port-list> detailed Displays detailed information on the status of MAC- authenticated client sessions on specified ports. ProCurve(config)# show port-access mac-based clients 1 detailed Port Access MAC-Based Client Status Detailed Client Base Details : Port Session Status : authenticated...
  • Page 124 Syntax: show port-access mac-based config <port-list> detailed Displays more detailed information on the currently config­ ured MAC Authentication settings for specified ports. ProCurve (config)# show port-access mac-based config 1 detailed Port Access MAC-Based Detailed Configuration Port Web-based enabled : Yes...
  • Page 125 • Timeout waiting period • Number of timeouts supported before authentication login fails • Length of time (quiet period) supported between authentication login attempts ProCurve(config)# show port-access mac-based config auth-server Port Access MAC-Based Configuration Client Client Logoff Re-Auth Quiet Server...

  • Page 126: Client Status

    Web and MAC Authentication Client Status Client Status The table below shows the possible client status information that may be reported by a Web-based or MAC-based ‘show... clients’ command. Reported Status Available Network Possible Explanations Connection authenticated Authorized VLAN Client authenticated. Remains connected until logoff-period or reauth-period expires.

  • Page 127: Tacacs+ Authentication

    TACACS+ Authentication Contents Overview ........... . . 4-2 Terminology Used in TACACS Applications: .

  • Page 128: Overview

    TACACS+ Authentication Overview Overview Feature Default Menu view the switch’s authentication configuration — page 4-9 — view the switch’s TACACS+ server contact — page — configuration 4-10 configure the switch’s authentication methods disabled — page — 4-10 configure the switch to contact TACACS+ server(s) disabled —...

  • Page 129: Terminology Used In Tacacs Applications

    TACACS+ Authentication Terminology Used in TACACS Applications: TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so. For both Console and Telnet access you can configure a login (read-only) and an enable (read/ write) privilege level access.
  • Page 130 TACACS+ Authentication Terminology Used in TACACS Applications: face. (Using the menu interface you can assign a local password, but not a username.) Because this method assigns passwords to the switch instead of to individuals who access the switch, you must distribute the password information on each switch to everyone who needs to access the switch, and you must configure and manage password protection on a per-switch basis.

  • Page 131: General System Requirements

    TACACS+ servers. Notes The effectiveness of TACACS+ security depends on correctly using your TACACS+ server application. For this reason, ProCurve recommends that you thoroughly test all TACACS+ configurations used in your network. TACACS-aware ProCurve switches include the capability of configuring multiple backup TACACS+ servers.
  • Page 132 TACACS+ Authentication General Authentication Setup Procedure other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure. Note If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation”...
  • Page 133 15. For more on this topic, refer to the documentation you received with your TACACS+ server application. If you are a first-time user of the TACACS+ service, ProCurve recom­ mends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment.

  • Page 134: Configuring Tacacs+ On The Switch

    Configuring TACACS+ on the Switch Before You Begin If you are new to TACACS+ authentication, ProCurve recommends that you read the “General Authentication Setup Procedure” on page 4-5 and configure your TACACS+ server(s) before configuring authentication on the switch.

  • Page 135: Cli Commands Described In This Section

    TACACS+ Authentication Configuring TACACS+ on the Switch CLI Commands Described in this Section Command Page show authentication show tacacs 4-10 aaa authentication 4-10 through 4-17 console Telnet num-attempts <1-10 > tacacs-server 4-18 host < ip-addr > 4-18 4-22 timeout < 1-255 > 4-23 Viewing the Switch’s Current Authentication Configuration...

  • Page 136: Viewing The Switch's Current Tacacs+ Server Contact Configuration

    TACACS+ Authentication Configuring TACACS+ on the Switch Viewing the Switch’s Current TACACS+ Server Contact Configuration This command lists the timeout period, encryption key, and the IP addresses of the first-choice and backup TACACS+ servers the switch can contact. Syntax: show tacacs For example, if the switch was configured for a first-choice and two backup TACACS+ server addresses, the default timeout period, and paris-1 for a (global) encryption key, show tacacs would produce a listing similar to the...

  • Page 137: Using The Privilege-Mode Option For Login

    The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into Operator or Manager mode, depending on your privilege level. ProCurve(config) aaa authentication login privilege-mode The no version of the above command disables TACACS+ single login capa­ bility.

  • Page 138: Authentication Parameters

    TACACS+ Authentication Configuring TACACS+ on the Switch [< local | none >] If the primary authentication method fails, determines whether to use the local password as a secondary method or to disallow access. aaa authentication num-attempts < 1-10 > Specifies the maximum number of login attempts allowed in the current session.

  • Page 139: Configuring The Tacacs+ Server For Single Login

    TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range Function local none Specifies the secondary (backup) type of authentication being - or - configured. local: The username/password pair configured locally in the switch none for the privilege level being configured none: No secondary type of authentication for the specified method/privilege path.
  • Page 140 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-4. Advanced TACACS+ Settings Section of the TACACS+ Server User Setup Then scroll down to the section that begins with “Shell” (See Figure 4-5). Check the Shell box. Check the Privilege level box and set the privilege level to 15 to allow “root” privileges.
  • Page 141 TACACS+ Authentication Configuring TACACS+ on the Switch Figure 4-5. The Shell Section of the TACACS+ Server User Setup As shown in the next table, login and enable access is always available locally through a direct terminal connection to the switch’s console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.
  • Page 142 TACACS+ Authentication Configuring TACACS+ on the Switch Access Method and Authentication Options Effect on Access Attempts Privilege Level Primary Secondary Telnet — Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. tacacs none If Tacacs+ server unavailable, denies access.
  • Page 143 Console Login (Operator or Read-Only) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console login tacacs local Console Enable (Manager or Read/Write) Access: Primary using TACACS+ server. Secondary using Local. ProCurve (config)# aaa authentication console enable tacacs local Telnet Login (Operator or Read-Only) Access: Primary using TACACS+ server.

  • Page 144: Configuring The Switch's Tacacs+ Server Access

    Note As described under “General Authentication Setup Procedure” on page 4-5, ProCurve recommends that you configure, test, and troubleshoot authentica­ tion via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up authentication in either the switch or your TACACS+ server.
  • Page 145 TACACS+ Authentication Configuring TACACS+ on the Switch Syntax: tacacs-server host < ip-addr > [key < key-string >] Adds a TACACS+ server and optionally assigns a server- specific encryption key. [no] tacacs-server host < ip-addr > Removes a TACACS+ server assignment (including its server-specific encryption key, if any).
  • Page 146 TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range host <ip-addr> [key <key-string> none Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per- server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key”...
  • Page 147 TACACS+ Authentication Configuring TACACS+ on the Switch Name Default Range key <key-string> none (null) n/a Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server”...
  • Page 148 To remove the 10.28.227.15 device as a TACACS+ server, you would use this command: ProCurve(config)# no tacacs-server host 10.28.227.15 Configuring an Encryption Key. Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key.
  • Page 149 TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command: ProCurve(config)# tacacs-server host 10.28.227.104 Note You can save the encryption key in a configuration file by entering this command: Procurve(config)# tacacs-server key <keystring>...

  • Page 150: How Authentication Operates

    For specific operating details, refer to the documentation you received with your TACACS+ server application. Terminal “A” Directly Accessing This First-Choice Switch Via Switch’s Console Port TACACS+ Server ProCurve Switch Configured for TACACS+ Operation Second-Choice TACACS+ Server (Optional) Terminal “B” Remotely...

  • Page 151: Local Authentication Process

    TACACS+ Authentication How Authentication Operates 4. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs: • If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.

  • Page 152: Using The Encryption Key

    TACACS+ Authentication How Authentication Operates again prompted to enter a username/password pair. In the default configuration, the switch allows up to three attempts. If the requesting terminal exhausts the attempt limit without a successful authentica­ tion, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.

  • Page 153: Encryption Options In The Switch

    ProCurve(config)# tacacs-server host 10.28.227.87 key south10campus With both of the above keys configured in the switch, the...

  • Page 154: Controlling Web Browser Interface Access When Using Tacacs+ Authentication

    TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication Controlling Web Browser Interface Access When Using TACACS+ Authentication Configuring the switch for TACACS+ authentication does not affect web browser interface access. To prevent unauthorized access through the web browser interface, do one or more of the following: ■...

  • Page 155: Operating Notes

    TACACS+ Authentication Operating Notes CLI Message Meaning Invalid password The system does not recognize the username or the password or both. Depending on the authentication method (tacacs or local), either the TACACS+ server application did not recognize the username/password pair or the username/password pair did not match the username/password pair configured in the switch.
  • Page 156 TACACS+ Authentication Operating Notes 4-30...
  • Page 157 RADIUS Authentication and Accounting Contents Overview ........... . . 5-3 Authentication Services .
  • Page 158 RADIUS Authentication and Accounting Contents Operating Rules for RADIUS Accounting ..... . 5-35 Steps for Configuring RADIUS Accounting ..... 5-36 1.

  • Page 159: Radius Authentication And Accounting

    ■ Telnet ■ ■ ■ SFTP/SCP Web (8212zl, 5400zl, 4200vl, 2900, 2800s as of software version I.08.60, ■ and 2600s as of software version H.08.58 switches) Port-Access (802.1X) ■ The switch also supports RADIUS accounting for Web Authentication and MAC authentication sessions.

  • Page 160: Accounting Services

    RADIUS Authentication and Accounting Overview Note The switch does not support RADIUS security for SNMP (network manage­ ment) access. For information on blocking access through the web browser interface, refer to “Controlling Web Browser Interface Access” on page 5-22. Accounting Services RADIUS accounting on the switch collects resource consumption data and forwards it to the RADIUS server.

  • Page 161: Terminology

    EXEC Session: a service (EXEC shell) granted to the authenticated login user for doing management operations on the ProCurve device. Host: See RADIUS Server. NAS (Network Access Server): In this case, a ProCurve switch configured for RADIUS security operation. RADIUS (Remote Authentication Dial In User Service): a protocol for...

  • Page 162: Switch Operating Rules For Radius

    (Only one primary and one secondary access method is allowed for each access type.) In the ProCurve switch, EAP RADIUS uses MD5 and TLS to encrypt ■ a response to a challenge from a RADIUS server.

  • Page 163: General Radius Setup Procedure

    IP address to the switch. • Determine an acceptable timeout period for the switch to wait for a server to respond to a request. ProCurve...

  • Page 164: Configuring The Switch For Radius Authentication

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Determine how many times you want the switch to try contacting a RADIUS server before trying another RADIUS server or quitting. (This depends on how many RADIUS servers you have configured the switch to access.) • Determine whether you want to bypass a RADIUS server that fails to respond to requests for service.

  • Page 165: Outline Of The Steps For Configuring Radius Authentication

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Outline of the Steps for Configuring RADIUS Authentication There are three main steps to configuring RADIUS authentication: 1. Configure RADIUS authentication for controlling access through one or more of the following •...

  • Page 166: Configure Authentication For The Access Methods You Want Radius To Protect

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication • Timeout Period: The timeout period the switch waits for a RADIUS server to reply. (Default: 5 seconds; range: 1 to 15 seconds.) • Retransmit Attempts: The number of retries when there is no server response to a RADIUS authentication request.
  • Page 167 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication ure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail. Syntax: aaa authentication < console | telnet | ssh | web | < enable | login <local | radius>>...
  • Page 168 “Enable Primary” and “Enable Secondary” fields are not applicable (N/A). ProCurve(config)# show authentication Status and Counters - Authentication Information Login Attempts : 3 Respect Privilege : Disabled...

  • Page 169: Enable The (Optional) Access Privilege Option

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in this guide. The switch now allows Telnet and SSH authentication only through RADIUS. Figure 5-3.

  • Page 170: Configure The Switch To Access A Radius Server

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication this default behavior for clients with Enable (manager) access. That is, with privilege-mode enabled, the switch immediately allows Enable (Manager) access to a client for whom the RADIUS server specifies this access level. Syntax: [no] aaa authentication login privilege-mode When enabled, the switch reads the Service-Type field in the client authentication received from a RADIUS server.
  • Page 171 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note If you want to configure RADIUS accounting on the switch, go to page 5-34: “Configuring RADIUS Accounting” instead of continuing here. Syntax: [no] radius-server host < ip-address > Adds a server to the RADIUS configuration or (with no) deletes a server from the configuration.
  • Page 172 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication [key < key-string >] Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key.

  • Page 173: Configure The Switch's Global Radius Parameters

    RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Figure 5-4. Sample Configuration for RADIUS Server Before Changing the Key and Adding Another Server To make the changes listed prior to figure 5-4, you would do the following: Changes the key for the existing server to “source0127”...
  • Page 174 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Global server key: The server key the switch will use for contacts ■ with all RADIUS servers for which there is not a server-specific key configured by radius-server host < ip-address > key < key-string >. This key is optional if you configure a server-specific key for each RADIUS server entered in the switch.
  • Page 175 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication radius-server retransmit < 1 - 5 > If a RADIUS server fails to respond to an authentica­ tion request, specifies how many retries to attempt before closing the session. Default: 3; Range: 1 - 5) Note Where the switch has multiple RADIUS servers configured to support authen­...
  • Page 176 RADIUS Authentication and Accounting Configuring the Switch for RADIUS Authentication Note: The Webui access task shown in this figure is available only on the switches covered in this guide. After two attempts failing due to username or password entry errors, the switch will terminate the session.

  • Page 177: Local Authentication Process

    RADIUS Authentication and Accounting Local Authentication Process Local Authentication Process When the switch is configured to use RADIUS, it reverts to local authentication only if one of these two conditions exists: Local is the authentication option for the access method being used. ■...

  • Page 178: Controlling Web Browser Interface Access

    RADIUS Authentication and Accounting Controlling Web Browser Interface Access Controlling Web Browser Interface Access To help prevent unauthorized access through the web browser interface, do one or more of the following: ■ Configure the switch to support RADIUS authentication for web browser interface access.

  • Page 179: Commands Authorization

    RADIUS Authentication and Accounting Commands Authorization Commands Authorization The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information (from the user’s profile) to the Network Access Server (NAS). After user authentication has occurred, the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user’s session.

  • Page 180: Enabling Authorization

    The NAS does not request authorization information. For example, to enable the RADIUS protocol as the authorization method: ProCurve(config)# aaa authorization commands radius When the NAS sends the RADIUS server a valid username and password, the RADIUS server sends an Access-Accept packet that contains two attributes —the command list and the command exception flag.

  • Page 181: Displaying Authorization Information

    Configuring Commands Authorization on a RADIUS Server Using Vendor Specific Attributes (VSAs) Some RADIUS-based features implemented on ProCurve switches use HP VSAs for information exchange with the RADIUS server. RADIUS Access- Accept packets sent to the switch may contain the vendor-specific informa­...
  • Page 182 RADIUS Authentication and Accounting Commands Authorization The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below. HP-Command-String HP-Command-Exception Description Not present Not present If command authorization is enabled and the RADIUS server does not provide any authorization attributes in an Access-Accept packet, the user is denied access to the server.

  • Page 183: Example Configuration On Cisco Secure Acs For Ms Windows

    RADIUS Authentication and Accounting Commands Authorization Example Configuration on Cisco Secure ACS for MS Windows It is necessary to create a dictionary file that defines the VSAs so that the RADIUS server application can determine which VSAs to add to its user interface.
  • Page 184 RADIUS Authentication and Accounting Commands Authorization Profile=IN OUT Enums=Hp-Command-Exception-Types [Hp-Command-Exception-Types] 0=PermitList 1=DenyList 2. Copy the hp.ini dictionary file to c:\program files\cisco acs 3.2\utils (or the \utils directory wherever acs is installed). 3. From the command prompt execute the following command: c:\Program files\CiscoSecure ACS v3.2\utils>...

  • Page 185: Example Configuration Using Freeradius

    RADIUS Authentication and Accounting Commands Authorization 6. Right click and then select New > key. Add the vendor Id number that you determined in step 4 (100 in the example). 7. Restart all Cisco services. 8. The newly created HP RADIUS VSA appears only when you configure an AAA client (NAS) to use the HP VSA RADIUS attributes.
  • Page 186 RADIUS Authentication and Accounting Commands Authorization dictionary.hp As posted to the list by User <user_email> Version: $Id: dictionary.hp, v 1.0 2006/02/23 17:07:07 VENDOR # HP Extensions ATTRIBUTE Hp-Command-String string ATTRIBUTE Hp-Command-Exception integer # Hp-Command-Exception Attribute Values VALUE Hp-Command-Exception Permit-List VALUE Hp-Command-Exception Deny-List 2. Find the location of the dictionary files used by FreeRADIUS (try /usr/...

  • Page 187: Vlan Assignment In An Authentication Session

    RADIUS Authentication and Accounting VLAN Assignment in an Authentication Session VLAN Assignment in an Authentication Session A switch supports concurrent 802.1X and either Web- or MAC-authentication sessions on a port (with up to 32 clients allowed). If you have configured RADIUS as the primary authentication method for a type of access, when a client authenticates on a port, the RADIUS server assigns an untagged VLAN that is statically configured on the switch for use in the authentication session.

  • Page 188: Tagged And Untagged Vlan Attributes

    RADIUS Authentication and Accounting VLAN Assignment in an Authentication Session Tagged and Untagged VLAN Attributes When you configure a user profile on a RADIUS server to assign a VLAN to an authenticated client, you can use either the VLAN’s name or VLAN ID (VID) number.

  • Page 189: Additional Radius Attributes

    RADIUS server to advertise switch capabilities, report information on authentication sessions, and dynamically reconfigure authentication parameters: MS-RAS-Vendor (RFC 2548): Allows ProCurve switches to inform a ■ Microsoft RADIUS server that the switches are from ProCurve Networking.

  • Page 190: Configuring Radius Accounting

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Configuring RADIUS Accounting RADIUS Accounting Commands Page [no] radius-server host < ip-address > 5-37 [acct-port < port-number >] 5-37 [key < key-string >] 5-37 [no] aaa accounting < exec | network | system | commands> 5-40 <...

  • Page 191: Operating Rules For Radius Accounting

    RADIUS Authentication and Accounting Configuring RADIUS Accounting Exec accounting: Provides records holding the information listed ■ below about login sessions (console, Telnet, and SSH) on the switch: • Acct-Authentic • Acct-Status-Type • NAS-Identifier • Acct-Delay-Time • Acct-Terminate-Cause • NAS-IP-Address • Acct-Session-Id •...

  • Page 192: Steps For Configuring Radius Accounting

    RADIUS Authentication and Accounting Configuring RADIUS Accounting If access to a RADIUS server fails during a session, but after the client ■ has been authenticated, the switch continues to assume the server is available to receive accounting data. Thus, if server access fails during a session, it will not receive accounting data transmitted from the switch.

  • Page 193: Configure The Switch To Access A Radius Server

    RADIUS Authentication and Accounting Configuring RADIUS Accounting 1. Configure the Switch To Access a RADIUS Server Before you configure the actual accounting parameters, you should first configure the switch to use a RADIUS server. This is the same as the process described on page 5-14.

  • Page 194: Configure Accounting Types And The Controls For Sending Reports To The Radius Server

    RADIUS Authentication and Accounting Configuring RADIUS Accounting For this example, assume that all other RADIUS authentication parameters for accessing this server are acceptable at their default settings, and that RADIUS is already configured as an authentication method for one or more types of access to the switch (Telnet, Console, etc.).
  • Page 195 RADIUS Authentication and Accounting Configuring RADIUS Accounting Network: Use Network if you want to collect accounting information ■ on 802.1X port-based-access users connected to the physical ports on the switch to access the network. (See also “Accounting Services” on page 4.) Commands: When commands authorization is enabled, a record ■...

  • Page 196: Optional) Configure Session Blocking And Interim Updating Options

    RADIUS Authentication and Accounting Configuring RADIUS Accounting For example, to configure RADIUS accounting on the switch with start-stop for exec functions and stop-only for system functions: Configures exec and system accounting and controls. Summarizes the switch’s accounting configuration. Exec and System accounting are active.
  • Page 197 RADIUS Authentication and Accounting Configuring RADIUS Accounting To continue the example in figure 5-10, suppose that you wanted the switch to: Send updates every 10 minutes on in-progress accounting sessions. ■ ■ Block accounting for unknown users (no username). Update Period Suppress Unknown User Figure 5-11.

  • Page 198: Viewing Radius Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Viewing RADIUS Statistics General RADIUS Statistics Syntax: show radius [host < ip-addr >] Shows general RADIUS configuration, including the server IP addresses. Optional form shows data for a specific RADIUS host. To use show radius, the server’s IP address must be configured in the switch, which.
  • Page 199 RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-13. RADIUS Server Information From the Show Radius Host Command Term Definition Round Trip Time The time interval between the most recent Accounting-Response and the Accounting- Request that matched it from this RADIUS accounting server. PendingRequests The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response.

  • Page 200: Radius Authentication Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Term Definition Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions. AccessChallenges The number of RADIUS Access-Challenge packets (valid or invalid) received from this server. AccessAccepts The number of RADIUS Access-Accept packets (valid or invalid) received from this server. AccessRejects The number of RADIUS Access-Reject packets (valid or invalid) received from this server.

  • Page 201: Radius Accounting Statistics

    RADIUS Authentication and Accounting Viewing RADIUS Statistics Figure 5-15. Example of RADIUS Authentication Information from a Specific Server RADIUS Accounting Statistics Syntax: show accounting Lists configured accounting interval, “Empty User” suppres­ sion status, accounting types, methods, and modes. show radius accounting Lists accounting statistics for the RADIUS server(s) config­...

  • Page 202: Changing Radius-Server Access Order

    RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Figure 5-17. Example of RADIUS Accounting Information for a Specific Server Figure 5-18. Example Listing of Active RADIUS Accounting Sessions on the Switch Changing RADIUS-Server Access Order The switch tries to access RADIUS servers according to the order in which their IP addresses are listed by the show radius command.
  • Page 203 RADIUS Authentication and Accounting Changing RADIUS-Server Access Order RADIUS server IP addresses listed in the order in which the switch will try to access them. In this case, the server at IP address 1.1.1.1 is first. Note: If the switch successfully accesses the first server, it does not try to access any other servers in the list, even if the client is denied access by the first server.
  • Page 204 RADIUS Authentication and Accounting Changing RADIUS-Server Access Order Removes the “003” and “001” addresses from the RADIUS server list. Inserts the “003” address in the first position in the RADIUS server list, and inserts the “001” address in the last position in the list. Shows the new order in which the switch searches for a RADIUS server.

  • Page 205: Messages Related To Radius Operation

    RADIUS Authentication and Accounting Messages Related to RADIUS Operation Messages Related to RADIUS Operation Message Meaning Can’t reach RADIUS server < x.x.x.x >. A designated RADIUS server is not responding to an authentication request. Try pinging the server to determine whether it is accessible to the switch.
  • Page 206 RADIUS Authentication and Accounting Messages Related to RADIUS Operation 5-50...
  • Page 207 Configuring Secure Shell (SSH) Contents Overview ........... . . 6-2 Terminology .

  • Page 208: Configuring Secure Shell (Ssh)

    (The same private key can be stored on one or more clients.) 1. Switch-to-Client SSH authentication. ProCurve Client 2.Client-to-Switch (login rsa) authentication...

  • Page 209: Terminology

    Configuring Secure Shell (SSH) Terminology Note SSH in ProCurve switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit www.openssh.com . Switch SSH and User Password Authentication . This option is a subset of the client public-key authentication shown in figure 6-1. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key.
  • Page 210 Configuring Secure Shell (SSH) Terminology PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted ■ client public-key that has been encoded for portability and efficiency. SSHv2 client public-keys are typically stored in the PEM format. See figure 6-3 for an example of PEM-encoded ASCII keys. Private Key: An internally generated key used in the authentication ■...

  • Page 211: Prerequisite For Using Ssh

    Configuring Secure Shell (SSH) Prerequisite for Using SSH Prerequisite for Using SSH Before using the switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 6-2), then the client program must have the capability to generate or import keys.

  • Page 212: Steps For Configuring And Using Ssh For Switch And Client Authentication

    Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication Steps for Configuring and Using SSH for Switch and Client Authentication For two-way authentication between the switch and an SSH client, you must use the login (Operator) level. Table 6-1.
  • Page 213 Configuring Secure Shell (SSH) Steps for Configuring and Using SSH for Switch and Client Authentication B. Switch Preparation 1. Assign a login (Operator) and enable (Manager) password on the switch (page 6-9). 2. Generate a public/private key pair on the switch (page 6-10). You need to do this only once.

  • Page 214: General Operating Rules And Notes

    Configuring Secure Shell (SSH) General Operating Rules and Notes General Operating Rules and Notes ■ Public keys generated on an SSH client must be exportable to the switch. The switch can only store 10 keys client key pairs. The switch’s own public/private key pair and the (optional) client ■...

  • Page 215: Configuring The Switch For Ssh Operation

    1. Assigning a Local Login (Operator) and Enable (Manager) Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.

  • Page 216: Generating The Switch's Public And Private Key Pair

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Figure 6-4. Example of Configuring Local Passwords 2. Generating the Switch’s Public and Private Key Pair You must generate a public and private host key pair on the switch. The switch uses this key pair, along with a dynamically generated session key pair to negotiate an encryption method and session with an SSH client trying to connect to the switch.
  • Page 217 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Note When you generate a host key pair on the switch, the switch places the key pair in flash memory (and not in the running-config file). Also, the switch maintains the key pair across reboots, including power cycles. You should consider this key pair to be “permanent”;...
  • Page 218 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation [ babble ] Displays hashes of the switch’s public key in phonetic format. (See “Displaying the Public Key” on page 6-14.) [ fingerprint ] Displays fingerprints of the switch’s public key in hexadecimal format.

  • Page 219: Providing The Switch's Public Key To Clients

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Notes "Zeroizing" the switch’s key automatically disables SSH (sets ip ssh to no). Thus, if you zeroize the key and then generate a new key, you must also re- enable SSH with the ip ssh command before the switch can resume SSH operation.
  • Page 220 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation using Windows® Notepad, ensure that Word Wrap (in the Edit menu) is disabled, and that the key text appears on a single line. Figure 6-7. Example of a Correctly Formatted Public Key 4. Add any data required by your SSH client application.

  • Page 221: Enabling Ssh On The Switch And Anticipating Ssh Client Contact Behavior

    Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Phonetic "Hash" of Switch’s Public Key Hexadecimal "Fingerprints" of the Same Switch Figure 6-9. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key The two commands shown in figure 6-9 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s “known host”...
  • Page 222 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if the switch’s public key has not been copied into the client, then the client’s first connection to the switch will question the connection and, for security reasons, provide the option of accepting or refusing.
  • Page 223 2048 bits. N o t e o n P o r t ProCurve recommends using the default TCP port number (22). However, you Num b er can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes.

  • Page 224: Configuring The Switch For Ssh Authentication

    Client Public-Key Authentication” on page 6-22 Note ProCurve recommends that you always assign a Manager-Level (enable) password to the switch. Without this level of protection, any user with Telnet, web, or serial port access to the switch can change the switch’s configuration.
  • Page 225 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: aaa authentication ssh login < local | tacacs | radius >[< local | none >] Configures a password method for the primary and second­ ary login (Operator) access. If you do not specify an optional secondary method, it defaults to none.
  • Page 226 Configuring Secure Shell (SSH) Configuring the Switch for SSH Operation Syntax: copy tftp pub-key-file < ip-address > < filename > Copies a public key file into the switch. aaa authentication ssh login public-key Configures the switch to authenticate a client public-key at the login level with an optional secondary password method (default: none).
  • Page 227 New password for Manager: ******** matches one of the Please retype new password for Manager: ******** keys in the public ProCurve(config)# aaa authentication ssh login public-key none key file. ProCurve(config)# aaa authentication ssh enable tacacs local ProCurve(config)# coy tftp pub-key-file 10.33.18.117...

  • Page 228: Use An Ssh Client To Access The Switch

    Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 6. Use an SSH Client To Access the Switch Test the SSH configuration on the switch to ensure that you have achieved the level of SSH operation you want for the switch. If you have problems, refer to "RADIUS-Related Problems"...
  • Page 229 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 1. The client sends its public key to the switch with a request for authenti­ cation. 2. The switch compares the client’s public key to those stored in the switch’s client-public-key file.
  • Page 230 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication To Create a Client-Public-Key Text File. These steps describe how to copy client-public-keys into the switch for RSA challenge-response authenti­ cation, and require an understanding of how to use your SSH client applica­ tion.
  • Page 231 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication 2. Copy the client’s public key into a text file (filename.txt). (For example, you can use the Notepad editor included with the Microsoft® Windows® software. If you want several clients to use client public-key authentica­ tion, copy a public key for each of these clients (up to ten) into the file.
  • Page 232 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication The babble option converts the key data to phonetic hashes that are easier for visual comparisons. The fingerprint option converts the key data to hexadec­ imal hashes that are for the same purpose. The keylist-str selects keys to display (comma-delimited list).
  • Page 233 Configuring Secure Shell (SSH) Further Information on SSH Client Public-Key Authentication Syntax: clear crypto public-key Deletes the client-public-key file from the switch. Syntax: clear crypto public-key 3 Deletes the entry with an index of 3 from the client-public-key file on the switch. Enabling Client Public-Key Authentication.

  • Page 234: Messages Related To Ssh Operation

    Configuring Secure Shell (SSH) Messages Related to SSH Operation Messages Related to SSH Operation Message Meaning File transfer did not occur. Indicates an error in 00000K Peer unreachable. communicating with the tftp server or not finding the file to download. Causes include such factors as: • Incorrect IP configuration on the switch • Incorrect IP address in the command • Case (upper/lower) error in the filename used in the...
  • Page 235 Configuring Secure Shell (SSH) Messages Related to SSH Operation Message Meaning After you execute the crypto key generate ssh [rsa] Generating new RSA host key. If the command, the switch displays this message while it cache is depleted, this could take up to is generating the key.
  • Page 236 Configuring Secure Shell (SSH) Messages Related to SSH Operation 6-30...
  • Page 237 Configuring Secure Socket Layer (SSL) Contents Overview ........... . . 7-2 Terminology .

  • Page 238: Configuring Secure Socket Layer (Ssl)

    SSL/TLS operation. N o t e ProCurve Switches use SSL and TLS for all secure web transactions, and all references to SSL mean using one of these algorithms unless otherwise noted SSL provides all the web functions but, unlike standard web access, SSL provides encrypted, authenticated transactions.

  • Page 239: Terminology

    ■ ■ RC4 (40-bit, 128-bit) N o t e : ProCurve Switches use RSA public key algorithms and Diffie-Hellman, and all references to a key mean keys generated using these algorithms unless otherwise noted Terminology SSL Server: An ProCurve switch with SSL enabled.
  • Page 240 Configuring Secure Socket Layer (SSL) Terminology Root Certificate: A trusted certificate used by certificate authorities to ■ sign certificates (CA-Signed Certificates) and used later on to verify that authenticity of those signed certificates. Trusted certificates are distrib­ uted as an integral part of most popular web clients. (see browser docu­ mentation for which root certificates are pre-installed).

  • Page 241: Prerequisite For Using Ssl

    Configuring Secure Socket Layer (SSL) Prerequisite for Using SSL Prerequisite for Using SSL Before using the switch as an SSL server, you must install a publicly or commercially available SSL enabled web browser application on the com­ puter(s) you use for management access to the switch. Steps for Configuring and Using SSL for Switch and Client Authentication The general steps for configuring SSL include:...

  • Page 242: General Operating Rules And Notes

    Configuring Secure Socket Layer (SSL) General Operating Rules and Notes General Operating Rules and Notes ■ Once you generate a certificate on the switch you should avoid re­ generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s certificate on all management stations (clients) you previously set up for SSL access to the switch.

  • Page 243: Configuring The Switch For Ssl Operation

    1. Assigning a Local Login (Operator) and Enable (Manager)Password At a minimum, ProCurve recommends that you always assign at least a Manager password to the switch. Otherwise, under some circumstances, anyone with Telnet, web, or serial port access could modify the switch’s configuration.

  • Page 244: Generating The Switch's Server Host Certificate

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Security Tab Password Button Figure 7-2. Example of Configuring Local Passwords 1. Proceed to the security tab and select device passwords button. 2. Click in the appropriate box in the Device Passwords window and enter user names and passwords.

  • Page 245: To Generate Or Erase The Switch's Server Certificate

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.) The server certificate is stored in the switch’s flash memory.

  • Page 246: Comments On Certificate Fields

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation CLI commands used to generate a Server Host Certificate. Syntax: crypto key generate cert [rsa] < 512 | 768 |1024 > Generates a key pair for use in the certificate. crypto key zeroize cert Erases the switch’s certificate key and disables SSL opera­...
  • Page 247 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Table 7-1. Certificate Field Descriptions Field Name Description Valid Start Date This should be the date you desire to begin using the SSL functionality. Valid End Date This can be any future date, however good security practices would suggest a valid duration of about one year between updates of passwords and keys.

  • Page 248: Generate A Self-Signed Host Certificate With The Web Browser Interface

    You can configure SSL from the web browser interface. For more information on how to access the web browser interface refer to the chapter titled “Using the ProCurve Web Browser Interface” in the Management and Configuration Guide for your switch.
  • Page 249 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation To generate a self signed host certificate from the web browser interface: i. Proceed to the Security tab then the SSL button. The SSL config­ uration screen is split up into two halves. The left half is used in creating a new certificate key pair and (self-signed / CA-signed) certificate.
  • Page 250 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation For example, to generate a new host certificate via the web browsers inter­ face: Security Tab SSL button Create Certificate Button Certificate Type Box Key Size Selection Certificate Arguments Figure 7-5.

  • Page 251: Generate A Ca-Signed Server Host Certificate With The Web Browser Interface

    To install a CA-Signed server host certificate from the web browser interface. For more information on how to access the web browser interface, refer to the chapter titled “Using the ProCurve Web Browser Interface” in the Man­ agement and Configuration Guide for your switch.
  • Page 252 Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation The installation of a CA-signed certificate involves interaction with other entities and consists of three phases. The first phase is the creation of the CA certificate request, which is then copied off from the switch for submission to the certificate authority.

  • Page 253: Enabling Ssl On The Switch And Anticipating Ssl Browser Contact Behavior

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Certificate Request Certificate Request Reply -----BEGIN CERTIFICATE----­ MIICZDCCAc2gAwIBAgIDMA0XMA0GCSqGSIb3DQEBBAUAMIGHMQswCQYDVQQGEwJa QTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05MWTEdMBsGA1UEChMU VGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1QgVEVTVCBURVNUMRww GgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTAyMTEyMjIyNTIxN1oXDTAy MTIxMzIyNTIxN1owgYQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENh cGUxEjAQBgNVBAcTCUNhcGUgVG93bjEUMBIGA1UEChMLT3Bwb3J0dW5pdGkxGDAW BgNVBAsTD09ubGluZSBTZXJ2aWNlczEaMBgGA1UEAxMRd3d3LmZvcndhcmQuY28u emEwWjANBgkqhkiG9w0BAQEFAANJADBGAkEA0+aMcXgVruVixw/xuASfj6G4gvXe 0uqQ7wI7sgvnTwJy9HfdbV3Zto9fdA9ZIA6EqeWchkoMCYdle3Yrrj5RwwIBA6Ml MCMwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B Figure 7-7. Request for Verified Host Certificate Web Browser Interface Screen 3. Enabling SSL on the Switch and Anticipating SSL Browser Contact Behavior he web-management ssl command enables SSL on the switch and modifies parameters the switch uses for transactions with clients.
  • Page 254 Switch’s Server Host Certificate” on page 7-8. When configured for SSL, the switch uses its host certificate to authenticate itself to SSL clients, however unless you disable the standard ProCurve web browser interface with the no web-management command it will be still avail­...

  • Page 255: Using The Cli Interface To Enable Ssl

    Configuring Secure Socket Layer (SSL) Configuring the Switch for SSL Operation Using the CLI Interface to Enable SSL Syntax: [no] web-management ssl Enables or disables SSL on the switch. [port < 1-65535 | default:443 >] The TCP port number for SSL connections (default: 443).
  • Page 256 Figure 7-8. Using the web browser interface to enable SSL and select TCP port number N o t e o n P o r t ProCurve recommends using the default IP port number (443). However, you N u m b e r can use web-management ssl tcp-port to specify any TCP port for SSL connec­...

  • Page 257: Common Errors In Ssl Setup

    Configuring Secure Socket Layer (SSL) Common Errors in SSL setup Common Errors in SSL setup Error During Possible Cause Generating host certificate on CLI You have not generated a certificate key. (Refer to “CLI commands used to generate a Server Host Certificate” on page 7-10.) Enabling SSL on the CLI or Web browser interface You have not generated a host...
  • Page 258 Configuring Secure Socket Layer (SSL) Common Errors in SSL setup 7-22...
  • Page 259 Traffic/Security Filters and Monitors Contents Overview ........... . . 8-2 Introduction .

  • Page 260: Traffic/Security Filters And Monitors

    Traffic/Security Filters and Monitors Overview Overview Applicable Switch Models. As of June 2007, Traffic/Security filters are available on these current ProCurve switch models: Switch Models Source-Port Protocol Multicast Filters Filters Filters Switch 8212zl Series 6400cl Series 5400zl Series 4200vl Series 3500yl...

  • Page 261: Filter Limits

    Traffic/Security Filters and Monitors Filter Types and Operation You can enhance in-band security and improve control over access to network resources by configuring static filters to forward (the default action) or drop unwanted traffic. That is, you can configure a traffic filter to either forward or drop all network traffic moving to outbound (destination) ports and trunks (if any) on the switch.

  • Page 262: Source-Port Filters

    Traffic/Security Filters and Monitors Filter Types and Operation Source-Port Filters This filter type enables the switch to forward or drop traffic from all end nodes on the indicated source-port to specific destination ports. Server Node “A” Port Port Switch Configured for Source-Port Node Filtering...

  • Page 263: Example

    Traffic/Security Filters and Monitors Filter Types and Operation When you create a source port filter, all ports and port trunks (if any) ■ on the switch appear as destinations on the list for that filter, even if routing is disabled and separate VLANs and/or subnets exist. Where traffic would normally be allowed between ports and/or trunks, the switch automatically forwards traffic to the outbound ports and/or trunks you do not specifically configure to drop traffic.

  • Page 264: Named Source-Port Filters

    Traffic/Security Filters and Monitors Filter Types and Operation This list shows the filter created to block (drop) traffic from source port 5 (workstation "X") to destination port 7 (server "A"). Notice that the filter allows traffic to move from source port 5 to all other destination ports.

  • Page 265: Defining And Configuring Named Source-Port Filters

    Traffic/Security Filters and Monitors Filter Types and Operation To change the named source-port filter used on a port or port trunk, ■ the current filter must first be removed, using the no filter source-port named-filter <filter-name > command. A named source-port filter can only be deleted when it is not applied ■...
  • Page 266 > drop < destination-port-list > A named source-port filter must first be defined and configured before it can be applied. In the following example two named source-port filters are defined, web-only and accounting. ProCurve(config)# filter source-port named-filter web- only ProCurve(config)# filter source-port named-filter accounting By default, these two named source-port filters forward traffic to all ports and port trunks.

  • Page 267: Viewing A Named Source-Port Filter

    Traffic/Security Filters and Monitors Filter Types and Operation Viewing a Named Source-Port Filter You can list all source-port filters configured in the switch, both named and unnamed, and their action using the show command below. Syntax: show filter source-port Displays a listing of configured source-port filters, where each filter entry includes a Filter Name, Port List, and Action: Filter Name: The filter-name used when a named...
  • Page 268 Here we define and configure each of the named source-port filters for our example network in a single step. ProCurve(config)# filter source-port named-filter web-only drop 2-26 ProCurve(config)# filter source-port named-filter accounting drop 1-6,8,9,12-26 ProCurve(config)# filter source-port named-filter no-incoming-web drop 7,10,11...
  • Page 269 Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter Traffic/Security Filters Indicates the port number or port- IDX Filter Type | Value trunk name of the source port or trunk --- ------------ + ------------------- assigned to the filter.
  • Page 270 Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 24 ProCurve(config)# show filter 4 Traffic/Security Filters Traffic/Security Filters Filter Type : Source Port Filter Type : Source Port Source Port : 10 Source Port : 5 Dest Port Type...
  • Page 271 Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter 26 Traffic/Security Filters Filter Type : Source Port Source Port : 1 Dest Port Type | Action --------- --------- + ------------------------ 10/100TX | Forward 10/100TX | Forward 10/100TX | Forward...
  • Page 272 The following revisions to the named source-port filter definitions maintain the desired network traffic management, as shown in the Action column of the show command. ProCurve(config)# filter source-port named-filter accounting forward 8,12,13 ProCurve(config)# filter source-port named-filter no-incoming-web drop 8,12,13 ProCurve(config)#...

  • Page 273: Static Multicast Filters

    Traffic/Security Filters and Monitors Filter Types and Operation ProCurve(config)# show filter source-port Traffic/Security Filters Filter Name | Port List | Action -------------------- + -------------------- + -------------------------- web-only | 2-6,9,14-26 | drop 2-26 accounting | 7-8,10-13 | drop 1-6,9,14-26 no-incoming-web | drop 7-8,10-13 ProCurve(config)# Figure 8-13.

  • Page 274: Protocol Filters

    Traffic/Security Filters and Monitors Filter Types and Operation Table 8-2. Multicast Filter Limits Max-VLANs Maximum # of Multicast Filters (Static and Setting IGMP Combined) 1 (the minimum) 8 (the default) 32 or higher N o t e s Per-Port IP Multicast Filters. The static multicast filters described in this section filter traffic having a multicast address you specify.

  • Page 275: Configuring Traffic/Security Filters

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Only one filter for a particular protocol type can be configured at any one time. For example, a separate protocol filter can be configured for each of the protocol types listed above, but only one of those can be an IP filter. Also, the destination ports for a protocol filter can be on different VLANs.

  • Page 276: Configuring A Source-Port Traffic Filter

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Configuring a Source-Port Traffic Filter Syntax: [no] filter [source-port < port-number | trunk-name>] Specifies one inbound port or trunk. Traffic received inbound on this interface from other devices will be filtered. The no form of the command deletes the source- port filter for <...

  • Page 277: Example Of Creating A Source-Port Filter

    10 and 11 while adding ports 16 and 17 to the "drop" list: ProCurve(config)# filter source-port 5 forward 10-11 drop 16-17 Configuring a Filter on a Port Trunk This operation uses the same command as is used for configuring a filter on an individual port.

  • Page 278: Editing A Source-Port Filter

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters filter on port 5, then create a trunk with ports 5 and 6, and display the results, you would see the following: The *5* shows that port 5 is configured for filtering, but the filtering action has been suspended while the port is a member of a trunk.

  • Page 279: Configuring A Multicast Or Protocol Traffic Filter

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Figure 8-15. Assigning Additional Destination Ports to an Existing Filter Configuring a Multicast or Protocol Traffic Filter Syntax: [no] filter [multicast < mac- address >] Specifies a multicast address. Inbound traffic received (on any port) with this multicast address will be filtered.

  • Page 280: Filter Indexing

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters For example, suppose you wanted to configure the filters in table 8-3 on a switch. (For more on source-port filters, refer to “Configuring a Source-Port Traffic Filter” on page 8-18.) Table 8-3. Filter Example Filter Type Filter Value Action...

  • Page 281: Displaying Traffic/Security Filters

    Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Displaying Traffic/Security Filters This command displays a listing of all filters by index number and also enables you to use the index number to display the details of individual filters. Syntax: show filter Lists the filters configured in the switch, with corresponding filter index (IDX) numbers.
  • Page 282 Traffic/Security Filters and Monitors Configuring Traffic/Security Filters Lists all filters configured in the switch. Filter Index Numbers Criteria for Individual (Automatically Assigned) Filters Uses the index number (IDX) for a specific filter to list the details for that filter only. Figure 8-17.

  • Page 283: Configuring Port-Based And User-Based Access Control (802.1X)

    Configuring Port-Based and User-Based Access Control (802.1X) Contents Overview ........... . . 9-4 Why Use Port-Based or User-Based Access Control? .
  • Page 284 Configuring Port-Based and User-Based Access Control (802.1X) Contents 3. Configure the 802.1X Authentication Method ....9-25 4. Enter the RADIUS Host IP Address(es) ..... . 9-26 5.
  • Page 285 Configuring Port-Based and User-Based Access Control (802.1X) Contents Operating Note ..........9-72 Messages Related to 802.1X Operation .

  • Page 286: Overview

    Configuring Port-Based and User-Based Access Control (802.1X) Overview Overview Feature Default Menu Configuring Switch Ports as 802.1X Authenticators Disabled page 9-19 Configuring 802.1X Open VLAN Mode Disabled page 9-31 Configuring Switch Ports to Operate as 802.1X Supplicants Disabled page 9-49 Displaying 802.1X Configuration, Statistics, and Counters page 9-53 How 802.1X Affects VLAN Operation...

  • Page 287: User Authentication Methods

    Configuring Port-Based and User-Based Access Control (802.1X) Overview • Port-Based access control option allowing authentication by a single client to open the port. This option does not force a client limit and, on a port opened by an authenticated client, allows unlimited client access without requiring further authentication.

  • Page 288: 802.1X Port-Based Access Control

    Configuring Port-Based and User-Based Access Control (802.1X) Overview This operation improves security by opening a given port only to individually authenticated clients, while simultaneously blocking access to the same port for clients that cannot be authenticated. All sessions must use the same untagged VLAN.

  • Page 289: Alternative To Using A Radius Server

    Configuring Port-Based and User-Based Access Control (802.1X) Terminology This operation unblocks the port while an authenticated client session is in progress. In topologies where simultaneous, multiple client access is possible this can allow unauthorized and unauthenticated access by another client while an authenticated client is using the port.
  • Page 290 Authenticator: In ProCurve applications, a switch that requires a supplicant to provide the proper credentials before being allowed access to the network.
  • Page 291 Configuring Port-Based and User-Based Access Control (802.1X) Terminology Static VLAN: A VLAN that has been configured as “permanent” on the switch by using the CLI vlan < vid > command or the Menu interface. Supplicant: The entity that must provide the proper credentials to the switch before receiving access to the network.

  • Page 292: General 802.1X Authenticator Operation

    Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation General 802.1X Authenticator Operation This operation provides security on a point-to-point link between a client and the switch, where both devices are 802.1X-aware. (If you expect desirable clients that do not have the necessary 802.1X supplicant software, you can provide a path for downloading such software by using the 802.1X Open VLAN mode—refer to “802.1X Open VLAN Mode”...

  • Page 293: Vlan Membership Priority

    Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation N o t e The switches covered in this guide can use either 802.1X port-based authen­ tication or 802.1X user-based authentication. For more information, refer to “User Authentication Methods” on page 9-5. VLAN Membership Priority Following client authentication, an 802.1X port resumes membership in any tagged VLANs for which it is already assigned in the switch configuration.
  • Page 294 Configuring Port-Based and User-Based Access Control (802.1X) General 802.1X Authenticator Operation New Client Authenticated Another Assign New Client (Old) Client RADIUS- to RADIUS- Already Using Assigned Specified VLAN Port VLAN? Authorized Client VLAN Assign New Client Accept New Client VLAN Same As Old to Authorized VLAN Configured?

  • Page 295: General Operating Rules And Notes

    Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes General Operating Rules and Notes ■ In the user-based mode, when there is an authenticated client on a port, the following traffic movement is allowed: • Multicast and broadcast traffic is allowed on the port. •...
  • Page 296 Configuring Port-Based and User-Based Access Control (802.1X) General Operating Rules and Notes If a port on switch “A” is configured as an 802.1X supplicant and is ■ connected to a port on another switch, “B”, that is not 802.1X-aware, access to switch “B” will occur without 802.1X security protection. ■...

  • Page 297: General Setup Procedure For 802.1X Access Control

    1. Configure a local username and password on the switch for both the Operator (login) and Manager (enable) access levels. (While this may or may not be required for your 802.1X configuration, ProCurve recommends that you use a local username and password pair at least until your other security measures are in place.)
  • Page 298 Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control ProCurve(config)# password port-access user-name Jim secret3 Figure 9-2. Example of the Password Port-Access Command You can save the port-access password for 802.1X authentication in the configuration file by using the include-credentials command. For more infor­...
  • Page 299 Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control 3. Determine whether to use user-based access control (page 9-5) or port- based access control (page 9-6). 4. Determine whether to use the optional 802.1X Open VLAN mode for clients that are not 802.1X-aware;...

  • Page 300: Overview: Configuring 802.1X Authentication On The Switch

    Configuring Port-Based and User-Based Access Control (802.1X) General Setup Procedure for 802.1X Access Control Overview: Configuring 802.1X Authentication on the Switch This section outlines the steps for configuring 802.1X on the switch. For detailed information on each step, refer to the following: “802.1X User-Based Access Control”...

  • Page 301: Configuring Switch Ports As 802.1X Authenticators

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators N o t e If you want to implement the optional port security feature (step 7) on the switch, you should first ensure that the ports you have configured as 802.1X authenticators operate as expected.

  • Page 302: Enable 802.1X Authentication On Selected Ports

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 1. Enable 802.1X Authentication on Selected Ports This task configures the individual ports you want to operate as 802.1X authenticators for point-to-point links to 802.1X-aware clients or switches, and consists of two steps: A.

  • Page 303: Specify User-Based Authentication Or Return To Port-Based Authentication

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators B. Specify User-Based Authentication or Return to Port- Based Authentication User-Based 802.1X Authentication. Syntax: aaa port-access authenticator client-limit < port-list > < 1 - 32 > Used after executing aaa port-access authenticator < port-list > (above) to convert authentication from port-based to user- based.

  • Page 304: Example: Configuring User-Based 802.1X Authentication

    This example enables ports A10-A12 to operate as authenticators, and then configures the ports for user-based authentication. ProCurve(config)# aaa port-access authenticator a10-A12 ProCurve(config)# aaa port-access authenticator a10-A12 client-limit 4 Figure 9-4. Example of Configuring User-Based 802.1X Authentication Example: Configuring Port-Based 802.1X Authentication This example enables ports A13-A15 to operate as authenticators, and then configures the ports for port-based authentication.
  • Page 305 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).
  • Page 306 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [quiet-period < 0 - 65535 >] Sets the period during which the port does not try to acquire a supplicant. The period begins after the last attempt authorized by the max-requests parameter fails (next page).
  • Page 307 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators [reauth-period < 0 - 9999999 >] Sets the period of time after which clients connected must be re-authenticated. When the timeout is set to 0 the reauthentication is disabled (Default: 0 second) [unauth-vid <...

  • Page 308: Configure The 802.1X Authentication Method

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 3. Configure the 802.1X Authentication Method This task specifies how the switch authenticates the credentials provided by a supplicant connected to a switch port configured as an 802.1X authenticator You can configure local, chap-radius or eap-radius as the primary password authentication method for the port-access method.

  • Page 309: Enter The Radius Host Ip Address(Es)

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 4. Enter the RADIUS Host IP Address(es) If you select either eap-radius or chap-radius for the authentication method, configure the switch to use 1, 2, or 3 RADIUS servers for authentication. The following syntax shows the basic commands.

  • Page 310: Optional: Reset Authenticator Operation

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators 6. Optional: Reset Authenticator Operation While 802.1X authentication is operating, you can use the following aaa port- access authenticator commands to reset 802.1X authentication and statistics on specified ports. Syntax: aaa port-access authenticator <...

  • Page 311: Wake-On-Lan Traffic

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports as 802.1X Authenticators The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid ■ Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network. For information on how to configure the prerequisites for using the aaa port- access controlled-directions in command, see Chapter 4, “Multiple Instance Spanning-Tree Operation”...

  • Page 312: Example: Configuring 802.1X Controlled Directions

    802.1X authenticated state and successfully authenticates a client device. ProCurve(config)# aaa port-access authenticator a10 ProCurve(config)# aaa authentication port-access eap-radius ProCurve(config)# aaa port-access authenticator active ProCurve(config)# aaa port-access a10 controlled-directions in Figure 9-7. Example of Configuring 802.1X Controlled Directions 9-30...

  • Page 313: 802.1X Open Vlan Mode

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Open VLAN Mode 802.1X Authentication Commands page 9-19 802.1X Supplicant Commands page 9-51 802.1X Open VLAN Mode Commands [no] aaa port-access authenticator < port-list > page 9-45 [auth-vid < vlan-id >] [unauth-vid <...

  • Page 314: Vlan Membership Priorities

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note On ports configured to allow multiple sessions using 802.1X user-based access control, all clients must use the same untagged VLAN. On a given port where there are no currently active, authenticated clients, the first authenticated client determines the untagged VLAN in which the port will operate for all subsequent, overlapping client sessions.

  • Page 315: Use Models For 802.1X Open Vlan Modes

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode N o t e After client authentication, the port resumes membership in any tagged VLANs for which it is configured. If the port is a tagged member of a VLAN used for 1 or 2 listed above, then it also operates as an untagged member of that VLAN while the client is connected.
  • Page 316 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Table 9-1. 802.1X Open VLAN Mode Options 802.1X Per-Port Configuration Port Response No Open VLAN mode: The port automatically blocks a client that cannot initiate an authentication session. Open VLAN mode with both of the following configured: Unauthorized-Client VLAN • When the port detects a client without 802.1X supplicant capability, it automatically becomes an untagged member of this...
  • Page 317 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Authorized-Client VLAN • After client authentication, the port drops membership in the Unauthorized-Client VLAN and becomes an untagged member of this VLAN. Notes: If the client is running an 802.1X supplicant application when the authentication session begins, and is able to authenticate itself before the switch assigns the port to the Unauthorized-Client VLAN, then the port does not become a...
  • Page 318 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Unauthorized-Client VLAN Configured: • When the port detects a client, it automatically becomes an untagged member of this VLAN. To limit security risks, the network services and access available on this VLAN should include only what a client needs to enable an authentication session.
  • Page 319 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 802.1X Per-Port Configuration Port Response Open VLAN Mode with Only an Authorized-Client VLAN Configured: • Port automatically blocks a client that cannot initiate an authentication session. • If the client successfully completes an authentication session, the port becomes an untagged member of this VLAN.

  • Page 320: Operating Rules For Authorized-Client And Unauthorized-Client Vlans

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Operating Rules for Authorized-Client and Unauthorized-Client VLANs Condition Rule Static VLANs used as Authorized- These must be configured on the switch before you configure an Client or Unauthorized-Client VLANs 802.1X authenticator port to use them.
  • Page 321 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of Unauthorized-Client VLAN • When an unauthenticated client connects to a port that is already configured with a static, untagged VLAN, the switch temporarily session on untagged port VLAN moves the port to the Unauthorized-Client VLAN (also untagged).
  • Page 322 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Effect of RADIUS-assigned VLAN The port joins the RADIUS-assigned VLAN as an untagged member. This rule assumes no other authenticated clients are already using the port on a different VLAN.
  • Page 323 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Condition Rule Note: Limitation on Using an You can optionally enable switches to allow up to 32 clients per-port. Unauthorized-Client VLAN on an The Unauthorized-Client VLAN feature can operate on an 802.1X­ 802.1X Port Configured to Allow configured port regardless of how many clients the port is configured Multiple-Client Access...

  • Page 324: Setting Up And Configuring 802.1X Open Vlan Mode

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Setting Up and Configuring 802.1X Open VLAN Mode Preparation. This section assumes use of both the Unauthorized-Client and Authorized-Client VLANs. Refer to Table 9-1 on page 9-34 for other options. Before you configure the 802.1X Open VLAN mode on a port: ■...
  • Page 325 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Note that as an alternative, you can configure the switch to use local password authentication instead of RADIUS authentication. However, this is less desirable because it means that all clients use the same passwords and have the same access privileges.
  • Page 326 Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode 3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to configure up to three RADIUS server IP address(es) on the switch. Syntax: radius host < ip-address > Adds a server to the RADIUS configuration.
  • Page 327 Configures the switch to look for a RADIUS server with an IP address of 10.28.127.101 and an encryption key of rad4all. ProCurve(config)# aaa port-access authenticator e a10-a20 unauth-vid 80 Configures ports A10 - A20 to use VLAN 80 as the Unauthorized-Client VLAN.

  • Page 328: 802.1X Open Vlan Operating Notes

    Configuring Port-Based and User-Based Access Control (802.1X) 802.1X Open VLAN Mode Inspecting 802.1X Open VLAN Mode Operation. For information and an example on viewing current Open VLAN mode operation, refer to “Viewing 802.1X Open VLAN Mode Status” on page 9-62. 802.1X Open VLAN Operating Notes ■...

  • Page 329: Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices

    Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices The first client to authenticate on a port configured to support multiple ■ clients will determine the port’s VLAN membership for any subsequent clients that authenticate while an active session is already in effect.

  • Page 330: Port-Security

    Configuring Port-Based and User-Based Access Control (802.1X) Option For Authenticator Ports: Configure Port-Security To Allow Only 802.1X-Authenticated Devices Port-Security N o t e If 802.1X port-access is configured on a given port, then port-security learn- mode for that port must be set to either continuous (the default) or port-access. In addition to the above, to use port-security on an authenticator port (chapter 10), use the per-port client-limit option to control how many MAC addresses of 802.1X-authenticated devices the port is allowed to learn.

  • Page 331: Configuring Switch Ports To Operate As Supplicants For 802.1X Connections To Other Switches

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 802.1X Authentication Commands page 9-19 802.1X Supplicant Commands [no] aaa port-access <...
  • Page 332 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches 1. When port A1 on switch “A” is first connected to a port on switch “B”, or if the ports are already connected and either switch reboots, port A1 begins sending start packets to port B5 on switch “B”.

  • Page 333: Supplicant Port Configuration

    Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches Supplicant Port Configuration Enabling a Switch Port as a Supplicant. You can configure a switch port as a supplicant for a point-to-point link to an 802.1X-aware port on another switch.
  • Page 334 Configuring Port-Based and User-Based Access Control (802.1X) Configuring Switch Ports To Operate As Supplicants for 802.1X Connections to Other Switches aaa port-access supplicant [ethernet] < port-list > (Syntax Continued) [secret] Enter secret: < password > Repeat secret: < password > Sets the secret password to be used by the port supplicant when an MD5 authentication request is received from an authenticator.

  • Page 335: Displaying 802.1X Configuration, Statistics, And Counters

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Displaying 802.1X Configuration, Statistics, and Counters 802.1X Authentication Commands page 9-19 802.1X Supplicant Commands page 9-49 802.1X Open VLAN Mode Commands page 9-31 802.1X-Related Show Commands show port-access authenticator page 9-54 show port-access authenticator config page 9-55...
  • Page 336 Information on ports not enabled for 802.1X port-access authentication is not displayed. ProCurve(config)# show port-access authenticator Port Access Authenticator Status Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes...
  • Page 337 802.1X configuration information for ports that are not enabled as 802.1X authenticators is not displayed. ProCurve(config)# show port-access authenticator config Port Access Authenticator Configuration Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No...
  • Page 338 Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Table 9-2. Field Descriptions of show port-access authenticator config Command Output (Figure 9-11) Field Description Port-access Whether 802.1X authentication is enabled or disabled on specified port(s). authenticator activated Port Port number on switch.
  • Page 339 802.1X configuration information for ports that are not enabled as an 802.1X authenticators is not displayed. ProCurve(config)# show port-access authenticator statistics Port Access Authenticator Statistics Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No...
  • Page 340 <username> command (see page 13-49). 802.1X configuration information for ports that are not enabled as an 802.1X authenticators is not displayed. ProCurve(config)# show port-access authenticator session-counters Port Access Authenticator Session Counters Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No...
  • Page 341 802.1X configuration information for ports that are not enabled as an 802.1X authenticators is not displayed. ProCurve(config)# show port-access authenticator vlan Port Access Authenticator VLAN Configuration Port-access authenticator activated [No] : Yes Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No...
  • Page 342 The IP address displayed is taken from the DHCP binding table. • If an 802.1X-authenticated client uses an IPv6 address, n/a - IPv6 is displayed. ProCurve (config)# show port-access authenticator clients Port Access Authenticator Client Status Port Client Name MAC Address...
  • Page 343 Syntax: show port-access authenticator clients <port-list> detailed Displays detailed information on the status of 802.1X­ authenticated client sessions on specified ports. ProCurve (config)# show port-access authenticator clients 5 detailed Port Access Authenticator Client Status Detailed Client Base Details : Port...

  • Page 344: Viewing 802.1X Open Vlan Mode Status

    You can examine the switch’s current VLAN status by using the show port- access authenticator vlan and show port-access authenticator < port-list > com­ mands as illustrated in figure 9-17. ProCurve (config)# show port-access authenticator vlan Port Access Authenticator VLAN Configuration Port-access authenticator activated [No]: Yes...
  • Page 345 Displays the port status for the selected VLAN, including an indication of which port memberships have been temporarily overridden by Open VLAN mode. ProCurve (config)# show vlan 1 Status and Counters - VLAN Information - VLAN 1 VLAN ID : 1...

  • Page 346: Show Commands For Port-Access Supplicant

    Configuring Port-Based and User-Based Access Control (802.1X) Displaying 802.1X Configuration, Statistics, and Counters Show Commands for Port-Access Supplicant Syntax: show port-access supplicant [< port-list >] [statistics] show port-access supplicant [< port-list >] Shows the port-access supplicant configuration (excluding the secret parameter) for all ports or < port- list >...

  • Page 347: How Radius/802.1X Authentication Affects Vlan Operation

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation supplicant port to another without clearing the statistics data from the first port, the authenticator’s MAC address will appear in the supplicant statistics for both ports. How RADIUS/802.1X Authentication Affects VLAN Operation Static VLAN Requirement.

  • Page 348: Vlan Assignment On A Port

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation N o t e You can use 802.1X (port-based or client-based) authentication and either Web or MAC authentication at the same time on a port, with a maximum of 32 clients allowed on the port.
  • Page 349 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation • If the port is assigned as a member of an untagged dynamic VLAN that was learned through GVRP, the dynamic VLAN configuration must exist on the switch at the time of authentication and GVRP- learned dynamic VLANs for port-access authentication must be enabled.

  • Page 350: Example Of Untagged Vlan Assignment In A Radius-Based Authentication Session

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation If this temporary VLAN assignment causes the switch to disable a different untagged static or dynamic VLAN configured on the port (as described in the preceding bullet and in “Example of Untagged VLAN Assignment in a RADIUS-Based Authentication Session”...
  • Page 351 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation For example, suppose that a RADIUS-authenticated, 802.1X-aware client on port A2 requires access to VLAN 22, but VLAN 22 is configured for no access on port A2, and VLAN 33 is configured as untagged on port A2: Scenario: An authorized 802.1X client requires access...
  • Page 352 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation This entry shows that port A2 is temporarily untagged on VLAN 22 for an 802.1X session. This is to accommodate an 802.1X client’s access, authenticated by a RADIUS server, where the server included an instruction to put the client’s access on VLAN 22.

  • Page 353: Enabling The Use Of Gvrp-Learned Dynamic Vlans In Authentication Sessions

    Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation When the 802.1X client’s session on port A2 ends, the port removes the temporary untagged VLAN membership. The static VLAN (VLAN 33) that is “permanently” configured as untagged on the port becomes available again.
  • Page 354 Configuring Port-Based and User-Based Access Control (802.1X) How RADIUS/802.1X Authentication Affects VLAN Operation Syntax: aaa port-access gvrp-vlans —Continued— 2. After you enable dynamic VLAN assignment in an authen­ tication session, it is recommended that you use the interface unknown-vlans command on a per-port basis to prevent denial-of-service attacks.

  • Page 355: Operating Note

    Configuring Port-Based and User-Based Access Control (802.1X) Operating Note Operating Note Applying Web Authentication or MAC Authentication Concurrently with Port-Based 802.1X Authentication: While 802.1X port-based access control can operate concurrently with Web Authentication or MAC Authenti­ cation, port-based access control is subordinate to Web-Auth and MAC-Auth operation.

  • Page 356: Messages Related To 802.1X Operation

    The ports in the port list have not been enabled as 802.1X Port authenticators. Use this command to enable the ports as authenticators: ProCurve(config)# aaa port-access authenticator e 10 < port-list > Occurs when there is an attempt to change the supplicant Port is not a supplicant.

  • Page 357: Configuring And Monitoring Port Security

    Configuring and Monitoring Port Security Contents Overview ........... . 10-3 Port Security .
  • Page 358 Configuring and Monitoring Port Security Contents Web: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags ......10-39 Operating Notes for Port Security .

  • Page 359: Overview

    Configuring and Monitoring Port Security Overview Overview Feature Default Menu Displaying Current Port Security — page 10-8 page 10-32 Configuring Port Security disabled — page 10-12 page 10-32 Retention of Static Addresses — page 10-16 MAC Lockdown disabled — page 10-22 MAC Lockout disabled —...

  • Page 360: Port Security

    Alert flags that are captured by network management tools such as ■ ProCurve Manager (PCM and PCM+) ■ Alert Log entries in the switch’s web browser interface Event Log entries in the console interface ■...

  • Page 361: Eavesdrop Protection

    Configuring and Monitoring Port Security Port Security • Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices.) •...

  • Page 362: Trunk Group Exclusion

    Configuring and Monitoring Port Security Port Security configuration to ports on which hubs, switches, or other devices are connected, and to maintain security while also maintaining network access to authorized users. For example: Physical Topology Logical Topology for Access to Switch A Switch A Switch A Port Security...

  • Page 363: Planning Port Security

    Configuring and Monitoring Port Security Port Security Planning Port Security 1. Plan your port security configuration and monitoring according to the following: a. On which ports do you want port security? b. Which devices (MAC addresses) are authorized on each port? c. For each port, what security actions do you want? (The switch automatically blocks intruders detected on that port from transmit­...

  • Page 364: Port Security Command Options And Operation

    Configuring and Monitoring Port Security Port Security Port Security Command Options and Operation Port Security Commands Used in This Section show port-security 10-9 show mac-address port-security 10-12 < port-list > 10-12 learn-mode 10-12 address-limit 10-15 mac-address 10-15 action 10-16 clear-intrusion-flag 10-16 no port-security 10-16...
  • Page 365 Configuring and Monitoring Port Security Port Security Displaying Port Security Settings. Syntax: show port-security show port-security <port number> show port-security [<port number>-<port number>]. . .[,<port number>] The CLI uses the same command to provide two types of port security listings: • All ports on the switch with their Learn Mode and (alarm) Action • Only the specified ports with their Learn Mode, Address...
  • Page 366 Note that no spaces are allowed in the port number portion of the command string: ProCurve(config)# show port-security A1-A3,A6,A8 Listing Authorized and Detected MAC Addresses. Syntax: show mac-address [ port-list | mac-address | vlan < vid >] Without an optional parameter, show mac-address lists the authorized MAC addresses that the switch detects on all ports.
  • Page 367 Configuring and Monitoring Port Security Port Security Figure 10-4. Examples of Show Mac-Address Outputs 10-11...

  • Page 368: Configuring Port Security

    Configuring and Monitoring Port Security Port Security Configuring Port Security Using the CLI, you can: ■ Configure port security and edit security settings. Add or delete devices from the list of authorized addresses for one or more ■ ports. Clear the Intrusion flag on specific ports ■...
  • Page 369 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port.
  • Page 370 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) learn-mode < continuous | static | port-access | configured | limited- continuous > (Continued) Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device to become “authorized”.
  • Page 371 Configuring and Monitoring Port Security Port Security Syntax: port-security (Continued) Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system-information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces.

  • Page 372: Retention Of Static Addresses

    Configuring and Monitoring Port Security Port Security action < none | send-alarm | send-disable > Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port.
  • Page 373 1.) It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port. ProCurve(config)# port-security a1 learn-mode static action send-disable The next example does the same as the preceding example, except that it...
  • Page 374 Send an alarm to a management station if an intruder is detected on the ■ port, but allow the intruder access to the network. ProCurve(config)# port-security a5 learn-mode static address-limit 2 mac-address 00c100-7fec00 0060b0-889e00 action send-alarm If you manually configure authorized devices (MAC addresses) and/or an alarm action on a port, those settings remain unless you either manually change them or the switch is reset to its factory-default configuration.
  • Page 375 MAC address with a single command. For example, suppose port A1 allows one authorized device and already has a device listed: ProCurve(config) show port-security a1 Port Security Port : A1 Learn Mode [Continuous] : Static...
  • Page 376 A1 that raises the address limit to 2 and specifies the additional device’s MAC address. For example: ProCurve(config)# port-security a1 mac-address 0c0090- 456456 address-limit 2 Removing a Device From the “Authorized” List for a Port. This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list.
  • Page 377 The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1: ProCurve(config)# port-security a1 address-limit 1 ProCurve(config)# no port-security a1 mac-address 0c0090- 123456 The above command sequence results in the following configuration for port Figure 10-9. Example of Port A1 After Removing One MAC Address...

  • Page 378: Mac Lockdown

    Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown MAC Lockdown, also known as “static addressing,” is the permanent assign­ ment of a given MAC address (and VLAN, or Virtual Local Area Network) to a specific port on the switch. MAC Lockdown is used to prevent station movement and MAC address hijacking.

  • Page 379: Differences Between Mac Lockdown And Port Security

    Configuring and Monitoring Port Security MAC Lockdown If the device (computer, PDA, wireless device) is moved to a different port on the switch (by reconnecting the Ethernet cable or by moving the device to an area using a wireless access point connected to a different port on that same switch), the port will detect that the MAC Address is not on the appropriate port and will continue to send traffic out the port to which the address was locked.

  • Page 380: Mac Lockdown Operating Notes

    Configuring and Monitoring Port Security MAC Lockdown MAC Lockdown, on the other hand, is not a “list.” It is a global parameter on the switch that takes precedence over any other security mechanism. The MAC Address will only be allowed to communicate using one specific port on the switch.

  • Page 381: Deploying Mac Lockdown

    Configuring and Monitoring Port Security MAC Lockdown These messages in the log file can be useful for troubleshooting problems. If you are trying to connect a device which has been locked down to the wrong port, it will not work but it will generate error messages like this to help you determine the problem.
  • Page 382 Server “A” Core Switch Switch Network There is no need to lock MAC addresses on switches in the internal core network. 2900 Switch 2900 Switch Network Edge Lock Server “A” to these ports. Switch 1 Switch 1 Edge Devices Mixed Users Figure 10-10.MAC Lockdown Deployed At the Network Edge Provides Security...
  • Page 383 Configuring and Monitoring Port Security MAC Lockdown The key points for this Model Topology are: • The Core Network is separated from the edge by the use of switches which have been “locked down” for security. • All switches connected to the edge (outside users) each have only one port they can use to connect to the Core Network and then to Server A.
  • Page 384 Configuring and Monitoring Port Security MAC Lockdown Internal Network PROBLEM: If this link fails, Server A traffic to Server A will not use the backup path via Switch 3 Switch 3 Switch 4 Server A is locked down to Switch 1, Uplink 2 Switch 2 Switch 1 External...

  • Page 385: Mac Lockout

    Configuring and Monitoring Port Security MAC Lockout MAC Lockout MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any traffic to or from the “locked-out” MAC address will be dropped. This means that all data packets addressed to or from the given address are stopped by the switch.
  • Page 386 Configuring and Monitoring Port Security MAC Lockout MAC Lockout overrides MAC Lockdown, port security, and 802.1X authenti­ cation. You cannot use MAC Lockout to lock: • Broadcast or Multicast Addresses (Switches do not learn these) • Switch Agents (The switch’s own MAC Address) There are limits for the number of VLANs, Multicast Filters, and Lockout MACs that can be configured concurrently as all use MAC table entries.

  • Page 387: Port Security And Mac Lockout

    Configuring and Monitoring Port Security MAC Lockout Port Security and MAC Lockout MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable to port-security to stop access from known devices because it can be configured for all ports on the switch with one command. It is possible to use MAC Lockout in conjunction with port-security.

  • Page 388: Web: Displaying And Configuring Port Security Features

    Configuring and Monitoring Port Security Web: Displaying and Configuring Port Security Features Web: Displaying and Configuring Port Security Features 1. Click on the Security tab. 2. Click on [Port Security] 3. Select the settings you want and, if you are using the Static Learn Mode, add or edit the Authorized Addresses field.

  • Page 389: How The Intrusion Log Operates

    The Intrusion Log in the Security | Intrusion Log window lists per-port security violation entries • In network management applications such as ProCurve Manager via an SNMP trap sent to a network management station How the Intrusion Log Operates When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log.

  • Page 390: Keeping The Intrusion Log Current By Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags The log shows the most recent intrusion at the top of the listing. You cannot delete Intrusion Log entries (unless you reset the switch to its factory-default configuration). Instead, if the log is filled when the switch detects a new intrusion, the oldest entry is dropped off the listing and the newest entry appears at the top of the listing.

  • Page 391: Menu: Checking For Intrusions, Listing Intrusion Alerts, And Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Menu: Checking for Intrusions, Listing Intrusion Alerts, and Resetting Alert Flags The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen. From the Main Menu select: 1.

  • Page 392: Cli: Checking For Intrusions, Listing Intrusion Alerts, And Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags • Because the Port Status screen (figure 10-13 on page 10-35) does not indicate an intrusion for port A1, the alert flag for the intru­ sion on port A1 has already been reset. •...
  • Page 393 Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags clear intrusion-flags Clear intrusion flags on all ports. port-security [e] < port-number > clear-intrusion-flag Clear the intrusion flag on one or more specific ports. In the following example, executing show interfaces brief lists the switch’s port status, which indicates an intrusion alert on port A1.

  • Page 394: Using The Event Log To Find Intrusion Alerts

    Intrusion Alert entry for port A1 has changed to “No”. (Executing show port-security intrusion-log again will result in the same display as above, and does not include the Intrusion Alert status.) ProCurve(config)# port-security a1 clear-intrusion-flag ProCurve(config)# show interfaces brief Intrusion Alert on port A1 is now Figure 10-17.Example of Port Status Screen After Alert Flags Reset...

  • Page 395: Web: Checking For Intrusions, Listing Intrusion Alerts, And Resetting Alert Flags

    Configuring and Monitoring Port Security Reading Intrusion Alerts and Resetting Alert Flags Log Command Log Listing with with Security Violation “security” for Detected Search Log Listing with No Security Violation Detected Figure 10-18.Example of Log Listing With and Without Detected Security Violations From the Menu Interface: In the Main Menu, click on 4.

  • Page 396: Operating Notes For Port Security

    Operating Notes for Port Security Identifying the IP Address of an Intruder. The Intrusion Log lists detected intruders by MAC address. If you are using ProCurve Manager to manage your network, you can use the device properties page to link MAC addresses to their corresponding IP addresses.
  • Page 397 Configuring and Monitoring Port Security Operating Notes for Port Security ProCurve(config)# port-security e a17 learn-mode static address-limit 2 LACP has been disabled on secured port(s). ProCurve(config)# The switch will not allow you to configure LACP on a port on which port security is enabled.
  • Page 398 Configuring and Monitoring Port Security Operating Notes for Port Security 10-42...
  • Page 399 Using Authorized IP Managers Contents Overview ........... . 11-2 Options .

  • Page 400: Using Authorized Ip Managers

    Using Authorized IP Managers Overview Overview Authorized IP Manager Features Feature Default Menu Listing (Showing) Authorized page 11-5 page 11-6 page 11-9 Managers Configuring Authorized IP None page 11-5 page 11-6 page 11-9 Managers Building IP Masks page 11-10 page 11-10 page 11-10 Operating and Troubleshooting page 11-13 page 11-13 page 11-13 Notes...

  • Page 401: Options

    Using Authorized IP Managers Options Options You can configure: ■ Up to 10 authorized manager addresses, where each address applies to either a single management station or a group of stations Manager or Operator access privileges (for Telnet, SNMPv1, and ■...

  • Page 402: Defining Authorized Management Stations

    Using Authorized IP Managers Defining Authorized Management Stations Defining Authorized Management Stations Authorizing Single Stations: The table entry authorizes a single man­ ■ agement station to have IP access to the switch. To use this method, just enter the IP address of an authorized management station in the Autho­ rized Manager IP column, and leave the IP Mask set to 255.255.255.255.

  • Page 403: Menu: Viewing And Configuring Ip Authorized Managers

    Using Authorized IP Managers Defining Authorized Management Stations rized Manager IP address to authorize four IP addresses for management station access. The details on how to use IP masks are provided under “Building IP Masks” on page 11-10. N o t e The IP Mask is a method for recognizing whether a given IP address is authorized for management access to the switch.

  • Page 404: Cli: Viewing And Configuring Authorized Ip Managers

    Using Authorized IP Managers Defining Authorized Management Stations 2. Enter an Authorized Manager IP address here. 3. Use the default mask to allow access by one management device, or edit the mask to allow access by a block of management devices. See “Building IP Masks”...

  • Page 405: Configuring Ip Authorized Managers For The Switch

    IP address of 10.28.227.0 through 10.28.227.255: ProCurve(conf )# ip authorized-managers 10.28.227.101 255.255.255.0 access manager Similarly, the next command authorizes manager-level access for any station having an IP address of 10.28.227.101 through 103: ProCurve(config)# ip authorized-managers 10.28.227.101 255.255.255.252 access manager 11-7...
  • Page 406 ProCurve(config)# ip authorized-managers 10.28.227.101 To Delete an Authorized Manager Entry. This command uses the IP address of the authorized manager you want to delete: ProCurve(config)# no ip authorized-managers 10.28.227.101 11-8...

  • Page 407: Web: Configuring Ip Authorized Managers

    Using Authorized IP Managers Web: Configuring IP Authorized Managers Web: Configuring IP Authorized Managers In the web browser interface you can configure IP Authorized Managers as described below. To Add, Modify, or Delete an IP Authorized Manager address: 1. Click on the Security tab. 2. Click on [Authorized Addresses].

  • Page 408: Using A Web Proxy Server To Access The Web Browser Interface

    Using Authorized IP Managers Building IP Masks Using a Web Proxy Server to Access the Web Browser Interface C a u t i o n This is NOT recommended. Using a web proxy server between the stations and the switch poses a security risk. If the station uses a web proxy server to connect to the switch, any proxy user can access the switch.

  • Page 409: Configuring Multiple Stations Per Authorized Manager Ip Entry

    Using Authorized IP Managers Building IP Masks Table 11-1. Analysis of IP Mask for Single-Station Entries Manager-Level or Operator-Level Device Access Octet Octet Octet Octet IP Mask The “255” in each octet of the mask specifies that only the exact value in that octet of the corresponding IP address is allowed.
  • Page 410 Using Authorized IP Managers Building IP Masks Table 11-2. Analysis of IP Mask for Multiple-Station Entries Manager-Level or Operator-Level Device Access Octet Octet Octet Octet IP Mask The “255” in the first three octets of the mask specify that only the exact value in the octet of the corresponding IP address is allowed.

  • Page 411: Additional Examples For Authorizing Multiple Stations

    Using Authorized IP Managers Operating Notes Additional Examples for Authorizing Multiple Stations Entries for Authorized Results Manager List IP Mask 255 255 0 This combination specifies an authorized IP address of 10.33.xxx.1. It could be applied, for example, to a subnetted network where each subnet is defined by the Authorized 248 1 third octet and includes a management station defined by the value of “1”...
  • Page 412 Using Authorized IP Managers Operating Notes uses the web proxy server. The following two options outline how to eliminate a web proxy server from the path between a station and the switch: • Even if you need proxy server access enabled in order to use other applications, you can still eliminate proxy service for web access to the switch.
  • Page 413 Key Management System Contents Overview ........... . 12-2 Terminology .

  • Page 414: Key Management System

    Key Management System Overview Overview The switches covered in this guide provide support for advanced routing capabilities. Security turns out to be extremely important as complex net­ works and the internet grow and become a part of our daily life and business. This fact forces protocol developers to improve security mechanisms employed by their protocols, which in turn becomes an extra burden for system administrators who have to set up and maintain them.

  • Page 415: Configuring Key Chain Management

    Key Management System Configuring Key Chain Management Configuring Key Chain Management KMS-Related CLI Commands in This Section Page show key-chain < chain_name > page 12-3 [ no ] key-chain chain_name page 12-3 [ no ] key-chain chain_name key Key_ID page 12-4 The Key Management System (KMS) has three configuration steps: 1. Create a key chain entry.

  • Page 416: Assigning A Time-Independent Key To A Chain

    Key Management System Configuring Key Chain Management For example, to generate a new key chain entry: Add new key chain Entry “Procurve1”. Display key chain entries. Figure 12-1. Adding a New Key Chain Entry After you add an entry, you can assign key(s) to it for use by a KMS-enabled protocol.

  • Page 417: Assigning Time-Dependent Keys To A Chain

    Key Management System Configuring Key Chain Management For example, to generate a new time-independent key for the Procurve1 key chain entry: Adds a new Time-Independent key to the “Procurve1” chain. Displays keys in the key chain entry. Figure 12-2. Example of Adding and Displaying a Time-Independent Key to a Key Chain Entry Assigning Time-Dependent Keys to a Chain A time-dependent key has Accept or Send time constraints.
  • Page 418 Key Management System Configuring Key Chain Management Specifies the time period during which the switch can use this key to authenticate inbound packets. Duration is either an end date and time or the number of seconds to allow after the start date and time (which is the accept-lifetime setting).
  • Page 419 Key Management System Configuring Key Chain Management Note Given transmission delays and the variations in the time value from switch to switch, it is advisable to include some flexibility in the Accept lifetime of the keys you configure. Otherwise, the switch may disregard some packets because either their key has expired while in transport or there are significant time variations between switches.
  • Page 420 Key Management System Configuring Key Chain Management The “Procurve1” key chain entry is a time-independent key and will not expire. “Procurve2” uses time-dependent keys, which result in this data: Expired = 1 Key 1 has expired because its lifetime ended at 8:10 on 01/18/03, the previous day.

  • Page 421: Index

    Index Numerics enabling on ports … 9-20 enabling on switch … 9-26 3DES … 6-3, 7-3 features … 9-4 802.1X access control force authorized … 9-22 authenticate users … 9-6 force unauthorized … 9-22 authentication methods … 9-5 general setup … 9-15 authentication, local …...
  • Page 422 access … 9-5 supplicant-timeout … 9-23 client without authentication … 9-6 terminology … 9-7 effect of Web/MAC Auth client … 9-72 traffic flow on unathenticated ports … 9-28 enable … 9-20, 9-47 troubleshooting, gvrp … 9-64, 9-65, 9-66 latest client, effect … 9-6 trunked port blocked …...
  • Page 423 untagged membership … 9-21 definitions of single and multiple … 11-4 VLAN operation … 9-64 effect of duplicate IP addresses … 11-13 VLAN use, multiple clients … 9-8 IP mask for multiple stations … 11-11 VLAN, assignment conflict … 5-31, 9-13 IP mask for single station …...
  • Page 424 IP multicast address range … 8-16 include credentials Eavesdrop Protection … 10-4 See security credentials … 2-11 encryption key inconsistent value, message … 10-19 RADIUS … 2-12, 2-16 interface TACACS … 2-12, 2-15 unknown-vlans command … 9-71 event log intrusion alarms intrusion alerts …...
  • Page 425 hierarchy of precedence in authentication session … 1-12 MAC auth overview … 1-13 port access … 9-5 MAC Authentication authenticator operation … 3-6 blocked traffic … 3-3 open VLAN mode CHAP See 802.1X access control. defined … 3-11 OpenSSH … 6-3 usage …...
  • Page 426 … 5-13 See SSH. login privilege-mode, application options … 5-14 privilege-mode … 4-11 login-privilege mode … 5-13 ProCurve Manager … 1-11, 10-4 manager access denied … 5-14 protocol filters … 8-16 manager access privilege … 5-13 proxy manager access privilege, service type web server …...
  • Page 427 SNMP access security not supported … 5-4 viewing in startup configuration … 2-19 statistics, viewing … 5-42 when SNMPv3 credentials in downloaded file terminology … 5-5 are not supported … 2-21 TLS … 5-6 security violations Tunnel-Type atttribute … 5-32 notices of …...
  • Page 428 keys, zeroing … 6-11 generating Host Certificate … 7-8 key-size … 6-17 host key pair … 7-9 known-host file … 6-13, 6-15 key, babble … 7-12 man-in-the-middle spoofing … 6-16 key, fingerprint … 7-12 messages, operating … 6-28 man-in-the-middle spoofing … 7-18 OpenSSH …...
  • Page 429 configuration, timeout … 4-23 configuration, viewing … 4-10 USB encryption key … 4-6, 4-18, 4-19, 4-22 autorun and passwords … 2-5 encryption key exclusion … 4-29 user name encryption key, general operation … 4-26 cleared … 2-7 encryption key, global … 4-23 encryption key, saving to configuration file …...
  • Page 430 display all 802.1X, Web, and MAC authentication configuration … 3-14, 9-16 enhanced (EWA) … 3-11 general setup … 3-14 LACP not allowed … 3-14 redirect URL … 3-11 rules of operation … 3-12 show status and configuration … 3-39 terminology … 3-11 using customized login pages …...
  • Page 432 © Copyright 2007, 2008 Hewlett-Packard Development Company, L.P. January 2008 Manual Part Number 5991-6198...

This manual is also suitable for:

Procurve switch 2900-24gProcurve switch 2900-48g

Table of Contents